Secure traffic between Asterisk peers

From Etel


Problem

You want to protect voice and signalling traffic between your Asterisk peers from eavesdropping and other evil.

Solution

To secure traffic between Asterisk peers foo and bar, we can use IPsec to encrypt all data exchanged between those peers, including voice and signalling. Let's assume foo is at 192.168.10.10, and bar is at 192.168.20.20. Proceed as follows on system foo, then repeat the procedure on system bar with the two addresses swapped: wherever foo's configuration names its own address 192.168.10.10, bar's names 192.168.20.20, and wherever foo's names its peer 192.168.20.20, bar's names 192.168.10.10. Simply replacing one address with the other is not enough; the policy directions and the peer entries on the two hosts must be mirror images of each other.

  • Install ipsec-tools, containing an Internet Key Exchange (IKE) daemon called racoon and an IPsec management tool called setkey.

This step is often not needed, as the ipsec-tools package is included in most Linux distributions and, at the time of writing, racoon and setkey ship with Mac OS X. If it's not included, you can often install a pre-built package. For example, on Fedora, use yum (as user root):

yum install ipsec-tools

On FreeBSD, it's in the ports collection:

cd /usr/ports/security/racoon
make
make install

Of course, you can also install from source. The source package is distributed as a ".tgz" file, which you can download from http://ipsec-tools.sourceforge.net/ .

To install (as user root), use the following commands (replace x.y.z with the latest version available):

gunzip ipsec-tools-x.y.z.tar.gz 
tar xvf ipsec-tools-x.y.z.tar
cd ipsec-tools-x.y.z
./configure
make
make install
  • Now, define a security policy that forces all IP traffic from and to your peer to be protected with IPsec.

Store the following policy in the file /etc/ipsec.conf:

spdadd 192.168.10.10/32 192.168.20.20/32 any -P out ipsec esp/transport//require;
spdadd 192.168.20.20/32 192.168.10.10/32 any -P in  ipsec esp/transport//require;

This policy states that all packets travelling between our Asterisk peers must be protected with IPsec. The first line covers outbound traffic to the peer and the second inbound traffic from it. "any" matches every protocol and port, so SIP, IAX2 and RTP are all covered. "esp/transport" selects ESP in transport mode, which encrypts the payload of each packet while keeping the original IP header, the right choice for host-to-host traffic. "require" means that a packet matching the policy which is not protected by an ESP security association is dropped rather than sent or accepted in the clear; this is what stops a misconfigured or malicious peer from silently falling back to plain text.

  • Configure racoon to automatically exchange encryption keys between our peers by editing the file /etc/racoon/racoon.conf.

For the peer at address 192.168.10.10 (on bar, the remote block names 192.168.10.10 instead):

path pre_shared_key "/etc/racoon/psk.txt";

# IKE phase 1 parameters: how the two racoon daemons authenticate each
# other and protect their own negotiation.
remote 192.168.20.20
{
        exchange_mode main;          # main mode hides identities; avoid aggressive mode with a PSK
        lifetime time  8 hours;
        proposal {
                authentication_method pre_shared_key;
                encryption_algorithm aes 256;   # racoon syntax: algorithm name, then key length
                hash_algorithm sha1;
                dh_group modp1024;
        }
}

# IKE phase 2 parameters: the ESP security associations that actually
# protect the traffic, rekeyed every hour with perfect forward secrecy.
sainfo anonymous
{
        pfs_group modp1024;
        lifetime time 3600 sec;
        authentication_algorithm hmac_sha1;   # ESP packets are authenticated as well as encrypted
        encryption_algorithm aes 256;
        compression_algorithm deflate;
}

Both peers must offer matching proposals, or phase 1 fails with a "no suitable proposal" message in racoon's log. modp1024 (Diffie-Hellman group 2) and SHA-1 were the usual choices when this recipe was written; if your racoon version supports them, prefer dh_group and pfs_group modp2048 and the sha256/hmac_sha256 algorithms.
  • The pre-shared key method of authentication means that both peers need to share a secret to be able to authenticate to each other.

We add the IP address of our peer and the associated secret to the file /etc/racoon/psk.txt. On foo the line names bar:

192.168.20.20 betterfillinsomegobbledygookhere

On bar the same secret appears next to foo's address, 192.168.10.10. Use a long, random secret rather than a word or phrase: whoever knows it can impersonate either peer, and a guessable secret can be brute-forced offline by an active attacker who poses as the peer during the IKE exchange. Also make sure this file is only readable by user root:

chmod 600 /etc/racoon/psk.txt
  • Now that we have configured our key exchange, we can activate our security policy with a tool called setkey. As user root, execute:

setkey -f /etc/ipsec.conf

And start our key exchange daemon to negotiate cryptographic keys, simply by running:

racoon

racoon goes into the background and logs to syslog; while testing, racoon -F keeps it in the foreground so that errors show on the terminal. Load the policy before starting racoon on both hosts. Once the policy is in place, the first packet addressed to the peer makes the kernel ask racoon to negotiate the security associations, and packets sent before that negotiation completes are dropped, so expect the first ping or two to be lost. Add both commands to your boot scripts: after a reboot without them the policy is gone, and the host will happily talk in the clear unless the other end still requires ESP.
  • To verify that data is indeed secured by IPsec, ping one system from the other while running tcpdump on either host to sniff packets from the network:

tcpdump -n host 192.168.10.10 and host 192.168.20.20

We should see only ESP packets between our peers. If ICMP (or later SIP, IAX2 or RTP) shows up in the clear instead, the policy or the security associations are missing: setkey -DP dumps the installed policies, setkey -D the negotiated security associations, and racoon's syslog output shows why a negotiation failed. A correct capture looks like this, for example:

14:15:30.919115 192.168.10.10 > 192.168.20.20:
        ESP(spi=24501,seq=0x59e)
14:15:30.924053 192.168.20.20 > 192.168.10.10:
        ESP(spi=15701,seq=0x198)
14:15:31.002687 192.168.10.10 > 192.168.20.20:
        ESP(spi=24501,seq=0x59f)
14:15:31.007360 192.168.20.20 > 192.168.10.10:
        ESP(spi=15701,seq=0x199)
...
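The procedure above is easy to get wrong in two places: the two hosts need mirror-image policies and psk.txt entries, and a successful setup is only proven by the absence of cleartext in the capture. The following POSIX shell script is an added example for this recipe, not code from the original page or from the ipsec-tools project. It derives one host's ipsec.conf, racoon.conf and psk.txt from its own and its peer's address (the policy, racoon and pre-shared key steps), and it scans tcpdump output for any packet between the peers that is not ESP (the verification step). The function names, the script name ipsec-peer.sh and the output directory argument are assumptions; the sample capture is constructed, with two deliberately cleartext packets.

```shell
#!/bin/sh
# Added example for this recipe, not code from the original page. Part 1 derives
# the three ipsec-tools files for ONE host from (local address, peer address), so
# foo and bar get mirror-image policies. Part 2 checks tcpdump output for packets
# between the peers that are not ESP. The output directory argument is an
# assumption; on a real host it would be /etc (ipsec.conf) and /etc/racoon.

# gen_spd LOCAL PEER: the two spdadd lines for LOCAL's ipsec.conf.
gen_spd() {
    printf 'spdadd %s/32 %s/32 any -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s/32 %s/32 any -P in  ipsec esp/transport//require;\n' "$2" "$1"
}

# gen_racoon PEER: racoon.conf for the host whose IKE peer is PEER.
gen_racoon() {
    cat <<EOF
path pre_shared_key "/etc/racoon/psk.txt";

remote $1
{
        exchange_mode main;
        lifetime time 8 hours;
        proposal {
                authentication_method pre_shared_key;
                encryption_algorithm aes 256;
                hash_algorithm sha1;
                dh_group modp1024;
        }
}

sainfo anonymous
{
        pfs_group modp1024;
        lifetime time 3600 sec;
        authentication_algorithm hmac_sha1;
        encryption_algorithm aes 256;
        compression_algorithm deflate;
}
EOF
}

# new_secret: 32 random bytes as 64 hex characters (assumes /dev/urandom and od).
new_secret() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# write_host_config DIR LOCAL PEER SECRET: writes DIR/ipsec.conf,
# DIR/racoon/racoon.conf and DIR/racoon/psk.txt; psk.txt is created 0600.
write_host_config() {
    mkdir -p "$1/racoon"
    gen_spd "$2" "$3" > "$1/ipsec.conf"
    gen_racoon "$3" > "$1/racoon/racoon.conf"
    ( umask 077; printf '%s %s\n' "$3" "$4" > "$1/racoon/psk.txt" )
}

# check_esp_only [FILE]: read tcpdump output (stdin if no FILE), glue indented
# continuation lines onto their packet line, and print every packet that is
# not ESP. Exit status 1 if any cleartext packet was seen, else 0.
check_esp_only() {
    awk '
        function emit(r) {
            gsub(/[ \t]+/, " ", r)
            if (r !~ /ESP\(spi=/) { bad = 1; print "CLEARTEXT: " r }
        }
        /^[ \t]/ { rec = rec " " $0; next }
        { if (rec != "") emit(rec); rec = $0 }
        END { if (rec != "") emit(rec); exit (bad ? 1 : 0) }
    ' "$@"
}

# sample_capture: constructed tcpdump lines, not a real capture. Three ESP
# packets (old two-line and newer one-line tcpdump formats) followed by a
# cleartext SIP INVITE and an ICMP reply, which a working policy would drop.
sample_capture() {
    cat <<'EOF'
14:15:30.919115 192.168.10.10 > 192.168.20.20:
        ESP(spi=24501,seq=0x59e)
14:15:30.924053 192.168.20.20 > 192.168.10.10:
        ESP(spi=15701,seq=0x198)
14:15:31.002687 IP 192.168.10.10 > 192.168.20.20: ESP(spi=0x00005fb5,seq=0x59f), length 132
14:15:31.100000 IP 192.168.10.10.5060 > 192.168.20.20.5060: SIP: INVITE sip:100@192.168.20.20 SIP/2.0
14:15:31.200000 IP 192.168.20.20 > 192.168.10.10: ICMP echo reply, id 4711, seq 1, length 64
EOF
}

# Usage (script name is assumed): sh ipsec-peer.sh DIR LOCAL PEER [SECRET]
#   Run on foo without SECRET, then on bar with the secret foo generated.
# Live check: tcpdump -l -n host 192.168.10.10 and host 192.168.20.20 | sh ipsec-peer.sh --check
case "${1:-}" in
    --check) check_esp_only ;;
    "")      sample_capture | check_esp_only || echo "(cleartext found in the constructed sample, as expected)" ;;
    *)       [ $# -ge 3 ] || { echo "usage: $0 DIR LOCAL PEER [SECRET] | --check" >&2; exit 2; }
             write_host_config "$1" "$2" "$3" "${4:-$(new_secret)}" ;;
esac
```

Run with no arguments, the script scans its own constructed sample and reports the SIP INVITE and the ICMP reply as cleartext; fed a live tcpdump (use -l so tcpdump line-buffers its output) it reports the first unprotected packet the moment it appears. The generator writes psk.txt under a 077 umask in a subshell, so the file is never world-readable, not even for the instant before a chmod.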

Discussion

Unfortunately, at the time of writing, Asterisk does not support encryption of voice and signalling. The Secure Real-time Transport Protocol (SRTP) is normally used to protect voice on an IP network. A problem with SRTP is that there is no consensus yet as to how to exchange encryption keys between endpoints (although the IETF is working on this). When SIP over TCP is used as the signalling protocol, traffic can be protected using TLS, but Asterisk only uses UDP for SIP transport, so TLS is not an option either. When using the IAX2 protocol, there is experimental support for encryption, but this is disabled by default and does not seem to be ready for production.

A solution to this problem is to protect traffic at the network layer. This has the advantage that traffic can be protected regardless of transport protocol and completely transparently to applications: Asterisk itself needs no configuration change. The method of choice for protecting IP packets at the network layer is IPsec, a set of protocols that provide confidentiality, data-origin authentication, integrity and replay protection. Since confidentiality is our main goal here, we use IPsec's Encapsulating Security Payload (ESP) protocol to encrypt the payload of all IP packets between the peers. Because our phase 2 proposal also specifies an HMAC, the same ESP packets are authenticated and integrity-protected, so a third party can neither read the traffic nor inject or replay packets into a call.

As IPsec must be carefully configured on both security endpoints, it provides a solution only if we control both ends of the communication. Also, VoIP phones rarely support IPsec, so the leg between each phone and its local Asterisk remains unprotected and should stay on a trusted LAN. But in the case where we need to communicate securely between two Asterisk peers, both under our control, IPsec might be just what we need. A typical situation where our solution applies is when we need to connect two branch offices, both hosting an Asterisk system, peer-to-peer over the Internet. IPsec prevents eavesdroppers on the Internet from listening in on our conversations. Two practical points for that setup: any firewall in the path must pass IKE (UDP port 500) and ESP (IP protocol 50) between the peers, and ESP in transport mode does not survive network address translation, so if either Asterisk sits behind a NAT device you need racoon's NAT traversal (nat_traversal on; in the remote block, which encapsulates ESP in UDP port 4500) or public addresses on both hosts.

See Also:

  • The ipsec-tools homepage at

http://ipsec-tools.sourceforge.net/

  • The setkey(8) and racoon(8) manual pages

Metadata

  • By: Joost van Dijk, TUNIX Internet Security and Training, the Netherlands