[Kamailio-Users] [Sip-implementors] Secure VoIP

Theo Zourzouvillys theo at crazygreek.co.uk
Fri Feb 27 08:49:06 CET 2009


On Thu, Feb 26, 2009 at 2:57 PM, Olle E. Johansson <oej at edvina.net> wrote:
>
>> IETF guys should visit our planet someday.

Agreed.  There are some people - me included - who live on both
planets, but as time goes by, those people are becoming fewer and fewer.
This is mostly, it would seem, due to many of the people who used to
be active being acquired by large vendors who then get them working
on other things or change their direction or thinking :-)

> This is a problem I realize at every SIPit. The implementations are
> far away from the IETF world. And the gap doesn't seem to close.

This is the issue I see at every IETF meeting, and in a lot of on-list
discussions.  Implementers need to get more involved!

The IETF is *not* a closed process - it's open to everyone.  If anyone
is unhappy about the direction that the IETF is going, then please
please please: get active in the process!

> Basic stuff like DNS is not understood or used by many SIPit attendees
> so even trying to mention NAPTR is too complex, and it's necessary for
> many security scenarios.

perhaps this is another major issue then - the fact that some
implementers don't understand the protocols they're writing software
for.

Implementers can't make an informed decision about NAPTR/SRV unless
they understand it, as well as all the other DNS issues that exist.
(on that note, the number of DNS clients that don't randomise QID or
sport is shocking).  Perhaps they should learn the protocols :-)

now, this leads on to another topic ...

> The big question is how to close this gap. I have no clue.
> - Can we stop the IETF SIP development during a year and work on
> implementations, testing and reality checks?

no! (!!)

> - Would it be possible to get more implementation guidelines published?

absolutely.  and i think this is where we're going wrong at the moment
on the implementer side.  We don't have any real "implementers guides"
that can be a helping hand to people trying to get up to speed on
protocols involved.  Almost the whole of SIP requires wrapping your
head around many, many issues crossing many RFCs and protocols and
"learned experience".

Although, i'll add that many people have managed to understand the
protocols without such a guide, so it is possible - but takes many
years.  Don't expect to just be able to sit down, read a book, not get
involved in the SIP community, scan a few rfcs/drafts, and suddenly
and magically understand SIP.  it takes time - there are *lots* of
quirks, and a sizeable chunk of undocumented philosophy.

> We have at least two cases now where an update to the RFC added
> important MUSTs:
>
> - Tel uri - phone-context is now required, which affects all SIP
> devices using SIP uri with user=phone
>    regardless if they use a Tel: URI.
> - RFC2833 DTMF is updated and secure RTP is now required
>
> Will these changes be implemented at all? When?

Yes, they will at some point.  Although the problem in RAI is that no
one seems to have any time to actually do stuff.  So anyone who feels
strongly should get involved!

Out of interest - how many people on sip-implementors@ that are
actually maintaining SIP implementations are going to be at ietf74 and
feel strongly about these issues?

 ~ Theo

-- 
Theo Zourzouvillys
Chief Technical Officer
VoIP.co.uk

Sent from: Bicester Oxfordshire United Kingdom.



