[VOIPSEC] Interactive Connectivity Establishment (ICE)
dwing at cisco.com
Sat Nov 12 18:44:51 GMT 2005
> ICE has all kinds of issues. If you want to pick on
> security, consider the following:
> ICE uses TURN in cases where STUN doesn't solve the problem.
> TURN makes it easy to defeat firewall policy since you can no longer block traffic
> at the firewall based on source IP address. For example, if employees
> in a company have access to a TURN server out in the internet, there's
> no way to block web surfing to porn based on the IP address of the
> offending web servers. As a result, corporate firewalls
> typically don't allow TURN.
As Randall pointed out, web surfing is over TCP, and TURN (and VoIP)
is over UDP. So I'm not sure of the scenario you're ascribing to
> The specific case where STUN falls over is Double NAT: A device behind a
> NAT/Firewall talking to a device behind another NAT/Firewall.
> works well enough if only one of the endpoints is behind a NAT router
> and if the STUN service is embedded in the SIP proxy and media gateway
> so it works properly with symmetric NAT.
You mean like:
Where the Internet is between the two NATs? STUN works fine there. So does
> My biggest issue with ICE isn't security; it's the potential for
> significant delays in establishing talk path. You potentially have to
> re-signal your SDP (SIP re-INVITE) several times as the endpoints try
> different ICE methods to traverse NAT.
ICE-06 doesn't do that, although earlier versions of ICE, such as ICE-04,
did encourage such behavior in an attempt to utilize more efficient
media paths. That has been dropped since ICE-05.
> Any solution to this problem is imperfect until we all migrate to IPv6
> where NAT is no longer necessary.
ICE will remain useful during the IPv4->IPv6 transition to validate the
IPv6 or IPv4 path is viable before committing to it.
> Geoff Devine
> Chief Architect
> Cedar Point Communications
> Date: Sat, 12 Nov 2005 09:05:49 +0300
> From: "Jorge Sebastiao" <jorge at esgulf.com>
> Subject: [VOIPSEC] Interactive Connectivity Establishment (ICE)
> To: <Voipsec at voipsa.org>
> Message-ID: <20051111220548.59D14996 at dm19.mta.everyone.net>
> Content-Type: text/plain; charset="US-ASCII"
> This story on Microsoft and Cisco Systems team up to work on ICE. It
> "Giants team to make VoIP work with firewalls" by working on
> Connectivity Establishment (ICE).
> ICE is a proposed industry standard for a framework that would allow
> traffic to be exchanged between devices on NATed networks.
> Any security implications or simply focus on interoperability?
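Added example, not part of the thread: a Python check, written from the firewall administrator's side, that parses the ICE candidates in an SDP offer and flags relay (TURN) candidates whose server lies outside an approved set, the policy the quoted post says corporate firewalls enforce by blocking TURN outright. It assumes the RFC 8445 a=candidate syntax (later than the ICE-06 draft under discussion) and uses constructed addresses from the documentation ranges.

```python
import ipaddress
import re
from typing import List, NamedTuple

# a=candidate syntax per RFC 8445 (assumed; the ICE-06 draft discussed in the thread predates it)
CANDIDATE_RE = re.compile(
    r"^a=candidate:\S+ \d+ (?P<transport>\S+) \d+ (?P<addr>\S+) (?P<port>\d+) "
    r"typ (?P<typ>host|srflx|prflx|relay)\b"
)

class Candidate(NamedTuple):
    typ: str          # host, srflx (STUN-discovered), prflx, or relay (TURN-allocated)
    transport: str
    addr: str         # for a relay candidate this is the TURN server's address
    port: int

def parse_candidates(sdp: str) -> List[Candidate]:
    """Extract every ICE candidate line from an SDP body; other lines are ignored."""
    found = []
    for line in sdp.splitlines():
        m = CANDIDATE_RE.match(line.strip())
        if m:
            found.append(Candidate(m["typ"], m["transport"].upper(), m["addr"], int(m["port"])))
    return found

def relay_violations(sdp: str, approved_turn_nets: List[str]) -> List[Candidate]:
    """Relay candidates whose TURN server is outside the approved networks. A relayed
    path hides the real peer behind the TURN server's address, which is why source-IP
    filtering stops working; an address that cannot be parsed as an IP is flagged too."""
    nets = [ipaddress.ip_network(n) for n in approved_turn_nets]
    bad = []
    for cand in parse_candidates(sdp):
        if cand.typ != "relay":
            continue
        try:
            ip = ipaddress.ip_address(cand.addr)
        except ValueError:        # e.g. a hostname: cannot be checked, so report it
            bad.append(cand)
            continue
        if not any(ip in net for net in nets):
            bad.append(cand)
    return bad

# Constructed SDP fragment using documentation address ranges, not captured traffic.
SAMPLE_SDP = """m=audio 49170 RTP/AVP 0
a=candidate:1 1 UDP 2130706431 10.0.0.5 49170 typ host
a=candidate:2 1 UDP 1694498815 203.0.113.7 49170 typ srflx raddr 10.0.0.5 rport 49170
a=candidate:3 1 UDP 16777215 198.51.100.20 3478 typ relay raddr 203.0.113.7 rport 49170
a=candidate:4 1 UDP 16777214 192.0.2.44 3478 typ relay raddr 203.0.113.7 rport 49170
"""
APPROVED_TURN = ["198.51.100.0/24"]   # constructed: the company's own TURN servers
```

Calling relay_violations(SAMPLE_SDP, APPROVED_TURN) on the sample reports only the relay candidate at 192.0.2.44; the host and STUN-derived (srflx) candidates keep a real peer address and are left to ordinary source-IP filtering.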