Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: VoIP over IPsec

  • From: Bender, Andrew
  • Date: Tue Feb 18 13:29:41 2003

> -----Original Message-----
> From: tedawson@attbi.com [mailto:tedawson@attbi.com]
> 
> Comments inline:
> At 01:34 PM 2/17/2003 -0500, Charles Youse wrote:
> 
> >So do you suppose that in my scenario, I'd be better off leaving the VoIP out
> >of the encrypted tunnels and use a separate [cleartext] path for them?
> 
> Oh goodness no. VoIP (SIP specifically) has no real security in it. Call
> hijacking for example is a matter of sending a pair of spoofed UDP packets to
> each phone and having the voice streams arrive at the attacker's machine. Not
> pretty, and I do this trick (and worse) daily. (in a lab as part of work of
> course)

What about sips:/TLS, S/MIME, and digest auth? These are all integral to the 'standard', and many popular implementations support these facilities currently. 

IPSec may be less painful within a single domain, but in other cases, I'd think that these facilities (or their derivatives) are the only practical option for 'real' security. Granted it is all pretty worthless if you don't enable/use any of it... Am I missing something?

Regards,
Andrew Bender
taqua.com
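
An added illustration of the digest auth named in the message above; it is not part of the original post and not any vendor's code. It checks a SIP request's `Authorization` header using the RFC 2617 response computation without `qop`, so a request that lacks a valid response for a server-issued nonce is refused. The function names, the user, realm, nonce and secret are all constructed for the example.

```python
import hashlib
import hmac
import re

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")   # binds the shared secret
    ha2 = _md5(f"{method}:{uri}")              # binds method and request URI
    return _md5(f"{ha1}:{nonce}:{ha2}")

def parse_digest(header):
    """Return the Digest parameters as a dict, or None for another scheme."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)\s*=\s*(?:"([^"]*)"|([^,\s]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}

def verify(method, request_uri, auth_header, secrets, live_nonces):
    """True only if the request proves knowledge of the shared secret."""
    params = parse_digest(auth_header) if auth_header else None
    if not params:
        return False                           # no credentials: challenge
    needed = ("username", "realm", "nonce", "uri", "response")
    if any(name not in params for name in needed):
        return False
    # The nonce must be one this server issued; the uri must match the request.
    if params["nonce"] not in live_nonces or params["uri"] != request_uri:
        return False
    password = secrets.get((params["username"], params["realm"]))
    if password is None:
        return False
    expected = digest_response(params["username"], params["realm"], password,
                               method, params["uri"], params["nonce"])
    return hmac.compare_digest(expected.encode(),
                               params["response"].lower().encode())

# Constructed sample data (not from the original message).
SECRETS = {("alice", "example.invalid"): "constructed-secret"}
NONCES = {"c0ffee0123456789"}
URI = "sip:bob@example.invalid"
_RESP = digest_response("alice", "example.invalid", "constructed-secret",
                        "INVITE", URI, "c0ffee0123456789")
GOOD = ('Digest username="alice", realm="example.invalid", '
        f'nonce="c0ffee0123456789", uri="{URI}", response="{_RESP}"')
BAD = GOOD.replace(_RESP, "0" * 32)            # sender without the secret
```

Because the method is hashed into the response, credentials computed for one request type do not validate for another; digest auth authenticates the sender but does not encrypt signalling or media, which is where sips:/TLS and S/MIME come in.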




