Home page logo

nanog logo nanog mailing list archives

RE: VoIP over IPsec
From: "Bender, Andrew" <abender () taqua com>
Date: Tue, 18 Feb 2003 13:25:41 -0500

-----Original Message-----
From: tedawson () attbi com [mailto:tedawson () attbi com]

Comments inline:
At 01:34 PM 2/17/2003 -0500, Charles Youse wrote:

So do you suppose that in my scenario, I'd be better off 
leaving the VoIP out 
of the encrypted tunnels and use a separate [cleartext] path 
for them?

Oh goodness no. VoIP (SIP specifically) has no real security 
in it. Call 
hijacking for example is a matter of sending a pair of 
spoofed UDP packets to 
each phone and having the voice streams arrive at the 
attackers machine. Not 
pretty, and I do this trick (and worse) daily. (in a lab as 
part of work of 

What about sips:/TLS, S/MIME, and digest auth? These are all integral to the 'standard', and many popular 
implementations support these facilities currently. 

IPSec may be less painful within a single domain, but in other cases, I'd think that these facilities (or their 
derivatives) are the only practical option for 'real' security. Granted it is all pretty worthless if you dont 
enable/use any of it... Am I missing something?

Andrew Bender

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]