[VOIPSEC] H.235

Qos Lab qoslab at gmail.com
Wed May 24 15:33:13 CDT 2006 

Simon,

There is certainly a huge number of potential use case of H235, but
CAT/Radius authentication is the easiest way from what i've seen yet. I
haven't seen much CPEs/softphone supporting more advanced mode of H235
authentication and same for AGK/SBC. But I would be interested in having
your feedback on this and sources/references of such devices/deployment.

And regarding the PKI, let me quote Zimmerman's draft on zrtp, because I
have the same opinion moreover I originaly am from the security field before
moving to voip/telecom. Note that this is my opinion for a carrier grade
deployment... I truly believe that a PKI for a small scale could remain
managable...

"  A decade of industry experience has shown that deploying centrally
   managed PKIs can be a painful and often futile experience.  PKIs are
   just too messy, and require too much activation energy to get them
   started.  Setting up a PKI requires somebody to run it, which is not
   practical for an equipment provider.  A service provider like a
   carrier might venture down this path, but even then you have to deal
   with cross-carrier authentication, certificate revocation lists, and
   other complexities.  It is much simpler to avoid PKIs altogether,
   especially when developing secure commercial products."



On 5/22/06, Simon Horne <s.horne at packetizer.com> wrote:
>
>
> Abdelkader
>
> H.235 has a lot more than just CAT and Radius support, it can be used to
> embed user/pass, digital certificates, encrypted shared secret material into
> almost any H.323 message which means that potentially any message (or all)
> can be authenticated or used for key exchange or both. It is quite legal to
> put a user/pass (H.235.1) and a PKI & diffie-hellman (H.235.2) in the same
> H.235 field of a single H.323 message to do 2 different functions
> Per-Call admission control at the border element (with radius support) and
> end-to-end certificate based authentication and encryption.
>
> Simon
>
>
>
> At 12:50 AM 22/05/2006, Qos Lab wrote:
>
> Michael,
>
> From what i've seen, cisco like implementation of H235 (search for H235
> CAT cisco access token) is very nice, more over you can have  H235
> authentication through a Radius authentication server thanks to this
> implementation.
>
> Abdelkader
>
> On 5/10/06, *Simon Horne* <s.horne at packetizer.com> wrote:
>
> Michael
>
> They are in the most part final drafts (and almost identical to the
> standards document) and free, They are kept up to date by a college who is
> closely associated with the ITU, all 'official' standards have to be
> purchased from the ITU.
>
> Simon
>
> Also, a concise list of SIP related RFC's are also available
> http://www.packetizer.com/voip/sip/standards.html
>
>
> At 04:21 PM 10/05/2006, Michael Prochaska wrote:
> >thanks,
> >but are these the official standards or only drafts for the year 2006?
> >
> >i've thought i have to pay for them...
> >
> >regards,
> >michael
> >
> >
> >Simon Horne schrieb:
> >>The ITU last year changed the numbering system for the H.235 series from
> >>Annex D,E etc to H235.x notation.
> >>Basically the following were renamed
> >>H.235AnnexD  -> H.235.1
> >>H.235AnnexE  -> H.235.2
> >>A complete list of draft standards are available free from
> >>http://www.packetizer.com/voip/h323/standards.html
> >>Simon
> >>
> >>At 06:44 AM 10/05/2006, you wrote:
> >>>hi,
> >>>it would be great if there is anybody out there who can give me a short
> >>>overview over H.235.
> >>>
> >>>everytime i read annex D, annex e, and so on. but on the itu-t homepage
> >>>there are no annexes but substandards (h.235.1, ....).
> >>>
> >>>i thought that the annexes became substandards, but i've read a
> >>>scientific paper from the year 2005 which speaks from annexes....i'm
> >>>really confused
> >>>
> >>>thanks very much in advance,
> >>>michael
> >>>
> >>>_______________________________________________
> >>>Voipsec mailing list
> >>>Voipsec at voipsa.org
> >>>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
> <http://voipsa.org/mailman/listinfo/voipsec_voipsa.org>
>
>
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>
>

More information about the Voipsec mailing list