draft of broad requirements for VoIP security
The draft draft-jacobs-signaling-security-requirements-00.txt
http://www.ietf.org/internet-drafts/draft-jacobs-signaling-security-requirements-00.txt
attempts to define the body of security requirements
that must be dealt with in order to carrier-scale VoIP
deployments. The requirements are generic, and are not
written relative to specific threats.
This draft was a direct result of our initial pursuit of a
light-weight key distribution design to be coupled with ESP.
Instead of moving straight to a solution, Jeff Schiller
recommended that we publish a requirements draft to have the
IETF community help determine if a solution exists, to see
if these security needs of large carrier deployments of SIP,
MGCP and Megaco can already be met.
A significant issue for this draft is that the requirements
do not neatly fit into any one WG charter. I believe this
is more of a security issue than an application level
issue. To date the SIP WG has worked to fill in a variety
of gaps whereas MGCP and Megaco say not much more than
"just use IPsec". Security is an essential part of VoIP,
and many of the needed features exist. Still, the issue of
a cohesive, workable security solution for carrier-scale
deployment remains beyond the scope of any one workgroup.
Thus we are posting this note here.
The goal of this draft is to get agreement on the broader
requirements, followed by determining what gaps there
are between what exists and what is needed. Obviously if
we could see a full solution, we would not be pursuing this.
For example, common usage of current technology leads to
poor practices in handling keying material. The technology
must be defined so that it is possible to define simple and
secure common practices.
We would like to work to get agreement on the requirements,
as well as how to best meet them.
Thank you,
Eric Nielsen
Sylantro Systems
Stuart Jacobs CISSP
Verizon Laboratories