[VOIPSEC] Watering down VoIP security expectations.
Simon Horne
s.horne at packetizer.com
Fri Mar 10 19:40:15 CST 2006
Dustin
>In my opinion, the VoIP industry is still in its relative infancy; it
>should be OK to leave some technology behind. Not every solution needs
>to be backward compatible. It would be nice if it is, but it shouldn't
>always be a requirement, and will most likely hinder the security the
>solution is meant to provide.
VoIP has been around for 10 years. That's some infancy :) The point is
that a holistic (or any) security framework was never a consideration when
formulating some VoIP protocols which makes securing them after the fact
much much more difficult.
It is very possible to create a holistic interoperable approach for
authentication and encryption (that goes most of the way); they are just
much more difficult to do in SIP.
See
http://www.voip-security-blog.com/
They can also natively work behind NATs but that is a whole different
thread :)
I guess the point of my rant (apart from livening up the list) is that we
should not cloud or limit our expectations on VoIP security because of what
we are using now but rather expect and demand VoIP security to do what we
NEED in the future. If we break things so be it, if we have to turn the
world on its head then let's do that too.
10 years is a long time to be crawling so let's stand up and start walking.....
Simon