[Freeswitch-users] MIKEY-Support
Brian West
brian.west at mac.com
Fri Jan 25 03:09:16 PST 2008
How on earth is it not secure? The keys are exchanged over a secure
TLS channel. That is secure. Read section 8.3 again.
"Thus, IT IS REQUIRED that MIME secure multiparts, IPsec, TLS, or some
other data security service be used to provide message authentication
for the encapsulating protocol that carries the SDP messages having a
crypto attribute (a=crypto)."
It does however say in 8.3
"When the communication path of the SDP message is routed through
intermediate systems that inspect parts of the SDP message, security
protocols such as [IPsec] or TLS SHOULD NOT be used for encrypting and/
or authenticating the security description."
This can clearly be seen don't trust it if TLS isn't used end to end
for the sip signaling channel. SDES seems to be the most widely used
method at this point as you pointed out. I feel the security afforded
by using SDES + TLS is way more than you'll ever get elsewhere. We do
accept patches. ;)
/b
On Jan 25, 2008, at 12:15 AM, Alois Komenda wrote:
> I don't think SDES over TLS can be called secure. And according to
> RFC 4568 this combination should not be used.
> (Anyway this seems to be the mostly used configuration at the moment.)
>
> Even if MIKEY is not a perfect soloution for the problem, it
> provides end-to-end security for keying material.
>
> Regards
>
> --
> Alois Komenda
> Fraunhofer-Einrichtung für Systeme der Kommunikationstechnik ESK
More information about the FreeSWITCH-users
mailing list