[VOIPSEC] VPNs and VoIP

Geoff Devine gdevine at cedarpointcom.com
Sat Jul 29 09:47:54 CDT 2006


Michael Slavitch writes

>> VPNs are workarounds to bring the SIP/H.323 protocols back into a
>> protected/friendly network where you hope such forgings will not 
>> happen.
>>
>
> Indeed. Simplicity is better. SIP/H.323 had no solution. ICE is still
> a pain. Session border controllers are useless and a pain.  VPNs work
> for all and are a simple easy commodity.

ICE is also virtually impossible for a service provider to debug.  A
customer calls in complaining, "I made a call and had no talk path." Or,
even worse, "I made a call and had a 1-way talk path."  How would you
troubleshoot this?

I view SBCs as being useful in establishing a trust boundary.  Given the
incredible complexity of SIP, it's pretty easy to discover messages and
message sequences that will kill core services.  This may not be an
issue in the enterprise space but it certainly is an issue in the
service provider space.  The last thing you want in a pure proxy
topology is to have some script kiddie start blowing your media gateway
controllers out of the water.  Personally, I'd just stuff a Cavium chip
in my SBC, make it terminate the VPN, and call it a day.  I want the
B2BUA protocol trust boundary function out of the SBC, not the SDP
hacking to deal with NAT traversal issues.

Geoff



