[VOIPSEC] Interactive Connectivity Establishment (ICE)

Geoff Devine gdevine at cedarpointcom.com
Sat Nov 12 08:39:33 CST 2005


ICE has all kinds of issues.  If you want to pick on security, consider
the following:

ICE uses TURN in cases where STUN doesn't solve the problem.  TURN makes
it easy to defeat firewall policy since you can no longer block traffic
at the firewall based on source IP address.  For example, if employees
in a company have access to a TURN server out in the internet, there's
no way to block web surfing to porn based on the IP address of the
offending web servers.  As a result, corporate firewalls typically don't
allow TURN.

The specific case where STUN falls over is Double NAT: A device behind a
NAT/Firewall talking to a device behind another NAT/Firewall.  STUN
works well enough if only one of the endpoints is behind a NAT router
and if the STUN service is embedded in the SIP proxy and media gateway
so it works properly with symmetric NAT.

My biggest issue with ICE isn't security; it's the potential for
significant delays in establishing talk path.  You potentially have to
re-signal your SDP (SIP re-INVITE) several times as the endpoints try
different ICE methods to traverse NAT.

Any solution to this problem is imperfect until we all migrate to IPv6
where NAT is no longer necessary.

Geoff Devine
Chief Architect
Cedar Point Communications
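The symmetric-NAT point in Geoff's message is easy to see in a small model. The following Python is an added illustration, not part of the original post or of any VoIPSA or Cedar Point code: a toy NAT that can behave as a cone NAT (mapping keyed on the internal socket only) or a symmetric NAT (mapping keyed on internal socket plus destination), and a check of whether the address a STUN Binding Response would report is the one the NAT actually uses toward the media peer. The IP addresses, ports and the simplified NAT behaviour are all constructed assumptions; a real NAT also has filtering and timeout behaviour that this model leaves out.

```python
"""Toy model of why a STUN-learned address fails behind a symmetric NAT.

Constructed example (not from the original mailing-list post). Addresses
are documentation ranges; the NAT model is deliberately minimal.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

Endpoint = Tuple[str, int]          # (ip, port)


@dataclass
class Nat:
    public_ip: str
    symmetric: bool                 # False = cone NAT, True = symmetric NAT
    next_port: int = 40000
    table: Dict[tuple, Endpoint] = field(default_factory=dict)

    def translate(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        """Public (ip, port) used for a packet from `internal` to `dest`.

        A cone NAT keys the binding on the internal socket alone, so every
        destination sees the same public port.  A symmetric NAT also keys
        on the destination, so each new peer gets a fresh public port.
        """
        key = (internal, dest) if self.symmetric else (internal,)
        if key not in self.table:
            self.table[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.table[key]


def stun_reflexive_address(nat: Nat, internal: Endpoint,
                           stun_server: Endpoint) -> Endpoint:
    """What the STUN Binding Response reports (MAPPED-ADDRESS): the source
    the STUN server saw, i.e. the NAT binding created toward the server."""
    return nat.translate(internal, stun_server)


def media_path_works(nat: Nat, internal: Endpoint,
                     stun_server: Endpoint, peer: Endpoint) -> bool:
    """The endpoint advertises the STUN-learned address in SDP and the
    peer sends RTP there.  Inbound RTP is only accepted if that public
    port is the binding the NAT really uses for traffic toward the peer;
    otherwise the peer hits a binding tied to the STUN server and the
    endpoint's own RTP leaves from a different port."""
    advertised = stun_reflexive_address(nat, internal, stun_server)
    actual = nat.translate(internal, peer)
    return advertised == actual


def scenarios() -> Dict[str, bool]:
    """Three constructed cases matching the argument in the post."""
    inside = ("10.0.0.5", 5004)                 # phone behind the NAT
    stun = ("198.51.100.10", 3478)              # stand-alone STUN server
    gateway = ("192.0.2.20", 10000)             # media gateway RTP socket
    results = {}

    # 1. Cone NAT, separate STUN server: the one binding serves everyone.
    results["cone, separate STUN"] = media_path_works(
        Nat("203.0.113.1", symmetric=False), inside, stun, gateway)

    # 2. Symmetric NAT, separate STUN server: the advertised port belongs
    #    to the binding toward the STUN server, not toward the gateway.
    results["symmetric, separate STUN"] = media_path_works(
        Nat("203.0.113.1", symmetric=True), inside, stun, gateway)

    # 3. Symmetric NAT, STUN answered on the gateway's own media socket
    #    (the "STUN embedded in the media gateway" case): same destination,
    #    same binding, so the learned address is the one that is used.
    results["symmetric, STUN on media gateway"] = media_path_works(
        Nat("203.0.113.1", symmetric=True), inside, gateway, gateway)
    return results


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:35s} -> {'talk path OK' if ok else 'media lost'}")
```

Case 3 is essentially what ICE later standardised: STUN connectivity checks are multiplexed on the media port itself, so the address being verified is the one the media will actually use, at the cost of the extra round trips Geoff complains about.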



----------------------------------------------------------------------

Date: Sat, 12 Nov 2005 09:05:49 +0300
From: "Jorge Sebastiao" <jorge at esgulf.com>
Subject: [VOIPSEC] Interactive Connectivity Establishment (ICE)
To: <Voipsec at voipsa.org>
Message-ID: <20051111220548.59D14996 at dm19.mta.everyone.net>
Content-Type: text/plain;	charset="US-ASCII"

This story is on Microsoft and Cisco Systems teaming up to work on ICE. It
reads "Giants team to make VoIP work with firewalls", by working on
Interactive Connectivity Establishment (ICE).

ICE is a proposed industry standard for a framework that would allow VoIP
traffic to be exchanged between devices on NATed networks.

Any security implications or simply focus on interoperability?
