[VOIPSEC] Prevailing trends in securing the SIP signaling plane
Dan Wing
dwing at cisco.com
Tue Apr 14 12:29:38 CDT 2009
> Second question for the day, I'd like to understand what the folks
> on this list see as the emerging trend(s) in protecting the SIP
> signaling plane. The IETF has defined SIPS, which uses either TLS
> or DTLS.
A nit: only SIP-over-TLS is standardized. The SIP-over-DTLS specification is
an individual contribution, draft-jennings-sip-dtls, and has expired. It is
accessible at http://tools.ietf.org/html/draft-jennings-sip-dtls
> My concern is that most SIP stacks don't run over TCP,
> and I'm not convinced that the industry will rally around DTLS
> (maybe you folks can change my mind).
DTLS, like TLS, has an advantage that the application is aware of
the encryption underneath it. IPsec doesn't provide that ability.
The application awareness and application control over how the
crypto works is one of the reasons HTTPS, STARTTLS (for SMTP and
IMAP and others) are popular.
> IETF also talks about S/MIME
> (though I don't know anybody who takes this seriously
Right; it doesn't work as originally envisioned for a variety of
reasons.
> ) and IPsec.
> IPsec is also the direction the 3GPP standards have taken for IMS
> (using AKA to authenticate the user and perform key establishment).
> Am I missing anything obvious? What are the thoughts on TLS/DTLS
> vs. IPsec?
DTLS versus IPsec are very similar.
I do agree the SIP-over-TLS-over-TCP is a mindset change for a lot
of stacks, especially if the underlying TCP stack on the server
side cannot be tuned or is not tuned to support a lot of TCP
connections.
-d
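Dan's point above is that with TLS (and the sips URI scheme) the SIP application itself can see and decide how its signaling is protected, hop by hop, whereas IPsec is invisible to it. As an added example, not part of the original post or any project's code, here is a small Python check a defender could run over captured SIP requests: it reads the Request-URI scheme (sip versus sips) and the transport on the top Via header (the hop the request arrived over) and reports cleartext signaling or a sips URI that was carried over a non-TLS hop. The header semantics follow RFC 3261; the three INVITE messages are constructed for this example and the function names are my own.

```python
import re

# Constructed sample SIP requests for this example (not taken from the thread):
# one in cleartext over UDP, one with a sips URI over TLS, and one inconsistent
# request that names a sips URI but arrived over UDP on its top Via hop.
CLEARTEXT_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
TLS_INVITE = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhdt\r\n"
    "From: Alice <sips:alice@example.com>;tag=1928301775\r\n"
    "To: Bob <sips:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66711@192.0.2.10\r\n"
    "CSeq: 314160 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)
MIXED_INVITE = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhdu\r\n"
    "From: Alice <sips:alice@example.com>;tag=1928301776\r\n"
    "To: Bob <sips:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66712@192.0.2.10\r\n"
    "CSeq: 314161 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Request-Line: Method SP Request-URI SP SIP-Version (RFC 3261 section 7.1).
_REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?):(\S+) SIP/2\.0$")
# Via sent-protocol: "SIP/2.0/" followed by the transport token (UDP, TCP, TLS, ...).
_VIA_TRANSPORT = re.compile(r"^SIP/2\.0/([A-Za-z]+)\b")


def _split_message(msg):
    """Return (start line, [(lower-cased header name, value), ...])."""
    head = msg.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if line.startswith((" ", "\t")) and headers:
            # Folded continuation line belongs to the previous header.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def classify_signaling(msg):
    """Classify how a SIP request's signaling was protected on its last hop.

    Returns a dict with the method, Request-URI scheme, the transport named in
    the top Via header, a 'secured' flag (sips URI carried over TLS), and a list
    of human-readable findings for a reviewer.
    """
    start, headers = _split_message(msg)
    m = _REQUEST_LINE.match(start)
    if not m:
        raise ValueError("not a SIP request line: %r" % start)
    method, scheme, _uri = m.groups()

    # The top-most Via is the hop the request arrived over; 'v' is its compact form.
    vias = [value for name, value in headers if name in ("via", "v")]
    if not vias:
        raise ValueError("request has no Via header")
    t = _VIA_TRANSPORT.match(vias[0])
    if not t:
        raise ValueError("malformed Via header: %r" % vias[0])
    transport = t.group(1).upper()

    findings = []
    if transport in ("UDP", "TCP", "SCTP"):
        findings.append("top hop transport %s carries signaling in cleartext" % transport)
    if scheme == "sips" and transport != "TLS":
        findings.append(
            "sips Request-URI but top Via transport is %s; RFC 3261 requires TLS "
            "on every hop for a sips URI" % transport)
    if scheme == "sip" and transport == "TLS":
        findings.append("TLS protects this hop only; a sip URI does not require TLS downstream")

    return {
        "method": method,
        "scheme": scheme,
        "top_via_transport": transport,
        "secured": scheme == "sips" and transport == "TLS",
        "findings": findings,
    }


if __name__ == "__main__":
    for label, sample in (("cleartext", CLEARTEXT_INVITE), ("tls", TLS_INVITE), ("mixed", MIXED_INVITE)):
        print(label, classify_signaling(sample))
```

The check only looks at the last hop, which is exactly the application-level visibility Dan describes: a proxy or B2BUA running this logic knows whether its own leg was protected, and the sips scheme tells it what the downstream legs are required to be. It cannot prove what earlier hops did; that is what the sips requirement, or an end-to-end mechanism, is for.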