What is IAX?
IAX (Inter-Asterisk eXchange) is a call-control protocol for VoIP (Voice over Internet Protocol) native to Asterisk PBX and supported by a number of other softswitches and PBXs. IAX was created by Mark Spencer for Asterisk for VoIP signaling, to replace the earlier call-control protocols, H.323 and SIP.

IAX Advantages
The protocol sets up internal sessions that can use whichever codec is desired for voice transmission. IAX is flexible enough to be used with any type of streaming media, including video.

IAX (now most commonly referring to IAX2, the second version of the IAX protocol) has higher bandwidth efficiency than many VoIP call-control protocols, enabling it to support more concurrent VoIP calls over the same amount of bandwidth.

The IAX2 protocol was published as an informational (non-standards-track) RFC 5456 at the discretion of the RFC Editor in February 2010.

Technical Details of IAX
IAX2 supports trunking, multiplexing signaling and media channels on the same port. Trunking multiple calls into a single stream reduces IP overhead without introducing latency issues. This is advantageous in VoIP transmissions, where IP headers use a large percentage of bandwidth.

Traffic uses UDP port 4569. The use of this single well-known port makes IAX compatible with NAT (Network Address Translation) and most firewalls. The single stream provides added security, which can be implemented very easily.

IAX supports authentication using RSA public keys with the SHA-1 message digest algorithm for digital signatures.

Operational & Security Concerns

  • Awkward extensibility: All new features have to be added in the protocol specification, making IAX/IAX2 less flexible than H.323, SIP or MGCP.
  • Vulnerability: IAX2 is vulnerable to resource exhaustion DoS attacks that are currently available to the public.
  • There are currently no solutions to these issues*. The current best practices include limiting UDP port access to specific, trusted IP addresses. Internet-facing IAX2 ports are considered vulnerable and should be monitored closely. The fuzzer used to detect these application vulnerabilities was posted on milw0rm and is included in the VoIPer svn tree. These issues were briefly mentioned in the IAX RFC 5456 on page 94.

*This flaw is reported as corrected in up-to-date installations of Asterisk and other PBXes.
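
One way to carry out the "trusted IP addresses" and "monitored closely" advice above, as an added example that is not part of the original page or of Asterisk: a small monitor that checks each datagram to UDP port 4569 against an allowlist and counts call-opening NEW full frames per source. The 12-byte full-frame header layout follows RFC 5456; the allowlist range, the threshold values and all function and class names are assumptions made for illustration.

```python
import ipaddress
import struct
from collections import defaultdict, deque

IAX2_PORT = 4569              # UDP port stated on this page
FT_IAX, SC_NEW = 0x06, 0x01   # RFC 5456: IAX control frame type, NEW subclass
TRUSTED = [ipaddress.ip_network("192.0.2.0/28")]  # assumed allowlist (documentation range)
MAX_NEW, WINDOW = 5, 10.0     # assumed threshold: NEW frames per source per 10 s


def parse_full_frame(payload):
    """Return (src_call, dst_call, frame_type, subclass), or None for mini/short frames."""
    if len(payload) < 12:
        return None
    src, dst, _ts, _oseq, _iseq, ftype, sub = struct.unpack("!HHIBBBB", payload[:12])
    if not src & 0x8000:      # F bit clear: mini frame carrying media, not signaling
        return None
    return src & 0x7FFF, dst & 0x7FFF, ftype, sub & 0x7F


class Iax2Monitor:
    def __init__(self):
        self.recent = defaultdict(deque)  # source IP -> timestamps of NEW frames

    def observe(self, ts, src_ip, dport, payload):
        """Return a list of alert strings for one UDP datagram."""
        if dport != IAX2_PORT:
            return []
        alerts = []
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in TRUSTED):
            alerts.append(f"untrusted source {src_ip}")
        frame = parse_full_frame(payload)
        if frame and frame[2:] == (FT_IAX, SC_NEW):
            q = self.recent[src_ip]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # drop entries outside the window
                q.popleft()
            if len(q) > MAX_NEW:
                alerts.append(f"NEW flood from {src_ip}: {len(q)} in {WINDOW:.0f}s")
        return alerts


def new_frame(src_call):
    """Constructed sample: 12-byte full-frame header of an IAX NEW request."""
    return struct.pack("!HHIBBBB", 0x8000 | src_call, 0, 0, 0, 0, FT_IAX, SC_NEW)
```

Feed `observe()` from a packet capture or firewall log; an "untrusted source" alert on an Internet-facing host means the port filter is not limiting access as intended.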