[VOIPSEC] Using SRTP for University project

Hadriel Kaplan HKaplan at acmepacket.com
Mon Mar 27 13:09:52 CST 2006 


> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Cesc Santasusana
> Sent: Monday, March 27, 2006 4:10 AM
> To: Christian.Stredicke at snom.de; Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Using SRTP for University project
> 
> - "joe average" (say ... 99% of the users) doesn't care about the
> security ... he even does not care (much) about his call being
> wiretapped (the current pstn allows that too) ... give him free
> unlimited calling, he'll be happy.

Make that more like 99.9%.

> - for the rest of users, that small minority ... they do care about
> security ... they do NOT want their calls being intercepted ... so SDES
> just doesn't cut it for them. And actually, this is probably a niche
> market ... but very powerful ... economically, i mean. Enterprises don't
> want (or should not want, we just have to educate them ;D ) their calls
> among employees being intercepted (by any government). The government
> itself does not want his calls being intercepted ... and so on and so
> on.  And here is where MIKEY (and others) have its chances ... but there
> won't probably be just one survivor here

Enterprises don't typically care, so long as their competition cannot
wiretap it.  Some actually want to wiretap it themselves. (for example,
recording support center calls "for customer quality reasons")  But if
they're a security-conscious enterprise they will use IPSec or SSL VPNs
anyway, or some such, and control their own data enough that we don't need
to help them.

The government sector is another matter altogether, and no matter what we do
they will have their own needs, based on the government.  For example some
parts of the US Government care almost as much about hiding who's calling
whom and when, as what they say to each other.  But whatever those needs
are, they are not cheap to deploy in the endpoints or the service providers,
and the governments will pay extra for them and oversee them to some extent.
Expecting the 99.9% who need a fraction of the requirements, to pay the same
costs of overhead is not realistic.

Geoff Devine had it dead-on.  This is a cost/scale issue.  The majority of
voip traffic today (except Skype's) eventually goes through media gateways
to the PSTN (to wireline or cell).  This will not change for several years
at least.  Expecting media-gateways to handle SRTP is one thing (and even
that's a tough pill), but expecting them to do call-by-call public-key
cryptography is quite unrealistic I think.  

I'd prefer the most secure solution possible, but a solution which cannot
scale or be easily used by the majority is not a solution at all, and will
fail.  

-hadriel

More information about the Voipsec mailing list