[VOIPSEC] TLS [Was: Cisco 7920 wireless IP Phones]

Zmolek, Andrew (Andy) zmolek at avaya.com
Fri May 27 20:23:59 BST 2005


 
David Ebel wrote:

> I think everyone is forgetting that there is no VOIP protocol
> that will work over TLS, SSL, or SSH. I have yet to have 
> figured out how to use SSL or SSH over UDP.

What is meant by this? The SIP standard is very clear on the use of TLS
(via the sips: URI scheme), although there are somewhat fewer vendors
that implement it. At least one other vendor protects their proprietary
signaling with TLS as well, and there are non-TLS encryption schemes in
use by a large number of vendors. In general there is nothing inherent
about VoIP signaling that is incompatible with TLS.

As far as media goes, most vendors prefer to use UDP which isn't
compatible with TLS (or SSL/SSH for that matter) but the existing
standards for media encryption are based on AES and are more than
adequate from an encryption perspective (see RFC 3711). The fundamental
challenge today remains implementation and interoperability since there
are few vendors there today and among those there remain several
competing key management approaches and other basic signaling
mismatches.

Nevertheless, the point is that there are adequate VoIP security
solutions in the marketplace if one is willing to do the research. TLS
is a decent way to protect signaling (though it has its drawbacks and is
probably not a good fit for media in most cases). Other good
alternatives exist as well, although I doubt you're going to see "free"
VoIP services supported over TLS any time soon.

--Andy
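
The split described in the message above (TLS for SIP signaling via sips:, SRTP per RFC 3711 for UDP media) can be checked per call. The following is an added example, not part of the original post: `audit_invite` and the sample INVITE are constructed for illustration, and the `a=crypto` (RFC 4568) and `a=key-mgmt` (RFC 4567) attributes it looks for are two SRTP keying methods assumed here, not ones the post names.

```python
import re

# Constructed sample: SIP INVITE with SDP body (hosts, tags and key are made up).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sips:bob@example.com SIP/2.0",
    "Via: SIP/2.0/TLS pc1.example.org;branch=z9hG4bKconstructed",
    "From: <sips:alice@example.org>;tag=1",
    "To: <sips:bob@example.com>",
    "Call-ID: constructed-1@pc1.example.org",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY",
    "m=video 49172 RTP/AVP 31",
])

def audit_invite(message):
    """Report signaling and per-stream media protection for one SIP request."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_uri = lines[0].split(" ")[1]
    # Top-most Via header ("v:" is its compact form) carries the transport.
    via = next((l for l in lines[1:] if l.lower().startswith(("via:", "v:"))), "")
    m = re.search(r"SIP/2\.0/(\w+)", via, re.I)
    report = {
        "sips_uri": request_uri.lower().startswith("sips:"),
        "via_transport": m.group(1).upper() if m else None,
        "media": [],
    }
    stream = None
    for line in body.split("\r\n"):
        if line.startswith("m="):
            kind, port, profile = line[2:].split(" ")[:3]
            # RTP/SAVP is the SRTP profile; RTP/AVP is unprotected RTP.
            stream = {"kind": kind, "profile": profile,
                      "srtp": profile.upper().startswith("RTP/SAVP"), "keying": []}
            report["media"].append(stream)
        elif stream is not None and line.startswith("a=crypto:"):
            stream["keying"].append("sdes")
        elif stream is not None and line.startswith("a=key-mgmt:"):
            stream["keying"].append("key-mgmt")
    return report
```

Only media-level keying attributes are counted; a session-level `a=key-mgmt` line before the first `m=` line is not attributed to any stream.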


