[VOIPSEC] IPSec and VoIP Security

DePietro, John jdepietro at starentnetworks.com
Tue Apr 25 10:51:44 CDT 2006


Hi,

The trend based on my read of the standards for 3GPP2 and 3GPP is that IPsec IKEv2 will be the technology of choice for the Mobile Terminal session to the Access Gateways (PDSN or GGSN). This is a catch-all tunnel that would cover RTP (but not end-to-end). IMHO this choice by 3GPP and 3GPP2 is inefficient when considering the fact that Mobile Terminals will need to run an IPsec SA for SIP (defined) and possibly an IPsec SA for RTP (not defined).

Regards,

John

-----Original Message-----
From: dhiraj.2.bhuyan at bt.com [mailto:dhiraj.2.bhuyan at bt.com]
Sent: Tuesday, April 25, 2006 5:46 AM
To: vatn at kth.se; DePietro, John; alexandre.passito at gmail.com
Cc: joachim at orrblad.se; Voipsec at voipsa.org
Subject: RE: [VOIPSEC] IPSec and VoIP Security


3GPP IMS is going to use IPSec for hop-by-hop encryption of SIP signalling traffic. Note that session key establishment (for IPSec) between SIP client and proxy (P-CSCF) on the network is achieved using SIP-AKA (instead of IKE). 3GPP is yet to decide how to secure the media traffic.

Regards,
Dhiraj Bhuyan
Senior Security Specialist,
British Telecom

-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Jon-Olov Vatn
Sent: 25 April 2006 07:48
To: DePietro, John; Alexandre Passito
Cc: Joachim Orrblad; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] IPSec and VoIP Security

Hi,

IMS is not designed to use IPSec end-to-end as far as I understand, but it would be interesting to see if those methods could be used end-to-end too.

As an alternative I suggest that you have a look at Joachim Orrblad's master's thesis "Alternatives to MIKEY/SRTP to secure VoIP" where he uses MIKEY to establish the IPSec-ESP security association, and also implements experimental support for it in Minisip, see http://www.minisip.org/publications.html
Still, one should note that Orrblad prefers "SRTP" over "IPSec-ESP" to protect VoIP calls (see the conclusions).
You may also find some more measurements on call setup delays for MIKEY with both SRTP and IPSec-ESP in Bilien et al "Secure VoIP: call establishment and media protection" found on the same page.

BW J-O


DePietro, John wrote:

>Hi Passito,
>
>I suggest you look at the SIP AKA model for IPSEC, based on HTTP AKA.  This is utilized in IMS (3GPP IMS, 3GPP2 MMD).  This may give you some idea to address your second issue "(key sharing, user permissions and etc)".  
>
>-----Original Message-----
>From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org]On
>Behalf Of Alexandre Passito
>Sent: Tuesday, April 04, 2006 4:50 PM
>To: Voipsec at voipsa.org
>Subject: [VOIPSEC] IPSec and VoIP Security
>
>
>Hi ALL,
>
>I'd like to start a discussion about using IPSec for end-to-end
>security in VoIP Systems. I have read some papers about the subject and
>it seems that IPSec is not completely suitable for this kind of task due to two reasons:
>damage to some QoS metrics and the problem with management (key
>sharing, user permissions and etc). I'd like to hear some ideas about
>it, future trends and if there are well deployed solutions being tested.
>
>Best regards,
>
>Passito
>
>--
>Alexandre Passito - M.Sc. Student
>Federal University of Amazonas (UFAM)
>Computer Science Department (DCC)
>--
>E-mail: passito at dcc.ufam.edu.br
>Web: www.dcc.ufam.edu.br/~passito
>Manaus - AM - Brasil
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org