IAX encryption


As of Asterisk version 1.2.4 (possibly earlier) chan_iax2 includes a largely undocumented channel encryption feature. After successful authentication the whole channel, control data as well as voice data, is encrypted with AES-128. The encryption is activated by adding the line

  encryption=aes128
or
  encryption=yes

to the relevant peer/friend section of your iax.conf. For the encryption to be functional you have to use MD5 authentication (auth=md5), because in this implementation the encryption key is derived from the MD5 challenge/response exchange.

Note: the calling and called numbers are still passed in the clear over encrypted IAX, so you remain vulnerable to traffic analysis.
If you also want to conceal the dialed number, the simplest way is to use a single extension that accepts all encrypted calls and, once the call is up, dial onwards with DTMF; the DTMF frames are then encrypted.

The IAX encryption scheme is documented in the draft RFC at:
http://mirror.switch.ch/ftp/mirror/internet-drafts/draft-guy-iax-03.txt

Example

For example, consider the following scenario:
alice (192.168.25.10) <-----> bob (192.168.25.11)

iax.conf on alice:

 [bob-enc]
 type=friend
 host=192.168.25.11
 username=alice-enc
 auth=md5
 secret=foobar
 trunk=no
 notransfer=no
 encryption=aes128
 disallow=all
 allow=alaw


iax.conf on bob:

 [alice-enc]
 type=friend
 host=192.168.25.10
 username=bob-enc
 auth=md5
 secret=foobar
 trunk=no
 notransfer=no
 encryption=aes128
 disallow=all
 allow=alaw


Debugging

To verify that the configuration is correct, use the following CLI command:

 bob*CLI> iax2 show peers
 Name/Username    Host                 Mask             Port          Status    
 alice-enc/bob-e  192.168.25.10   (S)  255.255.255.255  4569      (E) Unmonitored

The "(E)" indicates the encryption feature. Unfortunately "(E)" is also shown when an authentication method other than MD5 is used, although the encryption is NOT operational in that case.
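Because "(E)" is displayed regardless of the authentication method, the MD5 requirement is easy to miss. The following Python script is an added example (it is not part of this page or of Asterisk): it parses a constructed iax.conf modelled on bob's [alice-enc] section together with constructed "iax2 show peers" output in the layout shown above, and lists the peers that display "(E)" while encryption cannot be in effect. The additional sections (carol-plain, dave-noauth, erin-clear), the sample output rows and the function names are assumptions made for this example; a peer that requests encryption but leaves auth unset is reported as "check" rather than decided, since the page only states that MD5 is required.

```python
"""Audit iax.conf encryption settings against the MD5-only requirement.
Added example, not part of the voip-info page or of Asterisk."""
import re

# Constructed sample: bob's iax.conf with the page's [alice-enc] peer
# plus three assumed variants used to exercise the checks below.
SAMPLE_IAX_CONF = """\
[alice-enc]
type=friend
host=192.168.25.10
username=bob-enc
auth=md5
secret=foobar
encryption=aes128

[carol-plain]      ; assumed: requests encryption with plaintext auth
type=friend
host=192.168.25.12
auth=plaintext
secret=hunter2
encryption=yes

[dave-noauth]      ; assumed: requests encryption, auth not set
type=peer
host=192.168.25.13
encryption=aes128

[erin-clear]       ; assumed: MD5 auth, no encryption requested
type=friend
host=192.168.25.14
auth=md5
"""

# Constructed sample of "iax2 show peers" in the layout shown on the page.
SAMPLE_SHOW_PEERS = """\
Name/Username    Host                 Mask             Port          Status
alice-enc/bob-e  192.168.25.10   (S)  255.255.255.255  4569      (E) Unmonitored
carol-plain      192.168.25.12   (S)  255.255.255.255  4569      (E) Unmonitored
dave-noauth      192.168.25.13   (S)  255.255.255.255  4569      (E) Unmonitored
erin-clear       192.168.25.14   (S)  255.255.255.255  4569          Unmonitored
"""

ENCRYPTION_ON = {"aes128", "yes", "true", "on"}


def parse_iax_conf(text):
    """Return {section: {key: value}}; ';' comments and blank lines are
    skipped, 'key => value' is tolerated, a repeated key keeps its last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.lstrip(">").strip()
    return sections


def audit_encryption(sections):
    """Return {section: (status, reason)} for each peer/user/friend entry.
    status: "encrypted" (encryption + auth=md5), "not-encrypted" (encryption
    with a non-MD5 auth), "check" (auth unset) or "cleartext" (no encryption)."""
    result = {}
    for name, kv in sections.items():
        if kv.get("type", "").lower() not in ("peer", "user", "friend"):
            continue
        if kv.get("encryption", "no").lower() not in ENCRYPTION_ON:
            result[name] = ("cleartext", "encryption not requested")
            continue
        auth = kv.get("auth")
        if auth is None:
            result[name] = ("check", "auth not set; set auth=md5 explicitly")
        elif auth.lower() != "md5":
            result[name] = ("not-encrypted",
                            f"auth={auth}: encryption only works with md5")
        else:
            result[name] = ("encrypted", "encryption requested with auth=md5")
    return result


def peers_showing_e_flag(show_peers_output):
    """Section names (the part before '/' in Name/Username) marked '(E)'."""
    flagged = set()
    for line in show_peers_output.splitlines()[1:]:  # skip the header row
        if line.strip() and "(E)" in line:
            flagged.add(line.split()[0].split("/")[0])
    return flagged


def misleading_e_flags(sections, show_peers_output):
    """Peers that display '(E)' but are not confirmed encrypted by the audit."""
    audit = audit_encryption(sections)
    return {name for name in peers_showing_e_flag(show_peers_output)
            if audit.get(name, ("unknown", ""))[0] != "encrypted"}
```

Run it against your own iax.conf and the pasted output of "iax2 show peers"; any name returned by misleading_e_flags is a peer where the CLI flag suggests encryption that is not actually happening.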

If you would like to see the encryption in action, enable debug output in logger.conf and issue the following CLI commands:

 bob*CLI> set debug 1
 Core debug is at least 1
 bob*CLI> iax2 debug
 IAX2 Debugging Enabled


The debug output for the control data then looks like this:

 Tx-Frame Retry000 -- OSeqno: 009 ISeqno: 009 Type: IAX     Subclass: LAGRP  
    Timestamp: 20004ms  SCall: 00001  DCall: 00004 192.168.25.10:4569
 Feb 15 14:09:22 DEBUG17937: chan_iax2.c:3875 encrypt_frame: Encoding full frame 6/12 with length 12
 Feb 15 14:09:22 DEBUG17937: chan_iax2.c:3883 encrypt_frame: Encoding full frame 6/12 with length 12 + 24 padding (15=28)
 Tx-Frame Retry000 -- OSeqno: 017 ISeqno: 002 Type: (168?) Subclass: 141
    Timestamp: 3945693623ms  SCall: 00001  DCall: 00004 192.168.25.10:4569
 Rx-Frame Retry No -- OSeqno: 133 ISeqno: 235 Type: (132?) Subclass: 101
    Timestamp: 43813863ms  SCall: 00004  DCall: 00001 192.168.25.10:4569
 Feb 15 14:09:22 DEBUG17937: chan_iax2.c:3836 decode_frame: Decoding full frame with length 36 (padding = 24) (15=d8)
 Rx-Frame Retry No -- OSeqno: 008 ISeqno: 009 Type: IAX     Subclass: ACK    
    Timestamp: 20001ms  SCall: 00004  DCall: 00001 192.168.25.10:4569


... and for the voice data:

 Feb 15 14:09:23 DEBUG18288: chan_iax2.c:3891 encrypt_frame: Encoding mini frame with length 164
 Feb 15 14:09:23 DEBUG17937: chan_iax2.c:3851 decode_frame: Decoding mini with length 194



Created by: bef. Last modification on Thu 07 of Feb, 2008 [15:58 UTC] by JustRumours

