SIP Security in Yate

From Yate Documentation
Revision as of 10:43, 16 November 2012

VoIP call signaling and call control can be secured by implementing some form of Authorization, Authentication or Transport Layer Security (TLS/SSL) mechanism and Media encryption (SRTP).
To protect the signaling messages against snooping or alteration, use TLS. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.

Using SRTP, which is a security profile for RTP, adds confidentiality, message authentication, and replay protection to the media stream.


How to configure secure SIP

Yate can bind on TLS. This is done using a listener, which is a specific section in ysipchan.conf.

The next steps configure Yate to bind on TLS and to use SRTP packets for voice.


How to set a TLS listener

In ysipchan.conf:

[general]
type=tls
addr=x.x.x.x
port=5061
sslcontext=server_context

Configure an SSL server context

In openssl.conf:

[server_context]
enable=yes
certificate=name.crt
key=name.key

The files name.crt and name.key have to be in the same place as the configuration file in this example.

Enable SRTP

Data security protocols such as SRTP rely upon a separate key management system to securely establish encryption and/or authentication keys. Here the keys are carried as security descriptors inside the SDP body of the SIP message, so it is the TLS listener that protects the SDP message, and with it the SRTP keys, from being read or altered in transit.
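The following is an added example, not part of the Yate documentation or code, showing why the SDP message needs TLS protection: it parses an RFC 4568 security descriptor (the `a=crypto:` SDP attribute that the `secure` parameter below makes Yate generate and accept), decodes the base64 master key and salt it carries in the clear, and only treats the offered key as trustworthy when the signaling arrived over the TLS listener. The crypto-suite names and key/salt lengths are the ones defined in RFC 4568; the sample attribute line, the key bytes and the function names are constructed for this example.

```python
import base64
import re

# Crypto suites from RFC 4568 with their (master key, master salt) lengths in bytes.
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

# Constructed sample: a deterministic 30-byte key||salt (NOT a real key), base64-encoded,
# with a lifetime of 2^20 packets and MKI value 1 of length 4, as RFC 4568 lays them out.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(30))).decode()
SAMPLE_LINE = f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY_B64}|2^20|1:4"

CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) (\S+)(?: (.*))?$")


def parse_crypto_attribute(line):
    """Parse one 'a=crypto:' SDP attribute into its tag, suite, key material and parameters.

    Raises ValueError for anything an endpoint should refuse (unknown suite, wrong key length,
    malformed base64), since a malformed descriptor must not silently produce a weak SRTP session.
    """
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto attribute")
    tag, suite, key_params, session_params = m.groups()
    if suite not in SUITES:
        raise ValueError(f"unsupported crypto-suite {suite}")
    if not key_params.startswith("inline:"):
        raise ValueError("only the inline key method is supported here")
    fields = key_params[len("inline:"):].split("|")
    key_salt = base64.b64decode(fields[0], validate=True)
    key_len, salt_len = SUITES[suite]
    if len(key_salt) != key_len + salt_len:
        raise ValueError(f"{suite} needs {key_len + salt_len} key||salt bytes, got {len(key_salt)}")
    lifetime, mki = None, None
    for field in fields[1:]:
        if ":" in field:                      # MKI:length
            idx, length = field.split(":", 1)
            mki = (int(idx), int(length))
        else:                                 # lifetime such as 2^20
            lifetime = field
    return {
        "tag": int(tag),
        "suite": suite,
        "master_key": key_salt[:key_len],
        "master_salt": key_salt[key_len:],
        "lifetime": lifetime,
        "mki": mki,
        "session_params": session_params,
    }


def accept_sdes_offer(line, transport):
    """Decide whether an offered SDES key is usable.

    The master key is base64 text inside the SDP body, not encrypted. If the SIP message that
    carried it came over UDP/TCP, anyone on the path could read the key, so the 'confidential'
    SRTP session would be worthless; only an offer received on the TLS listener is accepted.
    """
    if transport.lower() != "tls":
        return False, "SDP received over cleartext signaling: SRTP key exposed on the path"
    try:
        desc = parse_crypto_attribute(line)
    except ValueError as exc:
        return False, str(exc)
    return True, f"tag {desc['tag']} {desc['suite']} accepted"


if __name__ == "__main__":
    for transport in ("udp", "tls"):
        print(transport, accept_sdes_offer(SAMPLE_LINE, transport))
</test>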

In ysipchan.conf the secure parameter is disabled by default; to use SRTP you have to enable it.

[default]
; secure: bool: Generate and accept RFC 4568 security descriptors for SRTP
secure=enable
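As an added example that is not part of the Yate project, the script below audits the three settings from the steps above as one unit: it parses the INI-style ysipchan.conf and openssl.conf shown on this page, then checks that the listener is of type tls, that its sslcontext names a context that exists and is enabled in openssl.conf, that the context's certificate and key files sit next to the configuration (as the page requires), and that secure is turned on in [default]. The two configuration texts are constructed copies of the page's snippets; the set of spellings treated as "true" and the audit function name are assumptions made for this check.

```python
import configparser
from pathlib import Path

# Constructed sample configurations mirroring the snippets on this page (not files from a real install).
YSIPCHAN_CONF = """
[general]
type=tls
addr=x.x.x.x
port=5061
sslcontext=server_context

[default]
; secure: bool: Generate and accept RFC 4568 security descriptors for SRTP
secure=enable
"""

OPENSSL_CONF = """
[server_context]
enable=yes
certificate=name.crt
key=name.key
"""

# Assumption: these spellings are all read as boolean true by the checker.
TRUE_VALUES = {"yes", "true", "on", "enable", "1"}


def parse_yate_conf(text):
    """Parse Yate's INI-style configuration; lines starting with ';' are comments."""
    cp = configparser.RawConfigParser(comment_prefixes=(";", "#"), strict=False)
    cp.optionxform = str  # keep parameter names exactly as written
    cp.read_string(text)
    return cp


def audit_sip_security(ysipchan_text, openssl_text, conf_dir=None):
    """Return a list of findings; an empty list means TLS listener, SSL context and SRTP agree.

    conf_dir, when given, is the directory holding the configuration files so that the
    certificate and key paths can be checked for existence next to it.
    """
    findings = []
    sip = parse_yate_conf(ysipchan_text)
    ssl = parse_yate_conf(openssl_text)

    listener = sip["general"] if sip.has_section("general") else {}
    if listener.get("type", "udp").lower() != "tls":
        findings.append("listener type is not tls: signaling would travel in cleartext")
    if listener.get("port") != "5061":
        findings.append("TLS listener is not on the conventional SIPS port 5061")

    ctx_name = listener.get("sslcontext")
    if not ctx_name:
        findings.append("listener has no sslcontext, so TLS cannot be set up")
    elif not ssl.has_section(ctx_name):
        findings.append(f"sslcontext '{ctx_name}' is not defined in openssl.conf")
    else:
        ctx = ssl[ctx_name]
        if ctx.get("enable", "no").lower() not in TRUE_VALUES:
            findings.append(f"context '{ctx_name}' is not enabled")
        for item in ("certificate", "key"):
            if item not in ctx:
                findings.append(f"context '{ctx_name}' is missing '{item}'")
            elif conf_dir is not None and not (Path(conf_dir) / ctx[item]).is_file():
                findings.append(f"{item} file '{ctx[item]}' not found next to the configuration")

    secure = sip["default"].get("secure", "no") if sip.has_section("default") else "no"
    if secure.lower() not in TRUE_VALUES:
        findings.append("secure is not enabled in [default]: no SRTP descriptors offered or accepted")
    return findings


if __name__ == "__main__":
    for finding in audit_sip_security(YSIPCHAN_CONF, OPENSSL_CONF) or ["no findings"]:
        print(finding)
```

Run it against the real files by reading them from the Yate configuration directory and passing that directory as conf_dir, which also verifies that name.crt and name.key really sit next to the configuration.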

Advantages

  • SRTP is ideal for protecting Voice over IP traffic because it can be used in conjunction with header compression and has no effect on IP Quality of Service.
  • SRTP provides significant advantages, especially for voice traffic using low-bitrate voice codecs such as G.729 and iLBC.
  • SRTP confidentiality of RTP packets protects packet payloads from being read by entities without the secret encryption key.
  • SRTP message authentication of RTP packets protects the integrity of a packet against forgery, alteration, or replacement.
  • TLS provides privacy and data integrity between communicating applications.
