Verifying IAX encryption

Hello;

I am attempting to verify IAX2 encryption with wireshark using this page as a guide:

panoramisk.com/85/iax-trunk- … hering/en/

I am capturing packets on my local machine, and making a call from a second computer on my lan, the asterisk computer is located remotely.

In iax.conf, I comment out all lines dealing with encryption, restart asterisk and make a call. The captured packets all show:

40 9.705337 192.168.1.11 xxx.xxx.xxx.xxx IAX2 Voice, source call# 25, timestamp 6340ms, GSM compression

or

48 9.845138 192.168.1.11 xxx.xxx.xxx.xxx IAX2 Mini packet, source call# 25, timestamp 6480ms, GSM compression

According to the web page, I should see ‘unknown’ instead of the GSM voice compression.

For an encrypted test, I have used (in the general section of iax.conf):

encryption=aes128

or

encryption=yes

and/or

forceencryption = yes

In each extension, I have set:

auth=md5

and

encryption=aes128

or

encryption=yes

Each iax.conf change is followed by unregistering the client software (zoiper), restarting asterisk, ‘iax2 reload’, re-registering the zoiper clients, and making a call.

For the tests, ‘iax2 show peers’ shows:

911/911 xxx.xxx.xxx.xxx (D) 255.255.255.255 64938 (E) OK (188 ms)
912/912 xxx.xxx.xxx.xxx (D) 255.255.255.255 49492 (E) OK (198 ms)

So I am assuming that the md5 auth is working ok.

Each test comes up with the same result in wireshark. Am I looking for the wrong thing in wireshark?

EDIT - I should also include that I am using version:

Asterisk 1.6.0.9 built by (me) on a i686 running Linux on 2009-04-22 17:43:59 UTC

Ubuntu Linux 8.04.2
Linux 2.6.24-23-server on i686

Sorry; really should add this here too because it is related:

Concerning this page:

voip-info.org/wiki/view/IAX+encryption

Where can I find the information in the sections:

"the debug output of our control data looks like this: "

and

"… and the voice data: "

I have set the debug parameters as indicated and checked the logs but cannot find this data?

Does anyone have any ideas on this?

Here is some more data:

If you use wireshark to capture the IAX call, starting the capture BEFORE the call is initiated, you can see the information for the call, i.e. the codec used (GSM in my case), the IP addresses, etc.

This is the result both WITH encryption enabled AND disabled.

However, if you start the capture AFTER the call is initiated, you see the ‘unknown’ information that is described in my reference page above.

Has anyone else tried this? What were your results? Am I doing this wrong?

In addition - I downloaded a free trial of Unsniff Network Analyzer, which claims to have the ability to replay captured packets. Attempting to do so fails; if I export the conversation to a WAV file, the WAV is unreadable; importing it into audacity as RAW data produces unintelligible sounds, but it seems that the waveforms are still there.

Is this proof enough that this IAX2 voice encryption is working?

I would try doing the Unsniff test with encryption enabled and disabled to see if you get different results.

I have never played with IAX encryption, so I can’t offer anything more useful.

That is exactly what I did (although I guess I left that detail out - sorry)

I did the captures with unsniff with the encryption options both off and on, and got seemingly similar results. I made sure to restart asterisk AND do a ‘iax2 reload’ before registering the iax clients. I also verified with ‘iax show peers’, looking for the telltale (E) to denote encryption as noted in the voip-info wiki.

I have been testing the TLS/SRTP encryption and have had some results, but the lack of softphone clients that support it makes me very interested in this IAX feature.

I am still wondering about these lines at this page:

[quote]the debug output of our control data looks like this:

TE-Frame Retry000 — OSeqno: 009 ISeqno: 009 Type: IAX Subclass: LAGRP
Timestamp: 20004ms SCall: 00001 DCall: 00004 192.168.25.10:4569
Feb 15 14:09:22 DEBUG17937: chan_iax2.c:3875 encrypt_frame: Encoding full frame 6/12 with length 12
Feb 15 14:09:22 DEBUG17937: chan_iax2.c:3883 encrypt_frame: Encoding full frame 6/12 with length 12 + 24 padding (15=28)

… and the voice data:

Feb 15 14:09:23 DEBUG18288: chan_iax2.c:3891 encrypt_frame: Encoding mini frame with length 164
Feb 15 14:09:23 DEBUG17937: chan_iax2.c:3851 decode_frame: Decoding mini with length 194 [/quote]

I have tried various settings in logger.conf and various debug levels - but I never see this output?

I have some further data:

I stumbled across this page, which states that wireshark will not play RTP streams with codecs other than ulaw and alaw.

I assumed that possibly this could be the case with unsniff, and IAX2.

So, I reset my codecs to only allow ulaw and alaw, then did some captures with both SIP and IAX2, on wireshark and unsniff.

SIP calls play back as expected.

IAX2 call playback is not supported in wireshark, so I tried using unsniff.

Playback is loud and clear with encryption OFF and ON.

EDIT: I am doing capture tests on my local machine, and also at the remote server using tcpdump. I am getting the same results with each.

What am I doing wrong here?

Here is a sample of my iax.conf that I am using for testing:

[general]

disallow=all
;allow=gsm
allow=ulaw
allow=alaw

bindaddr=0.0.0.0
encryption=aes128
;encryption=yes
forceencryption=yes

authdebug=0

[901]
type=friend
host=dynamic
username=901
auth=md5
secret=xxxxxx
trunk=no
notransfer=no
encryption=aes128
context=iax_phones

[911]
type=friend
host=dynamic
username=911
auth=md5
secret=xxxxxx
trunk=no
notransfer=no
encryption=aes128
context=iax_phones

Can I provide any more info to help verify this feature?

Found the solution by talking with some folks on IRC:

The IAX2 voice encryption does not work in 1.6 (client to client at least), and furthermore it seems that the software clients do not support it either.

Back to the drawing board.

IAX2 encryption does work in Asterisk 1.6. It was that the clients you were using do not support it, regardless of what Asterisk version you use.

The “forceencryption” option is what didn’t work in 1.6.0, as it is a new option added later.

Just reread the transcript - you are right; sorry for the confusion
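
As an added example (not from any poster in this thread or from the Asterisk project), the check attempted by eye above can be scripted over the UDP payloads of a capture on port 4569: per RFC 5456 a cleartext mini frame is a 15-bit source call number followed by the low 16 bits of the timestamp, so a steadily advancing timestamp means the voice path is readable. It assumes encryption covers everything after the call number, so the same field looks random on an encrypted call; the function names and both sample calls are constructed.

```python
import hashlib
import struct
from collections import defaultdict


def parse_mini(payload):
    """Return (source_call, ts16) for an IAX2 mini frame, else None."""
    if len(payload) < 4:
        return None
    word, ts16 = struct.unpack("!HH", payload[:4])
    if word & 0x8000 or word == 0:  # F bit set: full frame; call number 0: meta frame
        return None
    return word, ts16


def classify(payloads, max_step_ms=60, threshold=0.8):
    """Map each source call number to a verdict based on timestamp regularity."""
    calls = defaultdict(list)
    for payload in payloads:
        frame = parse_mini(payload)
        if frame:
            calls[frame[0]].append(frame[1])
    verdicts = {}
    for call, stamps in calls.items():
        if len(stamps) < 4:
            verdicts[call] = "insufficient data"
            continue
        # Mini frames carry only the low 16 bits of the timestamp, so allow wrap-around.
        deltas = [(b - a) & 0xFFFF for a, b in zip(stamps, stamps[1:])]
        steady = sum(1 <= d <= max_step_ms for d in deltas) / len(deltas)
        # Assumption: ciphertext in the timestamp field will not advance in small steps.
        verdicts[call] = "cleartext" if steady >= threshold else "likely encrypted"
    return verdicts


# Constructed samples. Call 25: readable ulaw silence, 20 ms apart, 164 bytes each.
CLEAR = [struct.pack("!HH", 25, 6340 + 20 * i) + b"\xff" * 160 for i in range(8)]
# Call 26: hash output standing in for ciphertext after the call number, 194 bytes each.
ENCRYPTED = [struct.pack("!H", 26) + hashlib.sha256(b"constructed %d" % i).digest() * 6
             for i in range(8)]

if __name__ == "__main__":
    for call, verdict in classify(CLEAR + ENCRYPTED).items():
        print(f"source call {call}: {verdict}")
```

A capture in which Wireshark still labels frames as Voice with a codec and a sensible timestamp corresponds to the "cleartext" verdict here, whatever iax.conf says.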