2011/10/10 Juha Heinanen <[email protected]>: >> For platforms where you want some sort of integrity check in the >> message, like with S/MIME or SIP Identity, rewriting the message will >> break security. If we want to build secure platforms in SIP, we need >> to find solutions that doesn't require SDP and SIP rewrites in the >> proxys. > > based on my observations from many users and also based what kind of new > modules people have written for sr lately, there is more and more > tendency towards adding b2bua kind of stuff to sip proxy.
Indeed. And honestly I don't like that at all. > if you want > a secure solution, better not to use proxy at all, but some kind of p2p > protocol. But nobody here is proposing RFC 5626 for security ;) The point here is that, by implementing RFC 5626, a proxy does NOT mangle the headers so, other proxies or UA's can verify the integrity of the request (for example using Identity header). If the proxy rewrites a header then forget Identity mechanism. >> One thing I realized the other night during a SIP discussion was that >> Ice doesn't allow >> a network provider to implement a policy. I don't think a proxy can't >> say "442 Always use media relay" >> and force the client to drop local addresses, like if there's a >> requirement for lawful >> intercept in the network. That will be something that needs to be >> added to ICE. > > making it yet more complex. forget proxy if you want end-to-end > security. That's not security, it's just "local policy". Mandating the audio through a RTP tunnel is not "security". -- Iñaki Baz Castillo <[email protected]> _______________________________________________ sr-dev mailing list [email protected] http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
