Add support of encryption of RTP Header Extentions #14
Comments
|
I use a proprietary testing platform (Ixia) that makes extensive use of RTP header extensions and I'd like to use it with various projects that use libsrtp. I see there hasn't been any follow-up or progress on this. I'm not a C programmer but is there anything I can do to help add support for RTP header extensions? |
|
Do you know which RTP header extensions are used by Ixia? Are they On 10/30/2013 03:28 PM, Kristian Kielhofner wrote:
|
|
Unfortunately I don't have much experience with RTP header extensions either. This is what Wireshark says: Real-Time Transport Protocol |
|
I don't know the full history on why support for header extensions was never added. One concern is the header extensions are not encrypted. This may result in leaking information about the session. The RTP application developer may not be aware of the security ramifications associated with the data they choose to include in the extension. If you're willing to help test, we could pull a branch to experiment with header extension support. Having not looked at this in detail, it's difficult to estimate how much work is required to support this. I suspect there's not a lot of code to write. But testing it properly will take more effort. Any chance you can provide the pcap file so I can load this into wireshark myself? |
|
Unencrypted (but authenticated) header extensions, as defined in RFC 3711, work. RFC 6904 encrypted header extensions aren't currently supported. Adding support for them wouldn't be very difficult; the trickiest thing would be defining a sensible API for them, since you need to configure which header extension elements are encrypted and which ones aren't. However, RFC 6904 only defines encryption of RFC 5285-style header extensions. Looking at Kristian's wireshark capture, it doesn't look like he's using RFC 5285 header extensions -- his "defined by profile" field is 17408 (0x4400 hex), whereas for RFC 5285 header extensions it should either be either 48862 (0xBEDE hex) for the one-byte-header form, or else in the range 4096-4111 (0x1000 - 0x100F hex) for the two-byte header form. On Oct 30, 2013, at 4:33 PM, John Foley <notifications@github.commailto:notifications@github.com> I don't know the full history on why support for header extensions was never added. One concern is the header extensions are not encrypted. This may result in leaking information about the session. The RTP application developer may not be aware of the security ramifications associated with the data they choose to include in the extension. If you're willing to help test, we could pull a branch to experiment with header extension support. Having not looked at this in detail, it's difficult to estimate how much work is required to support this. I suspect there's not a lot of code to write. But testing it properly will take more effort. Any chance you can provide the pcap file so I can load this into wireshark myself? — |
|
Thanks for the background information, this is very helpful. However, I'm confused with the Ixia issue. Is Ixia using libsrtp to generate SRTP traffic? My initial assumption was Ixia was simply generating RTP traffic, with the RTP->SRTP encapsulation occurring somewhere on the network. But if unencrypted header extensions are currently working today in libsrtp, this implies Ixia is using libsrtp to generate the SRTP traffic itself or there's a bug. Maybe krisk84 can provide some more detail on the Ixia configuration and network topology. |
|
I can provide the full capture via e-mail: The Ixia is generating the SRTP stream natively using some unknown/proprietary implementation. The tshark packet detail I provided is from the Ixia SRTP stream towards FreeSWITCH (latest master). I'm unable to tell if FreeSWITCH decodes the received SRTP packets but the outbound SRTP stream (from FreeSWITCH to Ixia) reports "SRTP protection failed with code 8" on the FreeSWITCH console (code here): http://fisheye.freeswitch.org/browse/freeswitch.git/src/switch_rtp.c?hb=true#to5795 FreeSWITCH currently uses a fairly old version of libsrtp so (for kicks) I updated it to a current checkout of the feature-openssl branch and applied this patch: https://codereview.chromium.org/21094005/ In this configuration FreeSWITCH now reports "SRTP protection failed with code 2". If it helps I'm compiling against OpenSSL 1.0.1e. Plain RTP streams between FreeSWITCH and the Ixia work perfectly. If it helps, I'm using IxLoad and this load module: http://www.ixiacom.com/products/xcellon/xcellon_ultra_np_load_module/index.php Hopefully this helps clarify my situation. Thank you all for your responses! |
|
Do you know if Ixia is encrypting the RTP header extension? Looking at It would be interesting to see the result of this test w/o the Chromium Is there any way to disable encryption of the RTP header extension on On 10/30/2013 07:03 PM, Kristian Kielhofner wrote:
|
|
I don't know if the Ixia is encrypting the extensions or not but if I re-run the test without SRTP enabled they are different. However, seeing as I have no idea what the extensions are used for this isn't definitive. I will be able to retry this test tomorrow with the latest libsrtp with FreeSWITCH without the Chromium patch applied. |
|
Thanks for sending the full wireshark capture. There are a couple of Second, the header extension values coming from the other device appear Defined by profile: 0x4400 But the other side is sending: Defined by profile: 0x0044 This results in a 'malformed packet' error in wireshark since it's On 10/30/2013 07:03 PM, Kristian Kielhofner wrote:
|
|
Testing today with libsrtp/feature-openssl and without the Chromium patch applied it reverted back to returning error code 8 on srtp_protect. I will work with FreeSWITCH on the byte swap issues. |
|
If anyone is interested it was fixed with this commit: http://fisheye.freeswitch.org/changelog/freeswitch.git?cs=b0d95efd09d010154a8422c611feb64c64a1e71f |
|
Closing this issue since it appears to have been fixed in freeswitch. |
No description provided.
The text was updated successfully, but these errors were encountered: