[Kamailio-Users] Secure VoIP
Olle E. Johansson
oej at edvina.net
Thu Feb 26 15:57:36 CET 2009
26 feb 2009 kl. 15.20 skrev Iñaki Baz Castillo:
> 2009/2/26 Johansson Olle E <oej at edvina.net>:
>> " This document provides clarifications and guidelines concerning the
>> use of the SIPS URI scheme in the Session Initiation Protocol (SIP).
>> It also makes normative changes to SIP."
>> "1. Introduction
>> The meaning and usage of the SIPS URI scheme and of TLS [RFC5246] is
>> underspecified in SIP [RFC3261] and has been a source of confusion
>> for
>> implementers. This document provides clarifications and guidelines
>> concerning the use of the SIPS URI scheme in the Session Initiation
>> Protocol (SIP). It also makes normative changes to SIP (including
>> both
>> [RFC3261] and [RFC3608]."
>
> This is very common in lots of RFC's: It seems that a draft must
> contain some stuff about "security" and "privacy" in order to be
> accepted as a new RFC.
>
> For example, each new RFC has a vague section mentioning S/MIME:
>
> "In order to provide security the UA could use S/MIME"
>
> Of course, S/MIME is not implemented *AT ALL*, but that seems not to
> be important, the target is publishing a new RFC so S/MIME, SIPS,
> IPSEC and TLS stuff is required to appear "somewhere" in the draft.
>
> IETF guys should visit our planet someday.
This is a problem I realize at every SIPit. The implementations are
far away from the IETF world. And the gap doesn't seem to close.
Basic stuff like DNS is not understood or used by many SIPit attendees
so even trying to mention NAPTR is too complex, and it's necessary for
many security scenarious.
The big question is how to close this gap. I have no clue.
- Can we stop the IETF SIP development during a year and work on
implementations, testing and reality checks?
- Would it be possible to get more implementation guidelines published?
We have at least two cases now where an update to the RFC added
important MUSTs:
- Tel uri - phone-context is now required, which affects all SIP
devices using SIP uri with user=phone
regardless if they use a Tel: URI.
- RFC2833 DTMF is updated and secure RTP is now required
Will these changes be implemented at all? When?
I think people will use "rfc2833" over insecure RTP for a very long
time, regardless that it's now not allowed.
The Jabber world annualöy publish a document where they specify "base
level standard compliance" for a client and a server. Maybe the SIP
world should copy this and use it as a way to push changes to the
market.
If the standardization is too far away from current implementations,
we have a fork. That's not good for anyone.
/O
More information about the sr-users
mailing list