how to Improve security in minisip?

Cesc cesc.santa at gmail.com
Fri May 18 19:57:21 CEST 2007 

See inline.

On 5/18/07, Werner Dittmann <Werner.Dittmann at t-online.de> wrote:
> Cesc,
>
> well, it's actually a bit more complicated then just using DTLS
> and then, all of a sudden, have a secure SIP or secure RTP with DTLS.
>
Never said anything to the contrary :)

> For example:
> - DTLS adds some overhead to the protocol and this would impact RTP
>   as real-Time protocol and would use bandwidth, thus SRTP would be
>   better.
>
Agreed, but if DTLS is used as key-exchange (that was my
poorly-explained line of thought), then you get the best of both.

> - Using DTLS for SIP could work, however TLS (and thus DTLS) works
>   best in a cleint/server environment where the client checks the
>   server's certificate. SIP is a peer-to-peer protocol, the SIP proxies
>   are just proxies - it's just not enough to check a proxy's certificate,
>   the other peer's certificate is the interessting part.
>
As for SIP over DTLS ... well, u r right. End-to-end may be the
interesting part, but let's say that currently most of us would settle
for hop-by-hop as compared to nothing. End-to-end SIP sec is covered
by S/Mime, but in the same way that it never picked up with e-mail, I
don't see it happening in SIP. Certs are still too complex to grasp
for the end-user to be commonly used, so security user-proxy and
proxy-proxy would be a great step.

> As Bruce Schneier says: security is not just a protocol, it's process and
> one need to look at the complete picture.
>

I do, but you need to see what are reasonable goals based on the
current practices and see the use-cases you try to cover.
There is way too many things to cover, as I see: end-to-end vs
hop-by-hop, media gateways, media proxies, transcoders, sip gateways
and proxies ... Too many use-cases and covering them all seems a huge
task ...

> Regards,
> Werner
>
>

I think it is a nice discussion, but sort of endless. As what minisip
is concerned, we shall provide as many mechanisms possible, with an
easy interface for the user to choose from. Time will tell which is
the most appropriate for each person.

Cesc


> Cesc wrote:
> > Werner,
> >
> > I scanned through it and it looks worth reading.
> >
> > As for the discussion, DTLS vs ZRTP vs Mikey ... well, without being
> > too much involved and having not too much to back my case up, DTLS
> > looks promising, as one same protocol (implementation) may help solve
> > most of the problems ...
> > - secure SIP UDP over DTLS
> > - secure RTP with DTLS
> > But as I am a strong believer that the one-fits-all does not exist or
> > is not possible in IETF ... so be it, we'll have to make do with all
> > three and let the user pick :)
> >
> > Cesc
> >
> > On 5/18/07, Werner Dittmann <Werner.Dittmann at t-online.de> wrote:
> >> Cesc,
> >>
> >> here the missing link :-) :
> >>
> >> <http://www.fsfe.org/en/content/download/32472/201002/file/KeyNegotiationOverRTP.pdf>
> >>
> >> Regards,
> >> Werner
> >>
> >>
> >> Cesc wrote:
> >>> Hi Werner,
> >>>
> >>> Great info.
> >>> Actually I just follow lightly the rtpsec group, so I missed your last remarks.
> >>>
> >>> As to what is good for minisip ... well, it gets a bit difficult, because having
> >>> Mikey ... and ZRTP already implemented ... adding DTLS just adds to
> >>> the complexity.
> >>> But I think that this is one of the reasons of minisip, to experiment
> >>> and give options.
> >>>
> >>> Regards,
> >>>
> >>> Cesc
> >>> PS - I think the link to the DTLS-attacks document is missing :)
> >>>
> >>> On 5/17/07, Werner Dittmann <Werner.Dittmann at t-online.de> wrote:
> >>>> Hi Cesc, all,
> >>>>
> >>>> regarding DTLS/SRTP I was activly involved in the rtpsec discussions.
> >>>>
> >>>> The statement "ZRTP violates layer separation" is no longer true
> >>>> with the latest specification of ZRTP - it is not an protocol on its
> >>>> own and that uses the same RTP connection (multiplexing) similar to
> >>>> DTLS which is also using the same RTP connection.
> >>>>
> >>>> Here a link to d PDF doc that show some attacks to DTLS/SRTP (this
> >>>> is a document under construction, some chapters are missing). The
> >>>> attack I describe in the document was confirmed by some peer
> >>>> reviews.
> >>>>
> >>>> Just a few days ago I finished the implementation of ZRTP Version 3
> >>>> and I'm looking into the build process of minisip (again) to have
> >>>> a better separation, i.e. have the ZRTP library independent of minisp
> >>>> and provide only the minisip dependent glue code inside the minisip
> >>>> project. Of course the ZRTP lib is GPL :-) and will be available.
> >>>>
> >>>> Regards,
> >>>> Werner
> >>>>
> <SNIP> ---- <SNAP>
>
> _______________________________________________
> Minisip-devel mailing list
> Minisip-devel at minisip.org
> http://lists.minisip.org/mailman/listinfo/minisip-devel
>

More information about the Minisip-devel mailing list