[VOIPSEC] RE: TLS as the SIP security mechanism

Geoff Devine gdevine at cedarpointcom.com
Wed Aug 10 14:51:47 PDT 2005


Last time I looked many months ago, there was a Rosenberg draft for SIP over SCTP.  It's really intended for trunking applications.  We've built SCTP and use it to run SS#7 over IP.  As a mechanism for connecting soft switches together, SIP/SCTP is a really good thing.  

I'm not so comfortable using SCTP on SIP clients.  It has even more scaling issues than TCP if you're trying to have thousands of instances of it since it supports multiple threads per connection and a heavyweight heartbeat mechanism down redundant NICs.  Big cost both in memory and CPU horsepower.

Geoff

-----Original Message-----
From: Jim Cliver [mailto:jclive at aptalaska.net] 
Sent: Wednesday, August 10, 2005 1:11 PM
To: Chris at infravast.com
Cc: Geoff Devine; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] RE: TLS as the SIP security mechanism

Forgive my ignorance here, but has SCTP been considered as a transport protocol
for SIP instead of TCP?

Thank you,
jim

Christopher A. Martin wrote:
> A properly engineered sip deployment will not be relying on a single SIP
> proxy but will actually be a distributed system (these do exist) that
> can handle issues such as this, either with DNS SRV or SBC's. 
> 
> Five nines on the other hand is not yet achievable in the open Internet
> since you cannot guarantee a suitable SLA over the Internet to meet five
> nines...that said a properly engineered internal solution can be
> implemented with five nines guarantee, if suitable redundancy and DR
> methodology is considered in the design. 
> 
> MMoIP is a new paradigm that will change the rules a bit when it comes
> to the five nines concept. We are not discussing a closed system anymore
> and the open standards are what we are engineering to. 
> 
> There will be a need to define a new set of acceptable quality
> parameters; cellular is a good example of this. People still use it even
> if it doesn't meet five nines.
> 
> There will also be a need to utilize the existing mechanisms while
> augmenting them at the same time, which means that realistically we will
> need to be creative with what we have at hand and what is emerging. 
> 
> As for engineering ethics, SIP is based loosely on http and smtp with a
> little of this and a little of that. :) I don't think it inappropriate
> to compare the two, especially since I was referring to state at the
> time. VoIP is more suitably considered multimedia over ip rather than
> just pure telephony...there is just much more to consider, hence our
> security concerns. 
> 
> I realize that I am painting with broad strokes here.
> 
> Chris
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Geoff Devine
> Sent: 08/09/2005 7:21 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> The problem is that when a large SIP proxy goes down, it takes a
> significant amount of time before all the SIP user agents can
> re-establish a TCP connection and a security association.  If you are
> trying to meet the five 9's requirements of primary line telephony, this
> is completely unacceptable.  You could kill someone when they try to
> dial '911' and fail to complete the call due to a flood of TCP and TLS
> resynchronization.  Comparing SIP using TCP/TLS to an https web
> application is completely inappropriate.  Engineering ethics require
> that we come up with a better solution.
>  
> Geoff
> 
> ________________________________
> 
> From: Christopher A. Martin [mailto:chris at infravast.com]
> Sent: Mon 8/8/2005 8:21 PM
> To: Geoff Devine; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> 
> 
> TCP is what they should have gone with in the first place (They have
> basically engineered UDP to be TCP-like when they developed sip). That
> said, a properly distributed proxy solution for signaling using TLS
> should not be any worse than a properly implemented https
> implementation. The characteristics are the same for both protocols in
> terms of state.
> 
> That's just my 2 cents.
> Chris
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Geoff Devine
> Sent: 08/08/2005 8:03 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> I believe TLS is a poor choice as a security mechanism.  It's
> unfortunate that it was placed in RFC 3261 as the recommended security
> method.  TLS must be run over a reliable transport (TCP).  TCP has all
> kinds of scaling issues when you're running hundreds of thousands of
> instances of TCP on a big Carrier-class SIP proxy.  It's almost
> impossible to make TCP redundant so if the SIP proxy bounces, all the
> SIP user agents have to establish new TCP connections and then negotiate
> new security associations.  This creates an avalanche of SYN messages
> and looks just like a classic SYN attack.  I don't know how you achieve
> carrier-class five 9's availability in this kind of environment since
> your 10 minute outage budget for the year is blown out of the water any
> time you bounce a SIP proxy.
> 
> There's an IETF draft for a security mechanism called DTLS.  DTLS runs
> over UDP so it doesn't suffer the TCP scaling and startup issues.  The
> only issue with UDP-based SIP is that you need to keep the messages
> "small" to avoid fragmentation.  SIP messages are typically fairly small
> but they can explode in size when you start doing media security key
> exchanges embedded in your SIP messaging using MIKEY or SDESCRIPTIONS.
> We're seeing sizes get bigger and bigger.  For example, in the session
> description protocol, you can't offer both SRTP and RTP due to a
> deficiency in the way SDP was specified.  The work-around is to offer
> two different instances of SIP as multipart MIME.  Add in media security
> keys and Proxy-inserted headers to do things like assert identity and
> you start blowing through 1500 bytes.  At that point, you have two
> choices... either use a transport like TCP to deal with message
> fragmentation (a poor choice, in my opinion), or start compressing the
> signaling using methods like SIGCOMP (RFC 3320/3321).
> 
> Sigh.... so much for SIP being a simple, lightweight protocol.
> 
> Geoff
> 
> 
> 
> ________________________________________
> 
> Date: Thu, 4 Aug 2005 14:41:45 -0700
> From: John Todd <jtodd at loligo.com>
> Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that supports IPSec or transport layer security ( hop-by-hop protection)?
> To: Voipsec at voipsa.org
> Message-ID: <p06020411bf1839520b0f at loligo.com>
> Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
> 
> At 9:27 AM -0600 8/4/05, Pankaj Shroff wrote:
> 
>>I think implementing TLS in the Sip User Agent is a prerogative of the User
>>Agent developer. I think almost all commercial SIP products out there (such
>>Controllers) should support TLS. I am not so sure about IPSec support
>>however. Also, S-RTP is still too new. I do not know of any product
>>available today that supports S-RTP out of the box. Good luck on your
>>project.
>> Pankaj
>>
>> On 8/4/05, dennis <m8939605 at yahoo.com.tw> wrote:
>>
>>> I intend to start a project(client) that will
>>> implement TLS, IPsec(secure SIP) and secure RTP. I'm
>>> surveying the products(client and server) that support
>>> TLS or IPsec. But
>>> I don't find any SIP client product that support TLS
>>> or IPsec. Does anyone know such SIP security products ?
>>>
>>--
>>Pankaj Shroff
>>shroffG at Gmail.com
> 
> 
> 
> I believe that the Sipura and Zultys platforms
> support both TLS and SRTP.  However, both
> companies have done what I believe to be a
> terrible job in advertising and promoting this
> capability, and there are very few SIP
> proxies/gateways which support either protocol.
> Zultys sells their own proxy/gateway, so is not
> inclined to help develop anything.  I'm sure
> there are others - Google should help you out
> here.
> 
> More open-source efforts towards implementing TLS
> and SRTP would be welcome, as far as I'm
> concerned.  The number of locations using
> Asterisk as both a SIP element and gateway
> element would make it a natural choice for such a
> stack to be implemented for open-source
> environments.  The topic of SRTP and TLS comes up
> every 6 months or so and gets a lot of approval,
> but the important half of "rough consensus and
> running code" never happens.
> 
> JT
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Sat, 6 Aug 2005 00:40:38 +0200
> From: Johan Bilien <jobi at via.ecp.fr>
> Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that supports IPSec or transport layer security ( hop-by-hop protection)?
> To: dennis <m8939605 at yahoo.com.tw>
> Cc: Voipsec at voipsa.org
> Message-ID: <20050805224037.GA28110 at via.ecp.fr>
> Content-Type: text/plain; charset=us-ascii
> 
> On Thu, Aug 04, 2005, dennis wrote:
> 
>>I intend to start a project(client) that will
>>implement TLS, IPsec(secure SIP) and secure RTP. I'm
>>surveying the products(client and server) that support
>>TLS or IPsec. But
>>I don't find any SIP client product that support TLS
>>or IPsec. Does anyone know such SIP security products ?
> 
> 
> Have a look at minisip (http://www.minisip.org/). It supports TLS for
> SIP messages, and both SRTP and IPsec to protect the media.
> 
> Johan.
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
> 
> End of Voipsec Digest, Vol 8, Issue 5
> *************************************
> 

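The size problem Geoff raises in the quoted thread (an INVITE that carries RTP and SRTP offers as multipart MIME and approaches the MTU) can be checked against the rule RFC 3261 section 18.1.1 gives for UDP. The following is an added example, not code from anyone in this thread; the SIP headers, addresses and the SRTP key string are constructed sample values.

```python
from typing import List, Optional
CRLF = "\r\n"

def sdp_offer(profile: str, crypto_key: Optional[str] = None) -> str:
    """Minimal SDP offer for one audio stream (constructed sample values)."""
    lines = [
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        f"m=audio 49170 {profile} 0",
    ]
    if crypto_key:  # SRTP keying via SDP security descriptions (a=crypto)
        lines.append(f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{crypto_key}")
    return CRLF.join(lines) + CRLF

def multipart_body(parts: List[str], boundary: str) -> str:
    """Carry several SDP alternatives as multipart/mixed, as the thread describes."""
    out = ""
    for part in parts:
        out += f"--{boundary}{CRLF}Content-Type: application/sdp{CRLF}{CRLF}{part}"
    return out + f"--{boundary}--{CRLF}"

def build_invite(body: str, content_type: str) -> bytes:
    """Assemble a SIP INVITE (constructed sample headers) around the given body."""
    headers = [
        "INVITE sip:bob@example.com SIP/2.0",
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds",
        "From: Alice <sip:alice@example.com>;tag=1928301774",
        "To: Bob <sip:bob@example.com>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
        f"Content-Type: {content_type}",
        f"Content-Length: {len(body.encode())}",
    ]
    return (CRLF.join(headers) + CRLF + CRLF + body).encode()

def udp_safe(request: bytes, path_mtu: Optional[int] = None) -> bool:
    """RFC 3261 18.1.1: within 200 bytes of the MTU, or >1300 with MTU unknown, means no UDP."""
    if path_mtu is None:
        return len(request) <= 1300
    return len(request) < path_mtu - 200

SAMPLE_KEY = "PS1uQCVeeCFCanVmcjNXGRdtBWlbR4dZfGE4a3Bp"  # constructed, not a real key
PLAIN = build_invite(sdp_offer("RTP/AVP"), "application/sdp")
BOTH = build_invite(multipart_body([sdp_offer("RTP/AVP"),
                                    sdp_offer("RTP/SAVP", SAMPLE_KEY)], "b1"),
                    "multipart/mixed;boundary=b1")
```

A sender that finds `udp_safe` false for a request must fall back to a congestion-controlled transport such as TCP, which is exactly the trade-off the thread argues about.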