[VOIPSEC] IAX2 entity auth and more
Dan Wing
dwing at fuggles.com
Fri Mar 2 11:58:22 CST 2007
derek macmurchy wrote:
> I have been doing some reading on voip security and I have a couple
> of questions I hope someone could help with:
> 1. I have heard differing opinions on which is the predominant
> signalling protocol for voip; some say SIP, others various
> proprietary ones. Can anyone point me to solid research on
> this?
Cisco has the largest market share of IP PBXs (the most installed
phones) and almost all of those use SCCP, Cisco's proprietary call
signaling protocol. If you're talking about what is used on the
Internet between companies, the next biggest protocol is probably
H.323. Then it's probably SIP or Avaya's or Nortel's proprietary
signaling protocol next. There are many ways to slice the pie
and make assumptions about which signaling protocol is being used
in different places. For what it's worth, most of the industry
are either doing SIP now or are adding SIP to their product lines
(3GPP, 3GPP2, IETF, and all the major IP PBX vendors), on the
line side (to their phones) and on the trunk side (to
other IP PBXs or to VoIP service providers).
> 2. I have been reading the ietf draft of the IAX2 protocol;
> particularly the MD5 based unilateral entity authentication
> mechanism. Does anyone know precisely what is concatenated with
> the challenge and, presumably, the shared secret before being
> hashed and sent to the server as the authentication response?
If it isn't in the draft (draft-guy-iax-02) you should be able to
find your answer in the source code. I am not familiar with how
they do their authentication.
> 3. The srtp rfc (I do not know the number as I am writing this on a
> nokia e61 phone) was released in 2004.
RFC3711.
> Again, is there any
> research on how quickly this standard is being incorporated into
> new or existing products/applications?
Off the top of my head I know it is implemented by Counterpath, snom,
Avaya, Nortel, and Cisco, all with shipping implementations. I don't
know of any research papers that cite market share or take rates,
though.
One of the difficulties with SRTP is interoperability with keying;
there are about 15 ways to key SRTP. I am co-chairing the RTPSEC
BoF at the upcoming IETF on that topic. There is an old Blue Box
podcast interview I did the last time we had the RTPSEC BoF and
tackled the requirements - you might dig that up if you're
interested in more details around SRTP keying.
-d