[SIPForum-techwg] Discussion on why 7.2.5 (authentication etc. for static mode) differs from 7.1.6 (for registration mode)
fluffy at cisco.com
Tue Feb 17 18:46:48 EST 2009
On Feb 12, 2009, at 14:13 , Theo Zourzouvillys wrote:
> On Thu, Feb 12, 2009 at 7:15 AM, Cullen Jennings <fluffy at cisco.com>
>> So if the SP has a VPN connection with IPsec to Customer A and
>> Customer B, and A makes a call to 1-900-pay-fluffy but claims the
>> call is from Customer B, how does the SP know to bill A instead of B?
> the SP would see the call came from customer A's IPSec connection
> though? customer A does not need to signal to the SP who to charge
This sounds good in theory but let's talk about practice. Let's say
the SP proxy is running on a Unix box and the VPN terminated on some
VPN terminator. How would the proxy know which VPN it came in over?
Consider another case, the VPN terminates on the Unix box running the
proxy. What OS calls would the proxy use to find out which VPN the
message came in over or if it even came in over a VPN? It's not easy.
TLS provides a way for the application to see what security
association was formed. One of the goals of many IPsec models is to
remove the need for the application to even be aware IPsec is
happening much less what security association is formed. That makes it
harder to use IPsec in this case.
This is not a new problem. Back 8 or more years ago when Microsoft
deployed a large SIP Trunking solution for the Voice.Net stuff -
Microsoft specified mutual TLS in a nice way that worked well and was
pretty secure. One of the proxy vendors, Cisco, did not want to do TLS
and instead used IPsec to connect Microsoft PBXs to the Cisco proxies
in the service providers. This problem existed then and was, to my
knowledge, never resolved.
> ~ Theo
> Sent from: Bicester Oxfordshire United Kingdom.
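As an added illustration of the point made above (constructed example, not code from this thread or from any real SIP proxy): with mutual TLS the proxy holds the peer certificate, so it can bill the account the caller *proved* rather than the one the From header *claims*; with IPsec terminated below the socket there is no equivalent handle. The trust table, the `bill_to` helper, the `sip.customer-*.example` names and the certificate dict (shaped like `ssl.SSLSocket.getpeercert()` output) are all assumptions made for the example.

```python
import re

# Constructed trust table for the example: SAN dNSName -> billing account.
# These stand in for the two customers the SP peers with in the thread.
TRUSTED_PEERS = {
    "sip.customer-a.example": "Customer A",
    "sip.customer-b.example": "Customer B",
}

# Host part of the From URI, with or without a display name / angle brackets.
FROM_RE = re.compile(r"^From:\s*(?:[^<\r\n]*<)?sips?:(?:[^@<>\s]+@)?([^;>\s:]+)",
                     re.M | re.I)

def peer_dns_names(cert):
    """dNSName SANs from a dict shaped like ssl.SSLSocket.getpeercert()."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def claimed_domain(sip_request):
    """Host part of the From URI: what the caller *claims* about itself."""
    m = FROM_RE.search(sip_request)
    return m.group(1).lower() if m else None

def bill_to(cert, sip_request):
    """Pick the account to bill (hypothetical helper).  The mutually
    authenticated TLS peer is the proven identity; the From header is only a
    claim, so a mismatch is flagged rather than believed.  Returns None when
    the peer cert maps to no single known account, i.e. the proxy should
    reject the request instead of guessing."""
    accounts = {TRUSTED_PEERS[n] for n in peer_dns_names(cert) if n in TRUSTED_PEERS}
    if len(accounts) != 1:
        return None
    proven = accounts.pop()
    claimed = TRUSTED_PEERS.get(claimed_domain(sip_request))
    return {"account": proven, "claimed": claimed, "spoofed": claimed != proven}

# Constructed sample: Customer A's peer cert, as getpeercert() would return it,
# carrying an INVITE whose From header claims to be Customer B.
CERT_A = {
    "subject": ((("commonName", "sip.customer-a.example"),),),
    "subjectAltName": (("DNS", "sip.customer-a.example"),),
}
INVITE = ("INVITE sip:1-900-pay-fluffy@sp.example SIP/2.0\r\n"
          "From: \"Alice\" <sip:alice@sip.customer-b.example>;tag=7\r\n"
          "To: <sip:1-900-pay-fluffy@sp.example>\r\n\r\n")

if __name__ == "__main__":
    print(bill_to(CERT_A, INVITE))
    # {'account': 'Customer A', 'claimed': 'Customer B', 'spoofed': True}
```

The proxy only has `cert` to pass in because TLS exposes the security association to the application; an IPsec-only deployment would leave it with nothing but the From header.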