[VOIPSEC] RE: TLS as the SIP security mechanism

Pankaj Shroff shroffg at gmail.com
Mon Aug 15 18:43:42 CDT 2005


What does the history of DNS outages tell us about SIP reliability? Other 
than the fact that DNS is a service at the IP core (with ENUM likely to be 
integrated in a similar pattern), all that says is that DNS is an essential 
service which should seldom fail. From a Voice-over-IP point of view, the 
comparison is more appropriate to the local name resolution servers that 
fail a lot more often. VoIP is not (considered to be) a core network 
service. 
The requirement of 5-nine's reliability is essentially an inherited 
requirement from the Telcos. That is not to say that 5-nine's is not a 
worthy (or too lofty) goal. But if you think about it, if your cable 
provider's DNS resolver is as bad as has been portrayed, and if your IP 
access networks (I am talking about consumers here, home/SOHO users) are 
inherently not 5-nine's, how can a VoIP service provider even begin to claim 
5-nine's reliability? The access network *is* the bottleneck, has always 
been and will always be. 
Reliability and performance standards work best when they are imposed by an 
industry upon itself (or to state it lightly, when they are adopted 
voluntarily). There is no sign of access networks offering reliability 
"metrics" as part of their sale package. I do think capital market 
forces will eventually make that a selling point for access networks, but 
currently, the way the local access market is structured for wireline last 
mile, there are really no capital market forces in place. Cable networks 
are essentially regional monopolies. DSL isn't keeping up, and thanks to the 
FCC it may face even more hurdles. The only hope is for UMA or Wi-Max to 
open up the gates into this tightly guarded conduit - and let's hope they do 
adopt "lofty" 5-nine's reliability goals.
The point I am trying to make is that technology alone is not the answer to 
VoIP's quest for branding itself as "as reliable as plain old telephone 
system (POTS)". There are many external, political and logistic factors at 
play to make that a reality.
Regards,
Pankaj
 
 On 8/12/05, Christopher A. Martin <chris at infravast.com> wrote: 
> 
> DNS outages of the past are typically linked to improper
> patching/upgrading policies...I haven't read your link yet but I do
> remember one a few years ago with this very problem as the root cause.
> 
> If you don't maintain a secure and up to date system then yes, it can be
> brought down. Unfortunately I still find some enterprises with older
> versions of bind still running on them.
> 
> Chris
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Evans, Mark [NTK]
> Sent: 08/10/2005 10:24 AM
> To: Johnston, Alan; Geoff Devine; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> No DNS outages? See the attached link
> 
> http://news.com.com/Another+broadband+outage+strikes+Comcast/2100-1034_3
> -5669961.html
> 
> Mark Evans
> 
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Johnston, Alan
> Sent: Tuesday, August 09, 2005 7:41 AM
> To: Geoff Devine; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> TLS is the best choice for security in SIP for good reasons. Some of
> the most important are application layer awareness and mutual
> authentication.
> 
> Running SIP over UDP is simply no longer an option. While it is
> possible offer very limited services and fit SIP messages into a
> datagram, as soon as you start to do anything interesting, the messages
> become too large. Throw in presence and other services, and UDP is no
> longer an option.
> 
> As for managing TCP connections, the web folks have become quite good at
> this - many solutions developed for HTTP work very well with SIP
> proxies.
> 
> And as for the five nines, you must have a very strange service in which
> a single proxy failure counts as a complete service outage. Failover
> using a variety of techniques is basic to providing reliability in
> Internet architectures. For true reliability, I'd suggest looking at
> the DNS - there haven't been any outages since around 1984, and all
> without any of the expensive techniques used by telcos. How many nines
> of reliability is this?
> 
> Thanks,
> Alan Johnston
> 
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org
> > [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Geoff Devine
> > Sent: Monday, August 08, 2005 8:03 AM
> > To: Voipsec at voipsa.org
> > Subject: [VOIPSEC] RE: TLS as the SIP security mechanism
> >
> >
> > I believe TLS is a poor choice as a security mechanism. It's
> > unfortunate that it was placed in RFC 3261 as the recommended
> > security method. TLS must be run over a reliable transport
> > (TCP). TCP has all kinds of scaling issues when you're
> > running hundreds of thousands of instances of TCP on a big
> > Carrier-class SIP proxy. It's almost impossible to make TCP
> > redundant so if the SIP proxy bounces, all the SIP user
> > agents have to establish new TCP connections and then
> > negotiate new security associations. This creates an
> > avalanche of SYN messages and looks just like a classic SYN
> > attack. I don't know how you achieve carrier-class five 9's
> > availability in this kind of environment since your 10 minute
> > outage budget for the year is blown out of the water any time
> > you bounce a SIP proxy.
> >
> > There's an IETF draft for a security mechanism called DTLS.
> > DTLS runs over UDP so it doesn't suffer the TCP scaling and
> > starup issues. The only issue with UDP-based SIP is that you
> > need to keep the messages "small" to avoid fragmentation.
> > SIP messages are typically fairly small but they can explode
> > in size when you start doing media security key exchanges
> > embedded in your SIP messaging using MIKEY or SDESCRIPTIONS.
> > We're seeing sizes get bigger and bigger. For example, in
> > the session description protocol, you can't offer buth SRTP
> > and RTP due to a difficiency in the way SDP was specified.
> > The work-around is to offer two different instances of SIP as
> > multipart MIME. Add in media security keys and
> > Proxy-inserted headers to do things like assert identity and
> > you start blowing through 1500 bytes. At that point, you
> > have two choices... either use a transport like TCP to deal
> > with message fragmentation (a poor choice, in my opinion), or
> > start compressing the signaling using methods like SIGCOMP
> > (RFC 3320/3321).
> >
> > Sigh.... so much for SIP being a simple, lightweight protocol.
> >
> > Geoff
> >
> >
> >
> > ________________________________________
> >
> > Date: Thu, 4 Aug 2005 14:41:45 -0700
> > From: John Todd <jtodd at loligo.com>
> > Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that
> > supports IPSec or transport layer security (
> > hop-by-hop protection)?
> > To: Voipsec at voipsa.org
> > Message-ID: <p06020411bf1839520b0f at loligo.com>
> > Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
> >
> > At 9:27 AM -0600 8/4/05, Pankaj Shroff wrote:
> > >
> > >I think implementing TLS in the Sip User Agent is a
> > prerogative of the
> > >User Agent developer. I think almost all commercial SIP products out
> > >there (such as software SIP User Agents, Proxies, etc., as well as
> > >Session Border
> > >Controllers) should support TLS. I am not so sure about IPSec support
> > >however. Also, S-RTP is still too new. I do not know of any product
> > >available today that supports S-RTP out of the box. Good luck on your
> > >project.
> > > Pankaj
> > >
> > > On 8/4/05, dennis <m8939605 at yahoo.com.tw> wrote:
> > >>
> > >> I intend to start a project (client) that will
> > >> implement TLS, IPsec (secure SIP) and secure RTP. I'm
> > surveying the
> > >> products (client and server) that support TLS or IPsec. But
> > >> I don't find any SIP client product that supports TLS
> > >> or IPsec. Does anyone know such SIP security products?
> > >>
> > > >
> > >--
> > >Pankaj Shroff
> > >shroffG at Gmail.com
> >
> >
> > I believe that the Sipura and Zultys platforms
> > support both TLS and SRTP. However, both
> > companies have done what I believe to be a
> > terrible job in advertising and promoting this
> > capability, and there are very few SIP
> > proxies/gateways which support either protocol.
> > Zultys sells their own proxy/gateway, so is not
> > inclined to help develop anything. I'm sure
> > there are others - Google should help you out
> > here.
> >
> > More open-source efforts towards implementing TLS
> > and SRTP would be welcome, as far as I'm
> > concerned. The number of locations using
> > Asterisk as both a SIP element and gateway
> > element would make it a natural choice for such a
> > stack to be implemented for open-source
> > environments. The topic of SRTP and TLS comes up
> > every 6 months or so and gets a lot of approval,
> > but the important half of "rough consensus and
> > running code" never happens.
> >
> > JT
> >
> >
> >
> > ------------------------------
> >
> > Message: 3
> > Date: Sat, 6 Aug 2005 00:40:38 +0200
> > From: Johan Bilien <jobi at via.ecp.fr>
> > Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that
> > supports IPSec or transport layer security (
> > hop-by-hop protection)?
> > To: dennis <m8939605 at yahoo.com.tw>
> > Cc: Voipsec at voipsa.org
> > Message-ID: <20050805224037.GA28110 at via.ecp.fr>
> > Content-Type: text/plain; charset=us-ascii
> >
> > On Thu, Aug 04, 2005, dennis wrote:
> > > I intend to start a project (client) that will
> > > implement TLS, IPsec (secure SIP) and secure RTP. I'm surveying the
> > > products (client and server) that support TLS or IPsec. But
> > > I don't find any SIP client product that supports TLS
> > > or IPsec. Does anyone know such SIP security products?
> >
> > Have a look at minisip (http://www.minisip.org/). It supports
> > TLS for SIP messages, and both SRTP and IPsec to protect the media.
> >
> > Johan.
> >
> >
> >
> > ------------------------------
> >
> > _______________________________________________
> > Voipsec mailing list
> > Voipsec at voipsa.org
> > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> >
> >
> > End
> > of Voipsec Digest, Vol 8, Issue 5
> >
> > *************************************
> >
> >
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
> 



-- 
Pankaj Shroff
shroffG at Gmail.com
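The size argument Geoff Devine makes above (an SDP offer duplicated as multipart MIME for RTP and SRTP, plus SDES keys and proxy-inserted identity headers, pushing an INVITE past 1500 bytes) and Alan Johnston's conclusion that UDP is no longer an option can be made concrete. The script below is an added example written for this archive page; it is not code from any participant in the thread. It assembles a constructed INVITE both ways, measures the two sizes, and applies the rule RFC 3261 section 18.1.1 gives for choosing between UDP and a congestion-controlled transport (a request within 200 bytes of the path MTU, or over 1300 bytes when the path MTU is unknown, must use something like TCP, which is also what TLS needs). All hosts, keys and signature values are placeholders.

```python
"""Added example: how a SIP INVITE grows with multipart SDP, SDES keys and
proxy headers, and the RFC 3261 section 18.1.1 UDP-vs-TCP size rule.
Every address, key and signature below is a constructed placeholder."""
from typing import List, Optional

CRLF = "\r\n"

# RFC 3261 section 18.1.1: a request within 200 bytes of the path MTU, or
# larger than 1300 bytes when the path MTU is unknown, MUST be sent over a
# congestion-controlled transport such as TCP rather than UDP.
RFC3261_UNKNOWN_MTU_LIMIT = 1300
RFC3261_MTU_MARGIN = 200


def choose_transport(message_size: int, path_mtu: Optional[int] = None) -> str:
    """Return 'TCP' or 'UDP' for a request of the given size."""
    if path_mtu is None:
        return "TCP" if message_size > RFC3261_UNKNOWN_MTU_LIMIT else "UDP"
    return "TCP" if message_size >= path_mtu - RFC3261_MTU_MARGIN else "UDP"


def build_sdp(secure: bool) -> str:
    """Constructed audio+video SDP offer. The SRTP variant carries
    RFC 4568 a=crypto lines (the 'SDESCRIPTIONS' the thread refers to);
    the 40-char key fields are placeholders, not real keying material."""
    profile = "RTP/SAVP" if secure else "RTP/AVP"
    crypto = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{}|2^20|1:32"
    lines = [
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        f"m=audio 49170 {profile} 0 8 101",
        "a=rtpmap:0 PCMU/8000",
        "a=rtpmap:8 PCMA/8000",
        "a=rtpmap:101 telephone-event/8000",
    ]
    if secure:
        lines.append(crypto.format("A" * 40))
    lines += [f"m=video 51372 {profile} 97", "a=rtpmap:97 H264/90000"]
    if secure:
        lines.append(crypto.format("B" * 40))
    return CRLF.join(lines) + CRLF


# Headers a proxy chain inserts on the way (constructed values). The
# Identity value stands in for an RFC 4474 base64 signature (172 chars
# for a 1024-bit RSA key), a placeholder rather than a real signature.
PROXY_HEADERS = [
    "Via: SIP/2.0/TLS proxy2.example.com:5061;branch=z9hG4bK-p2-1",
    "Via: SIP/2.0/TLS proxy1.example.com:5061;branch=z9hG4bK-p1-1",
    "Record-Route: <sip:proxy2.example.com:5061;transport=tls;lr>",
    "Record-Route: <sip:proxy1.example.com:5061;transport=tls;lr>",
    'P-Asserted-Identity: "Alice" <sip:alice@example.com>',
    "Identity: " + "Q" * 172,
    "Identity-Info: <https://example.com/cert>;alg=rsa-sha1",
]


def build_invite(extra_headers: List[str], body_parts: List[str]) -> bytes:
    """Assemble an INVITE; more than one body part is wrapped in
    multipart/mixed, the work-around the thread describes for offering
    both RTP and SRTP."""
    if len(body_parts) == 1:
        ctype, body = "application/sdp", body_parts[0]
    else:
        boundary = "boundary1"
        chunks = [f"--{boundary}{CRLF}Content-Type: application/sdp{CRLF}{CRLF}{p}"
                  for p in body_parts]
        body = CRLF.join(chunks) + f"{CRLF}--{boundary}--{CRLF}"
        ctype = f'multipart/mixed; boundary="{boundary}"'
    headers = [
        "INVITE sip:bob@example.com SIP/2.0",
        *extra_headers,
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        "Max-Forwards: 70",
        "From: Alice <sip:alice@example.com>;tag=1928301774",
        "To: Bob <sip:bob@example.com>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@192.0.2.10>",
        f"Content-Type: {ctype}",
        f"Content-Length: {len(body.encode())}",
    ]
    return (CRLF.join(headers) + CRLF + CRLF + body).encode()


def message_sizes() -> dict:
    """Byte sizes of a plain RTP-only INVITE and of the multipart
    RTP+SRTP INVITE after two proxies have added their headers."""
    plain = build_invite([], [build_sdp(secure=False)])
    dual = build_invite(PROXY_HEADERS, [build_sdp(secure=False), build_sdp(secure=True)])
    return {"plain": len(plain), "dual_with_proxy_headers": len(dual)}


if __name__ == "__main__":
    for name, size in message_sizes().items():
        print(f"{name}: {size} bytes -> {choose_transport(size)} (path MTU unknown)")
```

Running it shows the plain INVITE staying well under the 1300-byte threshold while the multipart variant with proxy headers exceeds a 1500-byte Ethernet MTU, so the RFC 3261 rule forces it onto TCP before any fragmentation question arises. The same `choose_transport` check, given a measured path MTU, is what a user agent or proxy would consult before picking a transport for each request.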


