Dan Wing wrote:
Dan Wing wrote:
Elwell, John wrote:
Which would be ideal, if we were sure of getting them
through service providers unchanged.
Therein lies the conundrum with intermediate manglers like B2BUAs
and mailing list managers, etc.
It is the conundrum for the entire Internet -- TCP 'protocol
scrubbers' exist, TCP options get dropped, DSCP bits get changed,
ECN bits are mangled, and Router Alert Option gets dropped.
Yet IPsec and TLS still work most of the time. Sticking a B2BUA into
a stream is fundamentally different than routers and scrubbers, etc. Their
job is to change the very things you want to protect. Either you get to the
"break it/own it" or tunnel it across manglers. Anything else is eating
cake and having it too.
Has anyone proposed tunneling SIP in SIP? I.e., the manglers get to
set up their rendezvous ("because they simply must") and then the
ends get to set up theirs? This is one way the real world routes around
damage too.
Yes, http://tools.ietf.org/html/draft-gurbani-sip-sipsec-01. But
that only gives encrypted SIP signaling end-to-end -- it does not
cause a firewall or SBC or B2BUA to open its permission for the
RTP flow. A firewall or SBC will only open permissions for a
flow it knows about: that is their primary purpose.
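To make Dan's point concrete, here is an added illustration (not code from this thread or from draft-gurbani-sip-sipsec) of an SBC-style firewall that opens a media pinhole only from SDP it can parse; when the signaling body is opaque end-to-end, the RTP flow stays blocked. The `MediaPinholeFirewall` class, addresses and ports are all constructed for the example.

```python
"""Toy SDP-driven media pinhole, modelled on the firewall/SBC behaviour
described in the thread: media permission is opened only for flows the
device can see in the signaling.  Hypothetical illustration; all
addresses and ports below are constructed."""
import re


class MediaPinholeFirewall:
    """Allows inbound UDP only to (addr, port) pairs learned from SDP."""

    def __init__(self):
        self.pinholes = set()

    def inspect_sip(self, body: str) -> int:
        """Parse a cleartext SDP body and return the number of pinholes opened.
        An encrypted or tunnelled body has no parseable c=/m= lines, so
        nothing is opened: the exact failure mode under discussion."""
        conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        if not conn:
            return 0
        opened = 0
        for port, proto in re.findall(r"^m=\S+ (\d+) (\S+)", body, re.M):
            if proto.startswith("RTP/"):  # only open for media we understand
                self.pinholes.add((conn.group(1), int(port)))
                opened += 1
        return opened

    def allow_udp(self, dst_addr: str, dst_port: int) -> bool:
        """Stateful check applied to each inbound media packet."""
        return (dst_addr, dst_port) in self.pinholes


# Constructed sample: SDP offer as it appears in a cleartext INVITE.
CLEAR_SDP = (
    "v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n"
)
# The same offer carried opaquely end-to-end (e.g. inside an encrypted
# SIP-in-SIP tunnel); the middlebox sees only ciphertext.
OPAQUE_BODY = "<ciphertext: 212 bytes, not inspectable>"


def demo():
    """Returns (pinholes from cleartext, pinholes from opaque body,
    RTP to the offered port allowed?, RTP to an unannounced port allowed?)."""
    fw = MediaPinholeFirewall()
    seen = fw.inspect_sip(CLEAR_SDP)
    hidden = fw.inspect_sip(OPAQUE_BODY)
    return (seen, hidden,
            fw.allow_udp("192.0.2.10", 49170),
            fw.allow_udp("192.0.2.10", 49172))
```

Run `demo()` to see that the cleartext offer yields one pinhole while the opaque body yields none, so a tunnelled call's media is dropped unless some other mechanism (NAT traversal over TCP, as Mike goes on to describe) carries it.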
Ok, so we're already halfway there. The other half is to use TCP or
whatever other means to get the media through. Sneer if you like, but
millions of Skype users can't be wrong. If that's what it takes to route
around firewalls, then that's what it takes. The fat lady has pretty much
sung on this security vs. new and kewl issue, and the firewall owners
have pretty much said that if you're willing to go through the TCP hoops
for media, we're willing to ignore that you're bypassing policy. Stupid,
I know, but that's manifestly what we have to work with.
Mike
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip