[VOIPSEC] Is it feasible that we just protect part (master key) of SDP to pass some Middle boxes (firewalls, SBCs and other ALGs)?

Mark Baugher mbaugher at cisco.com
Tue Jan 10 09:54:12 PST 2006


It's possible to use multipart/signed and have the entire SDP message
signed and the keys in the message encrypted. I always favored that
approach. There are other concerns, however, and the current
approach in SIP AFAICT is to use multipart/alternative so that a
legacy endpoint that does not understand SRTP can still process an
incoming call, see
http://tools.ietf.org/wg/sipping/draft-jennings-sipping-multipart-01.txt

Mark

On Jan 10, 2006, at 6:50 AM, dennis wrote:

> Dear all,
>
> Because some SIP proxies need to modify the SDP etc.
> (such as SBCs modifying IP and port values), which
> can make S/MIME more fun to do,
> why don't we use S/MIME to encrypt part (master key) of
> the SDP?
> Like this:
>
> INVITE sip:bob@biloxi.com SIP/2.0
> Via: SIP/2.0/UDP pc33.atlanta.com;branch=z9hG4bKnashds8
> To: Bob <sip:bob@biloxi.com>
> From: Alice <sip:alice@atlanta.com>;tag=1928301774
> Call-ID: a84b4c76e66710
> CSeq: 314159 INVITE
> Max-Forwards: 70
> Contact: <sip:alice@pc33.atlanta.com>
> Content-Type: application/pkcs7-mime;
>   smime-type=enveloped-data;
>   name=smime.p7m
> Content-Disposition: attachment; filename=smime.p7m;
>   handling=required
>
> v=0
> o=sam 2890844526 2890842807 IN IP4 10.47.16.5
> s=SRTP Discussion
> i=A discussion of Secure RTP
> u=http://www.example.com/seminars/srtp.pdf
> e=marge@example.com (Marge Simpson)
> c=IN IP4 168.2.17.12
> t=2873397496 2873404696
> m=audio 49170 RTP/SAVP 0
> **********************************************************
> *a=crypto:1 AES_CM_128_HMAC_SHA1_80			 *
> *inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4*
> *FEC_ORDER=FEC_SRTP					 *
> **********************************************************
> --boundary42
> Content-Type: application/pkcs7-signature;
>   name=smime.p7s
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment; filename=smime.p7s;
>   handling=required
>
> ghyHhHUujhJhjH77n8HHGTrfvbnj756tbB9HG4VQpfyF467GhIGfHfYT6
> 4VQpfyF467GhIGfHfYT6jH77n8HHGghyHhHUujhJh756tbB9HGTrfvbnj
> n8HHGTrfvhJhjH776tbB9HG4VQbnj7567GhIGfHfYT6ghyHhHUujpfyF4
> 7GhIGfHfYT64VQbnj756
> --boundary42--
>
>
> Best regards,
> Dennis

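The trade-off discussed in this thread, as an added example that is not part of either message: it compares a signature covering the whole SDP body with one covering only the a=crypto line, after a middlebox rewrites the c= and m= lines. Assumptions: a SHA-256 digest stands in for the digest an S/MIME signature is computed over, the relay address and port are constructed values, and `sbc_rewrite` is a hypothetical model of an SBC.

```python
import hashlib
import re

# Constructed sample: abridged copy of the SDP offer quoted above, CRLF line endings.
OFFER = "\r\n".join([
    "v=0",
    "o=sam 2890844526 2890842807 IN IP4 10.47.16.5",
    "s=SRTP Discussion",
    "c=IN IP4 168.2.17.12",
    "t=2873397496 2873404696",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
    "inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4 FEC_ORDER=FEC_SRTP",
]) + "\r\n"


def sbc_rewrite(sdp, relay_ip, relay_port):
    """Hypothetical middlebox: anchor media on a relay by rewriting c= and m=."""
    sdp = re.sub(r"(?m)^c=IN IP4 \S+", f"c=IN IP4 {relay_ip}", sdp)
    return re.sub(r"(?m)^(m=\w+) \d+", rf"\g<1> {relay_port}", sdp)


def digest(sdp, scope):
    """SHA-256 over the bytes a signature with this scope would cover."""
    if scope == "crypto-only":
        sdp = "\r\n".join(ln for ln in sdp.split("\r\n") if ln.startswith("a=crypto:"))
    return hashlib.sha256(sdp.encode()).hexdigest()


def survives_rewrite(scope, relay_ip="192.0.2.10", relay_port=40000):
    """True if a signature with this coverage still verifies after the rewrite."""
    return digest(OFFER, scope) == digest(sbc_rewrite(OFFER, relay_ip, relay_port), scope)


def unprotected_fields(sdp, scope):
    """SDP line types that can change without invalidating the signature."""
    if scope == "whole":
        return []
    return sorted({ln[0] for ln in sdp.split("\r\n") if ln and not ln.startswith("a=crypto:")})


if __name__ == "__main__":
    for scope in ("whole", "crypto-only"):
        print(scope, survives_rewrite(scope), unprotected_fields(OFFER, scope))
```

Whole-body coverage fails verification once the SBC touches the body; key-only coverage passes, but the receiver then has no integrity check on the c= and m= lines that say where the media goes.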