[Freeswitch-users] MIKEY-Support

Brian West brian.west at mac.com
Fri Jan 25 03:09:16 PST 2008


How on earth is it not secure?  The keys are exchanged over a secure  
TLS channel.  That is secure. Read section 8.3 again.

"Thus, IT IS REQUIRED that MIME secure multiparts, IPsec, TLS, or some  
other data security service be used to provide message authentication  
for the encapsulating protocol that carries the SDP messages having a  
crypto attribute (a=crypto)."

It does, however, say in 8.3:

"When the communication path of the SDP message is routed through  
intermediate systems that inspect parts of the SDP message, security  
protocols such as [IPsec] or TLS SHOULD NOT be used for encrypting and/ 
or authenticating the security description."

This can clearly be read as: don't trust it if TLS isn't used end to end
for the SIP signaling channel.  SDES seems to be the most widely used
method at this point, as you pointed out.  I feel the security afforded
by using SDES + TLS is way more than you'll ever get elsewhere.  We do
accept patches.  ;)

/b

On Jan 25, 2008, at 12:15 AM, Alois Komenda wrote:

> I don't think SDES over TLS can be called secure. And according to  
> RFC 4568 this combination should not be used.
> (Anyway this seems to be the mostly used configuration at the moment.)
>
> Even if MIKEY is not a perfect solution for the problem, it  
> provides end-to-end security for keying material.
>
> Regards
>
> --
> Alois Komenda
> Fraunhofer-Einrichtung für Systeme der Kommunikationstechnik ESK
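An added illustration of what the thread is arguing about (example code, not from the thread or from FreeSWITCH): this parser pulls the SRTP master key and salt out of an SDES `a=crypto` line as RFC 4568 lays it out. Any hop that terminates the SIP TLS connection and reads the SDP recovers exactly this material, which is why the signaling protection has to be end to end. The function names, the suite table and the sample key bytes are constructed for the example.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Master key and master salt lengths (bytes) for the RFC 4568 crypto-suites.
SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

# a=crypto:<tag> <crypto-suite> inline:<key||salt>[|lifetime][|MKI:length] [session-params]
CRYPTO_RE = re.compile(r"a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)")

@dataclass
class CryptoAttr:
    tag: int
    suite: str
    master_key: bytes
    master_salt: bytes
    lifetime: Optional[str]
    mki: Optional[str]

def parse_crypto(line: str) -> CryptoAttr:
    """Decode one SDES a=crypto line into the SRTP master key and salt it carries in the clear."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an SDES a=crypto line with inline key-params")
    tag, suite, key_params = m.groups()
    if suite not in SUITES:
        raise ValueError(f"unsupported crypto-suite: {suite}")
    klen, slen = SUITES[suite]
    b64, *extras = key_params.split("|")
    raw = base64.b64decode(b64, validate=True)
    if len(raw) != klen + slen:
        raise ValueError(f"{suite} needs {klen + slen} bytes of key||salt, got {len(raw)}")
    lifetime = next((x for x in extras if ":" not in x), None)   # e.g. 2^20
    mki = next((x for x in extras if ":" in x), None)            # e.g. 1:4 (MKI:length)
    return CryptoAttr(int(tag), suite, raw[:klen], raw[klen:], lifetime, mki)

def keys_in_sdp(sdp: str) -> dict:
    """Return {tag: CryptoAttr} for every a=crypto line in an SDP body."""
    found = {}
    for line in sdp.splitlines():
        if line.startswith("a=crypto:"):
            attr = parse_crypto(line)
            found[attr.tag] = attr
    return found

# Constructed sample offer: a 16-byte master key and 14-byte salt, base64 encoded as the SDP carries them.
SAMPLE_KEY = bytes(range(16))
SAMPLE_SALT = bytes(range(0x60, 0x6E))
SAMPLE_SDP = "\r\n".join([
    "v=0", "m=audio 4000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:"
    + base64.b64encode(SAMPLE_KEY + SAMPLE_SALT).decode() + "|2^20|1:4",
])

if __name__ == "__main__":
    for tag, a in keys_in_sdp(SAMPLE_SDP).items():
        print(tag, a.suite, a.master_key.hex(), a.master_salt.hex(), a.lifetime, a.mki)
```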