[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive Connectivity Establishment (ICE))
Chris Boulton
cboulton at ubiquity.net
Wed Nov 16 15:52:29 GMT 2005
I don't believe the business case for S/MIME is workable.
SIP with TLS and SRTP-based media using any number of key management
techniques seems to be the solution with the strongest business case and
most consensus.
[Chris Boulton] Agreed that both are important in a secure context.
An SBC in the middle of the TLS signaling and SRTP media path solves the
encryption issue that otherwise breaks ALG functionality.
[Chris Boulton] TLS is fine for 'hop-by-hop' security but you are
placing your security trust in elements that are routing further down
the signaling path. SIP has no means to force an unknown element to use
TLS and security can easily be downgraded at a rogue proxy (making
end-to-end important).
I don't see why identity/privacy is an issue with an SBC... perhaps I'm
missing something
[Chris Boulton] Identity uses a hash of key SIP components such as
Call-ID and the message body to name a few. As soon as a B2BUA (or SBC)
alters ANY components in the message that are used for the hash -
Identity breaks.
Fundamentally, I believe that SIP is suffering from too many technical
options and not enough end to end solutions. My comments are intended to
create solutions with a business case that meets the requirements of 95%
of the user communities. I believe it does so
1. STUN through ICE for the now (and possibly the future) .. TURN piece seems worthless for most
2. SIP Proxy/NAT/FW with ALG functionality for media for future small scale
3. SBC for large scale performing media and signaling relay functionality
If groups like us don't make these decisions, then the vendors with the
greatest influence will create the solutions based on their business
plans, imho...
Ken
-----Original Message-----
From: Chris Boulton [mailto:cboulton at ubiquity.net]
Sent: Wednesday, November 16, 2005 5:11 AM
To: kapnet at mindspring.com; Dan Wing; Randell Jesup
Cc: Voipsec at voipsa.org
Subject: RE: [VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:
Interactive Connectivity Establishment (ICE))
For more scalable enterprise implementations, it seems most likely that
the data firewall will remain in place and all voice will pass through
the new "IP communications firewall" (aka Session Border Controller)
which will proxy all voice traffic and bearer channels leaving the
enterprise. Encryption issues are solved, NATing issues are solved,
lawful intercept issues are handled, and we may actually have a product
to make money with instead of a "protocol."
[Chris Boulton] I'm a bit confused. 'Encryption issues are solved' -
can you explain what you mean by this please? How would an SBC work
with S/MIME and SIP Identity at the moment? Perhaps you don't mean 'aka
SBC' which usually act as a B2BUA?
Information contained in this e-mail and any attachments are intended
for the use of the addressee only, and may contain confidential
information of Ubiquity Software Corporation. All unauthorized use,
disclosure or distribution is strictly prohibited. If you are not the
addressee, please notify the sender immediately and destroy all copies
of this email. Unless otherwise expressly agreed in writing signed by an
officer of Ubiquity Software Corporation, nothing in this communication
shall be deemed to be legally binding. Thank you.
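
The point made in the thread about Identity breaking at a B2BUA, as an added example that is not part of the original messages: it builds a digest string over the signed header fields and body, modelled on the digest-string of RFC 4474, and compares a proxy that only adds a Via with an SBC that rewrites Call-ID, Contact and SDP. The sample INVITE, the host names, the helper names and the bare SHA-1 standing in for the real signature are constructed assumptions.

```python
import hashlib

FIELDS = ("from", "to", "call-id", "cseq", "date", "contact", "body")

def addr_spec(value):
    """URI inside <...>, or the bare URI with header parameters dropped."""
    if "<" in value:
        return value[value.index("<") + 1:value.index(">")]
    return value.split(";")[0].strip()

def signed_fields(raw):
    """Extract the fields the Identity hash covers from a raw SIP request."""
    head, _, body = raw.partition("\r\n\r\n")
    hdr = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        hdr[name.strip().lower()] = value.strip()
    out = {k: hdr[k] for k in ("call-id", "cseq", "date")}
    out.update({k: addr_spec(hdr[k]) for k in ("from", "to", "contact")})
    out["body"] = body
    return out

def identity_hash(raw):
    # Assumption: plain SHA-1 stands in for the signature a verifier checks.
    f = signed_fields(raw)
    return hashlib.sha1("|".join(f[k] for k in FIELDS).encode()).hexdigest()

def broken_fields(sent, received):
    """Names of covered fields that differ between what was signed and what arrived."""
    a, b = signed_fields(sent), signed_fields(received)
    return [k for k in FIELDS if a[k] != b[k]]

def proxy_hop(raw):
    """Constructed: a proxy that only prepends its own Via header."""
    first, rest = raw.split("\r\n", 1)
    return first + "\r\nVia: SIP/2.0/TLS proxy.example.com;branch=z9hG4bKp1\r\n" + rest

def b2bua_hop(raw):
    """Constructed: an SBC that rewrites Call-ID, Contact and the SDP address."""
    return (raw.replace("a84b4c76e66710", "sbc-7f3e")
               .replace("alice@ua.example.com", "alice@sbc.example.org")
               .replace("192.0.2.10", "198.51.100.5"))

# Constructed sample INVITE (not taken from the thread).
ORIGINAL = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/TLS ua.example.com;branch=z9hG4bKa1",
    "From: Alice <sip:alice@example.com>;tag=1928",
    "To: <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710", "CSeq: 1 INVITE",
    "Date: Wed, 16 Nov 2005 15:52:29 GMT",
    "Contact: <sip:alice@ua.example.com>",
    "Content-Type: application/sdp", "",
    "v=0\r\nc=IN IP4 192.0.2.10\r\nm=audio 49170 RTP/AVP 0\r\n"])
```

`broken_fields` is the useful call when troubleshooting a failed verification: it names which covered fields an intermediary changed.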