[VOIPSEC] VPNs and VoIP
Michael Slavitch
slavitch at gmail.com
Sun Jul 30 07:12:36 CDT 2006
"Given the incredible complexity of SIP"
Buh? SIP is simple. It's the bellheads who made it hard.
On 7/29/06, Geoff Devine <gdevine at cedarpointcom.com> wrote:
> Michael Slavitch writes
>
> >> VPNs are workarounds to bring the SIP/H.323 protocols back into a
> >> protected/friendly network where you hope such forgings will not
> >> happen.
> >>
> >
> > Indeed. Simplicity is better. SIP/H.323 had no solution. ICE is still
> > a pain. Session border controllers are useless and a pain. VPNs work
> > for all and are a simple easy commodity.
>
> ICE is also virtually impossible for a service provider to debug. A
> customer calls in complaining, "I made a call and had no talk path." Or,
> even worse, "I made a call and had a 1-way talk path." How would you
> troubleshoot this?
>
> I view SBCs as being useful in establishing a trust boundary. Given the
> incredible complexity of SIP, it's pretty easy to discover messages and
> message sequences that will kill core services. This may not be an
> issue in the enterprise space but it certainly is an issue in the
> service provider space. The last thing you want in a pure proxy
> topology is to have some script kiddie start blowing your media gateway
> controllers out of the water. Personally, I'd just stuff a Cavium chip
> in my SBC, make it terminate the VPN, and call it a day. I want the
> B2BUA protocol trust boundary function out of the SBC, not the SDP
> hacking to deal with NAT traversal issues.
>
> Geoff