[VOIPSEC] Prevailing trends in securing the SIP signaling plane

J. Oquendo sil at infiltrated.net
Tue Apr 14 13:07:28 CDT 2009


On Tue, 14 Apr 2009, Dan Wing wrote:

> DTLS versus IPsec are very similar.
> 
> I do agree the SIP-over-TLS-over-TCP is a mindset change for a lot
> of stacks, especially if the underlying TCP stack on the server
> side cannot be tuned or is not tuned to support a lot of TCP
> connections.
> 
> -d
> 

Also be advised, from a carrier perspective, if you're planning
on doing trunking, this may become problematic if the carrier
pushing your SIP does not have a product with those capabilities.
For those of us using Session Border Controllers, it wouldn't
make sense for us (at least for me it wouldn't) to have to deal
with the potential overhead in processing and packet(ing) to
accomplish this. At best, I would have to create granularly
configured trunks at the cost of alienating existing customers
to appease a few. So just know that 1) anyone doing SIP-TLS-TCP
will likely charge a decent premium to offset the alienation, and
2) your vendor selection will be extremely low.

It's probably more practical for me to provide IPsec for some
instances than it would be for me to hope that my SBC wouldn't
give me a headache with interoperability of the SIP/TLS mashup.
That's just based on experience from the non-IETF/IEEE worries.
So asking/wanting/needing one thing may make as much sense as
we'd want it; in the end it may not be at all practical. Kind
of makes me think of the Diameter protocol. "Oh my! Diameter!
The next best 'IT' security thing!" Followed by the "where is
it now" notion.


=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP

"Enough research will tend to support your
conclusions." - Arthur Bloch

"A conclusion is the place where you got
tired of thinking" - Arthur Bloch

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E




