[SIPForum-techwg] SIPConnect 1.1: Mutual TLS
Francois Audet
audet at nortel.com
Tue Apr 7 11:57:34 EDT 2009
I found the arguments against TLS to be completely bogus.
I don't believe the "high cost" argument. The most popular TLS libraries are free.
The reason TLS is not deployed in SMB is complacency, ignorance, and vendor and service provider FUD, and (to a certain extent) "island-type" deployments where the IP network is essentially isolated and used as a pipe to a PSTN gateway. Once people realize that they are deploying completely insecure systems, and the openness of the system increases, letting the riff-raff in, there will be some hard realization of the dangers.
Note: I'm not saying TLS is the only choice. Some service providers may choose to use an IPsec link between their network and the customer's.
________________________________
From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org] On Behalf Of Ahmad, Syed
Sent: Tuesday, April 07, 2009 08:39
To: Grzenda, Jay; richard at shockey.us
Cc: techwg at sipforum.org
Subject: Re: [SIPForum-techwg] SIPConnect 1.1: Mutual TLS
Jay,
Fully agree with you that TLS (and the need for TCP) is overkill, especially in the SOHO and SMB market, where most customers just want the thing to work without having to worry about any added IT complexity.
Doing SIP interop with major SIP SPs across Europe (all of western and some eastern European countries), we have yet to come across a single SIP SP or customer that is requiring TLS.
- Syed Ahmad
=======================================================
Panasonic Communications Company, UK Ltd.
=======================================================
From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org] On Behalf Of Grzenda, Jay
Sent: 02 April 2009 21:18
To: 'Bernard Aboba'; 'richard at shockey.us'
Cc: 'techwg at sipforum.org'
Subject: Re: [SIPForum-techwg] SIPConnect 1.1: Mutual TLS
For the Allworx products (low-end, SMB market), TLS will most likely not be supported. Several reasons:
1) High cost -- The encryption libraries, PKI certificates, public-key large-number math libraries, etc. are fairly hefty algorithms for a UMC-driven, embedded appliance.
2) Not simple -- Many of our smaller customers do not have an "IT team". Basic networking is difficult enough without the added requirements of obtaining a certificate and a permanent address.
3) Not scalable -- Service providers may not want 1000 smaller customers to turn on TLS (or even TCP) due to the demand on their servers.
Service providers we work with (e.g. Cbeyond, PAETEC) offer VPN services on dedicated T1 lines. The customers that want QoS and security can get that through a managed-network offering from their provider.
I understand the value and need for TLS in the Enterprise market. However, requiring the low-end products and service providers to support something that won't be used doesn't get us any closer to interoperability.
-Jay
________________________________
From: techwg-bounces at sipforum.org [mailto:techwg-bounces at sipforum.org] On Behalf Of Bernard Aboba
Sent: Tuesday, March 31, 2009 11:23 AM
To: richard at shockey.us
Cc: techwg at sipforum.org
Subject: Re: [SIPForum-techwg] SIPConnect 1.1: Mutual TLS
OCS, OpenSIPS, Sametime, Asterisk 1.6, FreeSwitch all include TLS support.
So not only is it implemented, implementations are becoming more common.
The biggest hurdle is typically getting support for TCP in place.
SIPS is a different story. The above implementations all support use of
SIP over TLS using the SIP URI. SIPS adds interoperability issues, but
not much intrinsic value, so it's not widely supported now (I've only seen
it in Sametime) and the situation doesn't look like it will improve in the near
future.
> From what I hear ..its because most implementations involve real or highly
> virtual circuits from PBX to SSP hence there is a perception of security at
> Layer 1 and no real need for TLS. Additionally there is the perception that
> TLS adds unnecessary "overhead" to the session establishment. Frankly I've
> found that argument to be somewhat bizarre since it seems to work pretty
> well for zillions of transactions on Amazon ..but I've stopped trying to
> reason why my 'former customers' act the way they do.
>
> From what I can tell virtually no one is implementing TLS or SIPS for that
> matter.