Philippe Sultan's Home Page

IP Telephony

The following links describe the software development work made around the Cisco IP telephony platform. You will find information about how to build Java applications from the Cisco JTAPI implementation and XML phone navigator :

Integration of an external (LDAP, RADIUS) authentication database to a SIP server (Asterisk or OpenPBX) :

SIP peers external authentication in Asterisk / OpenPBX

Some notes gathered during INRIA's SIP.edu integration. This project participates to the promotion fo the SIP protocol, and depicts a SIP architecture that any university can set up to join a growing SIP network.

SIP.edu deployment notes

Some useful links related to IP telephony :

http://www.internet2.edu/sip.edu : SIP.edu working group
http://www.asterisk.org : Asterisk web site
http://www.openpbx.org : OpenPBX web site
http://www.sipcenter.com : documentation and test tools in order to explore the SIP protocol

VPN

An example of how to spoof an outside IPsec VPN server for a VPN client both configured to work in Aggressive Mode + PSK + XAUTH. Test tools and sample code are also available :

A spoofed VPN connection example

An example of how to configure a Cisco IOS router based VPN remote access with RSA signatures :

Configuring a Cisco IOS VPN router with RSA signatures + XAUTH

This solves the VPN spoofing attack based on the XAUTH vulnerability described in these pages. Certificates are handled by a basic CA, using the openssl commands.
Three certificates are needed for such an architecture to work :

A CA certificate
A certificate for the VPN router
A generic certificate dedicated to the clients, as the next step in the client authentication process against the VPN server involves XAUTH

Note : 'basic' CA means no revocation check, nor automatic enrollment. The CA actually builds the CSRs (Certificate Signing Requests) for both the VPN server and clients, and it also processes the CSRs in order to generate the PKCS#12 packages. These packages must be transfered to the VPN server and clients, as they contain the necessary stuff to authenticate using RSA signatures (eg. CA certificate, personal certificate and personal private key).
Transfering the crypto material from a CA to the endpoints in a more automated way can be achieved with SCEP (Simple Certificate Enrollment Protocol). An 'SCEP capable CA' such as OpenCA or IDX-PKI is needed in this case, thus the present document could be completed once we set SCEP up.

Some useful links related to IKE, ISAKMP, IPsec, openssl :

http://www.openswan.org : an IPsec implementation for Linux by the OpenSWAN team
http://www.jacco2.dds.nl/networking/freeswan-l2tp.html : *swan based VPN setup documentation by Jacco de Leeuw
http://ikecrack.sourceforge.net : an IKE authentication crack tool by Anton T. Rager
http://www.madboa.com/geek/openssl : OpenSSL Command-Line HOWTO by Paul Heinlein

SRTP (Secured Real Time Protocol)

SRTP is a protocol that aims to ensure confidentiality and authenticity functions to a given RTP stream. Hereafter, you will find a link to a detailed description of how to encrypt or decrypt and sign clear RTP packets with libsrtp and netfilter on a Linux system :

http://nfsrtp.sourceforge.net

Links related to SRTP and netfilter/iptables :

http://www.faqs.org/rfcs/rfc3711.html : The RFC that defines SRTP
http://srtp.sourceforge.net/srtp.html : The libsrtp project page
http://www.netfilter.org : The netfilter/iptables project page
http://uqconnect.net/~zzoklan/documents/netfilter.html : A good document that details netfilter hooks

Personal

My friend, Daniel Smadja's web site :

http://danielsmadja.free.fr : A great photographer

My friend, Yves Weber's blog :

http://www.yves-weber.net : A business visionary

author : Philippe Sultan


      Created: 2003/02/23 22:42:41

      Updated: $Revision: 1.28 $ $Date: 2006/09/26 16:36:15 $ $Author: sultan $