
Panoramisk / The VoIP druid 

IAX trunk and voice ciphering

Once we decide to carry voice over IP across a public network such as the Internet, confidentiality in transit becomes a concern. Asterisk has its own inter-switch protocol over IP, IAX, and it supports ciphering.

IAX remains a little-known protocol compared to SIP, which the 3GPP chose as the foundation of IMS, but it has real advantages. The main one is that signalling and voice frames travel over the same IP channel (a single UDP port, 4569 by default). That makes it much easier to pass through firewalls and NAT devices, at the cost of forcing the media to follow the signalling path. IAX is first of all an Inter-Asterisk eXchange protocol, aimed more at interconnecting Asterisk servers than at phones. Now that ciphering is implemented, it is a good complement when interconnecting two Asterisk servers between remote sites, or even with an IP Centrex that supports it.

From a ciphering point of view the implementation is simple, but it can be considered efficient and is certainly better than nothing. The ciphering keys are derived from the authentication exchange: the AES key is the MD5 digest of the challenge concatenated with the shared trunk secret, the same digest that produces the MD5 authentication response, and it is used for both signalling and voice. The algorithm is AES1 with a 128-bit key, the current standard for symmetric ciphering; at the low bandwidth of a voice channel its CPU cost is negligible. The flip side of this key derivation is that confidentiality is bounded by the entropy of the shared secret: the challenge travels in clear, so anyone who captures it can test candidate secrets offline. Use a long, random secret for the trunk.

Enabling the ciphering requires configuration only, on both ends of the IAX communication (iax.conf).

Before activation, the trunk looks like this (iax2 show peers):
Site A (192.168.16.13):

Name/Username    Host                 Mask             Port          Status
Trunk/TRUNK      192.168.1.253   (S)  255.255.255.255  4569          Unmonitored

Site B (192.168.1.253):

Name/Username    Host                 Mask             Port          Status
Trunk/TRUNK      192.168.16.13   (S)  255.255.255.255  4569          Unmonitored

Then, on both Asterisk servers, we add the following lines to the section that defines the trunk peer in iax.conf (the peer already has its shared secret; auth=md5 is required because the ciphering key is derived from the MD5 challenge/response):

auth=md5
encryption=aes128

Reloading the module (module reload) activates the ciphering; iax2 show peers now flags it with (E), for example on site B:

Name/Username    Host                 Mask             Port          Status
Trunk/TRUNK      192.168.16.13   (S)  255.255.255.255  4569      (E) Unmonitored

Nothing else is required; all dial plan usage remains as usual.

To be sure, let's sniff the network. Wireshark makes this easy since it understands the IAX2 protocol:

Before:

No.  Src Dst   Proto    len    Info
 1   A   B     IAX2     131    IAX, source call# 1, timestamp 8ms NEW
 2   B   A     IAX2     76     IAX, source call# 4, timestamp 18ms AUTHREQ
 3   A   B     IAX2     88     IAX, source call# 1, timestamp 36ms AUTHREP
 4   B   A     IAX2     60     IAX, source call# 4, timestamp 30ms ACCEPT
 5   A   B     IAX2     60     IAX, source call# 1, timestamp 30ms ACK
 6   B   A     IAX2     54     Control, source call# 4, timestamp 33ms RINGING
 7   A   B     IAX2     60     IAX, source call# 1, timestamp 33ms ACK
 8   B   A     IAX2     54     Control, source call# 4, timestamp 7336ms stop sounds
 9   B   A     IAX2     54     Control, source call# 4, timestamp 7339ms ANSWER
10   A   B     IAX2     60     IAX, source call# 1, timestamp 7336ms ACK
11   A   B     IAX2     60     IAX, source call# 1, timestamp 7339ms ACK
12   B   A     IAX2     214    Voice, source call# 4, timestamp 7380ms, Raw A-law data (G.711)
13   A   B     IAX2     60     IAX, source call# 1, timestamp 7380ms ACK
14   B   A     IAX2     206    Mini packet, source call# 4, timestamp 7400ms, Raw A-law data (G.711)
15   B   A     IAX2     206    Mini packet, source call# 4, timestamp 7420ms, Raw A-law data (G.711)
16   B   A     IAX2     206    Mini packet, source call# 4, timestamp 7440ms, Raw A-law data (G.711)
17   B   A     IAX2     206    Mini packet, source call# 4, timestamp 7460ms, Raw A-law data (G.711)
18   B   A     IAX2     206    Mini packet, source call# 4, timestamp 7480ms, Raw A-law data (G.711)
19   B   A     IAX2     206    Mini packet, source call# 4, timestamp 7500ms, Raw A-law data (G.711)
20   B   A     IAX2     206    Mini packet, source call# 4, timestamp 7520ms, Raw A-law data (G.711)

This trace shows the whole call setup: the NEW (frame 1), authentication (frames 2 and 3), ring-back (frame 6), answer (frame 9) and then voice transport with the G.711 A-law codec, first as a full Voice frame (frame 12) and then as mini packets (frame 14 onwards, 160 bytes of audio every 20 ms).

After:

No.  Src Dst   Proto    len    Info
 1   A   B     IAX2     135    IAX, source call# 1, timestamp 6ms NEW
 2   B   A     IAX2     80     IAX, source call# 2, timestamp 5ms AUTHREQ
 3   A   B     IAX2     110    Unknown (0x25), source call# 1, timestamp 1430387355ms subclass 45
 4   B   A     IAX2     78     Unknown (0x1d), source call# 2, timestamp 597413362ms subclass 8
 5   A   B     IAX2     78     Unknown (0x6f), source call# 1, timestamp 438296161ms subclass 49
 6   B   A     IAX2     78     Unknown (0x78), source call# 2, timestamp 381704198ms subclass 255
 7   A   B     IAX2     78     Unknown (0x6c), source call# 1, timestamp 3638405095ms subclass 51
 8   B   A     IAX2     78     Unknown (0x68), source call# 2, timestamp 1230132843ms subclass 129
 9   B   A     IAX2     78     Unknown (0x0b), source call# 2, timestamp 2389260322ms subclass 47
10   B   A     IAX2     238    Unknown (0xd9), source call# 2, timestamp 3043325243ms subclass 40
11   A   B     IAX2     78     Unknown (0x61), source call# 1, timestamp 768224630ms subclass 92
12   A   B     IAX2     78     Unknown (0xe9), source call# 1, timestamp 706764186ms subclass 59
13   A   B     IAX2     78     Voice, source call# 1, timestamp 3987333658ms, unknown (0x66)
14   B   A     IAX2     236    Mini packet, source call# 2, timestamp 45655ms, unknown (0x00)
15   B   A     IAX2     236    Mini packet, source call# 2, timestamp 63334ms, unknown (0x00)
16   B   A     IAX2     236    Mini packet, source call# 2, timestamp 52953ms, unknown (0x00)
17   B   A     IAX2     236    Mini packet, source call# 2, timestamp 31588ms, unknown (0x00)
18   B   A     IAX2     236    Mini packet, source call# 2, timestamp 3198ms, unknown (0x00)
19   B   A     IAX2     236    Mini packet, source call# 2, timestamp 19488ms, unknown (0x00)
20   B   A     IAX2     236    Mini packet, source call# 2, timestamp 31942ms, unknown (0x00)

After activation, only the first two packets of a call (the NEW and the AUTHREQ that answers it) are still in clear. From frame 3 onwards Wireshark decodes nothing meaningful: frame types and timestamps look random because everything past the two call numbers is now ciphertext. The NEW frame still exposes information about the caller and callee, the AUTHREQ exposes the challenge, and the call numbers stay visible in every frame, but the rest of the communication is ciphered, both signalling (authentication reply, accept, ringing, acknowledgements) and voice. Note the size increase as well: each 20 ms G.711 mini packet grows from 206 to 236 bytes, since frames are padded to the cipher block size, so the cost of ciphering shows up in bandwidth rather than CPU.
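As an added example (not code from this page or from Asterisk), here is a small Python model of what a sniffer recovers from the two traces above. It parses IAX2 full and mini frames and their information elements following the layout documented in RFC 5456, flags frames whose type byte is not a known IAX2 frame type (the "Unknown (0xNN)" entries in the second trace), and shows why the trunk secret matters: in the cleartext capture the MD5 RESULT carried by the AUTHREP can be tested directly against a wordlist. The packets, call numbers, challenge, secret and wordlist are all constructed for the demo, and the ciphertext blob merely stands in for real AES output.

```python
"""What a sniffer learns from an IAX2 trunk, before and after ciphering.

Added example for this page, not code from the page or from Asterisk.  Frame
and information-element (IE) layouts follow RFC 5456.  Every packet, call
number, the challenge, the secret and the wordlist are constructed here.
"""
import hashlib
import struct

# RFC 5456 frame types; anything else is what Wireshark prints as "Unknown (0xNN)".
FRAME_TYPES = {1: "DTMF", 2: "Voice", 3: "Video", 4: "Control", 5: "Null",
               6: "IAX", 7: "Text", 8: "Image", 9: "HTML", 10: "Comfort noise"}
IAX_COMMANDS = {1: "NEW", 4: "ACK", 7: "ACCEPT", 8: "AUTHREQ", 9: "AUTHREP"}
IE_NAMES = {1: "called_number", 2: "calling_number", 4: "calling_name", 6: "username",
            14: "authmethods", 15: "challenge", 16: "md5_result", 50: "encryption"}
TEXT_IES = {1, 2, 4, 6, 15, 16}       # decoded as text; the other IEs used here are 16-bit ints
FULL_HDR = struct.Struct("!HHIBBBB")  # F|scallno, R|dcallno, timestamp, oseq, iseq, type, subclass


def build_ies(ies):
    """Encode (ie_number, value) pairs: str as text, int as a 16-bit value."""
    out = b""
    for ie, value in ies:
        data = value.encode() if isinstance(value, str) else struct.pack("!H", value)
        out += bytes([ie, len(data)]) + data
    return out


def build_full(scallno, dcallno, ts, oseq, iseq, ftype, subclass, data=b""):
    """Cleartext full frame: F bit set on the source call number."""
    return FULL_HDR.pack(0x8000 | scallno, dcallno, ts, oseq, iseq, ftype, subclass) + data


def parse_ies(data):
    ies, pos = {}, 0
    while pos + 2 <= len(data):
        ie, length = data[pos], data[pos + 1]
        raw = data[pos + 2:pos + 2 + length]
        pos += 2 + length
        name = IE_NAMES.get(ie, "ie_%d" % ie)
        if ie in TEXT_IES:
            ies[name] = raw.decode("ascii", "replace")
        else:
            ies[name] = struct.unpack("!H", raw)[0] if length == 2 else raw
    return ies


def parse_frame(pkt):
    """What is recoverable from one UDP payload.  Call numbers are never ciphered,
    so they are always reported.  A frame type outside FRAME_TYPES means the
    header past the call numbers is ciphertext, as in the "after" trace above."""
    if not pkt[0] & 0x80:                       # mini frame: 2-byte call number, 16-bit timestamp
        return {"kind": "mini", "scallno": struct.unpack("!H", pkt[:2])[0]}
    scallno, dcallno, ts, _oseq, _iseq, ftype, sub = FULL_HDR.unpack_from(pkt)
    info = {"kind": "full", "scallno": scallno & 0x7fff, "dcallno": dcallno & 0x7fff,
            "timestamp_ms": ts, "encrypted_looking": ftype not in FRAME_TYPES}
    if not info["encrypted_looking"]:
        info["type"] = FRAME_TYPES[ftype]
        if ftype == 6:                          # IAX control frame: command and IEs are readable
            info["command"] = IAX_COMMANDS.get(sub & 0x7f, "cmd_%d" % (sub & 0x7f))
            info["ies"] = parse_ies(pkt[FULL_HDR.size:])
    return info


def md5_result(challenge, secret):
    """IAX2 MD5 RESULT IE: hex MD5 of the challenge followed by the shared secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def recover_secret(challenge, result, wordlist):
    """Offline guess of the trunk secret from a captured challenge/response pair."""
    return next((w for w in wordlist if md5_result(challenge, w) == result), None)


def audit_capture(packets, wordlist):
    """Merge the cleartext IEs of a capture and try the wordlist against them."""
    frames = [parse_frame(p) for p in packets]
    leaked = {k: v for f in frames for k, v in f.get("ies", {}).items()}
    challenge, result = leaked.get("challenge"), leaked.get("md5_result")
    return {"frames": frames, "leaked_ies": leaked,
            "encrypted_frames": sum(1 for f in frames if f.get("encrypted_looking")),
            "secret": recover_secret(challenge, result, wordlist) if challenge and result else None}


# --- constructed capture (made-up numbers, challenge, secret and wordlist) ---
SECRET, CHALLENGE = "trunk2007", "348170923"     # Asterisk sends a numeric challenge string
WORDLIST = ["password", "asterisk", "trunk", SECRET]
NEW = build_full(1, 0, 8, 0, 0, 6, 1, build_ies([(1, "0612345678"), (2, "0155555555"),
                                                 (4, "Site A"), (6, "TRUNK")]))
AUTHREQ = build_full(4, 1, 18, 0, 1, 6, 8, build_ies([(14, 2), (15, CHALLENGE)]))
AUTHREP_CLEAR = build_full(1, 4, 36, 1, 1, 6, 9, build_ies([(16, md5_result(CHALLENGE, SECRET))]))
# With ciphering on, everything past the two call numbers is AES output; this fixed
# blob stands in for it (its frame type byte is 0x25, like "Unknown (0x25)" on the page).
AUTHREP_ENC = struct.pack("!HH", 0x8001, 4) + bytes.fromhex("55434b2e7a9f25b1c3d8e06f1a7b9c4d")
MINI_ENC = struct.pack("!H", 4) + bytes.fromhex("b2c45a9e")
BEFORE = [NEW, AUTHREQ, AUTHREP_CLEAR]
AFTER = [NEW, AUTHREQ, AUTHREP_ENC, MINI_ENC]

if __name__ == "__main__":
    for name, pkts in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_capture(pkts, WORDLIST))
```

Run it and the "before" capture gives up the secret from the wordlist, while the "after" capture yields only the caller and callee details, the challenge and the call numbers. The example deliberately stops short of the trial decryption that a captured challenge would allow against the ciphered AUTHREP; since the AES key is the MD5 digest of challenge and secret, the entropy of the secret is what stops that attack too.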

The configuration is straightforward once IAX communication works between the two hosts. You can try it and put it in production if you find it stable enough; it is not yet mature in 1.4. Two points remain to check on a heavily loaded Asterisk PBX: the latency added by ciphering (probably a few milliseconds at most) and the bandwidth overhead of padding every frame to the cipher block size. Keep in mind that the (E) flag only reflects the peer's configuration; a capture like the one above is what confirms that the trunk is actually ciphered on the wire, and the ciphering is only as strong as the trunk secret it is derived from.


  1. Advanced Encryption Standard
Posted by: Alexandre Chauvin-Hameau, on 05/14/2007


© 2009 Panoramisk | Creative Commons License