[VOIPSEC] RE: TLS as the SIP security mechanism

Christopher A. Martin chris at infravast.com
Mon Aug 8 17:21:57 PDT 2005


TCP is what they should have gone with in the first place (they have
basically engineered UDP to be TCP-like when they developed SIP). That
said, a properly distributed proxy solution for signaling using TLS
should not be any worse than a properly implemented https
implementation. The characteristics are the same for both protocols in
terms of state.

That’s just my 2 cents.
Chris 

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Geoff Devine
Sent: 08/08/2005 8:03 AM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] RE: TLS as the SIP security mechanism

I believe TLS is a poor choice as a security mechanism.  It's
unfortunate that it was placed in RFC 3261 as the recommended security
method.  TLS must be run over a reliable transport (TCP).  TCP has all
kinds of scaling issues when you're running hundreds of thousands of
instances of TCP on a big Carrier-class SIP proxy.  It's almost
impossible to make TCP redundant so if the SIP proxy bounces, all the
SIP user agents have to establish new TCP connections and then negotiate
new security associations.  This creates an avalanche of SYN messages
and looks just like a classic SYN attack.  I don't know how you achieve
carrier-class five 9's availability in this kind of environment since
your 10 minute outage budget for the year is blown out of the water any
time you bounce a SIP proxy.
 
There's an IETF draft for a security mechanism called DTLS.  DTLS runs
over UDP so it doesn't suffer the TCP scaling and startup issues.  The
only issue with UDP-based SIP is that you need to keep the messages
"small" to avoid fragmentation.  SIP messages are typically fairly small
but they can explode in size when you start doing media security key
exchanges embedded in your SIP messaging using MIKEY or SDESCRIPTIONS.
We're seeing sizes get bigger and bigger.  For example, in the session
description protocol, you can't offer both SRTP and RTP due to a
deficiency in the way SDP was specified.  The work-around is to offer
two different instances of SIP as multipart MIME.  Add in media security
keys and Proxy-inserted headers to do things like assert identity and
you start blowing through 1500 bytes.  At that point, you have two
choices... either use a transport like TCP to deal with message
fragmentation (a poor choice, in my opinion), or start compressing the
signaling using methods like SIGCOMP (RFC 3320/3321).
 
Sigh.... so much for SIP being a simple, lightweight protocol.
 
Geoff
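The size problem described above can be made concrete. The following is an added example, not code from this thread or from any product it mentions: it assembles a constructed INVITE with a plain RTP offer, then the multipart/mixed "RTP and SRTP" offer with a set of proxy-inserted headers, and applies the RFC 3261 section 18.1.1 rule (a request within 200 bytes of the path MTU, or larger than 1300 bytes when the path MTU is unknown, must be sent over a congestion-controlled transport such as TCP). All addresses, keys, the Identity signature value and the proxy hostnames are constructed placeholders; the SDES key attribute follows RFC 4568 and the identity headers follow RFC 3325 and RFC 4474 in name only.

```python
"""
Size check for SIP requests carried over UDP (added example, constructed data).
Builds a plain INVITE and a multipart RTP+SRTP INVITE with proxy headers, then
applies the RFC 3261 18.1.1 transport rule and a 1500-byte MTU datagram check.
"""
import base64
from typing import Dict, Iterable, Optional

CRLF = "\r\n"
IPV4_HEADER = 20      # bytes, IPv4 without options
UDP_HEADER = 8        # bytes
ETHERNET_MTU = 1500   # assumed path MTU for the datagram check


def sdp_offer(secure: bool, master_key: bytes = bytes(range(30))) -> str:
    """Minimal SDP audio offer. With secure=True the media line is RTP/SAVP and
    carries an SDES a=crypto attribute (RFC 4568) with the base64 key+salt.
    The key is a constructed 30-byte placeholder, not a real SRTP key."""
    proto = "RTP/SAVP" if secure else "RTP/AVP"
    lines = [
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",  # constructed
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        f"m=audio 49170 {proto} 0 8 101",
        "a=rtpmap:0 PCMU/8000",
        "a=rtpmap:8 PCMA/8000",
        "a=rtpmap:101 telephone-event/8000",
    ]
    if secure:
        inline = base64.b64encode(master_key).decode()  # 30 bytes -> 40 chars
        lines.append(f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{inline}")
    return CRLF.join(lines) + CRLF


def multipart_body(parts: Iterable[str], boundary: str = "boundary1") -> str:
    """Wrap several SDP bodies as multipart/mixed, the workaround for offering
    both RTP and SRTP in one INVITE."""
    chunks = [f"--{boundary}{CRLF}Content-Type: application/sdp{CRLF}{CRLF}{p}"
              for p in parts]
    chunks.append(f"--{boundary}--{CRLF}")
    return CRLF.join(chunks)


def build_invite(body: str, content_type: str,
                 extra_headers: Iterable[str] = ()) -> bytes:
    """Assemble a SIP INVITE; Content-Length is computed from the actual body."""
    headers = [
        "INVITE sip:bob@example.net SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        "Max-Forwards: 70",
        "To: Bob <sip:bob@example.net>",
        "From: Alice <sip:alice@example.com>;tag=1928301774",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@192.0.2.10>",
        *extra_headers,
        f"Content-Type: {content_type}",
        f"Content-Length: {len(body.encode())}",
    ]
    return (CRLF.join(headers) + CRLF + CRLF + body).encode()


def content_length_consistent(msg: bytes) -> bool:
    """Check the Content-Length header against the body actually attached."""
    head, body = msg.split(b"\r\n\r\n", 1)
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            return int(line.split(b":", 1)[1].strip()) == len(body)
    return False


def choose_transport(msg_len: int, path_mtu: Optional[int] = None) -> str:
    """RFC 3261 section 18.1.1: within 200 bytes of the path MTU, or over 1300
    bytes when the path MTU is unknown, use a congestion-controlled transport."""
    if path_mtu is None:
        return "TCP" if msg_len > 1300 else "UDP"
    return "TCP" if msg_len > path_mtu - 200 else "UDP"


def fits_single_datagram(msg_len: int, mtu: int = ETHERNET_MTU) -> bool:
    """True when the message plus IPv4/UDP headers fits one MTU-sized frame."""
    return msg_len <= mtu - IPV4_HEADER - UDP_HEADER


# Headers two proxies might add on the way (order simplified for the size
# estimate): Via/Record-Route per hop, P-Asserted-Identity (RFC 3325) and an
# Identity signature (RFC 4474). The signature is a constructed placeholder of
# the length a 1024-bit RSA signature would have (base64 of 128 bytes).
PROXY_HEADERS = [
    "Via: SIP/2.0/UDP proxy2.example.com;branch=z9hG4bK-p2",
    "Via: SIP/2.0/UDP proxy1.example.com;branch=z9hG4bK-p1",
    "Record-Route: <sip:proxy2.example.com;lr>",
    "Record-Route: <sip:proxy1.example.com;lr>",
    'P-Asserted-Identity: "Alice" <sip:alice@example.com>',
    'Identity: "' + base64.b64encode(bytes(range(128))).decode() + '"',
    "Identity-Info: <https://example.com/cert>;alg=rsa-sha1",
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PRACK, UPDATE, MESSAGE",
    "Supported: 100rel, timer, replaces",
    "Session-Expires: 1800;refresher=uac",
]


def compare_offers() -> Dict[str, object]:
    """Size a plain RTP INVITE next to the multipart RTP+SRTP INVITE."""
    plain = build_invite(sdp_offer(secure=False), "application/sdp")
    bloated = build_invite(
        multipart_body([sdp_offer(secure=False), sdp_offer(secure=True)]),
        "multipart/mixed; boundary=boundary1",
        PROXY_HEADERS,
    )
    out: Dict[str, object] = {}
    for name, msg in (("plain", plain), ("bloated", bloated)):
        n = len(msg)
        out[f"{name}_bytes"] = n
        out[f"{name}_transport"] = choose_transport(n)
        out[f"{name}_fits_udp"] = fits_single_datagram(n)
        out[f"{name}_consistent"] = content_length_consistent(msg)
    return out


if __name__ == "__main__":
    for key, value in compare_offers().items():
        print(f"{key:20} {value}")
```

Running it shows the plain offer staying a few hundred bytes and well inside one datagram, while the multipart offer with identity and routing headers crosses both the 1300-byte RFC 3261 threshold and the 1472-byte UDP payload budget of a 1500-byte MTU, which is exactly the point at which a UDP-only deployment starts to fragment or has to fall back to TCP or SIGCOMP.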
 
 

________________________________________

Date: Thu, 4 Aug 2005 14:41:45 -0700
From: John Todd <jtodd at loligo.com>
Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that
        supports IPSec or transport layer security (hop-by-hop protection)?
To: Voipsec at voipsa.org
Message-ID: <p06020411bf1839520b0f at loligo.com>
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"

At 9:27 AM -0600 8/4/05, Pankaj Shroff wrote:
>
>I think implementing TLS in the Sip User Agent is a prerogative of the
>User Agent developer. I think almost all commercial SIP products out there
>(such as software SIP User Agents, Proxies, etc., as well as Session Border
>Controllers) should support TLS. I am not so sure about IPSec support
>however. Also, S-RTP is still too new. I do not know of any product
>available today that supports S-RTP out of the box. Good luck on your
>project.
>  Pankaj
>
>  On 8/4/05, dennis <m8939605 at yahoo.com.tw> wrote:
>>
>>  I intend to start a project(client) that will
>>  implement TLS, IPsec(secure SIP) and secure RTP. I'm
>>  surveying the products(client and server) that support
>>  TLS or IPsec. But
>>  I don't find any SIP client product that support TLS
>>  or IPsec. Does anyone know such SIP security products ?
>>
>--
>Pankaj Shroff
>shroffG at Gmail.com


I believe that the Sipura and Zultys platforms
support both TLS and SRTP.  However, both
companies have done what I believe to be a
terrible job in advertising and promoting this
capability, and there are very few SIP
proxies/gateways which support either protocol.
Zultys sells their own proxy/gateway, so is not
inclined to help develop anything.  I'm sure
there are others - Google should help you out
here.

More open-source efforts towards implementing TLS
and SRTP would be welcome, as far as I'm
concerned.  The number of locations using
Asterisk as both a SIP element and gateway
element would make it a natural choice for such a
stack to be implemented for open-source
environments.  The topic of SRTP and TLS comes up
every 6 months or so and gets a lot of approval,
but the important half of "rough consensus and
running code" never happens.

JT



------------------------------

Message: 3
Date: Sat, 6 Aug 2005 00:40:38 +0200
From: Johan Bilien <jobi at via.ecp.fr>
Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that
        supports IPSec or transport layer security (hop-by-hop protection)?
To: dennis <m8939605 at yahoo.com.tw>
Cc: Voipsec at voipsa.org
Message-ID: <20050805224037.GA28110 at via.ecp.fr>
Content-Type: text/plain; charset=us-ascii

On Thu, Aug 04, 2005, dennis wrote:
> I intend to start a project(client) that will
> implement TLS, IPsec(secure SIP) and secure RTP. I'm
> surveying the products(client and server) that support
> TLS or IPsec. But
> I don't find any SIP client product that support TLS
> or IPsec. Does anyone know such SIP security products ?

Have a look at minisip (http://www.minisip.org/). It supports TLS for
SIP messages, and both SRTP and IPsec to protect the media.

Johan.



------------------------------



End of Voipsec Digest, Vol 8, Issue 5
*************************************