[VOIPSEC] VPNs and VoIP (was: Re: VoIP Attack : How feasible)

Simon Horne s.horne at packetizer.com
Sat Jul 29 01:41:58 CDT 2006


At 09:21 AM 29/07/2006, Michael Slavitch wrote:

> > VPNs are workarounds to bring the SIP/H.323 protocols back into a
> > protected/friendly network where you hope such forgings will not happen.
> >
>
>Indeed. Simplicity is better. SIP/H.323 had no solution. ICE is still
>a pain. Session border controllers are useless and a pain.  VPNs work
>for all and are a simple easy commodity.
>Why sniff?

Don't lose sight that ICE has very important functionality as it attempts to
find ways to traverse a NAT without proxying media. The idea is very good 
but the practical execution is a little painful. To correct your comment, 
in H.323, you are actually spoilt for choice for NAT Traversal. I know of 3
methods, 2 standards and one non-standard. There are two standard methods, 
H.460.17/19 which Radvision uses and H.460.18/19 which has been adopted as 
the preferred method of traversal.  Both require no special end user 
configuration and have no media startup delay. A lot of video terminals 
have recently been released or are currently under development that support
H.460.18/19. There is also the non-standard GnuGK method, for which you can find
software and hardware (IP Phones and Gateways) devices that support it. We are
currently doing a lot of development on extending NAT support in H.323 to 
allow functional point to point calling (avoiding the need to proxy, much 
like what ICE attempts to do).

Given that H.323 already contains an end-to-end security framework (H.235), 
it's quite possible to add secure NAT support to existing deployed networks 
without having to force the installation of a VPN or requiring network 
upgrades (except to deploy a server to assist NAT Traversal, which is
available for free and open source).

My point is that these solutions do exist in a standards based VoIP 
protocol, they work and they can be deployed today, just they are not
available in SIP.

Simon  