[VOIPSEC] SRTP

Lee Dilkie lee_dilkie at mitel.com
Wed Feb 22 14:49:12 CST 2006


Nathan Allen Stratton wrote:
> On Wed, 22 Feb 2006, Richard Polishak wrote:
>
>   
>> Interesting discussion (as always).  In investigations here I have been trying to gather from the vendor community what
...
>>  the soft-client approach but Marketing tells me hard phones are a requirement by most customers for 'work from home' users.
>>     
>
> SNOM is the only SRTP with standard key exchange that I know about. Sipura
> does SRTP, but they have a totally proprietary way of dealing with key
> exchange so it is worthless unless it is their CPE on both ends.
>
> -Nathan
>
>   
I've never heard of SNOM, other than 
http://spm.phy.bris.ac.uk/techniques/SNOM/ , but AFAIK there *aren't* 
really any "standard" key exchange methods in this space yet so it's
a bit unfair to call a proprietary solution "worthless".

Security is *hard*. It's way more hard than folks give it credit. What 
may be overkill for one person's application will often be insufficient
for another's. The reason that "universal" security solutions (i.e. IPsec,
VPN) don't catch on is because it's just not possible to do, though we 
keep trying. Would you expect that a Schlage door lock would be an 
acceptable solution to locking all doors, everywhere? What would your 
local bank or military installation have to say to that suggestion? (or 
heck, ask your company to replace the security guard with a Schlage lock)

So the current state of VoIP security is one of groping for solutions. At
this stage most of the solutions are proprietary because, and this is a 
good thing, it solves immediate needs *and* gives the community 
experience on a solution. Experience is a good thing, especially for 
security.

<my experience>
It shouldn't surprise folks that the best security solutions end up 
being application specific. It's nice to abstract out common parts (like 
PKI and X.509 for example), but security isn't something an application 
(any application) can totally defer to another layer. SRTP is a nice 
abstraction for one piece of the puzzle. The other piece is that hard 
one, key management/exchange, so it's not surprising that we're getting 
hung up on it. It will come. In fact, probably more than one solution 
will emerge. I wouldn't be surprised to see a pure peer key exchange 
*and* a third party trust model emerge. Both are needed for different 
reasons.
</my experience>

As for softphones... I hate 'em. Give me something I can bang down on 
hard when I need to make a point ;)

My 2 cents,

-lee



