[Freeswitch-users] ZRTP proxying
Dahlberg, David
david.dahlberg at fkie.fraunhofer.de
Wed Feb 5 15:03:27 MSK 2014
Hello all,
I have some problems with proxying ZRTP streams trough Freeswitch. My
setup is as follows:
[FS-A]----[FS-B]----[FS-C]
For End-to-end security, "A" should initiate a ZRTP session and "C"
shall terminate it.
What works:
* With late negotiation, two ZRTP security associations (A,B) and (B,C)
are established. Of course in that case there is no E2E encryption,
so no real advantage over the usage of TLS/SAVP .
According to the Wiki, it should be possible to use "proxy_media" with
"inbound-zrtp-passthru". Only this does not work and the problem is
this:
ZRTP uses a slightly modified RTP header format with a CRC checksum that
is calculated over the whole ZRTP header and payload (excluding the CRC
field).
Freeswitch ("FS-B" in my use-case) on the other hand exchanges the RTP
"sequence numbers" and "syncronization source identifiers" (SSRC) (which
in ZRTP become "Source Identifiers"). Which leads to the case that the
checksums are valid on call leg (A,B) but invalid on leg (B,C).
Accordingly, "FS-C" receives ZRTP hello packets from "FS-A", calculates
the checksums, finds a mismatch and discards the packets.
I have found a thread on [freeswitch-users] dated January 2013 and with
a subject "problems with freeswitch + zrtp in proxy-media mode" which
discusses exactly this problem. Within this thread was mentioned, that
FS would change the proxy behaviour, if it encounters "zrtp-hash"
attribute in the SDP and a quick test with SFLphone and w/o proxy_media
seems to confirm this. So is there any possibility to originate this
attribute, when FS originates the ZRTP?
Regards,
David
--
David Dahlberg
Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany | Fax: +49-228-856277
Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users
mailing list