[Kamailio-Users] [Sip-implementors] Secure VoIP

Theo Zourzouvillys theo at crazygreek.co.uk
Fri Feb 27 08:20:36 CET 2009 

On Thu, Feb 26, 2009 at 5:08 PM, Iñaki Baz Castillo <ibc at aliax.net> wrote:

>> However, being out there so many phones without such support, it is
>> practically unusable since service providers won't deploy different server
>> solutions for each group of devices, so they stick to one size fits all and
>> that is not DNS for now.
>
> Devices don't implement it, so service providers don't implement it,
> so devices don't implement it, so...  XD

We use SRV extensivly, and indeed as the main means of redundancy.

However, there are lots of issues with UA implementations of SRV, most
notably when they're behind NAT and jumping between different records.

Others will not ever expire it's cache, and stick to the same one.
Even 2 months after we removed an RR from SRV, we're still seeing some
devices using that proxy (!!).

Asterisk is particularly bad at doing SRV, to the point we've had to
give it it's own DNS record:

  http://wiki.voip.co.uk/products/asterisk#asterisk.bugs

There are STILL some (mainstream) devices out there that don't support
DNS.  this means we're forced to give IP addresses to customers, which
of course is bad for redundancy and capacity planning.

As a result, we've devoted (read: wasted) a lot of time and effort on
implementing anycast for our platform rather than rely on devices
supporting SRV properly.  It works, but it's far from pretty and
something we should never have had to have done.

I'm not actually sure which is better - devices that don't support
SRV, or those that try and implement it but don't get it right :-)

On the same note, it's shocking how many devices bail out after
receiving a 503 and just give up.  Please, implementers: 503 does not
mean "never try registering again".

>> Proper DNS support should be enforced somehow (who knows how?!?) before
>> anything else. At the end, DNS drives the IP world.
>
> IMHO RFC 3263 complexity doesn't help too much.

I don't see any real complexity in RFC 3263 for a well engineered
stack.  What do you see as being complex about it?

 ~ Theo

-- 
Theo Zourzouvillys
Chief Technical Officer
VoIP.co.uk

Sent from: Bicester Oxfordshire United Kingdom.

More information about the sr-users mailing list