Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vovida's VOCAL Softswitch Freed

Posted by timothy on from the no-parole-no-nothin'-free dept.

bko writes: "Our software, VOCAL, won a Computer Telephony Magazine award for Product of the Year (it's at the bottom of the page), mostly because they liked the idea of Open Source Voice over IP software. Well, we've finally been able to release all of it (not just part) at our website. CVS access coming soon (we hope). Currently compiles on Red Hat 6.2 and Solaris, diffs accepted for more OSen (I'll do FreeBSD when I get a chance). Since the site is vague about what's in VOCAL, try this Technology Overview (sorry, pdf) for more info. Basically, there's a working VoIP softswitch in there, under a BSD-style license." Open Source Telephony software is a good deal all around, so this is quite nice news. (See also this story about David Sugar's Bayonne Project.)

3 of 49 comments (clear)

  1. Re:problematic VoIP by stripes · · Score: 3
    Why aren't VoIP calls encrypted? Because on-the-fly encryption and decryption takes time, and time is at an utter premium in a VoIP connection. The overall latency of a VoIP call must be less than 250 mSec to approximate toll quality.

    Encrypting a stream (w/ blowfish) seems to take well under 5msec on my (two year old) machine. Five years ago (which I think is when VoIP was formed) it would have been 10msec. Not too bad if 250msec is your goal.

    Now I don't think 250msec is a good goal. Isn't that like .25 seconds?!! I think 100msec is the upper bound for things like command line user interfaces, and I think GUI's as well. If 100msec is the goal, 10msec is a lot harder to justify, esp since coast to coast latency tends to be 70ms on leased lines.

    However I think there are two bigger reasons encryption isn't part of standard VoIP. Five years ago it was almost impossible to do open source crypto in the USA, and doing closed source export crypto was quite painful. In fact doing close source export crypto is still a pain. Ask Apple why SSH was in the preview releases, but failed to make it to the final release.

    The other reason? People don't see it as worse then the existing unencrypted phone system. It may actually be worse (simpler to divert IP traffic, probably simpler to systemicly monitor as well), but most people don't see it as worse.

    I have another viewpoint. A new technology shouldn't strove to be "as good as" an old one. It should try to "hit the ball out of the park". Crush the old one. Faster, better, stronger. Old one's not safe? The new one is a Volvo. Old one is a tad slow? New one finishes as your finger leaves the enter key. Never aim for second best, there are enough things pulling you down anyway...

  2. problematic VoIP by deran9ed · · Score: 3

    There are three main issues of VoIP security. One is authentication: Is the party who answered the call the intended destination? Another is nonrepudiation: Once a destination accepts a call, is there anything in place that prohibits it from denying receipt of the connection? Finally, there's privacy: Is the call content secure? Authentication and nonrepudiation are important.

    Without gateway-to-gateway encryption, VoIP packets are vulnerable to sniffingng. All it takes to intrude is one IP packet monitor sniffing somewhere on the network, watching for VoIP packets and storing them on a hard drive for playback later on.

    In addition to commercial devices for monitoring and troubleshooting IP traffic streams, sniffers are available as free software and most come with source code (or as source code) that can be easily modified for tapping.

    It's kind of like the early days of cordless phones. It took a while for users of those to realize they were being tapped. FCC regulations prohibiting the sale of the scanners that pick up certain bands allocated to wireless telephony didn't provide much of a barrier. And the information necessary to modify common scanner models was widely available. Later, the same became true with regard to analog cell phones.

    IP packet monitors are much like those scanners. Few of the commercially available devices snoop VoIP streams right out of the box. Neither can most of the free software tools available enable VoIP snooping without modification. But either can become a fully automated, programmable VoIP tap. Why aren't VoIP calls encrypted? Because on-the-fly encryption and decryption takes time, and time is at an utter premium in a VoIP connection. The overall latency of a VoIP call must be less than 250 mSec to approximate toll quality. Add milliseconds, and the perceived quality of the call drops. For an industry still working for broad acceptance, call quality is paramount.

    Even though encryption is a component of the H.323v2 standard, it's likely to be one of the last features implemented. Although each involves different skills and technologies, the same blackguards who'll tap your PSTN lines are the ones who'll sniff VoIP links. Any data that can be stolen from analog conversations is at risk in a digital link too. The difference, generally, is that analog lines can be tapped only one at a time, VoIP lines can be tapped by a whole T-span or more at once. There's also no real way to detect a VoIP tap, except by locating an unauthorized system on the network.

    Internal snooping is easier and more likely than an outside tap, unless your network can be compromised at some outside point.

    But the most important thing to remember is that VoIP calls can be tapped. Until you have gateways that encrypt the call end to end, treat VoIP calls as "unsecure" - especially if they leave your private network. And any calls passing through the 'Net should be regarded as no more secure than a CB radio conversation.

    Good article on VoIP... RFP: VoIP invasion, are you ready for it?

    Be advised, the article is over 10+ pages long, and it gets boring

    view the source Luke!

    --
    360 degrees of Karma
  3. Re:Late and Never by vidarh · · Score: 3
    What kinds of VoIP systems have you used? I tested VoIP two years ago that was available then, and that delivered chrystal clear trans-atlantic calls over the public internet at low bandwidths, and I tested 9.6kbps systems that gave better quality than most residential analog phones I've used.

    Of course, if you're using VoIP over networks that are also being used for data transfers without switching or quality of service limitations on data transfers, VoIP will suck, because someone will eat up the needed bandwidth.

    As for Vovida's system, it seems mostly geared at integrators that wish to put together either custom systems or telephony "appliances" to place with customers. It seems well suited both as a full PBX solution for corporate use, as well as for components if you want to build larger, carrier type, systems.

    Obviously, if you want to build carrier type systems you'll need to know what you're doing, and the software is only a small part of what you need.