
Re: [Linphone-developers] Lots Of Configuration Questions.


From: Simon MORLAT
Subject: Re: [Linphone-developers] Lots Of Configuration Questions.
Date: Thu, 15 Sep 2016 18:58:35 +0200

Hi David,

Please find below my answers for some of your questions, inlined below.



1: In my research, I found a link that says "...integrity protection might not be used" for SRTP, which I understand is used as the basis of all popular SIP encryption methods. Is this something to be concerned about? There are also a few other points of interest for implementation of non-ZRTP methods but they may be common knowledge.



I think that it refers to the fact that packet hmac is optional in SRTP. However, its presence is negotiated by clients within the SDP offer/answer model. It is only a matter of client configuration to decide that hmac is mandatory.
 

2: According to Wikipedia, MIKEY (rfc-3830) can be used to determine session keys for use with SRTP. Is this used only for 3DES or also for DTLS? Would both clients need to be specifically configured to use MIKEY? I don't know if this is beneficial or perhaps already default but it is interesting to me because I have not heard of it before.

I have no experience with mikey, unfortunately.

 


3: In Linphone GUI, when I select ZRTP the "Media encryption is mandatory" checkbox becomes unclickable. Is this because ZRTP is opportunistic? I would like this to be required, or at least required for contacts who have used it before. I imagine that, without this requirement, down-grade attacks would be possible. I might also like to configure DTLS to be required when ZRTP is not available but this does not appear to be possible from the GUI. Are these sort of settings normally configured in a text file?

Actually "media encryption mandatory" only works for normal SRTP (SDES), so that the call is declined if the other party doesn't support SRTP.

 


4: How can I specify which key exchange methods should be allowed, which should not be allowed, and the priority in which the methods should be preferred?

From the linphonerc config file you can specify the supported SRTP profiles, for example:
[sip]
srtp_crypto_suites=AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32, AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32
 


5: IPv6 is very intimidating for a number of reasons but why is the option to allow it disabled by default? I understand it is usually not necessary but is there some risk associated with its use? If IPv6 traffic is allowed, does that mean it is preferred by Linphone?

If IPv6 is allowed and the SIP server to which Linphone is registering has an IPv6 in DNS, then IPv6 will be preferred indeed.
There is no risk theoretically but unfortunately we see that IPv6 is not working well with certain routers or dsl boxes, even though devices are provided with IPv6 addresses.
Turning it off will, in such cases
 


6: Is text messaging handled through MSRP and CEMA? Are there provisions for end-to-end encryption, such as O.T.R.?

Messaging is handled by SIP MESSAGE request. We have our own end to end encryption called LIME, that is based on ZRTP for key exchange and MITM verification.
This is a feature in the library that is not exposed in the UIs for the moment.
 


7: I understand Linphone supports R.F.C. 3994 (indication of composition) and 3856 (presence) but do these rely on an intermediary server or do they also function normally in P2P? When adding a contact, there are options to configure presence but not indication of composition; this seems a bit strange since they are similar in nature. Are the settings for indication of composition also available per contact?

Presence can work p2p without the assistance of a presence server. It is configured by enabling presence subscription on LinphoneFriends (ie contacts).
Composition indication works independently and I think cannot be turned off.
 
 

8: Liblinphone seems to support rfc-3323 through "enum _LinphonePrivacy" but I could not find relevant settings in the Linphone GUI. How should I configure my client on Windows or Linux?

This is a library only feature.
 

9: Is it possible to broker file transfers through SIP with Linphone? I found an interesting I.E.T.F. draft and I suspect this approach has been assumed by the Blink client software, though I cannot confirm. Here is a link to the draft: https://tools.ietf.org/html/draft-ietf-mmusic-file-transfer-mech-11

The file transfer is supported in iOS and Android apps. It is indeed supported in desktop edition. This is a feature implemented in the library.

Best regards,

Simon 




Those are all of my questions for now but I would also like to provide a quick commentary on some of the messaging clients I have recently tested. Jitsi makes security easy with options for DNSSEC and Tor binding. Blink advertises screen sharing and file transfers. Wire advertises decentralised service and simple account creation. Telepathy advertises VNC integration and Pidgin advertises support for numerous communication protocols/services. Obviously many of these features would be practically impossible to build into Linphone but I wanted to mention them all in one place since they are all good features. If it is ever convenient to build any of them into Linphone, I think they would be useful.

Thanks for reading if you've gotten this far!


_______________________________________________
Linphone-developers mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/linphone-developers
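
Added example, not part of the original message and not Linphone code: a small audit of the srtp_crypto_suites line from answer 4 and of SDES a=crypto lines in an SDP body, flagging entries that weaken the packet HMAC discussed in answer 1. The 80-bit threshold, the sample SDP and the placeholder key are assumptions; the UNAUTHENTICATED_SRTP session parameter comes from RFC 4568, not from the page.

```python
import configparser
import re

# Authentication tag length in bits for the suite names quoted in the message.
TAG_BITS = {
    "AES_CM_128_HMAC_SHA1_80": 80, "AES_CM_128_HMAC_SHA1_32": 32,
    "AES_256_CM_HMAC_SHA1_80": 80, "AES_256_CM_HMAC_SHA1_32": 32,
}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed samples; the key material is a placeholder, not a real key.
SAMPLE_RC = """[sip]
srtp_crypto_suites=AES_CM_128_HMAC_SHA1_80, AES_CM_128_HMAC_SHA1_32, AES_256_CM_HMAC_SHA1_80, AES_256_CM_HMAC_SHA1_32
"""
SAMPLE_SDP = """m=audio 7078 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:PLACEHOLDER
a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER UNAUTHENTICATED_SRTP
"""

def configured_suites(rc_text):
    """Ordered suite list from srtp_crypto_suites in the [sip] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(rc_text)
    raw = cp.get("sip", "srtp_crypto_suites", fallback="")
    return [s.strip() for s in raw.split(",") if s.strip()]

def suite_problem(suite, params="", min_bits=80):
    """Return a reason string if the suite weakens packet integrity, else None."""
    if "UNAUTHENTICATED_SRTP" in params.split():
        return "authentication disabled by session parameter"
    if suite not in TAG_BITS:
        return "unrecognised suite"
    if TAG_BITS[suite] < min_bits:
        return "%d-bit authentication tag" % TAG_BITS[suite]
    return None

def audit_config(rc_text, min_bits=80):
    """(suite, reason) for each configured suite below the integrity policy."""
    return [(s, p) for s in configured_suites(rc_text)
            if (p := suite_problem(s, min_bits=min_bits))]

def audit_sdp(sdp, min_bits=80):
    """(tag, suite, reason) for each a=crypto line below the integrity policy."""
    findings = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m and (p := suite_problem(m.group(2), m.group(4) or "", min_bits)):
            findings.append((m.group(1), m.group(2), p))
    return findings
```

Removing the flagged suites from srtp_crypto_suites leaves only 80-bit-tag profiles for the client to offer or accept.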


