[VOIPSEC] RE: TLS as the SIP security mechanism

Brian Rosen br at brianrosen.net
Thu Aug 11 08:49:05 PDT 2005


AFAIK, this was a localized access network failure.  It clearly wasn't a
failure of the DNS.  DNS is highly distributed.  Your "local resolver" can
fail.  Lots of access networks are not particularly well engineered to cope
with local resolver failure.  Specifically, there is often not a secondary
DNS server that is actually different enough that a failure of one isn't
equivalent to a failure of them all.

A typical setup is that the secondary server is on the same subnet, fed
from the same router, from the same uplink, and often from the same upstream
DNS server, and runs the same code as the primary.  When that happens, you
often get the same results from the secondary when the primary bogs down.

Don't do that :)

Brian
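Brian's point, that a secondary resolver on the same subnet, router and uplink is not a real secondary, can be turned into a quick configuration check. The following is an added example, not code from this thread or from any product discussed in it: it parses resolv.conf-style text (two constructed samples are embedded) and flags resolvers that sit in one /24 (or /48 for IPv6), since two addresses in one subnet almost always share the router, the uplink and the upstream forwarder. The subnet-sharing heuristic, the prefix lengths and the sample addresses are the example's own assumptions.

```python
import ipaddress

# Constructed resolv.conf samples (not taken from the thread). The first is
# the "secondary on the same subnet" setup Brian warns about; the second
# spreads the two resolvers across different networks.
SAME_SUBNET_CONF = """\
# generated by dhcp
search example.net
nameserver 192.0.2.10
nameserver 192.0.2.11
"""

DIVERSE_CONF = """\
search example.net
nameserver 192.0.2.10
nameserver 198.51.100.53
options timeout:2 attempts:2
"""

GLIBC_MAXNS = 3  # glibc's stub resolver only honours the first three nameserver lines


def parse_nameservers(resolv_conf: str) -> list:
    """Return the addresses on 'nameserver' lines, skipping comments and junk."""
    servers = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # '#' and ';' start comments
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # resolv.conf only accepts IP literals; ignore anything else
    return servers


def check_resolver_diversity(resolv_conf: str, v4_prefix: int = 24,
                             v6_prefix: int = 48) -> list:
    """Return a list of findings; an empty list means the resolvers look
    independent enough that one local failure should not take out both.

    Sharing a subnet is used as a stand-in for "same router, same uplink,
    same upstream"; the prefix lengths are an assumption of this example.
    """
    servers = parse_nameservers(resolv_conf)
    findings = []
    if len(servers) < 2:
        findings.append("fewer than two resolvers configured")
        return findings
    if len(servers) > GLIBC_MAXNS:
        findings.append(f"{len(servers)} resolvers listed but glibc only uses "
                        f"the first {GLIBC_MAXNS}")
    by_subnet = {}
    for srv in servers[:GLIBC_MAXNS]:
        plen = v4_prefix if srv.version == 4 else v6_prefix
        net = ipaddress.ip_network(f"{srv}/{plen}", strict=False)
        by_subnet.setdefault(net, []).append(str(srv))
    for net, members in by_subnet.items():
        if len(members) > 1:
            findings.append(f"{' and '.join(members)} share {net}; "
                            "a failure upstream of that subnet hits both")
    return findings


if __name__ == "__main__":
    for name, conf in (("same-subnet", SAME_SUBNET_CONF), ("diverse", DIVERSE_CONF)):
        problems = check_resolver_diversity(conf)
        print(name, "OK" if not problems else problems)
```

The check is static on purpose: it tells you whether the configuration can survive a local resolver failure, which is what Brian's "don't do that" is about, and it does not depend on the network being up when you run it.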

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Evans, Mark [NTK]
Sent: Wednesday, August 10, 2005 11:24 AM
To: Johnston, Alan; Geoff Devine; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] RE: TLS as the SIP security mechanism

No DNS outages? See the attached link

http://news.com.com/Another+broadband+outage+strikes+Comcast/2100-1034_3-5669961.html

Mark Evans


-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Johnston, Alan
Sent: Tuesday, August 09, 2005 7:41 AM
To: Geoff Devine; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] RE: TLS as the SIP security mechanism

TLS is the best choice for security in SIP for good reasons.  Some of the
most important are application layer awareness and mutual authentication.

Running SIP over UDP is simply no longer an option.  While it is possible to
offer very limited services and fit SIP messages into a datagram, as soon as
you start to do anything interesting, the messages become too large.   Throw
in presence and other services, and UDP is no longer an option.

As for managing TCP connections, the web folks have become quite good at
this - many solutions developed for HTTP work very well with SIP proxies.

And as for the five nines, you must have a very strange service in which a
single proxy failure counts as a complete service outage.  Failover using a
variety of techniques is basic to providing reliability in Internet
architectures.  For true reliability, I'd suggest looking at the DNS - there
haven't been any outages since around 1984, and all without any of the
expensive techniques used by telcos.  How many nines of reliability is this?

Thanks,
Alan Johnston
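The size argument Alan makes here, and the one Geoff makes in the quoted message below (a multipart RTP+SRTP offer, SDES keys and proxy-inserted identity headers pushing an INVITE past 1500 bytes), can be measured rather than argued. The following is an added example, not code from this thread or from any SIP stack: it builds two constructed INVITEs, one plain and one carrying the multipart workaround plus two proxy hops and identity headers, and applies the RFC 3261 section 18.1.1 rule for when a request must leave UDP for a congestion-controlled transport. Every address, header value, signature and key in it is a placeholder.

```python
import base64
from typing import List, Optional, Tuple

# Placeholder key material, NOT a real SRTP master key and salt
# (30 bytes, so it base64-encodes to the same 40 characters a real one would).
FAKE_SDES_KEY = base64.b64encode(b"placeholder-key+salt-30-bytes!").decode()


def sdp_body(ip: str, srtp: bool) -> str:
    """Constructed SDP offer for audio and video. With srtp=True the media
    lines use RTP/SAVP and carry SDES a=crypto lines (RFC 4568), which is
    where the extra bytes Geoff mentions come from."""
    profile = "RTP/SAVP" if srtp else "RTP/AVP"
    crypto = [f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{FAKE_SDES_KEY}"] if srtp else []
    lines = [
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {ip}",
        "s=-",
        f"c=IN IP4 {ip}",
        "t=0 0",
        f"m=audio 49170 {profile} 0 8 101",
        "a=rtpmap:0 PCMU/8000",
        "a=rtpmap:8 PCMA/8000",
        "a=rtpmap:101 telephone-event/8000",
        *crypto,
        f"m=video 51372 {profile} 31",
        "a=rtpmap:31 H261/90000",
        *crypto,
    ]
    return "\r\n".join(lines) + "\r\n"


def build_invite(parts: List[Tuple[str, str]], proxy_hops: int = 0,
                 assert_identity: bool = False) -> bytes:
    """Constructed INVITE. `parts` is a list of (content type, body); more than
    one part is wrapped in multipart/mixed, the RTP+SRTP workaround Geoff
    describes. proxy_hops adds the Via/Record-Route pairs proxies insert and
    assert_identity adds P-Asserted-Identity plus an Identity signature."""
    headers = [
        "INVITE sip:bob@biloxi.example.com SIP/2.0",
        "Via: SIP/2.0/UDP pc33.atlanta.example.com;branch=z9hG4bK776asdhds",
    ]
    for i in range(proxy_hops):
        headers.append(f"Via: SIP/2.0/UDP proxy{i}.atlanta.example.com;branch=z9hG4bK{i:08d}")
        headers.append(f"Record-Route: <sip:proxy{i}.atlanta.example.com;lr>")
    headers += [
        "Max-Forwards: 70",
        "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774",
        "To: Bob <sip:bob@biloxi.example.com>",
        "Call-ID: a84b4c76e66710@pc33.atlanta.example.com",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@pc33.atlanta.example.com>",
    ]
    if assert_identity:
        fake_sig = base64.b64encode(b"placeholder-signature-bytes" * 5).decode()  # not a real signature
        headers.append('P-Asserted-Identity: "Alice" <sip:alice@atlanta.example.com>')
        headers.append(f'Identity: "{fake_sig}"')
        headers.append("Identity-Info: <https://atlanta.example.com/cert.pem>;alg=rsa-sha1")
    if len(parts) == 1:
        ctype, body = parts[0]
    else:
        boundary = "boundary1"
        chunks = [f"--{boundary}\r\nContent-Type: {pt}\r\n\r\n{pb}" for pt, pb in parts]
        body = "\r\n".join(chunks) + f"\r\n--{boundary}--\r\n"
        ctype = f"multipart/mixed;boundary={boundary}"
    headers.append(f"Content-Type: {ctype}")
    headers.append(f"Content-Length: {len(body.encode())}")
    return ("\r\n".join(headers) + "\r\n\r\n" + body).encode()


def select_transport(message_len: int, path_mtu: Optional[int] = None) -> str:
    """RFC 3261 section 18.1.1: a request within 200 bytes of the path MTU, or
    larger than 1300 bytes when the path MTU is unknown, MUST be sent over a
    congestion-controlled transport (TCP, hence also TLS) instead of UDP."""
    limit = 1300 if path_mtu is None else path_mtu - 200
    return "tcp" if message_len > limit else "udp"


if __name__ == "__main__":
    small = build_invite([("application/sdp", sdp_body("192.0.2.10", srtp=False))])
    big = build_invite([("application/sdp", sdp_body("192.0.2.10", srtp=False)),
                        ("application/sdp", sdp_body("192.0.2.10", srtp=True))],
                       proxy_hops=2, assert_identity=True)
    for label, msg in (("plain RTP offer", small),
                       ("RTP+SRTP multipart, 2 proxies, identity", big)):
        print(f"{label}: {len(msg)} bytes -> {select_transport(len(msg))}")
```

The plain offer stays comfortably inside a datagram; the "interesting" one crosses the 1300-byte line before any MIKEY payload or compression is even considered, which is the point both Alan and Geoff are making from opposite sides: the size growth is real, and the RFC's own rule already forces the switch to TCP.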

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org 
> [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Geoff Devine
> Sent: Monday, August 08, 2005 8:03 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] RE: TLS as the SIP security mechanism
> 
> 
> I believe TLS is a poor choice as a security mechanism.  It's 
> unfortunate that it was placed in RFC 3261 as the recommended 
> security method.  TLS must be run over a reliable transport 
> (TCP).  TCP has all kinds of scaling issues when you're 
> running hundreds of thousands of instances of TCP on a big 
> Carrier-class SIP proxy.  It's almost impossible to make TCP 
> redundant so if the SIP proxy bounces, all the SIP user 
> agents have to establish new TCP connections and then 
> negotiate new security associations.  This creates an 
> avalanche of SYN messages and looks just like a classic SYN 
> attack.  I don't know how you achieve carrier-class five 9's 
> availability in this kind of environment since your 10 minute 
> outage budget for the year is blown out of the water any time 
> you bounce a SIP proxy.
>  
> There's an IETF draft for a security mechanism called DTLS.  
> DTLS runs over UDP so it doesn't suffer the TCP scaling and 
> startup issues.  The only issue with UDP-based SIP is that you 
> need to keep the messages "small" to avoid fragmentation.  
> SIP messages are typically fairly small but they can explode 
> in size when you start doing media security key exchanges 
> embedded in your SIP messaging using MIKEY or SDESCRIPTIONS.  
> We're seeing sizes get bigger and bigger.  For example, in 
> the session description protocol, you can't offer both SRTP 
> and RTP due to a deficiency in the way SDP was specified.  
> The work-around is to offer two different instances of SIP as 
> multipart MIME.  Add in media security keys and 
> Proxy-inserted headers to do things like assert identity and 
> you start blowing through 1500 bytes.  At that point, you 
> have two choices... either use a transport like TCP to deal 
> with message fragmentation (a poor choice, in my opinion), or 
> start compressing the signaling using methods like SIGCOMP 
> (RFC 3320/3321).
>  
> Sigh.... so much for SIP being a simple, lightweight protocol.
>  
> Geoff
>  
>  
> 
> ________________________________________
> 
> Date: Thu, 4 Aug 2005 14:41:45 -0700
> From: John Todd <jtodd at loligo.com>
> Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that supports IPSec or transport layer security (hop-by-hop protection)?
> To: Voipsec at voipsa.org
> Message-ID: <p06020411bf1839520b0f at loligo.com>
> Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
> 
> At 9:27 AM -0600 8/4/05, Pankaj Shroff wrote:
> >
> >I think implementing TLS in the SIP User Agent is a prerogative of the
> >User Agent developer. I think almost all commercial SIP products out 
> >there (such as software SIP User Agents, Proxies, etc., as well as 
> >Session Border
> >Controllers) should support TLS. I am not so sure about IPSec support
> >however. Also, S-RTP is still too new. I do not know of any product
> >available today that supports S-RTP out of the box. Good luck on your
> >project.
> >  Pankaj
> >
> >  On 8/4/05, dennis <m8939605 at yahoo.com.tw> wrote:
> >>
> >>  I intend to start a project(client) that will
> >>  implement TLS, IPsec(secure SIP) and secure RTP. I'm surveying the
> >>  products(client and server) that support TLS or IPsec. But
> >>  I don't find any SIP client product that support TLS
> >>  or IPsec. Does anyone know such SIP security products ?
> >>
> >>  __________________________________________________
> >  > http://messenger.yahoo.com.tw/
> >  >
> >--
> >Pankaj Shroff
> >shroffG at Gmail.com
> 
> 
> I believe that the Sipura and Zultys platforms
> support both TLS and SRTP.  However, both
> companies have done what I believe to be a
> terrible job in advertising and promoting this
> capability, and there are very few SIP
> proxies/gateways which support either protocol.
> Zultys sells their own proxy/gateway, so is not
> inclined to help develop anything.  I'm sure
> there are others - Google should help you out
> here.
> 
> More open-source efforts towards implementing TLS
> and SRTP would be welcome, as far as I'm
> concerned.  The number of locations using
> Asterisk as both a SIP element and gateway
> element would make it a natural choice for such a
> stack to be implemented for open-source
> environments.  The topic of SRTP and TLS comes up
> every 6 months or so and gets a lot of approval,
> but the important half of "rough consensus and
> running code" never happens.
> 
> JT
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Sat, 6 Aug 2005 00:40:38 +0200
> From: Johan Bilien <jobi at via.ecp.fr>
> Subject: Re: [VOIPSEC] Are there any SIP client and proxy server that supports IPSec or transport layer security (hop-by-hop protection)?
> To: dennis <m8939605 at yahoo.com.tw>
> Cc: Voipsec at voipsa.org
> Message-ID: <20050805224037.GA28110 at via.ecp.fr>
> Content-Type: text/plain; charset=us-ascii
> 
> On Thu, Aug 04, 2005, dennis wrote:
> > I intend to start a project(client) that will
> > implement TLS, IPsec(secure SIP) and secure RTP. I'm surveying the 
> > products(client and server) that support TLS or IPsec. But
> > I don't find any SIP client product that support TLS
> > or IPsec. Does anyone know such SIP security products ?
> 
> Have a look at minisip (http://www.minisip.org/). It supports 
> TLS for SIP messages, and both SRTP and IPsec to protect the media.
> 
> Johan.
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org 
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
> 
> End of Voipsec Digest, Vol 8, Issue 5
> 
> *************************************
> 
> 
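Geoff's reconnect avalanche in the quoted message above (every user agent re-establishing its TCP/TLS session the instant a proxy comes back, then all retrying in lock-step) is easy to reproduce in a small simulation, and the same simulation shows what the standard client-side mitigation, a jittered initial delay plus exponential backoff with jitter for refused connections, does to the peak load and to the time until everyone is back. This is an added example, not code from the thread or from any SIP implementation; the client count, the proxy's accept rate and the backoff parameters are constructed values.

```python
import random
from collections import Counter
from typing import Callable, Optional, Tuple

# A policy maps (attempt number, rng) to the number of seconds a client waits
# before its next connection attempt. Attempt 0 is the first try after the
# proxy comes back.
Policy = Callable[[int, random.Random], float]


def immediate_fixed_retry(attempt: int, rng: random.Random) -> float:
    """Everyone reconnects at once and retries a refused attempt after exactly
    5 s: the synchronized SYN wave Geoff describes."""
    return 0.0 if attempt == 0 else 5.0


def jittered_backoff(attempt: int, rng: random.Random,
                     initial_spread: float = 10.0, cap: float = 32.0) -> float:
    """Spread the first attempt uniformly over initial_spread seconds, then use
    exponential backoff with full jitter (uniform in [0, 2**attempt], capped)."""
    if attempt == 0:
        return rng.uniform(0.0, initial_spread)
    return rng.uniform(0.0, min(cap, 2.0 ** attempt))


def simulate_reconnect_storm(n_clients: int, accepts_per_sec: int, policy: Policy,
                             seed: int = 1, horizon: int = 600) -> Tuple[int, Optional[int]]:
    """Model a proxy that can complete accepts_per_sec handshakes per second
    and refuses the rest. Returns (peak connection attempts offered in any one
    second, second in which the last client got through, or None if the
    horizon ran out)."""
    rng = random.Random(seed)
    pending = [(policy(0, rng), 0) for _ in range(n_clients)]  # (due time, attempt)
    offered = Counter()
    finished = None
    for t in range(horizon):
        due = [c for c in pending if c[0] <= t]
        if due:
            offered[t] += len(due)
            waiting = [c for c in pending if c[0] > t]
            refused = due[accepts_per_sec:]  # the proxy takes the first N this second
            for _, attempt in refused:
                waiting.append((t + policy(attempt + 1, rng), attempt + 1))
            pending = waiting
        if not pending:
            finished = t
            break
    return (max(offered.values()) if offered else 0), finished


if __name__ == "__main__":
    for name, policy in (("fixed retry", immediate_fixed_retry),
                         ("jittered backoff", jittered_backoff)):
        peak, done = simulate_reconnect_storm(10_000, 500, policy)
        print(f"{name:17s} peak {peak:6d} attempts/s, all reconnected at t={done}s")
```

With the fixed policy the proxy sees the full population every five seconds until it has drained them, which is indistinguishable from a SYN flood to any rate limiter in front of it; with jitter the offered load stays within a small multiple of what the proxy can actually accept. The proxy-side half of the mitigation (SYN cookies, accept-queue sizing, connection-rate limits that distinguish a restart from an attack) is outside this small model.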

_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org


