[VOIPSEC] VoIP Attack : How feasible
Dan Wing
dwing at cisco.com
Tue Jul 25 11:21:08 CDT 2006
> John DePietro writes:
> > In my opinion, even though TLS (SIPS, HTTPS, S/MIME) and SRTP provide
> > better end-to-end security and are optional for wireless standards
> > (3GPP, 3GPP2 and WIMAX), they do not fit as economically as IPSEC
> > from a network equipment deployment perspective, yet!
>
> My ongoing issue with TLS is the technical difficulty of making TCP
> redundant in a fully scaled carrier-class environment. If you don't
> make it redundant, you end up having storms of TCP SYN and TLS
> authentication messages whenever you have a node failure or an access
> network failure. This blows any five 9's availability requirement out
> of the water.
sip-outbound's approach is to make TLS connections to two edge
proxies.
> I believe the 3GPP approach is the correct
> one... put SIP on a diet so it fits within an MTU and
> you can use UDP.
The problem isn't just SIP but also SDP. Here is an example of SDP
that is over 10K bytes long:
http://www1.ietf.org/mail-archive/web/mmusic/current/msg04205.html
And the problem is fragmenting UDP, too. See:
http://www.ietf.org/internet-drafts/draft-heffner-frag-harmful-02.txt
It is time to abandon SIP over UDP.
-d
> Run transport
> mode IPSec which is very straightforward to make redundant. Sadly,
> SIGCOMP is an unfortunately complex way of putting SIP on a diet. We
> need to invent a better "binary SIP" compression standard.
>
> I think TLS is somewhat better when used inside the core where you have
> a much smaller number of connections/sockets and don't face the
> initialization/restart storm problem. TCP is a little worrying to use
> in the core since a few dropped packets can cause flow control to be
> invoked on mission-critical signaling. SCTP is a better transport and
> is less prone to this problem.
>
> SRTP is fairly straightforward to make redundant in a carrier-class
> media gateway. The only tricky bit is dealing with RTP sequence number
> wrap for a codec that uses silence suppression/voice activity
> detection.
>
>
> Geoff Devine
> Chief Architect
> Cedar Point Communications
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
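The UDP fragmentation point raised above, as an added example that is not part of the thread: given a SIP INVITE carrying an SDP body, count the IPv4 fragments it needs at a 1500-byte path MTU and the chance that losing any one fragment discards the whole request. The SDP offer, the INVITE headers and the 1% per-packet loss rate are constructed values, not taken from the linked message.

```python
# Added example, not code from the thread. Assumes IPv4 (20-byte header),
# UDP (8-byte header) and a 1500-byte path MTU; all message content is constructed.
import math

IPV4_HEADER = 20
UDP_HEADER = 8

def build_sdp(repeats: int) -> bytes:
    """Constructed SDP offer: a session header plus one media block repeated
    `repeats` times, to imitate the multi-kilobyte offers the thread refers to."""
    header = ("v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
              "c=IN IP4 192.0.2.10\r\nt=0 0\r\n")
    media = ("m=audio 49170 RTP/AVP 0 8 18 96 97 98\r\n"
             "a=rtpmap:96 AMR/8000\r\na=fmtp:96 octet-align=1\r\n"
             "a=rtpmap:97 AMR-WB/16000\r\na=rtpmap:98 telephone-event/8000\r\n")
    return (header + media * repeats).encode("ascii")

def ipv4_fragments(udp_payload_len: int, mtu: int = 1500) -> int:
    """Number of IPv4 fragments a UDP datagram with this payload size needs.
    Fragment offsets are in 8-byte units, so each non-final fragment carries
    the largest multiple of 8 bytes that fits after the IP header."""
    ip_payload = UDP_HEADER + udp_payload_len   # UDP header rides in fragment 1
    usable = mtu - IPV4_HEADER
    if ip_payload <= usable:
        return 1
    per_fragment = usable // 8 * 8
    return math.ceil(ip_payload / per_fragment)

def datagram_loss_probability(fragments: int, packet_loss: float) -> float:
    """IP never retransmits a single fragment: losing any one loses the whole
    datagram, so the SIP layer has to retransmit the entire request."""
    return 1.0 - (1.0 - packet_loss) ** fragments

def fragmentation_report(sdp: bytes, packet_loss: float = 0.01,
                         mtu: int = 1500) -> dict:
    """Summarise how a constructed INVITE carrying `sdp` fares over UDP."""
    headers = (  # constructed SIP request line and headers
        "INVITE sip:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:alice@example.com>;tag=1928301774\r\n"
        "To: <sip:bob@example.com>\r\nCall-ID: a84b4c76e66710\r\n"
        "CSeq: 314159 INVITE\r\nContent-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp)}\r\n\r\n").encode("ascii")
    n = ipv4_fragments(len(headers) + len(sdp), mtu)
    return {"message_bytes": len(headers) + len(sdp), "fragments": n,
            "loss_probability": datagram_loss_probability(n, packet_loss)}
```

Running `fragmentation_report(build_sdp(60))` shows a request of several kilobytes split across half a dozen fragments, each of which must arrive for the INVITE to be delivered at all.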