[SIPForum-techwg] Discussion on why 7.2.5 (authentication etc. for static mode) differs from 7.1.6 (for registration mode)

Cullen Jennings fluffy at cisco.com
Tue Feb 17 18:46:48 EST 2009


On Feb 12, 2009, at 14:13 , Theo Zourzouvillys wrote:

> On Thu, Feb 12, 2009 at 7:15 AM, Cullen Jennings <fluffy at cisco.com>  
> wrote:
>
>> So if the SP has a VPN connection with IPsec to Customer A and
>> Customer B, and A makes a call to 1-900-pay-fluffy but claims the call
>> is from Customer B, how does the SP know to bill A instead of B?
>
> the SP would see the call came from customer A's IPSec connection
> though?  customer A does not need to signal to the SP who to charge
> ...
>

This sounds good in theory but let's talk about practice. Let's say  
the SP proxy is running on a Unix box and the VPN terminated on some  
VPN terminator. How would the proxy know which VPN it came in over?  
Consider another case, the VPN terminates on the Unix box running the  
proxy. What OS calls would the proxy use to find out which VPN the  
message came in over or if it even came in over a VPN? It's not easy.  
TLS provides a way for the application to see what security  
association was formed. One of the goals of many IPSec models is to  
remove the need for the application to even be aware IPsec is  
happening much less what security association is formed. That makes it  
harder to use IPsec in this case.

This is not a new problem. Back 8 or more years ago when Microsoft  
deployed a large SIP Trunking solution for the Voice.Net stuff -  
Microsoft specified mutual TLS in a nice way that worked well and was  
pretty secure. One of the proxy vendors, Cisco, did not want to do TLS  
and instead used IPSec to connect Microsoft PBXs to the Cisco proxies  
in the service providers. This problem existed then and was, to my  
knowledge, never resolved.



> ~ Theo
>
> Sent from: Bicester Oxfordshire United Kingdom.
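
The point above about TLS exposing the security association to the application, as an added example that is not part of the original message: with mutual TLS, Python's `ssl.SSLSocket.getpeercert()` returns the verified client certificate, so a proxy can bill the authenticated peer rather than the party named in the From header. The account table, certificate, SIP request and function names are constructed for illustration.

```python
import re

# Constructed mapping: certificate subjectAltName DNS entry -> SP billing account.
ACCOUNTS = {"pbx.customer-a.example": "account-A",
            "pbx.customer-b.example": "account-B"}

# Constructed sample: shape returned by ssl.SSLSocket.getpeercert() for Customer A.
CERT_A = {"subject": ((("commonName", "pbx.customer-a.example"),),),
          "subjectAltName": (("DNS", "pbx.customer-a.example"),)}

# Constructed sample: Customer A's PBX claims the call is from Customer B.
SPOOFED_INVITE = ("INVITE sip:+19005550100@sp.example SIP/2.0\r\n"
                  'From: "Customer B" <sip:alice@pbx.customer-b.example>;tag=1\r\n'
                  "To: <sip:+19005550100@sp.example>\r\n\r\n")

def authenticated_account(peercert):
    """Account bound to the verified client certificate, or None."""
    if not peercert:  # no client certificate was verified on this connection
        return None
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "DNS" and value.lower() in ACCOUNTS:
            return ACCOUNTS[value.lower()]
    return None

def claimed_account(sip_request):
    """Account named by the From header, which the sender controls."""
    m = re.search(r"^(?:From|f)\s*:.*?sips?:(?:[^@>\s]*@)?([^;>:\s]+)",
                  sip_request, re.I | re.M)
    return ACCOUNTS.get(m.group(1).lower()) if m else None

def billing_decision(peercert, sip_request):
    """Bill the TLS-authenticated peer and flag a From header naming another party."""
    account = authenticated_account(peercert)
    if account is None:
        return {"action": "reject", "bill": None, "from_mismatch": False}
    return {"action": "accept", "bill": account,
            "from_mismatch": claimed_account(sip_request) != account}

if __name__ == "__main__":
    print(billing_decision(CERT_A, SPOOFED_INVITE))
```

In a live proxy the `peercert` argument would come from the accepted socket of an `ssl.SSLContext` configured with `verify_mode = ssl.CERT_REQUIRED`; no equivalent per-message value is handed to the application when IPsec is terminated below it.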


