[VOIPSEC] Interactive Connectivity Establishment (ICE)

Dan Wing dwing at cisco.com
Sat Nov 12 18:44:51 GMT 2005


> ICE has all kinds of issues.  If you want to pick on security, consider
> the following:
> 
> ICE uses TURN in cases where STUN doesn't solve the problem.  TURN makes
> it easy to defeat firewall policy since you can no longer block traffic
> at the firewall based on source IP address.  For example, if employees
> in a company have access to a TURN server out in the internet, there's
> no way to block web surfing to porn based on the IP address of the
> offending web servers.  As a result, corporate firewalls typically
> don't allow TURN.

As Randall pointed out, web surfing is over TCP, and TURN (and VoIP)
is over UDP.  So I'm not sure of the scenario you're ascribing to
TURN here.

> The specific case where STUN falls over is Double NAT: A device behind a
> NAT/Firewall talking to a device behind another NAT/Firewall.  STUN
> works well enough if only one of the endpoints is behind a NAT router
> and if the STUN service is embedded in the SIP proxy and media gateway
> so it works properly with symmetric NAT.

You mean like:

   Alice---NAT----------------------NAT---Bob

Where the Internet is between the two NATs?  STUN works fine there.  So does
ICE.
 
> My biggest issue with ICE isn't security; it's the potential for
> significant delays in establishing talk path.  You potentially have to
> re-signal your SDP (SIP re-INVITE) several times as the endpoints try
> different ICE methods to traverse NAT.

ICE-06 doesn't do that, although earlier versions of ICE, such as ICE-04,
did encourage such behavior in an attempt to utilize more efficient
media paths.  That has been dropped since ICE-05.

> Any solution to this problem is imperfect until we all migrate to IPv6
> where NAT is no longer necessary.

ICE will remain useful during the IPv4->IPv6 transition to validate that the
IPv6 or IPv4 path is viable before committing to it.

-d

> Geoff Devine
> Chief Architect
> Cedar Point Communications
> 
> 
> 
> ----------------------------------------------------------------------
> 
> Date: Sat, 12 Nov 2005 09:05:49 +0300
> From: "Jorge Sebastiao" <jorge at esgulf.com>
> Subject: [VOIPSEC] Interactive Connectivity Establishment (ICE)
> To: <Voipsec at voipsa.org>
> Message-ID: <20051111220548.59D14996 at dm19.mta.everyone.net>
> Content-Type: text/plain;	charset="US-ASCII"
> 
> This story on Microsoft and Cisco Systems team up to work on ICE.  It
> reads "Giants team to make VoIP work with firewalls" by working on
> Interactive Connectivity Establishment (ICE).
> 
> ICE is a proposed industry standard for a framework that would allow
> VOIP traffic to be exchanged between devices on NATed networks.
> 
> Any security implications or simply focus on interoperability?
> 
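The double-NAT question above (whether STUN-learned addresses work when the Internet sits between Alice's and Bob's NATs, and why symmetric NAT is the case where it fails) can be traced with a small constructed simulation. This is added example code, not part of the thread; the NAT model, the `Nat` class, the STUN server address and the endpoint addresses are all assumptions chosen for illustration.

```python
import itertools

# Constructed public addresses from documentation ranges, not from the thread.
STUN_SERVER = ("203.0.113.10", 3478)

class Nat:
    """Toy NAT: endpoint-independent ("cone") mapping by default, or symmetric
    (a fresh external port for every remote destination). Filtering is
    address-restricted: inbound passes only from an IP the inner host sent to."""
    def __init__(self, public_ip, symmetric=False):
        self.public_ip, self.symmetric = public_ip, symmetric
        self.ports = itertools.count(40000)
        self.mapping = {}   # key -> external port
        self.table = {}     # external port -> (inner addr, set of allowed remote IPs)

    def send(self, inner, remote):
        key = (inner, remote) if self.symmetric else inner
        if key not in self.mapping:
            self.mapping[key] = next(self.ports)
            self.table[self.mapping[key]] = (inner, set())
        port = self.mapping[key]
        self.table[port][1].add(remote[0])
        return (self.public_ip, port)        # source address as seen on the Internet

    def receive(self, ext_port, src):
        entry = self.table.get(ext_port)
        return entry[0] if entry and src[0] in entry[1] else None

def stun_binding(nat, inner):
    # Binding Request to the STUN server; the reply carries the source address
    # the server saw, which becomes the server-reflexive candidate.
    return nat.send(inner, STUN_SERVER)

def connectivity_check(nat_a, inner_a, nat_b, inner_b):
    """Both sides learn reflexive candidates, exchange them over signalling, then
    each sends an ICE check to the other's candidate. True when both checks are
    delivered, i.e. the Alice---NAT---Internet---NAT---Bob path works."""
    refl_a, refl_b = stun_binding(nat_a, inner_a), stun_binding(nat_b, inner_b)
    src_a = nat_a.send(inner_a, refl_b)  # A's check towards B opens A's filter for B
    src_b = nat_b.send(inner_b, refl_a)  # B's check towards A opens B's filter for A
    # ICE retransmits checks, so delivery is evaluated once both filters are open.
    return (nat_a.receive(refl_a[1], src_b) == inner_a
            and nat_b.receive(refl_b[1], src_a) == inner_b)

if __name__ == "__main__":
    alice, bob = ("10.0.0.2", 5004), ("172.16.0.9", 5004)
    print("cone/cone:", connectivity_check(Nat("198.51.100.1"), alice, Nat("192.0.2.1"), bob))
    print("symmetric/cone:", connectivity_check(
        Nat("198.51.100.1", symmetric=True), alice, Nat("192.0.2.1"), bob))
```

With two cone NATs the server-reflexive candidates are reachable from both sides; once one side is symmetric, the port the STUN server reported is not the port used towards the peer, so the check to that candidate is dropped and ICE must fall back to other candidates (such as TURN relays).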