[VOIPSEC] Asterisk security

Diana Cionoiu diana-liste at voip.null.ro
Wed Dec 27 12:16:00 GMT 2006

Hi Michael,

In any SIP library there are 2 parts. First of all there is the SIP parser, 
which can be better or worse; it doesn't matter much. The second, and 
often misimplemented, part is the transaction layer, which takes care of 
retransmissions, default answers and so on. This is true mainly for a 
B2BUA like Asterisk.
The SIP stack that Asterisk has now is messing up quite lovely with the 
transaction part. I can go into technical details if it is necessary.
The osip library doesn't even have a transaction engine. They didn't 
even bother. So most people have to use exosip, which has a 
transaction engine, but is designed for a SIP client and assumes things.
When I started to design a SIP stack, first of all I had some experience 
with the Asterisk SIP stack, and then I wrote 2 modules for Yate, one 
based on exosip and one based on osip. After I spent 6 months trying 
to figure out how to make it work, I realized that what I need for SIP 
is a stack that can handle some answers by itself. An engine which gets 
the message and handles retransmissions and so on. And an engine 
that is flexible enough to not be for a client. And also one that doesn't 
have its own internal thread system, like OPAL or OpenH323 at that time, that 
will fight against the threading system of my telephony engine.
Anyway chan_exosip will never go there because it doesn't deserve to be 
Security always means first of all unbreakable systems, and after that 
it means encrypted communications.

Diana Cionoiu

Michael Billerbeck wrote:

>is anybody familiar with asterisk security?
>I know this document on "Setting up Asterisk for SRTP" (http://www.e164.org/wiki/AsteriskSRTP) which uses libSRTP.
>It also relies on the asterisk patch which can be found on http://bugs.digium.com/view.php?id=5413.
>There is also the codename pineapple branch from Olle E. Johansson which is about the development of a chan_sip3 SIP channel (http://www.asterisk.org/node/117).
>Sometimes you can find discussions on chan_exosip (or was it chan_exosip2?), an exosip (extended osip) channel which won't get into asterisk branch because it doesn't agree with the asterisk license if I understood correctly. Please correct me if I am wrong.
