Sergio,

Please see inline for the replies (***).

Regards,
- sunil vatnal

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 27, 2004 8:46 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [Sip-implementors] Security and Performance: ALG in SIP networks with TLS and/or IP Secsecurity
Hi Damir/Sunil/ALL,

I am a student interested in SIP security mechanisms and their impacts, for my thesis. Sorry for my interference in this conversation, but I am interested in the question and I would like to add some doubts:

1) Regarding the question of providing security mechanisms, do you evaluate the impact of these solutions on the performance, mainly on voice quality?

*** There is a significant impact on the performance of voice if these security mechanisms are used. IPSec and TLS are used only for signaling security and not for voice. In the IPSec mechanism there is an overhead of 37 bytes per IPSec packet for 3DES encryption and up to 53 bytes for AES encryption. For example, if an ITU-T G.711 A-law or mu-law audio codec is used, which generates an 8-bit speech sample every 125 microseconds, and 10 ms of uncompressed speech is mapped as 80 contiguous samples into a single RTP packet, then the IPSec overhead is between 30-50%. So, SRTP and MIKEY are the most widely used security mechanisms for the RTP payload (voice).

2) To provide security with IPSec/TLS, all devices must have support for IPSec and/or TLS. If some device (SIP phone) doesn't support it, what is the action to be taken (do not allow the communication?)

*** If any phone is not following the security mechanism, then it cannot be allowed to communicate, since it will fail in authentication and does not understand the encrypted messages. And this phone will not be secured.

3) Another question that certainly someone on the list could help me with: are there any other solutions to provide security (confidentiality and authenticity) to SIP in a topology with many proxies?

*** IPSec and TLS are the most widely used ones, and SRTP with MIKEY for RTP data.

Thanks in advance to everyone.
Sergio

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of sunil vatnal
Sent: Wed 10/27/2004 00:12
To: 'Bilajbegovic Damir'
Cc: [EMAIL PROTECTED]
Subject: RE: RE: [Sip-implementors] ALG in SIP networks with TLS and/or IP Secsecurity

Hi Damir/All,

Thank you very much Damir for your detailed explanation. Can you please explain, when security mechanisms like IPSec and TLS are used in this architecture, what NAT can do. Does it understand the data which is encrypted by IPSec/TLS mechanisms? What capabilities should the NAT have in this architecture when IPSec/TLS are used?

Thanks and regards,
- sunil vatnal

-----Original Message-----
From: Bilajbegovic Damir [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 26, 2004 6:05 PM
To: [EMAIL PROTECTED]
Subject: RE: RE: [Sip-implementors] ALG in SIP networks with TLS and/or IP Sec security

Since there is communication between SIP proxy and UE in the private network, I am not sure how it will work at all. The problem that I was dealing with is similar.

    UE -----------------------/DSL line with NAPT/-----------------------SIP-Proxy
    private addresses                                                public addresses

The first implementation was to have a SIP-ALG that will control the NAPT. OK. Now the communication can work quite well, but on the other hand there was a need for security. We were using HTTP digest, but it is the same for all security concepts. The communication between UE and Proxy will be broken since the SIP-ALG is not going to be able to read the session parameters (or, in the HTTP digest case, successfully change them).

    UE =====================================SIP-Proxy   (= is secure tunnel)
              /DSL line with NAPT/

-> It changed only the IP level but not the upper-level information (no voice communication possible, only SIP messages), so the solution was to have a SIP-ALG that will create a security connection between Proxy and SIP-ALG. This seemed to be the most suitable solution. But in that case we assumed that the connection from SIP-ALG in the home network to UE is secure...
    UE -----------------------/DSL line with NAPT/===========SIP-Proxy

Not the best solution but also not the worst. I do not know how this will help, but this is only a try...

Best Regards,
Damir Bilajbegovic

-----Original Message-----
From: MVATNAL SUNIL [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 26, 2004 10:53 AM
To: Bilajbegovic Damir
Subject: Re: RE: [Sip-implementors] ALG in SIP networks with TLS and/or IPSec security

Hi Damir,

The NAT is being used at the edge of the private network. All the traffic leaves and enters through the NAT. Please see the simple architecture below.

    Private network
          |
          |
         ALG
          |
          |
         NAT
          |
          |
       TCP/IP
          |
          |
    Public Network

When IPSec and TLS are used in the above architecture, how is the ALG going to function since the data is encrypted?

Thanks and regards,
- sunil vatnal

------- Original Message -------
Sender : Bilajbegovic Damir<[EMAIL PROTECTED]>
Date : Oct 26, 2004 17:20
Title : RE: [Sip-implementors] ALG in SIP networks with TLS and/or IPSec security

I think the question is where do you put the NAT? Where is the NAT's place and what is your (planned) network architecture...

Best Regards,
Damir Bilajbegovic

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MVATNAL SUNIL
Sent: Tuesday, October 26, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [Sip-implementors] ALG in SIP networks with TLS and/or IPSec security

Hi,

My question is on the functionalities of the ALG used with NAT in SIP networks with security mechanisms like TLS and/or IPSec. Please read the following paragraphs first.

The NAT (Network Address Translator) modifies IPv4 addressing, and takes special care of protocols such as UDP and TCP to avoid port conflicts; it may also carry out port number translation. When NAT is used in SIP networks, the IPv4 address is copied into the protocol data and thus becomes impossible for the NAT to translate without using an ALG (Application Level Gateway).
The ALG performs special translation not only for the IP addresses and port numbers but also within the payload (voice/data). As new protocols are created, new ALGs may have to be added in order for the applications to work.

My question: In the above scenario (NAT used in SIP networks), if the security mechanisms TLS and IPSec are used, what functionalities should the ALG have? The main task of the ALG is to take care of the addresses and port numbers changed by NAT. But these addresses and port numbers are encrypted and encapsulated by the IPSec and TLS mechanisms. How does the ALG work in this situation?

Also, please provide me any information or example implementations or white papers on the above scenario.

Lots of thanks,
- sunil vatnal

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
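The thread keeps coming back to one point: a NAPT rewrites only the IP/UDP headers, so an ALG has to reach into the SIP headers and SDP body to rewrite the UE's private address there too, and it can only do that while the message is in cleartext. The toy SIP ALG below is an added illustration written for this page, not code from any of the list members. It rewrites Via, Contact and the SDP c=/m= lines from a constructed NAPT binding table, recomputes Content-Length, and returns None for a constructed TLS application-data record, because there is no SIP text left to read once TLS or IPSec wraps the message. All addresses, ports and the binding table are constructed values.

```python
"""Toy SIP ALG for a NAPT: rewrites the private address embedded in SIP/SDP.

Added example for this thread (not the list members' code). Addresses are
RFC 1918 private space and the RFC 5737 documentation range; constructed.
"""
import re

PRIVATE_IP = "192.168.1.20"   # constructed: UE in the home network
PUBLIC_IP = "203.0.113.5"     # constructed: public side of the NAPT

# Constructed NAPT binding table: (private ip, private port) -> public port.
NAPT_BINDINGS = {
    (PRIVATE_IP, 5060): 40001,   # SIP signalling
    (PRIVATE_IP, 8000): 40002,   # RTP audio, the port announced in the SDP m= line
}

ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def build_message(request_line, headers, body):
    """Assemble a SIP message with a correct Content-Length header."""
    headers = [h for h in headers if not h.lower().startswith("content-length:")]
    headers.append("Content-Length: %d" % len(body.encode("ascii")))
    return request_line + "\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body


# Constructed INVITE as the UE emits it: the private address appears in
# Via, Contact and the SDP body, none of which a plain NAPT touches.
INVITE = build_message(
    "INVITE sip:bob@example.com SIP/2.0",
    [
        "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@example.com>;tag=1928301774",
        "To: <sip:bob@example.com>",
        "Call-ID: a84b4c76e66710",
        "CSeq: 314159 INVITE",
        "Contact: <sip:alice@192.168.1.20:5060>",
        "Content-Type: application/sdp",
    ],
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 8000 RTP/AVP 0\r\n",
).encode("ascii")

# Constructed stand-in for the same INVITE inside a TLS application-data record:
# a 5-byte record header followed by bytes the ALG cannot interpret.
TLS_RECORD = b"\x17\x03\x01\x00\x20" + bytes(range(0x80, 0xa0))


def translate(ip, port):
    """Map a private ip:port to its public NAPT binding; leave unknown pairs alone."""
    public_port = NAPT_BINDINGS.get((ip, port))
    if public_port is None:
        return ip, port
    return PUBLIC_IP, public_port


def rewrite_headers(header_lines):
    """Rewrite host:port in the headers that carry the UE's own address (Via, Contact)."""
    out = []
    for line in header_lines:
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = ENDPOINT_RE.sub(
                lambda m: "%s:%d" % translate(m.group(1), int(m.group(2))), line)
        out.append(line)
    return out


def rewrite_sdp(body):
    """Rewrite the session-level c= address and the m= media port via the binding table."""
    lines = body.split("\r\n")
    conn_ip = next((l[len("c=IN IP4 "):] for l in lines if l.startswith("c=IN IP4 ")), None)
    for i, line in enumerate(lines):
        if line.startswith("c=IN IP4 ") and conn_ip == PRIVATE_IP:
            lines[i] = "c=IN IP4 " + PUBLIC_IP
        elif line.startswith("m=") and conn_ip is not None:
            fields = line.split(" ")
            _, fields[1] = translate(conn_ip, int(fields[1]))
            fields[1] = str(fields[1])
            lines[i] = " ".join(fields)
    return "\r\n".join(lines)


def alg_rewrite(raw):
    """Translate a cleartext SIP message; return None when the ALG has nothing it can read."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None                      # TLS or ESP ciphertext is opaque to the ALG
    if "\r\n\r\n" not in text:
        return None
    head, body = text.split("\r\n\r\n", 1)
    lines = head.split("\r\n")
    if not (lines[0].endswith(" SIP/2.0") or lines[0].startswith("SIP/2.0 ")):
        return None                      # neither a SIP request nor a SIP response
    headers = rewrite_headers(lines[1:])
    new_body = rewrite_sdp(body) if body else body
    return build_message(lines[0], headers, new_body).encode("ascii")


if __name__ == "__main__":
    print(alg_rewrite(INVITE).decode("ascii"))
    print("TLS record:", alg_rewrite(TLS_RECORD))
```

The o= line is deliberately left untouched: it is an identifier, not an address the far end connects to, and real ALGs differ on whether they rewrite it. The second outcome is the point Damir's tunnel diagram makes: with the SIP dialog inside TLS or ESP the ALG returns None, so any address fix-up has to happen at a hop that terminates the security association (the SIP-ALG-to-proxy tunnel in his third diagram) or inside the endpoints themselves.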
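The first *** reply quotes 37 bytes (3DES) and up to 53 bytes (AES) of IPSec overhead per packet and a 30-50% cost on 10 ms G.711 packets. The worked example below, added here and not from any of the list members, shows where those numbers come from: ESP header and trailer sizes are protocol constants, the CBC IV equals the cipher block size, and the integrity check value is assumed to be the 12-byte HMAC-SHA1-96 (the reply names no integrity algorithm). Under that assumption the worst-case ESP overhead (maximum padding) is exactly 37 and 53 bytes, and dividing by the 120-byte unprotected packet gives the 30-50% band. The functions also compute the padding an actual 10 ms packet needs and the extra outer IPv4 header of tunnel mode.

```python
"""IPsec ESP overhead on G.711 RTP packets.

Added worked example for this thread (not the list members' code). Header sizes
are protocol constants; the 12-byte ICV is an assumption (HMAC-SHA1-96).
"""

IPV4_HEADER = 20
UDP_HEADER = 8
RTP_HEADER = 12
ESP_HEADER = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
ESP_ICV = 12        # assumption: HMAC-SHA1-96 integrity check value

# CBC ciphers as (IV length, block length) in bytes.
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def g711_payload_bytes(ptime_ms, sample_rate_hz=8000, bits_per_sample=8):
    """G.711 emits one 8-bit sample every 125 us, so 10 ms of speech is 80 bytes."""
    return ptime_ms * sample_rate_hz * bits_per_sample // (1000 * 8)


def esp_padding(plaintext_len, block_len):
    """ESP pads so that plaintext plus trailer fills whole cipher blocks."""
    return (-(plaintext_len + ESP_TRAILER)) % block_len


def esp_overhead_bytes(plaintext_len, cipher):
    """Bytes ESP adds when protecting plaintext_len bytes with the given CBC cipher."""
    iv_len, block_len = CIPHERS[cipher]
    return ESP_HEADER + iv_len + esp_padding(plaintext_len, block_len) + ESP_TRAILER + ESP_ICV


def max_esp_overhead_bytes(cipher):
    """Worst case: one byte short of a full block has to be padded."""
    iv_len, block_len = CIPHERS[cipher]
    return ESP_HEADER + iv_len + (block_len - 1) + ESP_TRAILER + ESP_ICV


def plain_packet_bytes(ptime_ms):
    """Unprotected IPv4/UDP/RTP voice packet for the given packetization time."""
    return IPV4_HEADER + UDP_HEADER + RTP_HEADER + g711_payload_bytes(ptime_ms)


def overhead_percent(ptime_ms, cipher, tunnel=False):
    """Percent growth of one voice packet once ESP is applied.

    Transport mode encrypts UDP+RTP+payload; tunnel mode also encrypts the inner
    IPv4 header and prepends a new outer IPv4 header.
    """
    protected = UDP_HEADER + RTP_HEADER + g711_payload_bytes(ptime_ms)
    extra = 0
    if tunnel:
        protected += IPV4_HEADER
        extra = IPV4_HEADER
    added = esp_overhead_bytes(protected, cipher) + extra
    return round(100.0 * added / plain_packet_bytes(ptime_ms), 1)


def worst_case_percent(ptime_ms, cipher):
    """The ratio behind the 30-50% figure: maximum ESP overhead over the plain packet."""
    return round(100.0 * max_esp_overhead_bytes(cipher) / plain_packet_bytes(ptime_ms), 1)


if __name__ == "__main__":
    for cipher in CIPHERS:
        print(cipher,
              "max ESP overhead:", max_esp_overhead_bytes(cipher), "bytes;",
              "10 ms G.711 transport:", overhead_percent(10, cipher), "%;",
              "tunnel:", overhead_percent(10, cipher, tunnel=True), "%;",
              "worst case:", worst_case_percent(10, cipher), "%")
```

Because the IP, UDP, RTP and ESP headers are fixed costs, the percentage falls as the packetization interval grows (20 ms or 30 ms of G.711 per packet) and rises sharply for low-bitrate codecs, which is the practical reason the reply points to SRTP for the media path: SRTP adds only an authentication tag (and optional MKI) to each RTP packet rather than re-encapsulating it.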
