hitete@free.fr
2004-Oct-13 01:48 UTC
[Asterisk-Users] Where is the cheapest place to buy grandstream phones ?.
Where is the cheapest place to buy grandstream phones ?. And the other day I posted questions about security for SIP, is the only solution a vpn ?. Isn't there SSL integrated in SIP ?. /Hitete
Benjamin on Asterisk Mailing Lists
2004-Oct-13 03:26 UTC
[Asterisk-Users] Where is the cheapest place to buy grandstream phones ?.
On Wed, 13 Oct 2004 10:48:39 +0200, hitete@free.fr <hitete@free.fr> wrote:

> Where is the cheapest place to buy grandstream phones ?

I have heard that SIPphones.com are about to sell them for $49 or $59 a piece but that may be just a rumour or it may be an offer limited to those over the age of 80 attended by their parents, I don't know.

> And the other day I posted questions about security for SIP, is the only
> solution a vpn ?.
> Isn't there SSL integrated in SIP ?

Do you actually know how SIP works? SIP is only HALF a protocol from the viewpoint of VoIP. SIP doesn't actually do any VoIP. SIP is only there for introducing two parties to each other. That's all SIP does. "1.2.3.4 meet 6.7.8.9 -- 6.7.8.9, this is 1.2.3.4". It is then up to those parties to arrange how they communicate with each other. SIP has nothing to do with that communication. SIP does not deal with voice. It only deals with introductions and the filing of divorce papers. That's it.

The kind of SIP that is mostly used for establishing VoIP connections is using another protocol, called RTP, which from the viewpoint of VoIP has to be considered the OTHER HALF of what makes up the VoIP protocol. SIP makes the introduction, RTP carries the voice. So when you talk about a SIP phone call, what you really mean is an RTP phone call which has been arranged for by SIP. Since those two protocols are technically independent protocols only loosely taped together by SIP's introduction, there are three independent data streams involved, all using different ports, from the viewpoint of TCP/IP all independent connections that have nothing to do with each other. To make things worse still, the ports used for the voice traffic are determined at random, one for each direction.
So, if you wanted to wrap a SIP based IP phone call into SSL, then you would need to find a way how to get three independent data streams potentially going to two different destinations on three different ports, two of which are random, all together into one socket. Good luck with that. Of course you could wrap the three connections all individually, but that doesn't help you with NAT traversal. In fact it will make NAT traversal more difficult because some of the techniques that aid SIP/NAT traversal need to be able to read and understand the SIP messages to know which ports to open for the associated RTP traffic. If you encrypt the SIP stream individually, you will make it impossible for those techniques to work because they cannot read the SIP messages anymore. If you leave the SIP stream untouched and only encrypt the RTP traffic, then you will not increase your security in terms of potential break in attacks. You will only protect yourself against eavesdropping on the audio channels. So, to get proper security, you would have to encapsulate both SIP and RTP streams into a single stream and send that off to a remote party that knows how to unbundle it again. This means you are looking at building a tunnel. Hence VPN.

The moral of the story is this: Everybody doing VoIP has at some point run into the issue of SIP/NAT traversal and discovered how it is a pain to get working and how it is a serious security risk if you do get it working. We have all been there before you. We are all wearing the T-shirt that says "been there, done that" and we have earned that T-shirt with our own blood, sweat and tears. So, you have two choices: You can either just trust our advice. Or you can ignore it, bang your head against the wall like many of us did before and earn your own "been there, done that" T-shirt. Whatever you do, you are not going to find a solution other than what has been presented to you already.
SIP is broken and it will remain that way because it is broken by design. Trust me on this, I myself have been one of those who didn't want to take the advice from the resident VoIP gurus at the time and I was banging my head against the wall in search of a solution that isn't there. Of course my stubbornness has given me a pretty good understanding of the problem, but I could have saved myself a lot of trouble if I had listened to the advice of those who told me that I was wasting my time. VPN or IAX it is.

rgds
benjk

--
Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya, Tokyo, Japan.
NB: Spam filters in place. Messages unrelated to the * mailing lists may get trashed.