[VOIPSEC] FYI - Internet-Draft about security and Peer-to-Peer SIP (versus client/server SIP)

Dan York dyork at voxeo.com
Tue Feb 12 10:51:39 EST 2008

VOIPSEC readers,

Interesting draft out now that analyzes the security of potentially  
using peer-to-peer networks for SIP. There's a lot of work going on  
within the IETF around this whole concept of "p2p SIP" with the idea  
being that it would allow individual SIP endpoints to associate with  
other SIP endpoints without the need for central servers.  No more
IP-PBXs or call managers or whatever you want to call them.  Just  
endpoints... softphones, hardphones, whatever.  Able to connect to  
each other through a "P2P overlay network".

Obviously there's a whole host of security issues here when you move  
away from an environment where you have a "trusted" central server. A  
group of people has put together this draft to outline what those  
security issues are:


They don't get into solutions as this stage is really all about  
identifying the problems.  It also makes an interesting read just to  
understand what are the potential differences between "P2P" and  
regular SIP.  The authors are, naturally, looking for feedback.

You may also want to read the "concepts and terminology for P2P SIP"  
draft at:


to understand the wording of the security document.


Begin forwarded message:

> From: Internet-Drafts at ietf.org
> Date: February 4, 2008 5:15:01 AM EST
> To: i-d-announce at ietf.org
> Subject: I-D Action:draft-song-p2psip-security-eval-00.txt
> Reply-To: internet-drafts at ietf.org
> A New Internet-Draft is available from the on-line Internet-Drafts  
> directories.
> 	Title           : P2PSIP Security Analysis and Evaluation
> 	Author(s)       : S. Yongchao, et al.
> 	Filename        : draft-song-p2psip-security-eval-00.txt
> 	Pages           : 17
> 	Date            : 2008-02-04
> This document provides an analysis and evaluation of security with
> P2PSIP overlay network.  The draft compares security difference
> between C/S and P2P, then partitions the P2PSIP architecture into
> layers, and analyze the security issues in each layer and the
> security relationship among the layers.  Security issues with
> different kind of application scenarios are distinct.  This draft
> classifies the application scenarios into two main types, and the
> security threats with these two types of scenarios are analyzed in
> detail.
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-song-p2psip-security-eval-00.txt
> To remove yourself from the I-D Announcement list, send a message to
> i-d-announce-request at ietf.org with the word unsubscribe in the body of
> the message.
> You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
> to change your subscription settings.
> Internet-Drafts are also available by anonymous FTP. Login with the
> username "anonymous" and a password of your e-mail address. After
> logging in, type "cd internet-drafts" and then
> 	"get draft-song-p2psip-security-eval-00.txt".
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> Internet-Drafts can also be obtained by e-mail.
> Send a message to:
> 	mailserv at ietf.org.
> In the body type:
> 	"FILE /internet-drafts/draft-song-p2psip-security-eval-00.txt".
> NOTE:   The mail server at ietf.org can return the document in
> 	MIME-encoded form by using the "mpack" utility.  To use this
> 	feature, insert the command "ENCODING mime" before the "FILE"
> 	command.  To decode the response(s), you will need "munpack" or
> 	a MIME-compliant mail reader.  Different MIME-compliant mail readers
> 	exhibit different behavior, especially when dealing with
> 	"multipart" MIME messages (i.e. documents which have been split
> 	up into multiple messages), so check your local documentation on
> 	how to manipulate these messages.
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
> Content-Type: text/plain
> Content-ID: <2008-02-04020157.I-D\@ietf.org>
> _______________________________________________
> I-D-Announce mailing list
> I-D-Announce at ietf.org
> http://www.ietf.org/mailman/listinfo/i-d-announce

Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO    Voxeo Corporation     dyork at voxeo.com
Phone: +1-407-455-5859  Skype: danyork  http://www.voxeo.com
Blogs: http://blogs.voxeo.com  http://www.disruptivetelephony.com

Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com
