[VOIPSEC] FYI - Internet-Draft about security and Peer-to-Peer SIP (versus client/server SIP)
dyork at voxeo.com
Tue Feb 12 10:51:39 EST 2008

Interesting draft out now that analyzes the security of potentially
using peer-to-peer networks for SIP. There's a lot of work going on
within the IETF around this whole concept of "p2p SIP" with the idea
being that it would allow individual SIP endpoints to associate with
other SIP endpoints without the need for central servers. No more
IP-PBXs or call managers or whatever you want to call them. Just
endpoints... softphones, hardphones, whatever. Able to connect to
each other through a "P2P overlay network".

Obviously there's a whole host of security issues here when you move
away from an environment where you have a "trusted" central server. A
group of people has put together this draft to outline what those
security issues are:

They don't get into solutions as this stage is really all about
identifying the problems. It also makes an interesting read just to
understand what are the potential differences between "P2P" and
regular SIP. The authors are, naturally, looking for feedback.

You may also want to read the "concepts and terminology for P2P SIP"
to understand the wording of the security document.

Begin forwarded message:
> From: Internet-Drafts at ietf.org
> Date: February 4, 2008 5:15:01 AM EST
> To: i-d-announce at ietf.org
> Subject: I-D Action:draft-song-p2psip-security-eval-00.txt
> Reply-To: internet-drafts at ietf.org
> A New Internet-Draft is available from the on-line Internet-Drafts
> Title : P2PSIP Security Analysis and Evaluation
> Author(s) : S. Yongchao, et al.
> Filename : draft-song-p2psip-security-eval-00.txt
> Pages : 17
> Date : 2008-02-04
> This document provides an analysis and evaluation of security with
> P2PSIP overlay network. The draft compares the security differences
> between C/S and P2P, then partitions the P2PSIP architecture into
> layers, and analyzes the security issues in each layer and the
> security relationship among the layers. Security issues with
> different kinds of application scenarios are distinct. This draft
> classifies the application scenarios into two main types, and the
> security threats with these two types of scenarios are analyzed in
> A URL for this Internet-Draft is:
Dan York, CISSP, Director of Emerging Communication Technology
Office of the CTO Voxeo Corporation dyork at voxeo.com
Phone: +1-407-455-5859 Skype: danyork http://www.voxeo.com
Blogs: http://blogs.voxeo.com http://www.disruptivetelephony.com
Bring your web applications to the phone.
Find out how at http://evolution.voxeo.com