[VOIPSEC] TLS and Firewalls
Alexander
aldem-voipsec at aldem.net
Thu Feb 10 08:02:43 CST 2005
On Wed, Feb 09, 2005 at 01:31:48PM -0500, Brian Rosen wrote:
> Ultimately, this is the problem with IAX. It's a special protocol,
> promulgated by a small group, without a rigorous process.
The fact that the group is small means nothing - it doesn't mean, in
particular, that the protocol is bad or worse than something else.
>
> there are other IM protocols). IETF is not the only game in town, of
> course.
And an RFC (by itself) is not a standard (unless promoted to one). This is
exactly what it says - Request For Comments. Anything that is published as
an RFC doesn't mean it is good, is the only, or is the right solution to do
something.
> I think that, actually, the IAX one port idea is a bad way to handle
> signaling and multiple media streams related to the same session.
It is not bad - by itself. It is possible to multiplex a lot of sessions
over a single UDP connection, call it a tunnel - if you like. It is logical
and consistent - to keep one communication channel for a single application.
Think about this as L2TP/PPTP/IPsec NAT-T, if you wish - the idea of a
single UDP connection is exactly this - to keep all related data channels
together, so it can (among other things) easily traverse firewalls.
> The fact that it makes it easier on the firewalls is not enough to
> overcome the limitations it has.
Could you please explain (or point to an explanation of) the limitations?
> We're better off working to make SIP and firewalls work better together.
Basically, what you suggest is that every firewall implementation should
know everything about every possible (or published as an RFC) protocol which
may spread into multiple connections. This idea is bad, IMHO - simply
because you cannot expect that every firewall vendor would do this.
OTOH, if we choose a protocol/implementation which uses a single UDP/TCP
channel and does the (de)multiplexing inside the application, we are free
and completely independent of any specific firewall implementation - which
is good, I believe. Or?
Regards,
/Al
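The trade-off argued above (application-side demultiplexing over one UDP port versus signalling plus separately negotiated media ports, which a firewall can only pass if it understands the signalling) can be made concrete with a small model. This is an added example, not code from the post, from Asterisk/IAX or from any firewall product: the frame header is a constructed toy layout and is not IAX's real wire format, the "firewall" is a toy stateful filter with static rules and dynamic pinholes, the SDP fragment is constructed (in RFC 4566 `m=` line syntax, with arbitrary port numbers), and the RTCP-on-port+1 rule is the usual convention rather than something the post states. Ports 4569 and 5060 are the registered IAX2 and SIP ports.

```python
"""Toy model: one multiplexed UDP port versus signalling plus negotiated media
ports.  Constructed example; the frame layout is invented, not IAX's format."""
import re
import struct
from collections import defaultdict

# Constructed frame header: call id (2 bytes), kind (1 byte), payload length (2 bytes).
HDR = struct.Struct("!HBH")
KIND_SIGNAL, KIND_MEDIA = 0, 1


def encode_frame(call_id: int, kind: int, payload: bytes) -> bytes:
    """Wrap one signalling or media chunk so it can share a single UDP port."""
    return HDR.pack(call_id, kind, len(payload)) + payload


def decode_frame(datagram: bytes):
    """Return (call_id, kind, payload), or None for a malformed/truncated frame.
    The demultiplexer rejects bad frames instead of raising, so one corrupt
    datagram cannot take down every call that shares the port."""
    if len(datagram) < HDR.size:
        return None
    call_id, kind, length = HDR.unpack_from(datagram)
    payload = datagram[HDR.size:HDR.size + length]
    if kind not in (KIND_SIGNAL, KIND_MEDIA) or len(payload) != length:
        return None
    return call_id, kind, payload


class Demuxer:
    """Application-side demultiplexing: one socket, many calls."""

    def __init__(self):
        self.calls = defaultdict(lambda: {"signal": [], "media": []})
        self.dropped = 0

    def feed(self, datagram: bytes) -> None:
        frame = decode_frame(datagram)
        if frame is None:
            self.dropped += 1
            return
        call_id, kind, payload = frame
        self.calls[call_id]["signal" if kind == KIND_SIGNAL else "media"].append(payload)


def demux_all(datagrams) -> Demuxer:
    d = Demuxer()
    for dg in datagrams:
        d.feed(dg)
    return d


class StatefulFirewall:
    """Toy packet filter: static allow rules plus dynamically opened pinholes."""

    def __init__(self, static_rules):
        self.static = set(static_rules)  # {(proto, dst_port)}
        self.pinholes = set()

    def allows(self, proto: str, dst_port: int) -> bool:
        return (proto, dst_port) in self.static or (proto, dst_port) in self.pinholes

    def sdp_alg(self, sdp: str) -> int:
        """The protocol-aware helper a SIP firewall needs: read SDP 'm=' lines and
        open the negotiated RTP port plus RTCP on port+1 (usual convention).
        Returns the number of pinholes opened."""
        before = len(self.pinholes)
        for m in re.finditer(r"^m=\w+ (\d+) ", sdp, re.MULTILINE):
            port = int(m.group(1))
            self.pinholes.update({("udp", port), ("udp", port + 1)})
        return len(self.pinholes) - before


def single_port_traversal(port: int, datagrams) -> tuple:
    """Everything rides on one UDP port, so one static rule suffices.
    Returns (datagrams allowed, rules plus pinholes needed)."""
    fw = StatefulFirewall([("udp", port)])
    allowed = sum(fw.allows("udp", port) for _ in datagrams)
    return allowed, len(fw.static) + len(fw.pinholes)


def sip_rtp_traversal(sip_port: int, sdp: str, media_ports) -> dict:
    """Signalling on one port, media on ports negotiated inside the SDP body.
    Without an SDP-aware firewall the media is blocked; with one, the firewall
    must parse the signalling and open a pinhole per stream."""
    fw = StatefulFirewall([("udp", sip_port)])
    blocked_without_alg = sum(not fw.allows("udp", p) for p in media_ports)
    opened = fw.sdp_alg(sdp)
    blocked_with_alg = sum(not fw.allows("udp", p) for p in media_ports)
    return {"blocked_without_alg": blocked_without_alg, "pinholes_opened": opened,
            "blocked_with_alg": blocked_with_alg,
            "rules_total": len(fw.static) + len(fw.pinholes)}


# Constructed sample traffic: two calls sharing one port, plus one corrupt datagram.
SAMPLE_DATAGRAMS = [
    encode_frame(7, KIND_SIGNAL, b"NEW call 7"),
    encode_frame(7, KIND_MEDIA, b"\x00\x01\x02"),
    encode_frame(9, KIND_MEDIA, b"\x10\x11"),
    b"\x00\x07",  # truncated header: must be dropped, not crash the demuxer
]
# Constructed SDP fragment (RFC 4566 syntax, arbitrary ports) and its RTP/RTCP ports.
SAMPLE_SDP = "v=0\r\nm=audio 49170 RTP/AVP 0\r\nm=video 51372 RTP/AVP 31\r\n"
SAMPLE_MEDIA_PORTS = [49170, 49171, 51372, 51373]

if __name__ == "__main__":
    d = demux_all(SAMPLE_DATAGRAMS)
    print("calls:", dict(d.calls), "dropped:", d.dropped)
    print("single port:", single_port_traversal(4569, SAMPLE_DATAGRAMS))
    print("sip+rtp:", sip_rtp_traversal(5060, SAMPLE_SDP, SAMPLE_MEDIA_PORTS))
```

Running the script shows the point of the post in numbers: the multiplexed design passes all four datagrams with a single static rule and needs no protocol knowledge in the firewall, whereas the SIP/RTP design blocks every media packet until an SDP-aware helper parses the signalling and opens four pinholes. The flip side, which the demuxer's `dropped` counter hints at, is that the multiplexing application inherits the parsing and isolation work the firewall no longer does.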