[VOIPSEC] RE: TLS as the SIP security mechanism

Jim Cliver jclive at aptalaska.net
Wed Aug 10 10:11:16 PDT 2005


Forgive my ignorance here, but has SCTP been considered as a transport protocol
for SIP instead of TCP?

Thank you,
jim

Christopher A. Martin wrote:
> A properly engineered SIP deployment will not be relying on a single SIP
> proxy but will actually be a distributed system (these do exist) that
> can handle issues such as this, either with DNS SRV or SBCs. 
> 
> Five nines on the other hand is not yet achievable in the open Internet
> since you cannot guarantee a suitable SLA over the Internet to meet five
> nines...that said a properly engineered internal solution can be
> implemented with five nines guarantee, if suitable redundancy and DR
> methodology is considered in the design. 
> 
> MMoIP is a new paradigm that will change the rules a bit when it comes
> to the five nines concept. We are not discussing a closed system anymore
> and the open standards are what we are engineering to. 
> 
> There will be a need to define a new set of acceptable quality
> parameters; cellular is a good example of this. People still use it even
> if it doesn’t meet five nines.
> 
> There will also be a need to utilize the existing mechanisms while
> augmenting them at the same time, which means that realistically we will
> need to be creative with what we have at hand and what is emerging. 
> 
> As for engineering ethics, SIP is based loosely on HTTP and SMTP with a
> little of this and a little of that. :) I don’t think it inappropriate
> to compare the two, especially since I was referring to state at the
> time. VoIP is more suitably considered multimedia over ip rather than
> just pure telephony...there is just much more to consider, hence our
> security concerns. 
> 
> I realize that I am painting with broad strokes here.
> 
> Chris
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Geoff Devine
> Sent: 08/09/2005 7:21 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> The problem is that when a large SIP proxy goes down, it takes a
> significant amount of time before all the SIP user agents can
> re-establish a TCP connection and a security association.  If you are
> trying to meet the five 9's requirements of primary line telephony, this
> is completely unacceptable.  You could kill someone when they try to
> dial '911' and fail to complete the call due to a flood of TCP and TLS
> resynchronization.  Comparing SIP using TCP/TLS to an https web
> application is completely inappropriate.  Engineering ethics require
> that we come up with a better solution.
>  
> Geoff
> 
> ________________________________
> 
> From: Christopher A. Martin [mailto:chris at infravast.com]
> Sent: Mon 8/8/2005 8:21 PM
> To: Geoff Devine; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> 
> 
> TCP is what they should have gone with in the first place (they have
> basically engineered UDP to be TCP-like when they developed SIP). That
> said, a properly distributed proxy solution for signaling using TLS
> should not be any worse than a properly implemented https
> implementation. The characteristics are the same for both protocols in
> terms of state.
> 
> That's just my 2 cents.
> Chris
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Geoff Devine
> Sent: 08/08/2005 8:03 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> I believe TLS is a poor choice as a security mechanism.  It's
> unfortunate that it was placed in RFC 3261 as the recommended security
> method.  TLS must be run over a reliable transport (TCP).  TCP has all
> kinds of scaling issues when you're running hundreds of thousands of
> instances of TCP on a big Carrier-class SIP proxy.  It's almost
> impossible to make TCP redundant so if the SIP proxy bounces, all the
> SIP user agents have to establish new TCP connections and then negotiate
> new security associations.  This creates an avalanche of SYN messages
> and looks just like a classic SYN attack.  I don't know how you achieve
> carrier-class five 9's availability in this kind of environment since
> your 10 minute outage budget for the year is blown out of the water any
> time you bounce a SIP proxy.
> 
> There's an IETF draft for a security mechanism called DTLS.  DTLS runs
> over UDP so it doesn't suffer the TCP scaling and startup issues.  The
> only issue with UDP-based SIP is that you need to keep the messages
> "small" to avoid fragmentation.  SIP messages are typically fairly small
> but they can explode in size when you start doing media security key
> exchanges embedded in your SIP messaging using MIKEY or SDESCRIPTIONS.
> We're seeing sizes get bigger and bigger.  For example, in the session
> description protocol, you can't offer both SRTP and RTP due to a
> deficiency in the way SDP was specified.  The work-around is to offer
> two different instances of SIP as multipart MIME.  Add in media security
> keys and Proxy-inserted headers to do things like assert identity and
> you start blowing through 1500 bytes.  At that point, you have two
> choices... either use a transport like TCP to deal with message
> fragmentation (a poor choice, in my opinion), or start compressing the
> signaling using methods like SIGCOMP (RFC 3320/3321).
> 
> Sigh.... so much for SIP being a simple, lightweight protocol.
> 
> Geoff
> 
> 
> 
> ________________________________________
> 
> Date: Thu, 4 Aug 2005 14:41:45 -0700
> From: John Todd <jtodd at loligo.com>
> Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that
>         supports IPSec or transport layer security (hop-by-hop
> protection)?
> To: Voipsec at voipsa.org
> Message-ID: <p06020411bf1839520b0f at loligo.com>
> Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
> 
> At 9:27 AM -0600 8/4/05, Pankaj Shroff wrote:
> 
>>I think implementing TLS in the SIP User Agent is a prerogative of the User
>>Agent developer. I think almost all commercial SIP products out there (such
>>as software SIP User Agents, Proxies, etc., as well as Session Border
>>Controllers) should support TLS. I am not so sure about IPSec support
>>however. Also, S-RTP is still too new. I do not know of any product
>>available today that supports S-RTP out of the box. Good luck on your
>>project.
>> Pankaj
>>
>> On 8/4/05, dennis <m8939605 at yahoo.com.tw> wrote:
>>
>>> I intend to start a project(client) that will
>>> implement TLS, IPsec(secure SIP) and secure RTP. I'm
>>> surveying the products(client and server) that support
>>> TLS or IPsec. But
>>> I don't find any SIP client product that support TLS
>>> or IPsec. Does anyone know such SIP security products ?
>>>
>>--
>>Pankaj Shroff
>>shroffG at Gmail.com
> 
> 
> 
> I believe that the Sipura and Zultys platforms
> support both TLS and SRTP.  However, both
> companies have done what I believe to be a
> terrible job in advertising and promoting this
> capability, and there are very few SIP
> proxies/gateways which support either protocol.
> Zultys sells their own proxy/gateway, so is not
> inclined to help develop anything.  I'm sure
> there are others - Google should help you out
> here.
> 
> More open-source efforts towards implementing TLS
> and SRTP would be welcome, as far as I'm
> concerned.  The number of locations using
> Asterisk as both a SIP element and gateway
> element would make it a natural choice for such a
> stack to be implemented for open-source
> environments.  The topic of SRTP and TLS comes up
> every 6 months or so and gets a lot of approval,
> but the important half of "rough consensus and
> running code" never happens.
> 
> JT
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Sat, 6 Aug 2005 00:40:38 +0200
> From: Johan Bilien <jobi at via.ecp.fr>
> Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that
>         supports IPSec or transport layer security (hop-by-hop
> protection)?
> To: dennis <m8939605 at yahoo.com.tw>
> Cc: Voipsec at voipsa.org
> Message-ID: <20050805224037.GA28110 at via.ecp.fr>
> Content-Type: text/plain; charset=us-ascii
> 
> On Thu, Aug 04, 2005, dennis wrote:
> 
>>I intend to start a project(client) that will
>>implement TLS, IPsec(secure SIP) and secure RTP. I'm
>>surveying the products(client and server) that support
>>TLS or IPsec. But
>>I don't find any SIP client product that support TLS
>>or IPsec. Does anyone know such SIP security products ?
> 
> 
> Have a look at minisip (http://www.minisip.org/). It supports TLS for
> SIP messages, and both SRTP and IPsec to protect the media.
> 
> Johan.
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
> 
> End of Voipsec Digest, Vol 8, Issue 5
> *************************************
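The "avalanche of SYN messages" Geoff describes when a proxy bounces can be put in numbers. The following is an added example, not code from the thread or from any product mentioned in it: it bins the reconnect attempts of N TCP/TLS clients that all lose their connection at the same instant, first with immediate lockstep retries and then with a randomised first attempt plus full-jitter exponential backoff. The client count, backoff parameters and the jitter scheme are assumptions of this example, not something the thread proposes; each attempt stands for one TCP SYN plus one TLS handshake.

```python
import random
from collections import Counter


def attempt_histogram(n_clients, proxy_down_for, *, base=1.0, cap=16.0,
                      jitter=False, initial_spread=5.0, seed=1):
    """Bin every reconnect attempt into whole seconds since the proxy went down.

    Each client keeps attempting until an attempt falls at or after
    proxy_down_for, when the proxy is back and the TCP+TLS handshake succeeds.
    jitter=False: every client retries immediately, then after base, 2*base,
    4*base ... seconds, all in lockstep (the behaviour described in the thread).
    jitter=True: the first attempt is delayed by U(0, initial_spread) and each
    retry waits U(0, current_backoff) ("full jitter"); an assumed mitigation.
    """
    rng = random.Random(seed)  # seeded so the histogram is reproducible
    hist = Counter()
    for _ in range(n_clients):
        t = rng.uniform(0.0, initial_spread) if jitter else 0.0
        backoff = base
        while True:
            hist[int(t)] += 1  # one SYN plus one TLS ClientHello on the wire
            if t >= proxy_down_for:
                break  # proxy is up again; this attempt succeeds
            t += rng.uniform(0.0, backoff) if jitter else backoff
            backoff = min(cap, backoff * 2)
    return hist


def summarize(hist):
    """Return (peak attempts in any one second, total attempts, seconds spanned)."""
    return max(hist.values()), sum(hist.values()), max(hist) + 1


if __name__ == "__main__":
    # Constructed scenario: 10,000 registered clients, proxy unavailable for 5 s.
    for label, kwargs in (("lockstep", {}), ("jittered", {"jitter": True})):
        peak, total, span = summarize(attempt_histogram(10_000, 5.0, **kwargs))
        print(f"{label:9} peak/s={peak:6d} total={total:6d} over {span}s")
```

In the lockstep case every client hits the proxy in the same second, so the per-second peak equals the client population, which is exactly what a SYN-flood detector sees. Spreading the first attempt and the retries removes the synchronisation but does not remove the handshake cost: the total number of TCP and TLS handshakes stays above the client count until the proxy is back.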

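Geoff's point about INVITE size growing past 1500 bytes is also easy to check. The following is an added example, not code from the thread or from any product it names: it builds a constructed INVITE in three shapes (plain RTP SDP, SRTP SDP carrying SDES crypto lines, and the multipart/alternative RTP+SRTP workaround he mentions), with and without the headers a proxy typically inserts en route, measures the byte count and applies the RFC 3261 section 18.1.1 rule: a request within 200 bytes of the path MTU, or larger than 1300 bytes when the path MTU is unknown, must be sent over a congestion-controlled transport such as TCP. All URIs, addresses, tags, the SDES key and the Identity signature bytes are placeholders; the Identity and P-Asserted-Identity headers stand in for the "proxy-inserted headers to assert identity" he refers to.

```python
CRLF = "\r\n"

# RFC 3261 s18.1.1 thresholds. The 200-byte margin leaves room for Via and
# Record-Route headers added by proxies further along the path.
MTU_MARGIN = 200
UNKNOWN_MTU_LIMIT = 1300

# Constructed 30-byte master key + salt, base64 (40 chars), as SDES carries it.
FAKE_SDES_KEY = "WVNfX19fcGxhY2Vob2xkZXJfa2V5X3NhbHRfX19f"  # placeholder, not a real key

UA_HEADERS = [  # what a user agent itself emits (constructed values)
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds;rport",
    "Max-Forwards: 70",
    "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774",
    "To: Bob <sip:bob@biloxi.example.com>",
    "Call-ID: a84b4c76e66710@192.0.2.10",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@192.0.2.10:5060;transport=udp>",
    "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO, UPDATE",
    "Supported: replaces, timer, 100rel",
    "User-Agent: Example-UA/1.0",
]

# Headers proxies add in transit: another Via, Record-Route, and identity
# assertions (P-Asserted-Identity, RFC 3325; Identity/Identity-Info, RFC 4474,
# whose value is a base64 RSA signature; 172 chars for a 1024-bit key). The
# signature content here is a constructed placeholder.
PROXY_HEADERS = [
    "Via: SIP/2.0/UDP proxy1.atlanta.example.com:5060;branch=z9hG4bK77ef4c2312983.1",
    "Record-Route: <sip:proxy1.atlanta.example.com;lr>",
    "Record-Route: <sip:sbc.biloxi.example.com;lr>",
    'P-Asserted-Identity: "Alice" <sip:+15551234567@atlanta.example.com>',
    'Identity: "' + "A" * 172 + '"',
    "Identity-Info: <https://atlanta.example.com/cert>;alg=rsa-sha1",
]


def sdp(secure: bool) -> str:
    """One SDP body. RTP/AVP and RTP/SAVP cannot share an m= line, which is
    why an offer of both needs two bodies (multipart/alternative)."""
    lines = [
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        f"m=audio 49170 {'RTP/SAVP' if secure else 'RTP/AVP'} 0 8 101",
        "a=rtpmap:0 PCMU/8000",
        "a=rtpmap:8 PCMA/8000",
        "a=rtpmap:101 telephone-event/8000",
        "a=fmtp:101 0-16",
        "a=sendrecv",
    ]
    if secure:  # two SDES (RFC 4568) crypto offers, each with an inline key
        lines.append(f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{FAKE_SDES_KEY}|2^20|1:32")
        lines.append(f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{FAKE_SDES_KEY}|2^20|1:32")
    return CRLF.join(lines) + CRLF


def multipart_alternative(parts, boundary="unique-boundary-1") -> str:
    out = [f"--{boundary}{CRLF}Content-Type: application/sdp{CRLF}{CRLF}{p}" for p in parts]
    out.append(f"--{boundary}--{CRLF}")
    return "".join(out)


def build_invite(body_kind: str, via_proxy: bool) -> bytes:
    """body_kind is 'rtp', 'srtp' or 'both' (multipart/alternative RTP + SRTP)."""
    if body_kind == "both":
        body = multipart_alternative([sdp(False), sdp(True)])
        ctype = 'multipart/alternative;boundary="unique-boundary-1"'
    else:
        body = sdp(body_kind == "srtp")
        ctype = "application/sdp"
    headers = list(UA_HEADERS)
    if via_proxy:  # the proxy's Via goes on top, the rest anywhere below
        headers = PROXY_HEADERS[:1] + headers + PROXY_HEADERS[1:]
    headers += [f"Content-Type: {ctype}", f"Content-Length: {len(body.encode())}"]
    return ("INVITE sip:bob@biloxi.example.com SIP/2.0" + CRLF
            + CRLF.join(headers) + CRLF + CRLF + body).encode()


def choose_transport(msg_len: int, path_mtu=None) -> str:
    """Apply RFC 3261 s18.1.1 to a request of msg_len bytes."""
    if path_mtu is None:
        return "tcp" if msg_len > UNKNOWN_MTU_LIMIT else "udp"
    return "tcp" if msg_len > path_mtu - MTU_MARGIN else "udp"


def size_report(path_mtu=None):
    """Map (body_kind, via_proxy) -> (bytes on the wire, required transport)."""
    return {(kind, proxied): (len(build_invite(kind, proxied)),
                              choose_transport(len(build_invite(kind, proxied)), path_mtu))
            for kind in ("rtp", "srtp", "both") for proxied in (False, True)}


if __name__ == "__main__":
    for (kind, proxied), (n, transport) in size_report().items():
        print(f"{kind:5} proxied={str(proxied):5} {n:5d} bytes -> {transport}")
```

The plain RTP offer from the user agent fits comfortably in one datagram; once the offer carries both an RTP and an SRTP body and a proxy has added its identity and routing headers, the same INVITE crosses the 1300-byte line and RFC 3261 requires TCP whether the deployment wanted it or not, which is the size pressure the message above describes.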