Patrick’s Blog(2)

Let’s say you have an Asterisk server that listens on the standard UDP port 5060 and want to use the VoIP client on for example your shiny new Nokia N900. You configure the VoIP client and everything works as advertised via your local WiFi link.

Next you also want to use the 3G/3.5G Internet link on your phone. Security conscious as you are you run into a small problem. Using the standard UDP port 5060 is not a smart thing to do as the usual evil suspects are scanning boxes across the Internet for port 5060 so they can try to hack into it and make free calls. So you need to use a different UDP port. Here’s were the problem starts.

Asterisk can only listen on one port and one IP address. Pretty silly I know but that’s the way it is (unless you switch to FreeSWITCH). Your VoIP client also supports only one UDP port. You could create two profiles in your VoIP client but that’s ugly and not what we want.

We really just want to use a UDP port that is not 5060 that can be used on the local LAN and on the 3G/3.5G link while Asterisk is still listening on UDP port 5060. The solution is simple: on the box running Asterisk add one IPtables port forwarding rule to your firewall. Here’s how to do it:

You need root privileges for all steps.

Make sure your firewall is running before continuing with the next steps:

# service iptables start

Next add the portforwarding rule to IPtables where:

INTERFACE = the interface of your Asterisk box (example: eth0)
IP = the IP address of your Asterisk box (example: 192.168.43.157)
OTHERPORT = the port you configured in the VoIP client (anything but 5060, example 12345)

# cd /etc/sysconfig
# cp iptables iptables.backup
# iptables -t nat -A PREROUTING -p udp -i <INTERFACE> -d <IP> –dport <OTHERPORT> -j DNAT –to <IP:5060>
# service iptables save
# service iptables restart

Now check your shiny new IPtables portforwarding rule:

# service iptables status

And you should see something like this (IP addresses are just examples):

Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source     destination
1   DNAT   udp  --  0.0.0.0/0  192.168.43.157 udp dpt:12345 to:192.168.43.157:5060

To enhance security I would recommend to limit the IP ranges from which the VoIP client can connect by adding IP restrictions to your VoIP client’s profile in /etc/asterisk/sip.conf:

deny=0.0.0.0/0.0.0.0
permit=<IP range1 of GSM provider>/<netmask>
permit=<IP range2 of GSM provider>/<netmaks>
permit=<IP range3 of GSM provider>/<netmaks>

Testing the various codecs using the 3G/3.5G link on my N900 it seems that the iLBC codec at 40ms gave the best results (allow=ilbc:40 under the VoIP client’s profile in /etc/asterisk/sip.conf). Alaw was the clearest but every second letter of words I spoke were dropped. Same for AMR and G.729. This seems to be caused by high packet loss. On the N900 I ran mtr-tiny and saw packet loss as high as 49% and about 30% consistently (WTH?). This might be caused by shaping and prioritizing of UDP by the Telco. Once I have replaced Asterisk with FreeSWITCH I will test again using UDP and TCP to see if using TCP makes a difference.

For even more security use TLS with self-signed client certificates. TLS is supported on Asterisk 1.6.x but I do not know if Asterisk 1.6.x also supports authorization based on client certificates. Again, if you want advanced secure functionality like that you should probably look at FreeSWITCH.

As announced on FreeSWITCH’s frontpage, version 1.0.4 has been released and now supports Skype, ZRTP, H.323 and MRCP: The FreeSWITCH team is pleased to announce the immediately availability of FreeSWITCH version 1.0.4. (Source tarball available here.) This new version contains many improvements in stability and security as well as some notable additions. More information here and digg it here.

In case you are still using Asterisk and haven’t switched to FreeSWITCH yet, Venturevoip has a nice overview of 31 great free applications for Asterisk.

This week I updated the FreeSWITCH test box and decided to hook up a Cisco 7961G phone. To my surprise the 7961G would not register to the FreeSWITCH box. Further investigation showed that the 7961G with firmware 8.3.5 sends the following register to the FreeSWITCH box:

REGISTER sip:10.9.123.36 SIP/2.0
Via: SIP/2.0/UDP 10.4.11.25:5060;branch=z9hG4bK8b5670ec
From: <sip:1000@10.9.123.36>;tag=0016467650c80002ed42b648-ff2b3abc
To: <sip:1000@10.9.123.36>
Call-ID: 00164676-50c80002-86027558-17f7cc0c@10.4.11.25
Max-Forwards: 70
Date: Tue, 15 Apr 2008 21:21:55 GMT
CSeq: 101 REGISTER
User-Agent: Cisco-CP7961G/8.3.0
Contact: <sip:1000@10.4.11.25:5060;transport=udp>;+sip.instance<urn:uuid:00000000-0000-0000-0000-0016467650c8>”;+u.sip!model.ccm.cisco.com=”30018″
Supported: (null),X-cisco-xsi-6.0.2
Content-Length: 0
Expires: 3600

What’s totally wrong with this register is the following line:

Supported: (null),X-cisco-xsi-6.0.2

The “(” and “)” are not allowed there and break the register method. So Cisco’s 8.3.5 SIP firmware is non-RFC compliant.

A correct Supported line looks something like this:

Supported: 100rel, timer, precondition, path

The 7961G register is not even close. I could not believe that Cisco would release firmware with such a bad bug in it so I started to search for anything wrong in the 7961G config files. I couldn’t find anything. Then I decided to downgrade the 7961G to firmware release 8.3.3. Same problem. Finally I decided to downgrade the 7961G even further to firmware release  8.2.1. And guess what. The 7961G sends a correct register request and subsequently registers fine with the FreeSWITCH box.

So what’s going on here? How could Cisco’s quality control miss this one? Or couldn’t they care less about SIP because they use SCCP with their Callmanager product? I don’t know but it sure seems like a good idea to steer clear from Cisco phones when using them with a non-Cisco VoIP PBX. Seems the general opinion in the Open Source VoIP community that you better buy Polycom, Aastra or Snom holds in this case.

New Scientist has an interesting article about the vulnerability of encrypted VoIP packets: “Security researchers at Johns Hopkins report that a variable bit-rate compression scheme being rolled out on VoIP systems leaves encrypted calls vulnerable to bugging. Simpler syllables are squeezed into smaller data packets, with more complex ones taking up more space; the researchers built software that uses this to spot phrases of interest in encrypted calls simply by measuring packet size.”. Time to disable those VBR codecs when making TLS/SRTP calls.