[VOIPSEC] IAX2 entity auth and more
dan_york at Mitel.com
Mon Mar 5 16:15:09 CST 2007
Derek,
Just to echo Dan Wing's comments... and also to say that when you say
"VoIP" you have to differentiate between the different kinds of "VoIP".
There's a number of ways you can slice it up, but I'll do it this way:
1. ENTERPRISE VOIP - as Dan W said, the reality is that most all the
*enterprise* VoIP installations are going in with proprietary protocols.
Cisco has SCCP (a.k.a. "Skinny"), Avaya has their version of H.323, Nortel
has UNISTIM, Mitel has MiNet, Siemens has CorNet, etc., etc. Why
proprietary and not SIP? Well, a number of opinions, but I'll suggest
that one reason is that SIP has historically not provided enough
"business" telephony features that typical customers have needed. Now,
this is slowly changing as more features are added to SIP (and also as
user demands for esoteric features decrease) but the fact is that if you
want something like shared line appearance or call park, you're probably
only going to get that from one of the vendors' own implementations (as
the authors of SIP RFCs on those two topics now send me flaming emails).
Having said that, SIP usage is definitely increasing, both as all of the
traditional vendors add SIP capabilities to their systems and also as
newer SIP-only entrants move into the market.
2. CARRIER VOIP - the carriers that interconnect all our various systems
in the background are using different forms of VoIP. I don't personally
know this space, but I believe a lot of it is H.323 and SIP.
3. CONSUMER VOIP - services such as Vonage, Primus, and the cable
companies and telcos offering VoIP to consumers are another market segment
that again I'm not overly familiar with personally. In various
discussions I've inferred that much of this was H.323 and is increasingly
SIP.
4. CONSUMER IM VOIP - services such as Skype, MSN/WLM, Yahoo!Voice,
GoogleTalk, AOL, Gizmo, etc. Wide mixture of protocols here, ranging from
the proprietary (Skype) to the open (Gizmo with SIP, GoogleTalk with
XMPP).
So there's not exactly an easy answer to your question. In the enterprise
space, it would lean heavily toward proprietary protocols... in the
others, the answer is less clear.
On your question number 3 about SRTP, you can add Mitel to Dan's list of
vendors supporting SRTP... we've been doing that with our own protocol
since 2003.
Dan Wing is dead on that the issue with better SRTP support in the world
of SIP comes down to agreeing on the key exchange mechanism. This will be
a topic of discussion at the upcoming IETF-68 in March in Prague, where
the RTPSEC BOF session is intended to help reduce the number of possible
key exchange proposals from something like 13 or 15 down to a more
manageable number.
For a good glimpse into the issues, you can look at Dan Wing's Internet
Draft on media security requirements:
http://www.ietf.org/internet-drafts/draft-wing-media-security-requirements-00.txt
The Blue Box podcast to which Dan W refers is at:
http://www.blueboxpodcast.com/2006/04/blue_box_podcas.html
Side note to Dan Wing... that episode is now almost a year old - I guess
we should look to do another one post-Prague, eh? (Maybe we'll have some
good news?)
Regards,
Dan
--
Dan York, CISSP
Dir of IP Technology, Office of the CTO
Mitel http://www.mitel.com
dan_york at mitel.com +1-613-592-2122
PGP key (F7E3C3B4) available for
secure communication
Dan Wing <dwing at fuggles.com>
Sent by: voipsec-bounces at voipsa.org
03/02/2007 12:58 PM
To: derek macmurchy <derek_macmurchy at yahoo.co.uk>
cc: voipsec at voipsa.org
Subject: Re: [VOIPSEC] IAX2 entity auth and more
derek macmurchy wrote:
> I have been doing some reading on voip security and I have a couple
> of questions I hope someone could help with:
> 1. I have heard differing opinions on which is the predominant
> signalling protocol for voip; some say SIP, others various
> proprietary ones. Can anyone point me to solid research on
> this?
Cisco has the largest market share of IP PBXs (the most installed
phones) and almost all of those use SCCP, Cisco's proprietary call
signaling protocol. If you're talking about what is used on the
Internet between companies, the next biggest protocol is probably
H.323. Then it's probably SIP or Avaya's or Nortel's proprietary
signaling protocol next. There are many ways to slice the pie
and make assumptions about which signaling protocol is being used
in different places. For what it's worth, most of the industry
are either doing SIP now or are adding SIP to their product lines
(3GPP, 3GPP2, IETF, and all the major IP PBX vendors), on the
line side (to their phones) and on the trunk side (to
other IP PBXs or to VoIP service providers).
> 2. I have been reading the ietf draft of the IAX2 protocol;
> particularly the MD5 based unilateral entity authentication
> mechanism. Does anyone know precisely what is concatenated with
> the challenge and, presumably, the shared secret before being
> hashed and sent to the server as the authentication response?
If it isn't in the draft (draft-guy-iax-02) you should be able to
find your answer in the source code. I am not familiar with how
they do their authentication.
> 3. The srtp rfc (I do not know the number as I am writing this on a
> nokia e61 phone) was released in 2004.
RFC3711.
> Again, is there any
> research on how quickly this standard is being incorporated into,
> new or existing, products/applications?
Off the top of my head I know it is implemented by Counterpath, snom,
Avaya, Nortel, and Cisco, all with shipping implementations. I don't
know of any research papers that cite market share or take rates,
though.
One of the difficulties with SRTP is interoperability with keying;
there are about 15 ways to key SRTP. I am co-chairing the RTPSEC
BoF at the upcoming IETF on that topic. There is an old Blue Box
podcast interview I did the last time we had the RTPSEC BoF and
tackled the requirements - you might dig that up if you're
interested in more details around SRTP keying.
-d