SIP Security in Yate
Latest revision as of 10:45, 4 November 2013
SIP secure uses TLS protocol for securing the signalling. This will stop man in the middle attacks and hide the called identity.
In order to secure the media SRTP protocol is used. This will add confidentiality, message authentication, and replay protection to the RTP data.
How to configure SIP secure
Yate can bind on TLS. This is done with a listener, a dedicated section in ysipchan.conf that specifies the network interface and port on which Yate listens.
The next steps configure Yate to bind on TLS and to use SRTP packets for voice.
How to set a TLS listener
In ysipchan.conf:
[general]
type=tls
addr=x.x.x.x
port=5061
sslcontext=server_context
Configure an SSL server context
In openssl.conf
[server_context]
enable=yes
certificate=name.crt
key=name.key
The files name.crt and name.key have to be in the same place as the configuration file in this example.
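The listener and the SSL context have to agree with each other and with the files on disk, and a mismatch typically shows up only when the first TLS client connects. The following Python script is an added example, not part of Yate, that parses the two fragments above with the standard configparser module and reports the usual mistakes: listener not of type tls, a missing or disabled context, or certificate and key files that are not beside openssl.conf. The sample fragments, the address 192.0.2.10 and the file_exists hook are constructed for the example.

```python
"""Sanity check for the Yate TLS listener / SSL context pairing.

Added example (not Yate project code): parses the ysipchan.conf and
openssl.conf fragments from the page and lists the problems that would
leave a "secure" SIP listener unprotected or unable to start.
"""
import configparser
import os

# Constructed sample of the ysipchan.conf fragment shown on the page.
YSIPCHAN_CONF = """
[general]
type=tls
addr=192.0.2.10
port=5061
sslcontext=server_context
"""

# Constructed sample of the openssl.conf fragment shown on the page.
OPENSSL_CONF = """
[server_context]
enable=yes
certificate=name.crt
key=name.key
"""


def _parse(text):
    """Parse a Yate-style INI fragment; ';' starts a comment, keys keep their case."""
    cp = configparser.ConfigParser(interpolation=None,
                                   comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def check_tls_listener(ysipchan_text, openssl_text, conf_dir=".",
                       file_exists=os.path.isfile):
    """Return a list of problems; an empty list means the pairing is consistent.

    conf_dir is the directory openssl.conf was loaded from: the page says the
    .crt and .key files must sit next to it when given as bare names.
    file_exists is a hook (assumption for this example) so the check can run
    without touching the real filesystem.
    """
    problems = []
    ysip = _parse(ysipchan_text)
    ossl = _parse(openssl_text)

    if not ysip.has_section("general"):
        return ["ysipchan.conf: no [general] listener section"]
    gen = ysip["general"]

    # A listener that is not tls still answers, but in cleartext.
    ltype = gen.get("type", "udp")
    if ltype.lower() != "tls":
        problems.append("listener type is %r, not tls: signalling is not protected" % ltype)
    port = gen.get("port", "5060")
    if port != "5061":
        problems.append("port %s is unusual for SIPS; peers expect 5061" % port)

    ctx = gen.get("sslcontext")
    if not ctx:
        problems.append("sslcontext is missing: a tls listener cannot start without a context")
        return problems
    if not ossl.has_section(ctx):
        problems.append("openssl.conf has no [%s] section" % ctx)
        return problems
    sec = ossl[ctx]
    if sec.get("enable", "no").lower() not in ("yes", "true", "on", "1"):
        problems.append("[%s] is not enabled" % ctx)

    # Bare file names are resolved relative to the configuration directory.
    for key in ("certificate", "key"):
        name = sec.get(key)
        if not name:
            problems.append("[%s] lacks %s=" % (ctx, key))
            continue
        path = name if os.path.isabs(name) else os.path.join(conf_dir, name)
        if not file_exists(path):
            problems.append("%s file %s not found beside openssl.conf" % (key, path))
    return problems


if __name__ == "__main__":
    for p in check_tls_listener(YSIPCHAN_CONF, OPENSSL_CONF) or ["configuration looks consistent"]:
        print(p)
```

Run it from the directory that holds openssl.conf, or pass conf_dir explicitly; the port check is advisory only, since Yate accepts any port, but a peer dialling a sips: URI without an explicit port will try 5061.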
Enable SRTP
Data security protocols such as SRTP rely upon a separate key management system to securely establish encryption and/or authentication keys. TLS will protect the SDP message.
In ysipchan.conf the secure parameter is disabled by default; to use SRTP you have to enable it.
[default]
; secure: bool: Generate and accept RFC 4568 security descriptors for SRTP
secure=enable
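The RFC 4568 security descriptors mentioned in the comment are a=crypto lines in the SDP body: they carry the SRTP master key and salt, base64-encoded but otherwise in the clear, which is exactly why the SIP signalling that transports the SDP needs TLS. The following Python decoder is an added example, not Yate code, that parses such an SDP answer and recovers the key material; the SDP body, the 192.0.2.10 address and the key bytes are constructed for the example.

```python
"""Decode RFC 4568 (SDES) a=crypto attributes from an SDP body.

Added example (not Yate project code): shows what the SDP actually carries
when secure=enable is on, namely the SRTP master key and salt in base64,
which is why the signalling carrying the SDP must itself be protected by TLS.
"""
import base64
import re

# Constructed key material: 16-byte master key and 14-byte master salt.
MASTER_KEY = bytes(range(16))
MASTER_SALT = bytes(range(16, 30))
INLINE = base64.b64encode(MASTER_KEY + MASTER_SALT).decode("ascii")

# Constructed SDP answer in the shape an SRTP-capable endpoint would send.
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=yate 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 20000 RTP/SAVP 0 8",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:%s" % INLINE,
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:%s|2^20" % INLINE,
    "",
])

# a=crypto:<tag> <suite> inline:<base64 key||salt>[|2^lifetime][|mki:len] [session params]
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)"
    r"(?:\|2\^(\d+))?(?:\|(\d+):(\d+))?(?: (.*))?$")

# Master key and salt lengths in bytes for the crypto suites of RFC 4568 section 6.2.
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}


def parse_crypto_attributes(sdp):
    """Return one dict per a=crypto line with the decoded master key and salt.

    Raises ValueError on an unknown suite or a key of the wrong length, since
    a peer offering such a line cannot be interoperated with safely.
    """
    found = []
    for line in sdp.split("\r\n"):
        m = CRYPTO_RE.match(line)
        if not m:
            continue
        tag, suite, b64, lifetime, mki, mki_len, params = m.groups()
        if suite not in SUITES:
            raise ValueError("unknown crypto suite %r" % suite)
        key_len, salt_len = SUITES[suite]
        raw = base64.b64decode(b64)
        if len(raw) != key_len + salt_len:
            raise ValueError("key material for %s must be %d bytes, got %d"
                             % (suite, key_len + salt_len, len(raw)))
        found.append({
            "tag": int(tag),
            "suite": suite,
            "master_key": raw[:key_len],
            "master_salt": raw[key_len:],
            "lifetime": 2 ** int(lifetime) if lifetime else None,
            "mki": (int(mki), int(mki_len)) if mki else None,
            "session_params": params,
        })
    return found


def media_is_secure(sdp):
    """True only if the media line uses RTP/SAVP and carries a usable descriptor."""
    lines = sdp.split("\r\n")
    savp = any(l.startswith("m=") and "RTP/SAVP" in l.split() for l in lines)
    return savp and len(parse_crypto_attributes(sdp)) > 0


if __name__ == "__main__":
    for d in parse_crypto_attributes(SAMPLE_SDP):
        print(d["tag"], d["suite"], "key=%s salt=%s" % (d["master_key"].hex(), d["master_salt"].hex()))
    print("media secure:", media_is_secure(SAMPLE_SDP))
```

Anyone who can read the SIP message can run this decoder and obtain the SRTP keys, so the "secure" profile on the media line is only as strong as the transport that carried the SDP; the TLS listener configured earlier is what keeps these lines out of a passive observer's reach.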
Advantages
- SRTP is ideal for protecting Voice over IP traffic because it can be used in conjunction with header compression and has no effect on IP Quality of Service.
- SRTP provides significant advantages, especially for voice traffic using low-bitrate voice codecs such as G.729 and iLBC.
- SRTP confidentiality of RTP packets protects packet payloads from being read by entities without the secret encryption key.
- SRTP message authentication of RTP packets protects the integrity of a packet against forgery, alteration, or replacement.
- TLS provides privacy and data integrity between communicating applications.
See also
- Transport Layer Security
- SIP Configuration File
- Telephony