Inter Asterisk Xchange
IAX is the Inter-Asterisk eXchange protocol used by Asterisk, a dual-licensed open source and commercial PBX server from Digium, and by other softswitches and PBXs. It is used to enable VoIP connections between servers, and between servers and clients that also use the IAX protocol.
IAX now most commonly refers to IAX2, the second version of the IAX protocol. The original IAX protocol has been deprecated almost universally in favor of IAX2.
IAX2 is a very robust and full-featured yet simple protocol. It is agnostic to codecs and number of streams, meaning that it can be used as a transport for virtually any type of data. This capability will be useful as videophones become common.
IAX2 uses a single UDP data stream (usually on port 4569) to communicate between endpoints, both for signaling and data. The voice traffic is transmitted in-band, making IAX2 easier to firewall and more likely to work behind network address translation. This is in contrast to SIP, which uses an out-of-band RTP stream to deliver information.
IAX2 supports trunking, multiplexing channels over a single link. When trunking, data from multiple calls are merged into a single set of packets, meaning that one IP datagram can deliver information for more than one call, reducing the effective IP overhead without creating additional latency. This is a big advantage for VoIP users, where IP headers are a large percentage of the bandwidth usage.
The creation of IAX
The IAX2 Protocol or Inter-Asterisk Exchange Protocol was created by Mark Spencer for Asterisk for VoIP signalling. The protocol sets up internal sessions, and these sessions can use whichever codec they want for voice transmission. The Inter-Asterisk Exchange protocol essentially provides control and transmission of streaming media over IP (Internet Protocol) networks. IAX is extremely flexible and can be used with any type of streaming media, including video; however, it is mainly designed for control of IP voice calls. IAX’s design was based on many common control and transmission standards in use today, including Session Initiation Protocol (SIP, which is the most common), Media Gateway Control Protocol (MGCP) and Real-time Transport Protocol (RTP).
The goals of IAX
The primary goals for IAX were to minimize bandwidth used in media transmissions, with particular attention drawn to control and individual voice calls, and to provide native support for NAT (Network Address Translation) transparency. Another goal is to be easy to use behind firewalls.
The basic structure of IAX is that it multiplexes signalling and multiple media streams over a single UDP (user datagram protocol) stream between two computers. IAX is a binary protocol, designed to reduce overhead, especially in regards to voice streams. Bandwidth efficiency in some places is sacrificed in exchange for bandwidth efficiency for individual voice calls. One UDP stream is easier to set up for users that are behind a firewall.
As stated previously, IAX2 uses one path for both signalling and media. This leads to the following issues:
- According to an email by Mark Spencer, when you use a centralized server and transfer to a media gateway for call completion, the centralized server loses track of the phone call. As a result, the centralized server does not know when the call terminated and cannot provide billing information on that call. Asterisk 1.4 claims support for partial redirects to address this drawback.
- As warned by ISS in a security advisory: an attacker (or a fairly busy network, i.e. enterprise-level) can use up all the available sessions, in which case no future sessions can be assigned until current ones expire or the session ends and they are removed. Sessions are used for call requests, authentication requests, basically any time a unique id is required for a series of related packets. Version 1.2.10 (and above) of Asterisk mitigates the attack by setting the maximum number of unauthenticated requests made for a single username, but it is still possible to fill up this session queue if many usernames are used and there are sufficiently many calls.
- IAX2 does not require a handshake when initiating a call. If a system has any accounts with no password (such as the default account ‘guest’, provided so that others can call via iax2 without having an account), then the media from that call can be used in a DoS attack against anyone that system can route packets to, by saturating the victim’s network. A security advisory by ISS has been issued on this problem, although the only fix appears to be to not let users talk to you without a passworded account on your system.
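Because all IAX2 signalling arrives on the single UDP port described above, a network-side sensor can watch for the session-exhaustion pattern from the first issue by counting call-setup (NEW) requests per source. The following is an added example, not code from the article or from Asterisk; it assumes the full-frame header layout of RFC 5456, and the "capture" it inspects is constructed inline.

```python
import struct
from collections import defaultdict

# IAX2 full-frame header (assumed from RFC 5456, 12 bytes):
#   2 bytes  F bit (1 = full frame) + source call number (15 bits)
#   2 bytes  R bit (retransmit)     + destination call number (15 bits)
#   4 bytes  timestamp
#   1 byte   outbound sequence number
#   1 byte   inbound sequence number
#   1 byte   frame type (0x06 = IAX control frame)
#   1 byte   C bit + subclass (7 bits); for IAX frames subclass 0x01 = NEW
FULL_HDR = struct.Struct("!HHIBBBB")
FRAME_IAX = 0x06
IAX_NEW = 0x01

def parse_full_frame(data):
    """Return (src_call, dst_call, frame_type, subclass), or None for mini frames / short input."""
    if len(data) < FULL_HDR.size:
        return None
    scall, dcall, _ts, _oseq, _iseq, ftype, sub = FULL_HDR.unpack_from(data)
    if not scall & 0x8000:            # F bit clear: mini (media) frame, carries no signalling
        return None
    return scall & 0x7FFF, dcall & 0x7FFF, ftype, sub & 0x7F

def count_new_requests(datagrams):
    """Count IAX NEW (call setup) requests per source IP over (src_ip, payload) pairs."""
    counts = defaultdict(int)
    for src_ip, payload in datagrams:
        hdr = parse_full_frame(payload)
        if hdr and hdr[2] == FRAME_IAX and hdr[3] == IAX_NEW:
            counts[src_ip] += 1
    return dict(counts)

def flag_setup_floods(datagrams, threshold):
    """Source IPs whose NEW count in the observed window reaches the threshold."""
    return sorted(ip for ip, n in count_new_requests(datagrams).items() if n >= threshold)

def make_new_frame(src_call, dst_call=0):
    # Constructed sample: a NEW full frame, timestamp 0, both sequence numbers 0.
    return FULL_HDR.pack(0x8000 | src_call, dst_call, 0, 0, 0, FRAME_IAX, IAX_NEW)

def make_voice_mini_frame(src_call):
    # Constructed sample: mini frame = call number (F bit clear) + 16-bit timestamp + media bytes.
    return struct.pack("!HH", src_call & 0x7FFF, 1234) + b"\x00" * 20

# Constructed capture: 192.0.2.10 opens six calls with fresh call numbers; 192.0.2.20 opens one.
SAMPLE = [("192.0.2.10", make_new_frame(c)) for c in range(1, 7)] + \
         [("192.0.2.20", make_new_frame(42)), ("192.0.2.20", make_voice_mini_frame(42))]

if __name__ == "__main__":
    print(count_new_requests(SAMPLE))
    print(flag_setup_floods(SAMPLE, threshold=5))   # ['192.0.2.10']
```

The threshold and window are site-specific; a per-source count complements Asterisk's own per-username limit, since the second only helps once the username is known.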