Encrypt Simonics Google Voice Gateway

Started by yehob150, December 05, 2017, 01:43:58 PM

yehob150

Was reading a bit and his site says it supports encryption on TLS port 5061.

Didn't see any instructions on how to do this though.

So went into Obi Expert Config, went under service providers/ITSP Profile A SIP, and changed:
ProxyServerPort to 5061
ProxyServerTransport to TLS
RegistrarServerPort to 5061
X_EchoServerPort to 5061

Basically anything that was 5060 was changed to 5061.
and.... it seems to work.

Does anyone know if this is the right method? Did I change too much or too little?

And, more importantly, what exactly does this encrypt? I assume anyone with access to the Simonics server can still listen in on calls (if there is any interest of course...).

Anyone with expertise that can chime in?

restamp

Yes, the Simonics GVGW supports TLS encryption, but I doubt it does what you want it to do.  TLS encrypts the SIP channel, which registers the device and sets up the call.  However, the actual voice traffic (Media) is handled by the RTP protocol using a different port.  So, with TLS, your conversations can still be easily tapped, although it would be quite difficult to decode the phone number you placed the call to.

As far as I know, the GVGW (along with the vast majority of VoIP providers) does not offer secure RTP, which is probably what you want.  And this surprises me, as I think it would be a popular option if someone did offer it.

(I've been meaning to test whether voip.ms IAX2 offering supports encryption.  Does anyone know?)

billsimon

We offer TLS for signaling encryption but do not offer SRTP. The reasons are complicated but boil down to incompatibilities with several popular useragents used with our service + it's a resource hog at the $6/forever price point.

TLS alone is quite useful in that it conceals your signaling and helps get past SIP ALGs and other layer-7 filters that might disrupt SIP. (For a while, Verizon mobile data was disrupting SIP - don't think this is true any more.) Encrypting the signaling layer means it's not obvious who you are calling and which audio ports are in use.
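
The split described in the replies above, as an added example that is not part of the original thread: it parses an abbreviated, constructed SIP INVITE and reports what TLS on the signaling hop hides (callee, audio port) and whether the SDP offers SRTP for the audio itself. The host name, called number, addresses and function names are assumptions made up for the illustration.

```python
# Added example. The INVITE below is constructed and abbreviated: host, called
# number, IPs and ports are made up. Function names are illustrative only.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:16145550100@gvgw.example.invalid SIP/2.0",
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bKconstructed",
    "From: <sip:GV16145551212@gvgw.example.invalid>;tag=1",
    "To: <sip:16145550100@gvgw.example.invalid>",
    "Call-ID: constructed-1@192.0.2.10",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "c=IN IP4 192.0.2.10",
    "m=audio 16600 RTP/AVP 0 101",
    "a=rtpmap:0 PCMU/8000",
    "",
])

def parse_invite(raw):
    """Split a SIP INVITE into callee, signaling transport and SDP media lines."""
    head, _, sdp = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    media, current = [], None
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            kind, port, profile = line[2:].split()[:3]
            # RTP/SAVP, RTP/SAVPF and UDP/TLS/RTP/SAVP(F) are the SRTP profiles.
            current = {"kind": kind, "port": int(port.split("/")[0]),
                       "profile": profile, "srtp": "SAVP" in profile}
            media.append(current)
        elif line.startswith("a=crypto:") and current is not None:
            current["srtp"] = True  # SDES key offered for this stream
    return {"callee": start.split()[1],
            "transport": headers["via"].split()[0].rsplit("/", 1)[-1].upper(),
            "media": media}

def exposure(raw):
    """What an on-path observer of this hop can read, per the thread's distinction."""
    info = parse_invite(raw)
    tls = info["transport"] == "TLS"
    return {"callee_readable": not tls,
            "audio_ports_readable_from_signaling": not tls,
            "audio_encrypted": bool(info["media"]) and all(m["srtp"] for m in info["media"])}
```

For the setup discussed in this thread (TLS signaling, plain RTP/AVP media), `exposure(SAMPLE_INVITE)` reports the callee and port as hidden but `audio_encrypted` as False: the voice packets are still readable on the path.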

restamp

Interesting:  I had not considered the ancillary benefits of TLS encryption of the signaling channel.  However, although I used TLS for a while with the GVGW (and allow me to add my thanks for providing the fine service for us, and at an amazing price as well, Bill!) I eventually backed it down a notch to just TCP.  The reason was that I was seeing a worrisome number of notices in the logs like the following:

NOTICE[20579] chan_sip.c: Peer 'GV16145551212' is now Lagged. (2135ms / 2000ms)

I have no idea who is responsible for the long RTTs, but when I backed off of using TLS, the number of "Lagging" reports fell significantly, to maybe a couple per day.

ProfTech

Quote from: restamp on December 09, 2017, 09:15:04 PM
I eventually backed it down a notch to just TCP.  The reason was that I was seeing a worrisome number of notices in the logs like the following:
NOTICE[20579] chan_sip.c: Peer 'GV16145551212' is now Lagged. (2135ms / 2000ms)
I have no idea who is responsible for the long RTTs, but when I backed off of using TLS, the number of "Lagging" reports fell significantly, to maybe a couple per day.

Interesting note. I just got TLS to work with Simonics on Asterisk, but I am using PJSIP. I couldn't get TCP to work. I was just trying to test to be sure it would work, since UDP sometimes shifts temporarily to TCP. hmmm...