[SIPForum-techwg] SIPconnect and Security
Ahmad, Syed
Syed.Ahmad at eu.panasonic.com
Tue Jun 10 11:41:34 EDT 2008
Chris,
Service Providers / Carriers (I assume) need to be sure that the
signalling they receive, and based on which they generate billing - is
secure to some level.
Enterprises also want to be sure that the call they are receiving is
also from a valid provider (and not from someone who may be trying to do
things like SIP DoS attacks, etc).
That said - there will always be cost for authentication and security -
which some companies may or may not want to invest in.
Defining levels of authentication/security as None, Basic, Advanced,
Encrypted, etc would be a good compromise.
- Let security be not the main impediment to interoperability.
- Just my 2 cents.
- Syed Ahmad
=======================================================
Senior Engineer, Marketing Dept.,
Communications Solutions - Europe
Panasonic Communications Company, UK Ltd.
Web: http://pccuk.panasonic.co.uk/
=======================================================
________________________________
From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org]
On Behalf Of Chris Gatch
Sent: 10 June 2008 14:49
To: Johnston, Alan B (Alan); techwg at sipforum.org
Subject: Re: [SIPForum-techwg] SIPconnect and Security
Good point, Alan. I would like to see SIPconnect 1.1 provide a best
practice for security on SIP Trunking. In my view, e-mail is a great
example. Many mail providers and clients support a few different levels
of security (i.e. SMTP Auth and TLS), which the implementer chooses
based on their requirements. The really tough issues we're going to
face as the debate gets going is the effect of so many ALGs deployed in
the wild. These products are everywhere from firewalls to SBCs, and
they are actively engaged in SIP header fix-up, transcoding, etc. We
can't force a standard on the market (i.e. TLS, SRTP) that will make
signaling invisible to these devices. In my view we'll need an approach
that offers a couple of prescribed levels of security such as basic,
secure, really secure ... In the end, the choice to secure one's
investment should be their own - especially when cost and complexity are
involved in doing so.
Chris
On 6/10/08 9:40 AM, "Johnston, Alan B (Alan)" <abjohnston at avaya.com>
wrote:
I've started a separate thread on this as it is a worthwhile topic
for discussion on its own.
Before we get lost in the details of how best to key SRTP and
how to do best effort SRTP, let's think about SIPconnect and security.
We currently have a recommendation that basically has no security at
all. Many of us went along with this 1.0 version in the name of having
immediate interoperability and deployability.
But is this really the direction we want to go in all our future
recommendations? Is security just a nice feature that we debate and
decide to leave out of our recommendations?
Our work on these recommendations should set the direction for
our industry. Do we believe that enterprise communication needs
authentication and confidentiality of both signaling and media?
Once we debate these questions, we can go back to the details,
timelines, etc. for the next version of SIPconnect...
Thanks,
Alan