ipsec vs. tls/srtp ?
- From: "Ignjatic, Dragan" <Dragan.Ignjatic (at) polycom.com>
- Date: Wed, 22 Feb 2006 15:22:26 -0800
In other words with MIKEY you can separate media encryption &
authentication from signaling encryption which answers the original
question.
Dragan
> -----Original Message-----
> From: Voipsec-bounces (at) voipsa.org [mailto:Voipsec-bounces (at) voipsa.org] On Behalf Of Dan Wing
> Sent: February 22, 2006 2:43 PM
> To: 'Irwin Lazar'; dan_york (at) Mitel.com; 'Jin Wang'
> Cc: Voipsec (at) voipsa.org
> Subject: Re: [VOIPSEC] ipsec vs. tls/srtp ?
>
> (I'm a different Dan, but I'll nevertheless take a stab at this.)
>
> For media encryption to make sense you need to provide integrity protection
> and authentication of the signaling, and have some way to encrypt the SRTP
> keys themselves. The easiest way to accomplish this is to simply encrypt
> the signaling (using, say, TLS). Other techniques such as using SIP Digest
> authentication provide authentication but pretty poor integrity protection.
> S/MIME is hard. Some of the MIKEY modes provide ways to authenticate,
> integrity protect, and encrypt the SRTP keys themselves but not other
> aspects of the signaling.
>
> As for ALG-based firewalls breaking with encrypted signaling: yes, that's a
> problem -- they break. Whenever the media and signaling don't traverse them
> they break, too (backup ISDN links for example). See
> draft-wing-session-auth for one proposed solution. Other solutions are to
> use an SBC or to use a SIP-aware firewall that is implemented as a SIP
> proxy. Firewalls can also be configured without their ALG function and
> permit outgoing UDP traffic and UDP responses - as everyone is now doing
> symmetric RTP and symmetric RTCP for NAT traversal anyway, this can work
> pretty well although the security characteristics of doing this are weaker
> than an ALG-based firewall, an SBC, a firewall+proxy, or
> draft-wing-session-auth.
>
> -d
>
>
> > Dan and others,
> > Can you separate out the signaling encryption from the media encryption?
> > That is, can one typically use SRTP for encrypting the actual voice stream
> > without encrypting the signaling stream?
> >
> > The reason I ask this is my assumption that if the signaling stream is
> > encrypted, VoIP-aware firewalls are no longer viable since the FW can't see
> > inside the signaling session to know which ports to open for the media
> > session.
> >
> > Thoughts?
> >
> > Irwin
> >
> > --
> > Irwin Lazar, CISSP
> > Senior Analyst, Burton Group
> > ilazar (at) burtongroup.com
> > Phone: 703-742-9659
> > AIM/Gizmo/Google/MSN/Skype/Yahoo: imlazar
> > SightSpeed: ilazar (at) burtongroup.com
> >
> >
> >
> > > From: <dan_york (at) Mitel.com>
> > > Date: Wed, 22 Feb 2006 14:01:53 -0500
> > > To: Jin Wang <jin_x_wang (at) yahoo.com>
> > > Cc: <Voipsec (at) voipsa.org>
> > > Subject: Re: [VOIPSEC] ipsec vs. tls/srtp ?
> > >
> > > Jin,
> > >
> > >> The recent list discussion about voip & vpns brings up another
> > >> question: How do the list members feel about using tls & srtp as a
> > >> secure alternative to running sip voip over ipsec vpns ? There
> > >> would seem to be some advantages to using tls & srtp but I would like
> > >> some other opinions.
> > >
> > > Are you asking about the approach of separately encrypting the SIP call
> > > control using TLS and then encrypting the voice using SRTP? (Versus not
> > > encrypting both but just tunnelling all the unencrypted traffic over an
> > > encrypted VPN tunnel?)
> > >
> > > If so, yes, we see that as a secure alternative to VPN tunnelling. This
> > > is how we secure all of our (Mitel) sets.
> > >
> > > Regards,
> > > Dan
> > >
> > > --
> > > Dan York, CISSP
> > > Dir of IP Technology, Office of the CTO
> > > Mitel Corp. http://www.mitel.com
> > > dan_york (at) mitel.com +1-613-592-2122
> > > PGP key (F7E3C3B4) available for secure communication
> > > _______________________________________________
> > > Voipsec mailing list
> > > Voipsec (at) voipsa.org
> > > http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
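Dan Wing's point above (SRTP keys carried in the signaling are only as protected as the signaling itself) and Dragan's reply (MIKEY can protect the keys independently of the signaling transport) can be checked mechanically on a SIP offer. The script below is an added example, not code from this thread or from any vendor named in it. It assumes the keys appear in the SDP either as an RFC 4568 a=crypto line (SDES, key in cleartext SDP) or as an RFC 4567 a=key-mgmt:mikey line, reads the signaling transport from the top Via header, and treats TLS as hop-by-hop protection only. All messages are constructed samples with placeholder key material.

```python
"""Audit a SIP INVITE for how its SRTP keys are protected.

Added example (not code from the thread or any vendor named in it).
Assumptions: SRTP keys appear in the SDP either as an RFC 4568 ``a=crypto``
line (SDES, key in cleartext SDP) or as an RFC 4567 ``a=key-mgmt:mikey``
line (MIKEY, key protected by its own envelope); the signaling transport is
read from the top Via header; all messages below are constructed samples
with placeholder key material.
"""
import re
from typing import Dict, List, Optional


def build_invite(transport: str, profile: str, key_attr: Optional[str]) -> str:
    """Build a minimal constructed INVITE + SDP offer (not a real capture)."""
    port = "5061" if transport == "TLS" else "5060"
    headers = [
        "INVITE sip:bob@example.net SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:{port};branch=z9hG4bK776asdhds",
        "From: <sip:alice@example.net>;tag=1928301774",
        "To: <sip:bob@example.net>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 314159 INVITE",
        "Content-Type: application/sdp",
    ]
    sdp = [
        "v=0",
        "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
        "s=-",
        "c=IN IP4 192.0.2.10",
        "t=0 0",
        f"m=audio 49170 {profile} 0",
    ]
    if key_attr:
        sdp.append(key_attr)
    return "\r\n".join(headers) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"


# Placeholder key material (constructed): 40 base64 chars is the length of an
# SDES AES_CM_128_HMAC_SHA1_80 key+salt; the MIKEY blob is likewise a stand-in.
SDES_ATTR = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40
MIKEY_ATTR = "a=key-mgmt:mikey " + "A" * 32

INVITE_UDP_SDES = build_invite("UDP", "RTP/SAVP", SDES_ATTR)
INVITE_TLS_SDES = build_invite("TLS", "RTP/SAVP", SDES_ATTR)
INVITE_TLS_MIKEY = build_invite("TLS", "RTP/SAVP", MIKEY_ATTR)
INVITE_UDP_PLAIN = build_invite("UDP", "RTP/AVP", None)


def audit_srtp_keying(message: str) -> Dict[str, object]:
    """Report how (and whether) the SRTP keys in a SIP offer are protected."""
    head, _, body = message.partition("\r\n\r\n")
    via = next((h for h in head.split("\r\n") if h.lower().startswith("via:")), "")
    m = re.search(r"SIP/2\.0/([A-Za-z]+)", via)
    transport = m.group(1).upper() if m else "UNKNOWN"

    sdp = body.split("\r\n")
    profiles = [line.split()[2] for line in sdp if line.startswith("m=")]
    srtp = any(p in ("RTP/SAVP", "RTP/SAVPF") for p in profiles)
    sdes = any(line.startswith("a=crypto:") for line in sdp)
    mikey = any(line.startswith("a=key-mgmt:mikey") for line in sdp)

    keying = "mikey" if mikey else "sdes" if sdes else "none"
    # An SDES key is only as private as the signaling hop it rides on.
    key_exposed = sdes and not mikey and transport != "TLS"

    findings: List[str] = []
    if not srtp:
        findings.append("media is plain RTP: voice is not encrypted")
    elif keying == "none":
        findings.append("SRTP offered but no key attribute found")
    if key_exposed:
        findings.append(f"a=crypto key travels in cleartext SDP over {transport}")
    elif sdes:
        findings.append("a=crypto key protected hop-by-hop by TLS; proxies see it")
    if mikey:
        findings.append("keys wrapped by MIKEY, independent of signaling transport")

    return {"transport": transport, "srtp": srtp, "keying": keying,
            "key_exposed": key_exposed, "findings": findings}


if __name__ == "__main__":
    for name, msg in [("UDP+SDES", INVITE_UDP_SDES), ("TLS+SDES", INVITE_TLS_SDES),
                      ("TLS+MIKEY", INVITE_TLS_MIKEY), ("UDP+plain", INVITE_UDP_PLAIN)]:
        print(name, audit_srtp_keying(msg))
```

Running it shows the four cases side by side: SDES over UDP exposes the key in the offer, SDES over TLS protects it only against the network (every proxy on the path still sees it), MIKEY carries its own protection regardless of transport, and a plain RTP/AVP offer has no media encryption to begin with.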