nanog mailing list archives
RE: VoIP over IPsec
From: "Bender, Andrew" <abender () taqua com>
Date: Tue, 18 Feb 2003 13:25:41 -0500
-----Original Message----- From: tedawson () attbi com [mailto:tedawson () attbi com] Comments inline: At 01:34 PM 2/17/2003 -0500, Charles Youse wrote:So do you suppose that in my scenario, I'd be better offleaving the VoIP outof the encrypted tunnels and use a separate [cleartext] pathfor them? Oh goodness no. VoIP (SIP specifically) has no real security in it. Call hijacking for example is a matter of sending a pair of spoofed UDP packets to each phone and having the voice streams arrive at the attackers machine. Not pretty, and I do this trick (and worse) daily. (in a lab as part of work of course)
What about sips:/TLS, S/MIME, and digest auth? These are all integral to the 'standard', and many popular implementations support these facilities currently. IPSec may be less painful within a single domain, but in other cases, I'd think that these facilities (or their derivatives) are the only practical option for 'real' security. Granted it is all pretty worthless if you dont enable/use any of it... Am I missing something? Regards, Andrew Bender taqua.com
Current thread:
- Re: VoIP over IPsec, (continued)
- Re: VoIP over IPsec Iljitsch van Beijnum (Feb 18)
- Re: VoIP over IPsec Vadim Antonov (Feb 18)
- Re: VoIP over IPsec Kurt Erik Lindqvist (Feb 18)
- RE: VoIP over IPsec Charles Youse (Feb 17)
- RE: VoIP over IPsec Charles Youse (Feb 17)
- RE: VoIP over IPsec Ejay Hire (Feb 17)
- RE: VoIP over IPsec Charles Youse (Feb 17)
- RE: VoIP over IPsec Ejay Hire (Feb 17)
- Re: VoIP over IPsec Petri Helenius (Feb 17)
- RE: VoIP over IPsec tedawson (Feb 17)
- RE: VoIP over IPsec Bender, Andrew (Feb 18)
- RE: VoIP over IPsec Kuhtz, Christian (Feb 18)
- Re: VoIP over IPsec Petri Helenius (Feb 18)