
Understanding IAX2 (Inter-Asterisk eXchange)


[b]IAX2 (The “Inter-Asterisk eXchange” Protocol)[/b]

IAX2 trunks can typically provide up to 28 high quality voice channels over a standard DSL line, providing enormous cost savings against typical incumbent provider line services.

The IAX protocol was developed by Digium for the purpose of communicating with other Asterisk servers (hence “the Inter-Asterisk eXchange protocol”). IAX2 is a transport protocol (much like SIP) that uses a single UDP port (4569) for both the channel signalling and Real-time Transport Protocol (RTP) streams. As discussed below, this makes it easier to firewall and more likely to work behind NAT. IAX2 also has the unique ability to trunk multiple sessions into one dataflow, which can be a tremendous bandwidth advantage when sending a lot of simultaneous channels to a remote box. Trunking allows multiple data streams to be represented with a single datagram header, to lower the overhead associated with individual channels. This helps to lower latency and reduce the processing power and bandwidth required, allowing the protocol to scale much more easily with a large number of active channels between endpoints.

IAX2 was optimized for voice and now supports video—but in fact, IAX2 holds the potential to carry pretty much any media stream desired. Because it is an open protocol, future media types are certain to be incorporated as the community desires them.

[b]Security considerations[/b]
IAX2 includes the ability to authenticate in three ways: plain text, MD5 hashing, and RSA key exchange. This, of course, does nothing to encrypt the media path or headers between endpoints. A common workaround is a Virtual Private Network (VPN) appliance or software that encrypts the stream at another layer, which requires the endpoints to have these tunnels configured and operational in advance. IAX2 is now able to encrypt the streams between endpoints with the use of an exchanged RSA key, or dynamic key exchange at call setup, allowing the use of automatic key rollover. This is very attractive for creating a secure link with an institution such as your bank. The various law enforcement agencies, however, are going to want some level of access to such connections.
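To make the MD5 option concrete, here is an added example (not code from the original article or from Asterisk) of the server side of the IAX2 MD5 challenge-response: per RFC 5456 the MD5 RESULT is the hex digest of the challenge string followed by the shared secret. The peer name, secret and function names are constructed for illustration; the point is that the secret never crosses the wire, a fresh challenge defeats a replayed response, and the comparison should be constant-time.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential table: peer name -> shared secret, as the
# server would hold it. Not taken from any real deployment.
PEER_SECRETS = {"branch-pbx": "correct horse battery staple"}


def new_challenge() -> str:
    """Issue a fresh random challenge string for an AUTHREQ.
    RFC 5456 carries the challenge as a UTF-8 string; a numeric string is
    the conventional form."""
    return str(secrets.randbelow(10**9)).zfill(9)


def md5_result(challenge: str, secret: str) -> str:
    """MD5 RESULT as defined by RFC 5456: hex MD5 of challenge || secret.
    Only the challenge and this digest appear on the wire, never the secret."""
    return hashlib.md5((challenge + secret).encode("utf-8")).hexdigest()


def verify_md5_auth(peer: str, challenge: str, result: str) -> bool:
    """Server-side check of an AUTHREP. Constant-time comparison so the
    verifier does not leak how many leading hex digits matched."""
    secret = PEER_SECRETS.get(peer)
    if secret is None:
        return False
    expected = md5_result(challenge, secret)
    return hmac.compare_digest(expected, result.lower())


def demo() -> dict:
    """One successful exchange, then the same response replayed against
    a new challenge (which must fail)."""
    peer, secret = "branch-pbx", PEER_SECRETS["branch-pbx"]
    chal1 = new_challenge()
    rep1 = md5_result(chal1, secret)  # what the peer sends back
    ok_first = verify_md5_auth(peer, chal1, rep1)
    chal2 = new_challenge()
    while chal2 == chal1:  # ensure the second challenge really differs
        chal2 = new_challenge()
    ok_replay = verify_md5_auth(peer, chal2, rep1)
    return {"first_ok": ok_first, "replay_ok": ok_replay}
```

With plain text authentication the AUTHREP carries the secret itself, so MD5 is the minimum worth using; as the paragraph above notes, neither method protects the media, which needs the RSA/encryption options or a VPN.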

[b]IAX2 and NAT[/b]
The IAX2 protocol was deliberately designed to work from behind devices performing NAT. The use of a single UDP port for both signalling and transmission of media also keeps the number of holes required in your firewall to a minimum. These considerations have helped make IAX2 one of the easiest protocols (if not the easiest) to implement in secure networks.