[VOIPSEC] TLS and Firewalls

Brian Rosen br at brianrosen.net
Tue Feb 8 21:53:55 GMT 2005


Let's keep the pieces straight:

We have the SIP signaling, and we have the media streams.
The mechanisms for securing them are separate, but we negotiate media
mechanisms with the signaling.

So, for the SIP session, usually we use TLS.
Remember please that there are three (and sometimes four) parts to securing
a signaling exchange.  Authentication (and sometimes authorization),
integrity protection and privacy (encryption).  TLS gives you the three, but
you don't have to use all three.  In particular, you can have authentication
and integrity protection without encryption OF THE SIGNALING.  This is
pretty useful.

You are correct that TLS is used on TCP and not UDP.  SIP can run on TCP,
and when we use TLS, that's what we do.  

Now, on the media streams.  We use RTP (on UDP), and we protect them with
SRTP.  Sometimes we need to send keying material to set up the SRTP keys in
the signaling (the SDP in the SIP message).  This would necessitate
encrypting the SIP session.

And, of course, if the firewall has to peer into the SIP message to figure
out the RTP ports to open a pinhole, and you encrypt the SDP, you are hosed.
This is a known problem, and there have been suggestions for selectively
encrypting the SIP messages so that we can tell the firewall what to do
while protecting what we need to protect.

Just to get my own plug in, SIP can be used to carry location information.
This is used in, among other things, emergency calls (9-1-1/1-1-2).  SIP
standards say that when you use SIP to convey location, you MUST encrypt it
to protect the location data.  So, you MUST use TLS (or some other mechanism
if both ends support it) when you make an emergency call.  Should a firewall
or an SBC stop it because it can't do whatever it is that it thinks it
should be doing, someone can die. Big problem.

Brian

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Tim Moses
> Sent: Tuesday, February 08, 2005 2:47 PM
> To: 'Volker Tanger'; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] TLS and Firewalls
> 
> Is it not also true that you can't secure UDP with TLS?  All the best.
> Tim.
> 
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Volker Tanger
> Sent: Tuesday, February 08, 2005 1:17 PM
> To: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] TLS and Firewalls
> 
> 
> Greetings!
> 
> On Tue, 08 Feb 2005 18:25:04 +0100
> "Thorsten Brinkmann" <mail at Thorsten-Brinkmann.de> wrote:
> 
> > securing VoIP (e.g. SIP) with TLS is a nice idea. But how can
> > firewalls handle this? Look at the workarounds are needed to use HTTPS
> > thru firewalls.
> 
> Not at all - the RTP part is the complicated one, opening two completely
> independent UDP streams in both directions, usually without any connection
> to the SIP session.
> 
> The SIP session usually is done between client and gateway/server or the
> two gates/servers. After signaling RTP goes between the clients doing the
> audio transfer.
> 
> And for handling that the firewall *MUST* be able to look into the SIP or
> H.323 protocol. Which then is not to be encrypted. So no TLS if you want
> the audio stream too and not just the "ringing/busy/okay"-messaging, sorry.
> 
> Bye
> 
> Volker
> 
> --
> 
> Volker Tanger    http://www.wyae.de/volker.tanger/
> --------------------------------------------------
> vtlists at wyae.de                    PGP Fingerprint
> 378A 7DA7 4F20 C2F3 5BCC  8340 7424 6122 BB83 B8CB
> 
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> 
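Added example, not from any message in this thread: the parsing a SIP-aware firewall (ALG) has to do on an INVITE to learn which RTP/RTCP pinholes to open (session- and media-level c= lines, m= ports), the check that flags SRTP keying material crossing a hop that is not TLS-protected, and what the same firewall is left with once the SDP body is S/MIME-wrapped. All addresses, ports, the a=crypto key and the opaque blob are constructed placeholders; the a=crypto form is the SDES syntax of RFC 4568, and the pkcs7-mime body type is the S/MIME mechanism of RFC 3261 section 23.

```python
# Added example, not from the VOIPSEC thread: what a SIP-aware firewall (ALG)
# reads out of an INVITE to open RTP pinholes, and what it loses once the SDP
# is encrypted. Every address, port and key below is constructed for illustration.

def build_invite(body, content_type):
    """Constructed INVITE from alice to bob carrying the given body."""
    return (
        "INVITE sip:bob@example.net SIP/2.0\r\n"
        "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:alice@example.org>;tag=1928301774\r\n"
        "To: <sip:bob@example.net>\r\n"
        "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Content-Type: {content_type}\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
        "\r\n" + body
    )

# Cleartext SDP offer. The a=crypto line is the SDES form (RFC 4568) of the
# "keying material in the SDP" the thread refers to; its key value is a placeholder.
SDP_OFFER = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_SRTP_MASTER_KEY\r\n"
    "m=video 51372 RTP/AVP 31\r\n"
    "c=IN IP4 192.0.2.11\r\n"   # media-level c= overrides the session address
)

INVITE_CLEAR = build_invite(SDP_OFFER, "application/sdp")
# Same offer wrapped as an S/MIME body (RFC 3261 section 23): the firewall sees
# only opaque bytes. The blob here is a stand-in, not real CMS output.
INVITE_OPAQUE = build_invite("MIIB...PLACEHOLDER-S/MIME-BLOB...", "application/pkcs7-mime")


def parse_sip(raw):
    """Split a SIP message into request line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def media_pinholes(sdp):
    """Return (address, port, transport) the firewall must open per m= line,
    plus the RTCP port (port + 1, the RFC 3550 default when no a=rtcp is given).
    A media-level c= line overrides the session-level one."""
    session_addr = None
    streams = []
    for line in sdp.splitlines():
        if line.startswith("c="):
            addr = line.split()[2]
            if streams:
                streams[-1]["addr"] = addr   # media-level c= applies to the last m=
            else:
                session_addr = addr          # session-level c= precedes all m= lines
        elif line.startswith("m="):
            _media, port, proto, *_fmts = line[2:].split()
            streams.append({"addr": session_addr, "port": int(port), "proto": proto})
    holes = []
    for s in streams:
        holes.append((s["addr"], s["port"], s["proto"]))
        holes.append((s["addr"], s["port"] + 1, s["proto"]))  # RTCP
    return holes


def cleartext_key_material(sdp):
    """SDES a=crypto lines carry the SRTP master key in the clear."""
    return [line for line in sdp.splitlines() if line.startswith("a=crypto:")]


def firewall_view(raw, hop_is_tls):
    """What a SIP ALG on this hop can do with the message.
    pinholes: what it can open; keys_exposed: SRTP keys crossed a hop that is
    not TLS-protected (worth alerting on); opaque: body encrypted, nothing to read."""
    _, headers, body = parse_sip(raw)
    if headers.get("content-type") != "application/sdp":
        return {"pinholes": [], "keys_exposed": False, "opaque": True}
    keys = cleartext_key_material(body)
    return {"pinholes": media_pinholes(body),
            "keys_exposed": bool(keys) and not hop_is_tls,
            "opaque": False}


if __name__ == "__main__":
    for label, msg in (("clear SDP", INVITE_CLEAR), ("encrypted SDP", INVITE_OPAQUE)):
        print(label, firewall_view(msg, hop_is_tls=True))
```

Run as a script it prints the four pinholes the ALG would open for the cleartext offer and an empty, opaque result for the S/MIME-wrapped one, which is the "you are hosed" case above: the firewall that needs the SDP to open media ports cannot have it if the SDP is what carries the SRTP keys and therefore must be confidential.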