OBiTALK Community

General Support => On-Topic: Obihai and OBi Products => Topic started by: yehob150 on December 05, 2017, 01:43:58 pm

Title: Encrypt Simonics Google Voice Gateway
Post by: yehob150 on December 05, 2017, 01:43:58 pm
Was reading a bit and his site says it supports encryption on TLS port 5061.

Didn't see any instructions on how to do this though.

So went into Obi Expert Config, went under service providers/ITSP Profile A SIP, and changed:
ProxyServerPort to 5061
ProxyServerTransport to TLS
RegistrarServerPort to 5061
X_EchoServerPort to 5061

Basically anything that was 5060 was changed to 5061.
and.... it seems to work.

Does anyone know if this is the right method? Did I change too much or too little?

And, more importantly, what exactly does this encrypt? I assume anyone with access to the Simonics server can still listen in on calls (if there is any interest of course...).

Anyone with expertise that can chime in?

Title: Re: Encrypt Simonics Google Voice Gateway
Post by: restamp on December 05, 2017, 02:21:28 pm
Yes, the Simonics GVGW supports TLS encryption, but I doubt it does what you want it to do.  TLS encrypts the SIP channel, which registers the device and sets up the call.  However, the actual voice traffic (Media) is handled by the RTP protocol using a different port.  So, with TLS, your conversations can still be easily tapped, although it would be quite difficult to decode the phone number you placed the call to.

As far as I know, the GVGW (along with the vast majority of VOIP providers) does not offer secure RTP, which is probably what you want.  And this surprises me, as I think it would be a popular option if someone did offer it.

(I've been meaning to test whether the IAX2 offering supports encryption.  Does anyone know?)

Title: Re: Encrypt Simonics Google Voice Gateway
Post by: billsimon on December 09, 2017, 07:35:00 am
We offer TLS for signaling encryption but do not offer SRTP. The reasons are complicated but boil down to incompatibilities with several popular user agents used with our service + it's a resource hog at the $6/forever price point.

TLS alone is quite useful in that it conceals your signaling and helps get past SIP ALGs and other layer-7 filters that might disrupt SIP. (For a while, Verizon mobile data was disrupting SIP - don't think this is true any more.) Encrypting the signaling layer means it's not obvious who you are calling and which audio ports are in use.
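
Added example, not part of the thread or any poster's code: a small Python check that reads a SIP INVITE and reports what a passive on-path observer can still see, contrasting TLS signaling with plain RTP media as discussed in the two replies above. The INVITE is constructed; the host name, addresses, numbers and port are assumptions, and only the topmost Via (the first hop) is examined.

```python
import re

# SDP media profiles that mean the stream itself is SRTP-protected.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def make_invite(transport):
    """Constructed INVITE; hosts, numbers and ports are made up."""
    return (
        "INVITE sip:16145551212@gateway.example.invalid SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKconstructed\r\n"
        "Content-Type: application/sdp\r\n"
        "\r\n"
        "v=0\r\n"
        "c=IN IP4 192.0.2.10\r\n"
        "m=audio 16384 RTP/AVP 0 8\r\n"
    )

def exposure(raw):
    """Report what a passive on-path observer can read for this call."""
    head, _, sdp = raw.partition("\r\n\r\n")
    # Transport of the first hop, taken from the topmost Via header.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    streams = []
    for line in sdp.splitlines():
        if line.startswith("m="):  # m=<media> <port> <proto> <formats...>
            kind, port, proto = line[2:].split()[:3]
            streams.append({"kind": kind, "port": int(port.split("/")[0]),
                            "proto": proto, "srtp": proto.upper() in SRTP_PROFILES})
    visible = []
    if transport != "TLS":
        # Request line and SDP travel in the clear on this hop.
        visible += ["dialed number", "media ports"]
    # Media is a separate flow; TLS on the signaling does not cover it.
    visible += [f"{s['kind']} payload" for s in streams if not s["srtp"]]
    return {"signaling": transport, "streams": streams, "visible": visible}

if __name__ == "__main__":
    for t in ("UDP", "TLS"):
        print(t, exposure(make_invite(t))["visible"])
```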

Title: Re: Encrypt Simonics Google Voice Gateway
Post by: restamp on December 09, 2017, 09:15:04 pm
Interesting:  I had not considered the ancillary benefits of TLS encryption of the signaling channel.  However, although I used TLS for a while with the GVGW (and allow me to add my thanks for providing the fine service for us, and at an amazing price as well, Bill!) I eventually backed it down a notch to just TCP.  The reason was that I was seeing a worrisome number of notices in the logs like the following:

NOTICE[20579] chan_sip.c: Peer 'GV16145551212' is now Lagged. (2135ms / 2000ms)

I have no idea who is responsible for the long RTTs, but when I backed off of using TLS, the number of "Lagging" reports fell significantly, to maybe a couple per day.