Dan Wing wrote:
Elwell, John wrote:
Which would be ideal, if we were sure of getting them
through service providers unchanged.
Therein lies the conundrum with intermediate manglers like B2BUAs
and mailing list managers, etc.
It is the conundrum for the entire Internet -- TCP 'protocol
scrubbers' exist, TCP options get dropped, DSCP bits get changed,
ECN bits are mangled, and Router Alert Option gets dropped.
Yet IPsec and TLS still work most of the time. Sticking a b2bua into
a stream is fundamentally different than routers and scrubbers, etc. Their
job is to change the very things you want to protect. Either you get to the
"break it/own it" or tunnel it across manglers. Anything else is eating
your cake and having it too.
Has anyone proposed tunneling SIP in SIP? I.e., the manglers get to
set up their rendezvous ("because they simply must") and then the
ends get to set up theirs? This is one way the real world routes around
damage too.
Mike
Such is the reality. I wish it weren't the reality, too.
-d
On the one hand, you can sign very little and be far more successful at
surviving the mangler. However, that's buying you very, very little since
the things that the manglers mangle are the very things that you want to
protect. So why bother.

An alternate approach is "you break it, you own it". That is, if you must
break the signature, all you can do is re-sign it and hope that your own
reputation is enough to convince the called party to accept the call. Yes,
this is messy and unsatisfying at many levels and leaves many unanswered
questions. But fundamentally what people are asking for here is impossible
if you insist on b2bua manglers.

Lastly, if you want e2e security the conversation needs to be... e2e. Be it
straight over the top of the internet, through a tunnel -- however you can
route opaque packets to and from the two ends -- that is the only way to
have both security as well as robustness. If we'd just get over that,
our heads would eventually stop hurting from repeatedly bashing them
up against this brick wall.
Mike
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
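As an added illustration of the tradeoff Mike describes above (sign very little and survive the mangler, or sign what matters and fall back to "you break it, you own it" re-signing), the following Python is example code written for this page; it is not from the thread or from any SIP implementation. The INVITE headers are a constructed sample, HMAC with per-domain shared keys stands in for the asymmetric domain signature a real identity mechanism would use, and the domain names, key table and the B2BUA's rewrite behaviour are assumptions.

```python
"""Toy model: what a SIP identity signature covers vs. what a B2BUA rewrites.

Example code for this page, not a SIP implementation. HMAC-SHA256 with a
per-domain secret stands in for an asymmetric signature; the key table,
domain names and the B2BUA's rewrites are assumptions.
"""
import hashlib
import hmac

# Constructed sample INVITE (not a capture). "Body" is the SDP offer.
ORIGINAL = {
    "From": "<sip:alice@example.com>;tag=1928301774",
    "To": "<sip:bob@example.net>",
    "Call-ID": "a84b4c76e66710@pc33.example.com",
    "Date": "Thu, 21 Feb 2002 13:02:03 GMT",
    "Contact": "<sip:alice@192.0.2.4>",
    "Body": "v=0\r\nc=IN IP4 192.0.2.4\r\nm=audio 49170 RTP/AVP 0",
}

# Two signing policies: "sign very little" vs. also covering the fields
# that actually steer the call (Contact and the media description).
MINIMAL = ("From", "To", "Call-ID", "Date")
FULL = MINIMAL + ("Contact", "Body")

# Assumed verification keys, one per signing domain (stand-in for certs).
KEYS = {
    "example.com": b"originating-domain-secret",
    "b2bua.example.org": b"intermediary-secret",
}


def canonical(msg, fields):
    """Deterministic byte string over the chosen header fields."""
    return "|".join(f"{f}:{msg[f]}" for f in fields).encode()


def sign(msg, fields, signer):
    mac = hmac.new(KEYS[signer], canonical(msg, fields), hashlib.sha256).hexdigest()
    return {"signer": signer, "fields": fields, "mac": mac}


def verify(msg, identity):
    """True if the named signer's MAC still matches the covered fields."""
    key = KEYS.get(identity["signer"])
    if key is None:
        return False
    expected = hmac.new(key, canonical(msg, identity["fields"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, identity["mac"])


def b2bua(msg):
    """Assumed topology-hiding B2BUA: rewrites Contact and the SDP c= line."""
    out = dict(msg)
    out["Contact"] = "<sip:alice@198.51.100.9>"
    out["Body"] = out["Body"].replace("192.0.2.4", "198.51.100.9")
    return out


def b2bua_resign(msg, identity):
    """'You break it, you own it': if the rewrite broke the signature,
    the B2BUA re-signs the same fields under its own name."""
    out = b2bua(msg)
    if verify(out, identity):
        return out, identity  # nothing it changed was covered
    return out, sign(out, identity["fields"], "b2bua.example.org")


def hijack_media(msg):
    """Constructed on-path attacker: redirect the media stream."""
    out = dict(msg)
    out["Body"] = out["Body"].replace("192.0.2.4", "203.0.113.66")
    return out


def demo():
    """Run both policies through the B2BUA and the media hijack."""
    results = {}
    for name, fields in (("minimal", MINIMAL), ("full", FULL)):
        ident = sign(ORIGINAL, fields, "example.com")
        resigned_msg, resigned_ident = b2bua_resign(ORIGINAL, ident)
        results[name] = {
            # Does the originator's signature survive the B2BUA untouched?
            "survives_b2bua": verify(b2bua(ORIGINAL), ident),
            # Who does the called party end up having to trust?
            "resigned_by": resigned_ident["signer"],
            "resigned_verifies": verify(resigned_msg, resigned_ident),
            # Does a media redirect go unnoticed under this policy?
            "media_hijack_undetected": verify(hijack_media(ORIGINAL), ident),
        }
    return results


if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(policy, outcome)
```

The minimal policy survives the B2BUA but also lets the constructed media redirect through unnoticed, which is the "buying you very little" point; the full policy catches the redirect but only reaches the callee re-signed by `b2bua.example.org`, so the callee's decision now rests on that intermediary's reputation. `verify` here trusts any key in `KEYS`; a real called party would have to decide separately whether the re-signer is one it accepts.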