[Kamailio-Users] stun/outbound draft...
Jiri Kuthan
jiri at iptel.org
Wed Jan 7 02:20:25 CET 2009
I respectfully disagree -- the field has clearly shown that working NAT
traversal today
is more valuable than message integrity and ICE architecture both
together. (Whcih happens
to be my personal preference too: getting over NATs today is more
important to me than
any sort of securing free phone calls.) Generally I tend to prefer
priorities as articulated
by live deployments.
I'm sorry to be so differently opinionated on this, particularly because
I like ICE
esthetically as the "e2e" solution. However, somehow in the Internet the
things that
are deployable today always matter. (even if considered evil, such as NATs)
-jiri
Aymeric Moizard wrote:
>
> On Sun, 4 Jan 2009, Juha Heinanen wrote:
>
>> Aymeric Moizard writes:
>>
>>> If you have a 100% working trick, I'll be interested to learn it! Very
>>> interested!
>> no, i don't have 100% working trick, but normal means cover 90+% of the
>> cases. trying to avoid needless use of rtp proxy for the remainder is
>> not worth of the extreme complexity that comes with ice.
>
> So the 10% calls are the one that use relay when they should not? right?
> I'm pretty convinced this is not a true value. Anyway, I don't think
> this is a problem of number here.
>
> Let's describe a case:
>
> I send an INVITE and encrypt the SDP. I'm behind a symmetric NAT. I'm
> calling somebody (a UA of course) who is able to decrypt it.
>
> Whatever trick you provide, I will not have always voice (except
> if ICE is supported or if the NAT are kind with me)
>
> Conclusion: I'm forced to provide UA and ask my customer to NOT encrypt
> their signalling. NEVER encrypt their signalling.
>
>> i don't understand what you try to say in above. sip works fine over
>> the internet today.
>
> SIP works today **if**:
> * no security
> * no SIP message integrity is used
> * sip server are well configured (...)
> * sip server is not compliant (modifying contact and SDP...)
>
> My conclusion is that it's not acceptable. I want my applications
> to do security and I don't want to be dependant on badly configured
> servers.
>
> I don't want "SIP works today **if**", I want "SIP works today."
>
> I just need a SIP compliant internet infrastructure.
>
> tks,
> Aymeric MOIZARD / ANTISIP
> amsip - http://www.antisip.com
> osip2 - http://www.osip.org
> eXosip2 - http://savannah.nongnu.org/projects/exosip/
>
>
>> -- juha
>>
>
> _______________________________________________
> Users mailing list
> Users at lists.kamailio.org
> http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
>
More information about the sr-users
mailing list