[Solar-general] Fwd: David Sugar's Latest on SIP Witch and VoIP Freedom
Diego Saravia
dsa at unsa.edu.ar
Thu Aug 27 18:27:02 CEST 2009

Secure VoIP, GNU SIP Witch, and replacing Skype with Free Software
David Sugar
August 26, 2009 11:51 pm

For the last few years I had been working on what is called the GNU
Telephony Secure Calling initiative
(http://www.gnutelephony.org/index.php/Secure_Call). The GNU Telephony
Secure Calling initiative was itself originally formed specifically to
make passive voice communication intercept a thing of the past using
free software and public standards, and came out of ideas from and
work of the New York City civil liberties community and New York Fair
Use in the early part of this decade.

While it is true that technological means for mass communication
intercept has grown with incremental improvements in communication
technology, the means to apply and use encryption techniques to
counter these abuses and offer communication privacy on a large scale
using free software have also become possible. Given the nature of
this project, important work had been done by volunteers and
contributors in Europe such as Werner Dittmann who created the ZRTP
compliant stack we use, over the summer of 2006, and Federico Pouzols,
who re-wrote the RTP stack I originally authored for use in GNU
Bayonne. The use of non-US contributors was specifically encouraged to
avoid putting additional people in potential danger in the United
States for working on cryptographic systems for worldwide public use
specifically to avoid communication intercept.

One result of the initiative was creation of the GNU ZRTP stack (and
our related GNU ZRTP4J now used in SIP communicator). The project was
first publicly introduced in October 2006 during the 4th
International Free Knowledge conference, where a complete ZRTP enabled
client (the Twinkle softphone) became immediately available for use by
anyone through Debian GNU/Linux for establishing simple secure point
to point VoIP calls over the public internet. This offered a basic
means of establishing secure calls using Phil Zimmermann’s ZRTP
protocol and a free software licensed implementation, but did not
offer a means to truly integrate and manage secure calling or make it
a standard or easy to deploy internet user service.

This latter goal became possible through the development of GNU SIP
Witch, which can be used to create and deploy network scalable secure
privacy enabling VoIP solutions for individuals, private
organizations, and even national governments. My focus in this project
over the past year has been on this recently introduced GNU SIP Witch
package. While this package is still rather new, there is a basic
howto for system admins to use and deploy GNU SIP Witch with Ubuntu
GNU/Linux, and this can be found at
http://www.gnutelephony.org/index.php/Howto_Deploy_SIP_Witch_On_Ubuntu.
Ideally I would like to do far more to make it easier to deploy secure
calling networks without requiring system admin skills.

GNU SIP Witch is different from many other VoIP servers, such as for
example Asterisk, in that it never establishes media connections with
or through a server, and hence does no protocol conversion or media
operations that would otherwise require decrypting a secure audio
session in a central location. Instead it relies on published open
standards and the SIP protocol to coordinate secure endpoints which
can then form direct peer to peer media connections. This means these
media sessions are not decrypted by a central server, nor are
encryption keys shared with or managed by a central server.

One use case for GNU SIP Witch is as a kind of distributed domain service
to handle inbound VoIP calls directly received over the public
Internet for the SIP protocol much like something like sendmail does
for SMTP. In this role, one could then create local publicly reachable
SIP identities (URIs) that match email addresses and thereby offer a
consistent means of contact. This eliminates the need for some kind of
centralized “registry” of callable users which so many other schemes
and services wish to rely upon since we can make use of DNS and
individually run services. This suggests an alternate and much more
distributed model for enabling secure public voice, video, and instant
messaging contact to that of Skype, the latter of which requires a
central user directory and control point, as well as using source
secret protocols and methods which cannot be independently validated.

Another interesting use case is that of creating a secure calling
“domain” in conjunction with an already existing insecure VoIP
infrastructure, such as for example might be offered by Asterisk. Used
this way SIP Witch will maintain both a secure and “insecure” identity
for each ZRTP enabled node it is used to manage. The insecure identity
will be cross-registered to the insecure IP-PBX so insecure users can
reach users in the secure domain. Similarly, all non-secure
destinations dialing from a secure VoIP user agent are automatically
routed through the insecure IP-PBX. Dialing a secure destination from
a secure user agent will however bypass the insecure IP-PBX entirely,
and establish a direct peer to peer media session.

A while back I was asked about speaking at LinuxCon 2009 about this
project, and now I am ready to do so. Given my topic, I am uncertain
as to whether LinuxCon is really ready for me. However there is a
preliminary copy of my presentation next month now available at
http://www.gnutelephony.org/data/linuxcon2009.odp and
http://www.gnutelephony.org/data/linuxcon2009.pdf for those curious
about my talk next month.

--
Diego Saravia
Diego.Saravia at gmail.com
DOES NOT WORK->dsa at unsa.edu.ar