Does anyone know if SIP phones from any of the major IP phone vendors support 802.1x authentication? Any feedback would be greatly appreciated.

Thanks in advance.

=====================
Jeronimo Romero
EUS Networks
Email: jromero at euscorp.com
Cell: 917-332-7238
Office: 212-624-5943
Web: www.euscorp.com
=====================
Jeronimo Romero wrote:
> Does anyone know if SIP phones from any of the major IP phone vendors
> support 802.1x authentication? Any feedback would be greatly appreciated.

This is so unlikely. I worked on 802.1X and 802.11i. There is just too much overhead there. No way to meet the ITU 50ms disruption requirement. Plus it is a lot of code. Wait until 802.11r and/or 11s get done to get any real secure roaming. Rather implement SRTP.
I'm pretty sure the Cisco Unified IP Phones 7900 Series phones support this. Don't quote me on it, but it's worth checking out.

Kev

Jeronimo Romero wrote:
> Does anyone know if SIP phones from any of the major IP phone vendors
> support 802.1x authentication? Any feedback would be greatly appreciated.
I called Cisco and they are so far the only vendor that offers it.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com On Behalf Of Robert Moskowitz
Sent: Wednesday, January 09, 2008 11:47 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] IEEE 802.1x capable sip phones

Jeronimo Romero wrote:
> Does anyone know if SIP phones from any of the major IP phone vendors
> support 802.1x authentication? Any feedback would be greatly appreciated.

This is so unlikely. I worked on 802.1X and 802.11i. There is just too much overhead there. No way to meet the ITU 50ms disruption requirement. Plus it is a lot of code. Wait until 802.11r and/or 11s get done to get any real secure roaming. Rather implement SRTP.
2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
> Jeronimo Romero wrote:
> > Does anyone know if SIP phones from any of the major IP phone vendors
> > support 802.1x authentication? Any feedback would be greatly appreciated.
>
> This is so unlikely. I worked on 802.1X and 802.11i. There is just too
> much overhead there. No way to meet the ITU 50ms disruption requirement.

I thought that:
1. 802.1X was mainly when you plug your hardphone into your network,
2. SRTP is an orthogonal issue, as you could positively be looking to authenticate your network device and be confident that with authenticated devices, risks are kept to an acceptable level.

Am I wrong?

> Plus it is a lot of code. Wait until 802.11r and/or 11s get done to get
> any real secure roaming. Rather implement SRTP.
Olivier wrote:
> I thought that:
> 1. 802.1X was mainly when you plug your hardphone into your network,

802.1X-2001 was written to secure ports on an 802.3 switch. Originally for PCs; works just fine for phones. Really does NOT play with VLANs, but HP cheated (I know their lead engineers). 802.1X-2004 (you have to watch it with IEEE standards naming) added the state machines necessary to support 802.11i. This was a struggle and really is NOT right. 802.1af is trying to fix that.

> 2. SRTP is an orthogonal issue as you could positively be looking to
> authenticate your network device and be confident that with
> authenticated devices, risks are kept to an acceptable level

I am a real security expert. I am one of the strong proponents of security in depth and how layer 4 security cannot protect the device. When we were starting on 802.1AE (LinkSec), Norm Finn (a Cisco Fellow and long time worker on 802.1 and other layer 2 standards) said it well:

Layer 2 security protects and addresses the liabilities of the network owner
Layer 3 security protects and addresses the liabilities of the system owner
Layer 4 security protects and addresses the liabilities of the application owner
Data security (anything above 4) protects and addresses the liabilities of the data owner

Think about it. You are on an 802.11 phone. Anyone there can intercept the 802.11 frames. They can attack your phone with 802.11 payloads. Your call leaves the 802.11 cloud and backbones over 802.16! Even if this is with parabolic radios, there is still plenty of room for listeners. And the original 802.16 security was DOCSIS! Almost as weak as WEP; done at the same time that we were working on 802.11i (we have to get something out, we will go back and fix it later). Your call goes through some Telco's switches that MUST comply with CALEA or are owned by some foreign government or drug cartel. Well, you get the picture.

Protect the network (802.11i et al.).
Protect the phone (IPsec or HIP).
Protect the call (DTLS or TLS for SIP and SRTP).

Any wonder why we still don't have good security? It is HARD to make it easy.

> Am I wrong?

Yes and No ;)
I am seeing slight differences in URIs.

In the case where things work, the URI is user at sip.foo.com; where it does not work it is user at sip.foo.com:5060.

In the first case I suspect that Asterisk did something, perhaps at startup, where it 'decided' it was behind a firewall, so let the firewall do the port mapping.

In the second case I suspect whatever Asterisk was doing at startup indicated it was wide open, so it supplies the 5060 port number.

Is Asterisk doing any discovery at startup?
Olivier wrote:
> 2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
> > This is so unlikely. I worked on 802.1X and 802.11i. There is just too
> > much overhead there. No way to meet the ITU 50ms disruption requirement.
>
> Do you mean ITU is asking the phone to authenticate within a 50ms time frame?
> Or do you mean RTP flow encryption shouldn't exceed 50ms?

The latter. So an authenticate while a flow is in process can kill the call. This is what can happen during a roam (or a re-key). Cellular phone authentication can take a REAL long time! You see this when the phone is 'discovering' your network.
Robert Moskowitz
2008-Jan-11 16:04 UTC
[asterisk-users] More details: Re: SIP URI question and NATs
OK. I will continue this thread. I have learned a lot through a lot of tcpdumps. So I am top posting so new understanding does not get hidden.

Scenario: Asterisk publicly addressed behind a firewall. Two different firewalls available: Linksys WRT54G running Sveasoft, and CentOS using Netfilter configured with Shorewall. Both firewalls have the same IP addresses; switching them is a matter of switching cables. With Linksys, I have turned NAT off, but still needed to define the * box as the dmzbox.

Problem: inbound calls work with Linksys, not with Netfilter (no voice).

Observation 1: With Linksys, the INVITE for inbound calls has redirect information. The RTP flow goes to a different Broadvoice server. With Netfilter, the INVITE lacks this additional information. The RTP flow goes to the Broadvoice server * is registered to, and that box replies with an ICMP port not available.

Observation 2: The REGISTER coming from * has Contact: Phone#@foo.com. Linksys alters this to Phone#@foo.com:5060. In fact it alters many SDP values to add the port number (this was determined by tcpdumps on both sides of the Linksys box). Of course the Netfilter box does NOT mangle. Further looking at the INVITEs, this port number information seems to be important.

Conclusion: Broadvoice is NOT acting properly with only Phone#@foo.com; it needs Phone#@foo.com:5060.

Next step: How do I get * to directly include the port number? I tried nat=yes, but this did not make a difference.

Johansson Olle E wrote:
> On 10 Jan 2008 at 15.24, Robert Moskowitz wrote:
>
>> I am seeing slight differences in URIs.
>>
>> In the case where things work, the URI is user at sip.foo.com where it
>> does not work is user at sip.foo.com:5060
>>
>> In the first case I suspect that Asterisk did something, perhaps at
>> startup, where it 'decided' it was behind a firewall, so let the
>> firewall do the port mapping.
>>
>> In the second case I suspect whatever Asterisk was doing at startup
>> indicated it was wide open so it supplies the 5060 port number.
>>
>> Is Asterisk doing any discovery at startup?
>
> First, don't start a new mail in an old thread. Thanks.
>
> Your mail doesn't have enough information on what goes wrong and where,
> so there is little I can say to help you. There's no information about
> how you are using the SIP uri in Asterisk.
>
> In general, if there's a port number attached to the domain part in a
> URI, this indicates that the domain name is actually a host and that a SIP
> device should *not* lookup any SRV records.
>
> /O
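Olle's point about the port decides which DNS lookups a SIP device performs, which is why the two Contact forms in this thread behave differently. The following is an added illustration, not code from the thread or from Asterisk: a small Python routine that parses a Contact URI and reports the RFC 3263 resolution path. The function names and sample URIs are constructed for this example.

```python
import ipaddress
import re

# Added illustration, not code from the thread or from Asterisk: parse a SIP
# Contact/Request-URI and derive the RFC 3263 resolution path that Olle
# describes (explicit port => the host is a literal host, no NAPTR/SRV lookup).
# Function names and the sample URIs below are constructed for this example.

_URI_RE = re.compile(
    r"^<?sips?:(?:(?P<user>[^@;>]+)@)?(?P<host>\[[^\]]+\]|[^:;>]+)"
    r"(?::(?P<port>\d{1,5}))?(?:;[^>]*)?>?"
)

def parse_sip_uri(contact):
    """Return (user, host, port) from a Contact value; port is None if absent."""
    m = _URI_RE.match(contact.strip())
    if not m:
        raise ValueError("not a SIP URI: %r" % contact)
    host = m.group("host").strip("[]")          # drop IPv6 brackets
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port < 65536:
        raise ValueError("port out of range: %d" % port)
    return m.group("user"), host, port

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def resolution_plan(contact):
    """Which DNS lookups a SIP device should do for this URI (RFC 3263 sect. 4)."""
    _, host, port = parse_sip_uri(contact)
    if _is_ip_literal(host):
        # Numeric target: no DNS at all; default SIP port when none is given.
        return {"lookup": "none", "host": host, "port": port or 5060}
    if port is not None:
        # Port present: the name is a literal host, so A/AAAA only, no SRV.
        return {"lookup": "A/AAAA", "host": host, "port": port}
    # No port: NAPTR, then SRV (_sip._udp.<domain> etc.) supplies host and port.
    return {"lookup": "NAPTR/SRV", "host": host, "port": None}

if __name__ == "__main__":
    # The two Contact forms from the thread (host names are constructed).
    for uri in ("sip:user@sip.foo.com", "<sip:user@sip.foo.com:5060>;expires=3600"):
        print(uri, "->", resolution_plan(uri))
```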