[VOIPSEC] RE: TLS as the SIP security mechanism

Johnston, Alan alan.johnston at mci.com
Tue Aug 9 07:41:15 PDT 2005


TLS is the best choice for security in SIP for good reasons.  Some of the most important are application layer awareness and mutual authentication.

Running SIP over UDP is simply no longer an option.  While it is possible to offer very limited services and fit SIP messages into a datagram, as soon as you start to do anything interesting, the messages become too large.  Throw in presence and other services, and UDP is no longer an option.

As for managing TCP connections, the web folks have become quite good at this - many solutions developed for HTTP work very well with SIP proxies.

And as for the five nines, you must have a very strange service in which a single proxy failure counts as a complete service outage.  Failover using a variety of techniques is basic to providing reliability in Internet architectures.  For true reliability, I'd suggest looking at the DNS - there haven't been any outages since around 1984, and all without any of the expensive techniques used by telcos.  How many nines of reliability is this?

Thanks,
Alan Johnston

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org 
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Geoff Devine
> Sent: Monday, August 08, 2005 8:03 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> 
> I believe TLS is a poor choice as a security mechanism.  It's 
> unfortunate that it was placed in RFC 3261 as the recommended 
> security method.  TLS must be run over a reliable transport 
> (TCP).  TCP has all kinds of scaling issues when you're 
> running hundreds of thousands of instances of TCP on a big 
> Carrier-class SIP proxy.  It's almost impossible to make TCP 
> redundant so if the SIP proxy bounces, all the SIP user 
> agents have to establish new TCP connections and then 
> negotiate new security associations.  This creates an 
> avalanche of SYN messages and looks just like a classic SYN 
> attack.  I don't know how you achieve carrier-class five 9's 
> availability in this kind of environment since your 10 minute 
> outage budget for the year is blown out of the water any time 
> you bounce a SIP proxy.
>  
> There's an IETF draft for a security mechanism called DTLS.  
> DTLS runs over UDP so it doesn't suffer the TCP scaling and 
> startup issues.  The only issue with UDP-based SIP is that you 
> need to keep the messages "small" to avoid fragmentation.  
> SIP messages are typically fairly small but they can explode 
> in size when you start doing media security key exchanges 
> embedded in your SIP messaging using MIKEY or SDESCRIPTIONS.  
> We're seeing sizes get bigger and bigger.  For example, in 
> the session description protocol, you can't offer both SRTP 
> and RTP due to a deficiency in the way SDP was specified.  
> The work-around is to offer two different instances of SIP as 
> multipart MIME.  Add in media security keys and 
> Proxy-inserted headers to do things like assert identity and 
> you start blowing through 1500 bytes.  At that point, you 
> have two choices... either use a transport like TCP to deal 
> with message fragmentation (a poor choice, in my opinion), or 
> start compressing the signaling using methods like SIGCOMP 
> (RFC 3320/3321).
>  
> Sigh.... so much for SIP being a simple, lightweight protocol.
>  
> Geoff
>  
>  
> 
> ________________________________________
> 
> Date: Thu, 4 Aug 2005 14:41:45 -0700
> From: John Todd <jtodd at loligo.com>
> Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that supports IPSec or transport layer security (hop-by-hop protection)?
> To: Voipsec at voipsa.org
> Message-ID: <p06020411bf1839520b0f at loligo.com>
> Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
> 
> At 9:27 AM -0600 8/4/05, Pankaj Shroff wrote:
> >
> >I think implementing TLS in the Sip User Agent is a 
> prerogative of the 
> >User Agent developer. I think almost all commercial SIP products out 
> >there (such as software SIP User Agents, Proxies, etc., as well as 
> >Session Border
> >Controllers) should support TLS. I am not so sure about IPSec support
> >however. Also, S-RTP is still too new. I do not know of any product
> >available today that supports S-RTP out of the box. Good luck on your
> >project.
> >  Pankaj
> >
> >  On 8/4/05, dennis <m8939605 at yahoo.com.tw> wrote:
> >>
> >>  I intend to start a project(client) that will
> >>  implement TLS, IPsec(secure SIP) and secure RTP. I'm  
> surveying the 
> >> products(client and server) that support  TLS or IPsec. But
> >>  I don't find any SIP client product that support TLS
> >>  or IPsec. Does anyone know such SIP security products ?
> >>
> >  >
> >--
> >Pankaj Shroff
> >shroffG at Gmail.com
> 
> 
> I believe that the Sipura and Zultys platforms
> support both TLS and SRTP.  However, both
> companies have done what I believe to be a
> terrible job in advertising and promoting this
> capability, and there are very few SIP
> proxies/gateways which support either protocol.
> Zultys sells their own proxy/gateway, so is not
> inclined to help develop anything.  I'm sure
> there are others - Google should help you out
> here.
> 
> More open-source efforts towards implementing TLS
> and SRTP would be welcome, as far as I'm
> concerned.  The number of locations using
> Asterisk as both a SIP element and gateway
> element would make it a natural choice for such a
> stack to be implemented for open-source
> environments.  The topic of SRTP and TLS comes up
> every 6 months or so and gets a lot of approval,
> but the important half of "rough consensus and
> running code" never happens.
> 
> JT
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Sat, 6 Aug 2005 00:40:38 +0200
> From: Johan Bilien <jobi at via.ecp.fr>
> Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that supports IPSec or transport layer security (hop-by-hop protection)?
> To: dennis <m8939605 at yahoo.com.tw>
> Cc: Voipsec at voipsa.org
> Message-ID: <20050805224037.GA28110 at via.ecp.fr>
> Content-Type: text/plain; charset=us-ascii
> 
> On Thu, Aug 04, 2005, dennis wrote:
> > I intend to start a project(client) that will
> > implement TLS, IPsec(secure SIP) and secure RTP. I'm surveying the 
> > products(client and server) that support TLS or IPsec. But
> > I don't find any SIP client product that support TLS
> > or IPsec. Does anyone know such SIP security products ?
> 
> Have a look at minisip (http://www.minisip.org/). It supports 
> TLS for SIP messages, and both SRTP and IPsec to protect the media.
> 
> Johan.
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org 
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
> 
> End of Voipsec Digest, Vol 8, Issue 5
> 
> *************************************
> 
> 
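Geoff's point about SIP messages growing past 1500 bytes once SRTP keys and multipart SDP offers are added, and Alan's point that large messages push you onto TCP (and therefore TLS), are both captured by the transport rule in RFC 3261 section 18.1.1: a request within 200 bytes of the path MTU, or larger than 1300 bytes when the path MTU is unknown, must be sent over a congestion-controlled transport such as TCP instead of UDP. The script below is an added example written for this page, not code from any participant in the thread; it builds two constructed INVITEs (a plain RTP offer and a multipart RTP/SRTP offer with SDES-style crypto lines and proxy-inserted headers), measures them, and applies that rule. All addresses, tags, boundary strings, header values and key material are made-up sample data, and the `a=crypto` inline keys are placeholders, not real keys.

```python
"""Measure a SIP request and decide whether UDP is a safe transport for it.

Added example for the VOIPSEC thread (not the thread's own code). Applies the
RFC 3261 section 18.1.1 rule: a request within 200 bytes of the path MTU, or
larger than 1300 bytes when the path MTU is unknown, must go over TCP (or TLS
over TCP) rather than UDP. All message contents below are constructed.
"""
from typing import Optional, Sequence

CRLF = "\r\n"


def build_sdp(with_srtp: bool) -> str:
    """Constructed SDP offer; the a=crypto lines mimic SDES (RFC 4568) attributes."""
    profile = "RTP/SAVP" if with_srtp else "RTP/AVP"
    # Placeholder 40-character "key" (an AES_CM_128 inline key is 40 base64 chars)
    crypto = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40 + "|2^20|1:32"
    lines = [
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        f"m=audio 49170 {profile} 0 8 101",
        "a=rtpmap:0 PCMU/8000",
        "a=rtpmap:8 PCMA/8000",
        "a=rtpmap:101 telephone-event/8000",
    ]
    if with_srtp:
        lines.append(crypto)
    lines += [f"m=video 51372 {profile} 31", "a=rtpmap:31 H261/90000"]
    if with_srtp:
        lines.append(crypto)
    return CRLF.join(lines) + CRLF


def build_multipart(parts: Sequence[str], boundary: str = "boundary1") -> str:
    """Wrap alternative SDP bodies in a multipart/alternative body (constructed)."""
    out = [f"--{boundary}{CRLF}Content-Type: application/sdp{CRLF}{CRLF}{p}" for p in parts]
    out.append(f"--{boundary}--{CRLF}")
    return "".join(out)


def build_invite(body: str, content_type: str, extra_headers: Sequence[str] = ()) -> bytes:
    """Assemble a constructed INVITE with a correct Content-Length."""
    headers = [
        "INVITE sip:bob@example.com SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        "Max-Forwards: 70",
        "To: Bob <sip:bob@example.com>",
        "From: Alice <sip:alice@example.com>;tag=1928301774",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@192.0.2.10>",
        "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO",
        "Supported: 100rel, timer",
        "User-Agent: ExampleUA/1.0",
        *extra_headers,
        f"Content-Type: {content_type}",
        f"Content-Length: {len(body.encode())}",
    ]
    return (CRLF.join(headers) + CRLF + CRLF + body).encode()


def plain_invite() -> bytes:
    """Small offer: a single RTP SDP body, as an early SIP UA would send."""
    return build_invite(build_sdp(with_srtp=False), "application/sdp")


def heavy_invite() -> bytes:
    """Large offer: RTP and SRTP alternatives as multipart plus proxy-added headers."""
    body = build_multipart([build_sdp(False), build_sdp(True)])
    proxy_headers = [
        'P-Asserted-Identity: "Alice" <sip:alice@example.com>',
        "Record-Route: <sip:proxy1.example.com;lr>",
        "Record-Route: <sip:proxy2.example.com;lr>",
        "Record-Route: <sip:proxy3.example.com;lr>",
    ]
    return build_invite(body, "multipart/alternative;boundary=boundary1", proxy_headers)


def udp_allowed(size: int, path_mtu: Optional[int]) -> bool:
    """RFC 3261 18.1.1: UDP is acceptable only below the MTU-derived thresholds."""
    if path_mtu is None:
        return size <= 1300
    return size < path_mtu - 200  # "within 200 bytes of the path MTU" forbids UDP


def choose_transport(request: bytes, path_mtu: Optional[int]) -> str:
    return "udp" if udp_allowed(len(request), path_mtu) else "tcp"


def content_length_matches(request: bytes) -> bool:
    """Sanity check that the declared Content-Length equals the actual body size."""
    head, body = request.split(b"\r\n\r\n", 1)
    declared = [h for h in head.split(b"\r\n") if h.lower().startswith(b"content-length:")]
    return len(declared) == 1 and int(declared[0].split(b":")[1]) == len(body)


if __name__ == "__main__":
    for name, req in (("plain", plain_invite()), ("heavy", heavy_invite())):
        print(f"{name}: {len(req)} bytes, unknown MTU -> {choose_transport(req, None)}, "
              f"MTU 1500 -> {choose_transport(req, 1500)}")
```

Running it shows the plain offer comfortably fitting a datagram while the multipart RTP/SRTP offer crosses the 1300-byte line, which is exactly the point at which RFC 3261 takes UDP off the table; a UA or proxy that applies this check before sending avoids IP fragmentation rather than discovering it as dropped or mangled requests.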
