[Kamailio-Users] stun/outbound draft...

Jiri Kuthan jiri at iptel.org
Wed Jan 7 02:20:25 CET 2009


I respectfully disagree -- the field has clearly shown that working NAT
traversal today is more valuable than message integrity and ICE
architecture both together. (Which happens to be my personal preference
too: getting over NATs today is more important to me than any sort of
securing free phone calls.) Generally I tend to prefer priorities as
articulated by live deployments.

I'm sorry to be so differently opinionated on this, particularly because
I like ICE esthetically as the "e2e" solution. However, somehow in the
Internet the things that are deployable today always matter. (even if
considered evil, such as NATs)

-jiri

Aymeric Moizard wrote:
> 
> On Sun, 4 Jan 2009, Juha Heinanen wrote:
> 
>> Aymeric Moizard writes:
>>
>>> If you have a 100% working trick, I'll be interested to learn it! Very
>>> interested!
>> no, i don't have 100% working trick, but normal means cover 90+% of the
>> cases.  trying to avoid needless use of rtp proxy for the remainder is
>> not worth of the extreme complexity that comes with ice.
> 
> So the 10% calls are the one that use relay when they should not? right?
> I'm pretty convinced this is not a true value. Anyway, I don't think
> this is a problem of number here.
> 
> Let's describe a case:
> 
> I send an INVITE and encrypt the SDP. I'm behind a symmetric NAT. I'm
> calling somebody (a UA of course) who is able to decrypt it.
> 
> Whatever trick you provide, I will not have always voice (except
> if ICE is supported or if the NAT are kind with me)
> 
> Conclusion: I'm forced to provide UA and ask my customer to NOT encrypt
> their signalling. NEVER encrypt their signalling.
> 
>> i don't understand what you try to say in above.  sip works fine over
>> the internet today.
> 
> SIP works today **if**:
>   * no security
>   * no SIP message integrity is used
>   * sip server are well configured (...)
>   * sip server is not compliant (modifying contact and SDP...)
> 
> My conclusion is that it's not acceptable. I want my applications
> to do security and I don't want to be dependent on badly configured
> servers.
> 
> I don't want "SIP works today **if**", I want "SIP works today."
> 
> I just need a SIP compliant internet infrastructure.
> 
> tks,
> Aymeric MOIZARD / ANTISIP
> amsip - http://www.antisip.com
> osip2 - http://www.osip.org
> eXosip2 - http://savannah.nongnu.org/projects/exosip/
> 
> 
>> -- juha
>>
> 
> 



