[Freeswitch-users] MIKEY-PK support

Sergey Safarov s.safarov at gmail.com
Fri Nov 6 14:01:29 MSK 2015


With SDES, "keys are transported in the SDP attachment of a SIP message
<https://en.wikipedia.org/wiki/SDES>". These keys are accessible to the
FreeSwitch process.
I want to reach the case where keys are negotiated by the endpoints and are
not accessible to the FreeSwitch process.
As a second target, I want to use a certificate issued by a trusted CA to
identify the participant on the other leg and all participants in a
conference. It will be like site identification in a browser. If the
encryption icon is green, then the user knows it is trusted and knows who is
on the other leg.

When SDES is used, the channel is protected from leg-A to FS and from FS to
leg-B. But FS is the weakest link. Keys can be intercepted, media can be
decrypted, and the user will not know that the channel is not secured.

According to RFC 5197 <https://tools.ietf.org/html/rfc5197#section-5.5>,
modes RSA (3.2), DH-SIGN (3.3) and RSA-R (3.7) look appropriate. An
additional feature is support for conference calls.
After reading "6. Transport of MIKEY Messages
<https://tools.ietf.org/html/rfc5197#section-6>", I think support for MIKEY
on the FreeSwitch side is optional. Endpoints can directly negotiate keys via
port 2269.
But the same section also says "The transport of MIKEY messages as part of
SDP is described in [RFC4567 <https://tools.ietf.org/html/rfc4567>].", and
FreeSwitch can help to transport messages when NAT is used.

Sergey
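
The difference described in the message above, as an added example (not part of the original post and not FreeSWITCH code): a small Python audit that reads an SDP body and reports, per media section, whether SRTP keying is SDES (RFC 4568, master key readable by every signalling hop) or MIKEY carried per RFC 4567 (opaque to a relay). The name `audit_sdp`, the sample SDP and the header-only MIKEY blob are constructed for illustration; only the RFC 3830 base data types are mapped.

```python
import base64

# MIKEY common-header data types, RFC 3830 section 6.1 (base modes only).
MIKEY_TYPES = {0: "PSK init", 1: "PSK verify", 2: "public-key init",
               3: "public-key verify", 4: "DH init", 5: "DH response", 6: "error"}

def audit_sdp(sdp):
    """Return one finding per SRTP keying attribute in an SDP body."""
    findings, media = [], "session"
    for line in sdp.replace("\r\n", "\n").split("\n"):
        if line.startswith("m="):
            media = (line[2:].split() or ["?"])[0]  # media type, e.g. "audio"
        elif line.startswith("a=crypto:"):
            # RFC 4568: a=crypto:<tag> <suite> inline:<b64 key||salt>[|...]
            fields = line[len("a=crypto:"):].split()
            if len(fields) < 3 or not fields[2].startswith("inline:"):
                continue
            try:
                key = base64.b64decode(fields[2][7:].split("|")[0], validate=True)
            except ValueError:  # malformed base64: not a usable key
                continue
            findings.append({"media": media, "method": "SDES", "suite": fields[1],
                             "key_bytes": len(key), "key_in_cleartext": True})
        elif line.startswith("a=key-mgmt:mikey "):
            # RFC 4567: a=key-mgmt:mikey <b64 MIKEY message>
            try:
                msg = base64.b64decode(line.split(" ", 1)[1].strip(), validate=True)
            except ValueError:
                continue
            if len(msg) < 2:  # too short to hold version + data type
                continue
            findings.append({"media": media, "method": "MIKEY",
                             "mode": MIKEY_TYPES.get(msg[1], "other"),
                             "key_in_cleartext": False})
    return findings

# Constructed sample offer: SDES on audio, a header-only MIKEY blob on video.
SAMPLE = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:"
    + base64.b64encode(bytes(range(30))).decode(),
    "m=video 49172 RTP/SAVP 96",
    "a=key-mgmt:mikey " + base64.b64encode(bytes([1, 2]) + bytes(14)).decode(),
])

if __name__ == "__main__":
    for finding in audit_sdp(SAMPLE):
        print(finding)
```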





On Fri, Nov 6, 2015 at 12:14 PM, Brian West <brian at freeswitch.org> wrote:

> I think you mean RFC4568. What does MIKEY give you that SDES does not?
>
> On Fri, Nov 6, 2015 at 1:57 AM, Sergey Safarov <s.safarov at gmail.com>
> wrote:
>
>> Does this mean that libsrtp cannot be used?
>>
>> Also, does FS support RFC4567 <https://tools.ietf.org/html/rfc4567>?
>>
>>
>> On Fri, Nov 6, 2015 at 10:48 AM, Ken Rice <krice at freeswitch.org> wrote:
>>
>>> Brian’s message there still rings true at this time.
>>>
>>>
>>>
>>> *From:* freeswitch-users-bounces at lists.freeswitch.org [mailto:
>>> freeswitch-users-bounces at lists.freeswitch.org] *On Behalf Of *Sergey
>>> Safarov
>>> *Sent:* Friday, November 6, 2015 1:42 AM
>>> *To:* FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>>> *Subject:* [Freeswitch-users] MIKEY-PK support
>>>
>>>
>>>
>>> Hi
>>>
>>> According to this message
>>> <http://lists.freeswitch.org/pipermail/freeswitch-users/2008-January/029822.html>,
>>> supporting MIKEY key exchange requires a library with a compatible licence.
>>>
>>> Now I do not find MIKEY support in the source code.
>>>
>>>
>>>
>>> Is it possible to use libsrtp <http://srtp.sourceforge.net/license.html>
>>> to implement MIKEY key exchange?
>>>
>>>
>>>
>>> Sergey
>>>
>>> _________________________________________________________________________
>>> Professional FreeSWITCH Consulting Services:
>>> consulting at freeswitch.org
>>> http://www.freeswitchsolutions.com
>>>
>>> Official FreeSWITCH Sites
>>> http://www.freeswitch.org
>>> http://confluence.freeswitch.org
>>> http://www.cluecon.com
>>>
>>> FreeSWITCH-users mailing list
>>> FreeSWITCH-users at lists.freeswitch.org
>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>> UNSUBSCRIBE:http://lists.freeswitch.org/mailman/options/freeswitch-users
>>> http://www.freeswitch.org
>>>
>>
>>
>
>
>
> --
>
> *Brian West*
> brian at freeswitch.org
>
>
> *Twitter: @FreeSWITCH , @briankwest*
> http://www.freeswitchbook.com
> http://www.freeswitchcookbook.com
>
> Got Bugs? Report them here <https://freeswitch.org/jira>! | Reddit:
> /r/freeswitch <https://www.reddit.com/r/freeswitch>
>
> *T:*+19184209001 | *F:*+19184209002 | *M:*+1918424WEST (9378)
> *iNUM:*+883 5100 1420 9001 | *ISN:*410*543 | *Skype:*briankwest
>

