Uploaded image for project: 'FreeSWITCH'
  1. FreeSWITCH
  2. FS-5755

Allow better control over incoming/outgoing secure media offers

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: mod_sofia
    • Security Level: public
    • Labels:
      None
    • CPU Architecture:
      x86
    • Kernel:
      Linux
    • Userland:
      GNU/Linux
    • Compiler:
      gcc
    • FreeSWITCH GIT Revision:
      All
    • GIT Master Revision hash::
      All

      Description

      Ideally there would be "codec like" means to control inbound and outbound SRTP behavior. Currently setting sip_secure_media/rtp_secure_media doesn't seem to have the expected affect when compared to codecs, for example:

      A leg endpoint sends the following SDP:

         v=0
         o=- 1377289399 1377289399 IN IP4 10.41.22.51
         s=Polycom IP Phone
         c=IN IP4 10.41.22.51
         t=0 0
         a=sendrecv
         m=audio 2222 RTP/SAVP 9 0 8 18 101
         a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:zXsSyzAa4QvE6ZtZDktSWqQSgvOvCrBprAmsMg9p
         a=rtpmap:9 G722/8000
         a=rtpmap:0 PCMU/8000
         a=rtpmap:8 PCMA/8000
         a=rtpmap:18 G729/8000
         a=fmtp:18 annexb=no
         a=rtpmap:101 telephone-event/8000
         m=audio 2222 RTP/AVP 9 0 8 18 101
         a=rtpmap:9 G722/8000
         a=rtpmap:0 PCMU/8000
         a=rtpmap:8 PCMA/8000
         a=rtpmap:18 G729/8000
         a=fmtp:18 annexb=no
         a=rtpmap:101 telephone-event/8000

      If I wanted to select the codec I could parse ${ep_codec_string} and set ${absolute_codec} to the codec I wanted to select. I could also export absolute_codec to contain only the codecs I wanted to offer on the B leg. However, FreeSWITCH will automatically enable crypto in this case on the A leg because of the crypto offer. Ideally I could set sip_secure_media=false and FreeSWITCH would decline the crypto offer on the A leg, just like I can export sip_secure_media to offer crypto on the B leg today.

      However, in this case the Polycom gives control of AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32, RTP/SAVP + RTP/AVP, RTP/SAVP only, etc. Ideally FreeSWITCH would also allow inbound and outbound control over the crypto suite selected/offered.

      I'd also like the ability for FreeSWITCH to offer RTP/AVP + RTP/SAVP on the B leg for selection by the remote endpoint. It seems that allowing the export of "sip_secure_media=both" or "sip_secure_media=optional" might make sense for this.

        Activity

        Hide
        tc Travis Cross added a comment -
        Moc: The use of inbound_rtp_cipher_prefs would be to e.g. tell FS which cipher it should pick when given the choice by the offer, or to ensure certain ciphers are never chosen by excluding them from the list.

        Regarding your parenthetical, as I said, the idea with inbound_* and outbound_* is that they are copied over to the * variable on bridge or (pre)answer.

        Prefixing with inbound_ and outbound_ is better as it maintains consistency with inbound-codec-prefs and outbound-codec-prefs.

        sip_secure_media has always meant optional, so this is less of a change than the alternative of setting true=mandatory. I would find true=mandatory more surprising, as I read rtp_secure_media=true as "enable SRTP" which doesn't imply "force SRTP" to me.

        I don't fully follow your last paragraph. If the variables are not set by the user we should pick a reasonable cipher prefs list by default, and should accept both SAVP and AVP offers (preferring SAVP) and send both SAVP and AVP offers.
        Show
        tc Travis Cross added a comment - Moc: The use of inbound_rtp_cipher_prefs would be to e.g. tell FS which cipher it should pick when given the choice by the offer, or to ensure certain ciphers are never chosen by excluding them from the list. Regarding your parenthetical, as I said, the idea with inbound_* and outbound_* is that they are copied over to the * variable on bridge or (pre)answer. Prefixing with inbound_ and outbound_ is better as it maintains consistency with inbound-codec-prefs and outbound-codec-prefs. sip_secure_media has always meant optional, so this is less of a change than the alternative of setting true=mandatory. I would find true=mandatory more surprising, as I read rtp_secure_media=true as "enable SRTP" which doesn't imply "force SRTP" to me. I don't fully follow your last paragraph. If the variables are not set by the user we should pick a reasonable cipher prefs list by default, and should accept both SAVP and AVP offers (preferring SAVP) and send both SAVP and AVP offers.
        Hide
        git Git added a comment -
        Repository: freeswitch
        Branch: refs/heads/master
        Commit: e5b2915 http://fisheye.freeswitch.org/changelog/freeswitch/?cs=e5b2915
        Updated By: anthm@freeswitch.org

        Comment:
        FS-5755


        FreeSWITCH Support Contracts and Consulting Services available!

        Contact us:
        Email: consulting@freeswitch.org
        Web: http://www.freeswitch.org
        Phone: +1-918-420-9266
        Tollfree: +1-877-742-2583
        Fax: +1-918-420-9267
        iNum: +883 5100 1420 9266


        Come To ClueCon in August to learn more about FreeSWITCH and Internet Telephony!
        http://www.cluecon.com

        Show
        git Git added a comment - Repository: freeswitch Branch: refs/heads/master Commit: e5b2915 http://fisheye.freeswitch.org/changelog/freeswitch/?cs=e5b2915 Updated By: anthm@freeswitch.org Comment: FS-5755 FreeSWITCH Support Contracts and Consulting Services available! Contact us: Email: consulting@freeswitch.org Web: http://www.freeswitch.org Phone: +1-918-420-9266 Tollfree: +1-877-742-2583 Fax: +1-918-420-9267 iNum: +883 5100 1420 9266 Come To ClueCon in August to learn more about FreeSWITCH and Internet Telephony! http://www.cluecon.com
        Hide
        anthm Anthony Minessale II added a comment -
        rtp_secure_media=mandatory
        rtp_secure_media=optional
        rtp_secure_media=mandatory:AES_CM_256_HMAC_SHA1_80,AES_CM_256_HMAC_SHA1_32
        rtp_secure_media=optional:AES_CM_256_HMAC_SHA1_80
        rtp_secure_media=forbidden

        true implies mandatory
        false implies forbidden
        not set implies optional

        rtp_secure_media_inbound or rtp_secure_media_outbound take precedence and are treated the same way based on leg direction
        Show
        anthm Anthony Minessale II added a comment - rtp_secure_media=mandatory rtp_secure_media=optional rtp_secure_media=mandatory:AES_CM_256_HMAC_SHA1_80,AES_CM_256_HMAC_SHA1_32 rtp_secure_media=optional:AES_CM_256_HMAC_SHA1_80 rtp_secure_media=forbidden true implies mandatory false implies forbidden not set implies optional rtp_secure_media_inbound or rtp_secure_media_outbound take precedence and are treated the same way based on leg direction
        Hide
        mochouinard Marc Olivier Chouinard added a comment -
        Travis, my reasoning for rtp_secure_media=true as mandatory is rtp secure media = true, it mean to be secure, so mandatory. If it was rtp_srtp_enable=true, then I would have agreed optional would make sense.

        As for the inbound/outbound first or after... I don't care much, except that if it a standard feature, it would be ok and even useful: Eg: inbound_effective_caller_id_name="Inbound call". But I don't think this is the case now. having everything start with rtp_secure_media might be simpler though to script extracting of variable name and matching them together. But whatever you guys go... I just wanted to give my 2 cent on this one rather than say what should be done.

        For my long comment, I know I wasn't clear (and the reason it was that long too). In the end, Tony patch look perfect. The only thing I find confusing still is the got_crypto variable and the implication of it value, but I won't play with that code, so don't change it for my sake.
        Show
        mochouinard Marc Olivier Chouinard added a comment - Travis, my reasoning for rtp_secure_media=true as mandatory is rtp secure media = true, it mean to be secure, so mandatory. If it was rtp_srtp_enable=true, then I would have agreed optional would make sense. As for the inbound/outbound first or after... I don't care much, except that if it a standard feature, it would be ok and even useful: Eg: inbound_effective_caller_id_name="Inbound call". But I don't think this is the case now. having everything start with rtp_secure_media might be simpler though to script extracting of variable name and matching them together. But whatever you guys go... I just wanted to give my 2 cent on this one rather than say what should be done. For my long comment, I know I wasn't clear (and the reason it was that long too). In the end, Tony patch look perfect. The only thing I find confusing still is the got_crypto variable and the implication of it value, but I won't play with that code, so don't change it for my sake.
        Hide
        brian Brian West added a comment -
        We've done this, Please reopen if the controls we've done aren't what you were thinking, They are outlined in vars.xml in the latest tree.
        Show
        brian Brian West added a comment - We've done this, Please reopen if the controls we've done aren't what you were thinking, They are outlined in vars.xml in the latest tree.

          People

          • Assignee:
            anthm Anthony Minessale II
            Reporter:
            krisk Kristian Kielhofner
          • Votes:
            0 Vote for this issue
            Watchers:
            9 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development