[VOIPSEC] IPSec and VoIP Security

Geoff Devine gdevine at cedarpointcom.com
Tue Apr 25 09:25:10 CDT 2006


Dhiraj Bhuyan writes:
> 3GPP IMS is going to use IPSec for hop-by-hop encryption of SIP signaling
> traffic. Note that session key establishment (for IPSec) between SIP
> client and proxy (P-CSCF) on the network is achieved using SIP-AKA
> (instead of IKE). 3GPP is yet to decide how to secure the media traffic.

...but one can assume that 3GPP will never bear the header overhead
expense of securing the media traffic with IPSec.  Licensed spectrum is
costly and IPSec ESP is probably unacceptable when you use a compression
codec.  The header overhead for SRTP compared to RTP is the four octet
HMAC-SHA1 authentication hash.  

A walled garden architecture like 3GPP is likely to use SDESCRIPTIONS
and pass media keying information in SDP of SIP messages and rely on TLS
or IPSec to keep the SIP messages private and authenticated.  The VoIP
over Cable PacketCable standard uses a home brew equivalent of SRTP and
SDESCRIPTIONS and will likely migrate to those IETF standards as the
cable operators start having to deal with interoperability with SIP
devices.

Geoff Devine
Chief Architect
Cedar Point Communications
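
The dependency described in the message above (SDES carries the SRTP key in SDP and relies on TLS or IPsec on the signaling hop) can be checked per message. The following is an added example, not part of the original post: it parses `a=crypto` lines in RFC 4568 syntax and flags keys that cross an unprotected hop. The function names, the `hop_has_ipsec` parameter and the sample INVITE are constructed for illustration.

```python
import base64
import re

# Master key + salt length in octets for the RFC 4568 crypto-suites.
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30,
                "F8_128_HMAC_SHA1_80": 30}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)", re.M)
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", re.M | re.I)


def parse_crypto(sdp):
    """Return (tag, suite, key||salt bytes) for every a=crypto line."""
    return [(int(t), s, base64.b64decode(k)) for t, s, k in CRYPTO_RE.findall(sdp)]


def audit_sip_message(msg, hop_has_ipsec=False):
    """Findings for one SIP message with an SDP body.

    hop_has_ipsec is supplied by the caller: an IPsec-protected hop is
    not visible in the message itself, only TLS is (top Via transport).
    """
    head, _, sdp = msg.replace("\r\n", "\n").partition("\n\n")
    via = VIA_RE.search(head)
    transport = via.group(1).upper() if via else "UNKNOWN"
    findings = []
    for tag, suite, material in parse_crypto(sdp):
        want = KEY_SALT_LEN.get(suite)
        if want is None:
            findings.append(f"crypto:{tag} unknown suite {suite}")
        elif len(material) != want:
            findings.append(f"crypto:{tag} key||salt is {len(material)} octets, expected {want}")
        if transport != "TLS" and not hop_has_ipsec:
            findings.append(f"crypto:{tag} SRTP master key sent in clear over {transport}")
    return findings


def build_sample(transport, key_salt):
    """Constructed INVITE for the demo; hosts, branch and key are made up."""
    b64 = base64.b64encode(key_salt).decode()
    return ("INVITE sip:bob@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} ua.example.net;branch=z9hG4bKconstructed\r\n"
            "Content-Type: application/sdp\r\n\r\n"
            "v=0\r\nm=audio 49170 RTP/SAVP 18\r\n"
            f"a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:{b64}|2^20\r\n")


if __name__ == "__main__":
    for transport in ("UDP", "TLS"):
        print(transport, audit_sip_message(build_sample(transport, bytes(range(30)))))
```

The transport check covers only the hop the message was captured on, since both TLS and IPsec protect SIP hop by hop.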
