[VOIPSEC] RE: TLS as the SIP security mechanism

Kolenko, Marc Marc.Kolenko at gd-ns.com
Wed Aug 17 12:42:53 CDT 2005


NIST Publication VoIPsec_SP800-58-final.pdf offers "some" guidance on
VoIP over WPA/WEP - you may find more references within this publication.
Cheers

Marc M. Kolenko 
Principal Technologist, Nat'l Info Solutions/IA
 
GENERAL DYNAMICS 
Network Systems
15000 Conference Ctr. Dr.
Chantilly, VA  20151
703.818.5433 (Office)
703.298.4521 (Cell)
703.961.0029 (Fax)

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Vijay Shyamasundar Shyamasundar
Sent: Tuesday, August 16, 2005 11:30 AM
To: Brian Rosen
Cc: Geoff Devine; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] RE: TLS as the SIP security mechanism

Hi All,
 This is Vijay, a graduate student at Towson University. I just started to
work on VoIP security over wireless LAN. Could anybody please guide me to a
good resource on the web or any book where I could get some basics on VoIP
Security over wireless LAN.
 Please help me in this regard.
 Thanks,
Vijay Shyamasundar


 On 8/11/05, Brian Rosen <br at brianrosen.net> wrote: 
> 
> AFAIK, this was a localized access network failure. It clearly wasn't a
> failure of the DNS. DNS is highly distributed. Your "local resolver" can
> fail. Lots of access networks are not particularly well engineered to cope
> with local resolver failure. Specifically, there is often not a secondary
> DNS server that is actually different enough that a failure of one isn't
> equivalent to a failure of them all.
> 
> A typical setup is that the secondary server is on the same subnet, fed
> from the same router, from the same uplink, and often from the same
> upstream DNS server, and runs the same code as the primary. When that
> happens, you often get the same results from the secondary when the
> primary bogs down.
> 
> Don't do that :)
> 
> Brian
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Evans, Mark [NTK]
> Sent: Wednesday, August 10, 2005 11:24 AM
> To: Johnston, Alan; Geoff Devine; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> No DNS outages? See the attached link
> 
> http://news.com.com/Another+broadband+outage+strikes+Comcast/2100-1034_3-5669961.html
> 
> Mark Evans
> 
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Johnston, Alan
> Sent: Tuesday, August 09, 2005 7:41 AM
> To: Geoff Devine; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> TLS is the best choice for security in SIP for good reasons. Some of the
> most important are application layer awareness and mutual authentication.
> 
> Running SIP over UDP is simply no longer an option. While it is possible to
> offer very limited services and fit SIP messages into a datagram, as soon
> as you start to do anything interesting, the messages become too large.
> Throw in presence and other services, and UDP is no longer an option.
> 
> As for managing TCP connections, the web folks have become quite good at
> this - many solutions developed for HTTP work very well with SIP proxies.
> 
> And as for the five nines, you must have a very strange service in which a
> single proxy failure counts as a complete service outage. Failover using a
> variety of techniques is basic to providing reliability in Internet
> architectures. For true reliability, I'd suggest looking at the DNS -
> there haven't been any outages since around 1984, and all without any of
> the expensive techniques used by telcos. How many nines of reliability is
> this?
> 
> Thanks,
> Alan Johnston
> 
> > -----Original Message-----
> > From: Voipsec-bounces at voipsa.org
> > [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Geoff Devine
> > Sent: Monday, August 08, 2005 8:03 AM
> > To: Voipsec at voipsa.org
> > Subject: [VOIPSEC] RE: TLS as the SIP security mechanism
> >
> >
> > I believe TLS is a poor choice as a security mechanism. It's
> > unfortunate that it was placed in RFC 3261 as the recommended
> > security method. TLS must be run over a reliable transport
> > (TCP). TCP has all kinds of scaling issues when you're
> > running hundreds of thousands of instances of TCP on a big
> > Carrier-class SIP proxy. It's almost impossible to make TCP
> > redundant so if the SIP proxy bounces, all the SIP user
> > agents have to establish new TCP connections and then
> > negotiate new security associations. This creates an
> > avalanche of SYN messages and looks just like a classic SYN
> > attack. I don't know how you achieve carrier-class five 9's
> > availability in this kind of environment since your 10 minute
> > outage budget for the year is blown out of the water any time
> > you bounce a SIP proxy.
> >
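Alan Johnston's point that SIP messages "become too large" for a datagram is the rule RFC 3261 section 18.1.1 spells out: a request within 200 bytes of the path MTU, or larger than 1300 bytes when the MTU is unknown, must go over a congestion-controlled transport (TCP, and so TLS when the session needs to be protected). The script below is an added example written for this archive page, not code from any of the thread's participants; it builds two constructed INVITEs with placeholder hosts and shows the same request crossing the UDP limit once the SDP body grows.

```python
"""Transport selection for a SIP request by message size (RFC 3261 18.1.1).

Added example, not code from the VOIPSEC thread. The SIP messages below are
constructed samples with placeholder hosts in example.invalid / 192.0.2.0/24.
"""
from typing import Dict, Optional

MTU_MARGIN = 200          # RFC 3261: stay at least 200 bytes below the path MTU
UNKNOWN_MTU_LIMIT = 1300  # RFC 3261: UDP ruled out above this when the MTU is unknown


def needs_reliable_transport(message: bytes, path_mtu: Optional[int] = None) -> bool:
    """Return True when RFC 3261 18.1.1 forbids sending this request over UDP."""
    size = len(message)
    if path_mtu is not None:
        return size > path_mtu - MTU_MARGIN
    return size > UNKNOWN_MTU_LIMIT


def choose_transport(message: bytes, path_mtu: Optional[int] = None, secure: bool = True) -> str:
    """Pick a transport: TLS (or plain TCP when security is not required) once UDP is ruled out."""
    if needs_reliable_transport(message, path_mtu):
        return "tls" if secure else "tcp"
    return "udp"


def build_request(method: str, headers: Dict[str, str], body: bytes = b"") -> bytes:
    """Assemble a SIP request with CRLF line endings; Content-Length is computed from the body."""
    lines = [f"{method} sip:user@example.invalid SIP/2.0"]
    lines += [f"{name}: {value}" for name, value in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


BASE_HEADERS = {
    "Via": "SIP/2.0/UDP client.example.invalid:5060;branch=z9hG4bK-constructed",
    "From": "<sip:alice@example.invalid>;tag=1928301774",
    "To": "<sip:bob@example.invalid>",
    "Call-ID": "constructed-call-id@client.example.invalid",
    "CSeq": "1 INVITE",
    "Max-Forwards": "70",
    "Content-Type": "application/sdp",
}

# A basic INVITE with a one-codec SDP body: fits comfortably in one datagram.
SMALL_SDP = (b"v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
             b"t=0 0\r\nm=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n")
SMALL_INVITE = build_request("INVITE", BASE_HEADERS, SMALL_SDP)

# The "anything interesting" case: a dozen codecs plus ICE candidates push the
# SDP past the limit, so the same INVITE can no longer be sent over UDP.
codec_lines = b"".join(f"a=rtpmap:{96 + i} codec{i}/8000\r\n".encode() for i in range(12))
ice_lines = b"".join(
    f"a=candidate:{i} 1 UDP {2130706431 - i} 192.0.2.{10 + i} {50000 + i} typ host\r\n".encode()
    for i in range(14)
)
LARGE_INVITE = build_request("INVITE", BASE_HEADERS, SMALL_SDP + codec_lines + ice_lines)

if __name__ == "__main__":
    for name, msg in (("small INVITE", SMALL_INVITE), ("large INVITE", LARGE_INVITE)):
        print(f"{name}: {len(msg)} bytes -> {choose_transport(msg)}")
```

The 1300-byte figure is the fallback for when the path MTU is unknown, which is the usual case for a user agent on an arbitrary access network; with a known MTU the 200-byte margin applies instead, which is why the small INVITE is also pushed to TLS when the path MTU is assumed to be 600.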
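Brian Rosen's warning about a secondary resolver that sits on the same subnet behind the same router is easy to check for mechanically. The script below is an added example for this archive page, not code from the thread; it parses the nameserver lines of a resolv.conf-style file and reports which resolvers share a subnet. The prefix lengths (/24 for IPv4, /64 for IPv6) are an assumption standing in for "same access segment", and both configuration samples are constructed from documentation address ranges.

```python
"""Check whether configured DNS resolvers give real redundancy.

Added example, not code from the VOIPSEC thread. Two resolvers in the same
subnet are treated as one failure domain; the prefix lengths below are an
assumption about what counts as "the same segment".
"""
import ipaddress
from typing import Dict, List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

IPV4_PREFIX = 24  # assumption: same /24 means same access subnet
IPV6_PREFIX = 64  # assumption: same /64 means same access subnet


def parse_nameservers(text: str) -> List[Address]:
    """Extract the addresses from `nameserver` lines; comments and bad entries are skipped."""
    servers: List[Address] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # malformed address: ignore rather than abort the check
    return servers


def subnet_of(addr: Address) -> Network:
    """Map a resolver address to the subnet it is assumed to live in."""
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def shared_subnet_pairs(servers: List[Address]) -> List[Tuple[str, str]]:
    """Return every pair of resolvers that would fail together because they share a subnet."""
    pairs = []
    for i, a in enumerate(servers):
        for b in servers[i + 1:]:
            if a.version == b.version and subnet_of(a) == subnet_of(b):
                pairs.append((str(a), str(b)))
    return pairs


def assess(text: str) -> Dict[str, object]:
    """Summarise resolver diversity: redundant only if at least two distinct subnets are used."""
    servers = parse_nameservers(text)
    distinct = {subnet_of(s) for s in servers}
    return {
        "nameservers": [str(s) for s in servers],
        "shared_subnet_pairs": shared_subnet_pairs(servers),
        "distinct_subnets": len(distinct),
        "redundant": len(servers) >= 2 and len(distinct) >= 2,
    }


# Constructed sample: the setup Brian describes, both resolvers behind one router.
SAME_SUBNET_CONF = """# constructed sample
nameserver 192.0.2.53
nameserver 192.0.2.54
search example.invalid
"""

# Constructed sample: the second resolver is reached over a different path.
DIVERSE_CONF = """# constructed sample
nameserver 192.0.2.53
nameserver 198.51.100.53
"""

if __name__ == "__main__":
    for label, conf in (("same subnet", SAME_SUBNET_CONF), ("diverse", DIVERSE_CONF)):
        print(label, assess(conf))
```

Subnet membership is only a proxy for the real question (same router, same uplink, same upstream, same software); a resolver on a different subnet can still share all of those, so treat a "redundant" verdict here as necessary rather than sufficient.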