SIP Security in Yate

From Yate Documentation

Revision as of 11:22, 15 November 2012

Yate can bind on UDP, TCP and TLS. Each binding is set up through a listener, which is a dedicated section in ysipchan.conf.

Secure SIP is set up by creating a TLS listener. Yate will then bind on TLS and use SRTP packets for voice.

To protect the signaling messages against snooping or alteration, use TLS.

SRTP, which is a security profile for RTP, adds confidentiality, message authentication, and replay protection to the protocol.

How to set a TLS listener

In ysipchan.conf:

[general]
type=tls
addr=x.x.x.x
port=5061
sslcontext=server_context

Configure an SSL server context

In openssl.conf:

[server_context]
enable=yes
certificate=name.crt
key=name.key

In this example, the files name.crt and name.key have to be in the same directory as the configuration file.

Enable SRTP

Data security protocols such as SRTP rely on a separate key management system to securely establish encryption and/or authentication keys. With the secure parameter below, the keys are carried as RFC 4568 security descriptors in the SDP message, which TLS protects.

In ysipchan.conf the secure parameter is disabled by default; to use SRTP you have to enable it.

[default]
; secure: bool: Generate and accept RFC 4568 security descriptors for SRTP
secure=enable
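
The three settings above depend on each other: the listener names an SSL context, the context must be enabled and carry a certificate and key, and SRTP keys are only protected if the SDP travels over TLS. The following check is an added example, not part of the Yate documentation or code; audit() and the sample variable names are hypothetical, the weak configuration is constructed, and the set of boolean-true spellings is an assumption.

```python
import configparser

TRUE = {"yes", "true", "on", "enable", "t"}  # assumed set of boolean-true spellings

# The page's two files, plus a constructed weak variant (SRTP on, UDP listener only).
YSIPCHAN = """[general]
type=tls
addr=x.x.x.x
port=5061
sslcontext=server_context
[default]
; secure: bool: Generate and accept RFC 4568 security descriptors for SRTP
secure=enable
"""
OPENSSL = "[server_context]\nenable=yes\ncertificate=name.crt\nkey=name.key\n"
WEAK_YSIPCHAN = "[general]\ntype=udp\nport=5060\n[default]\nsecure=enable\n"

def parse(text):
    # ';' starts a comment line; duplicate sections are tolerated
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   comment_prefixes=(";",))
    cp.read_string(text)
    return cp

def audit(ysipchan_text, openssl_text):
    """Return a list of findings; an empty list means every check passed."""
    sip, ssl = parse(ysipchan_text), parse(openssl_text)
    findings = []
    tls = [s for s in sip.sections()
           if sip.get(s, "type", fallback="").lower() == "tls"]
    if not tls:
        findings.append("no type=tls listener: signaling is unprotected")
    for s in tls:
        ctx = sip.get(s, "sslcontext", fallback="")
        if not ctx or not ssl.has_section(ctx):
            findings.append(f"[{s}] sslcontext '{ctx}' not found in openssl.conf")
            continue
        if ssl.get(ctx, "enable", fallback="").lower() not in TRUE:
            findings.append(f"[{ctx}] context is not explicitly enabled")
        findings += [f"[{ctx}] missing {k}" for k in ("certificate", "key")
                     if not ssl.get(ctx, k, fallback="")]
    srtp = any(sip.get(s, "secure", fallback="").lower() in TRUE
               for s in sip.sections())
    if not srtp:
        findings.append("secure is not enabled: voice uses plain RTP")
    elif not tls:
        findings.append("SRTP keys are sent in SDP with no TLS to protect them")
    return findings

if __name__ == "__main__":
    for name, cfg in (("page config", YSIPCHAN), ("weak config", WEAK_YSIPCHAN)):
        print(name, audit(cfg, OPENSSL) or "OK")
```
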

Advantages

  • SRTP is ideal for protecting Voice over IP traffic because it has no effect on IP Quality of Service.
  • SRTP provides significant advantages, especially for voice traffic using low-bitrate voice codecs such as G.729 and iLBC.
  • SRTP confidentiality of RTP packets protects packet payloads from being read by entities without the secret encryption key.
  • SRTP message authentication of RTP packets protects the integrity of a packet against forgery, alteration, or replacement.
