1

I am new to the VOIP concepts. I just took a course on VOIP. I am interested in implementations of SIP using TLS, IPSEC and Digest as well.

I want to see if SIP signaling uses IPSEC instead of TLS, how would it effect the performance, would the singaling be a little more time consuming? Would it add to the security or reduce the security.

I was searching for a softphone which has both TLS/IPSEC mechanisms so that I can analyze both packets on wireshark but I didnot come across any. Any suggestions on how to do that?

Thanking in advance!

NewStacker
  • 17
  • 1
  • 6

2 Answers2

0

Softphones don't explicitly support IPSEC because it is a network layer protocol. The lowest level dealt with in the SIP RFC is the transport layer where it provides 3 alternatives those being UDP, TCP and TLS.

SIP signalling would work fine over IPSEC since it's not that time sensitive. Even a delay of 1 or 2 seconds for SIP requests and responses will be barely noticeable. However the RTP traffic which carries the call media could well be affected if additional latency is introduced.

sipsorcery
  • 30,273
  • 24
  • 104
  • 155
0

Let's suppose you have to secure your SIP signalling between your end points (soft phone or hardware) and the call control engine, also suppose both end-points and the call control reside inside the same campus, or LAN or private network. The right choice is to employ TLS between end-points and the call control engine, most of end-points support TLS in their implementation (firmware or software). Anyway the same applies also for mobile workers (they establish TLS from the internet with an authenticated front-end placed in the DMZ inside your corporate); TLS is well suited in those scenarious where non additional client installation is needed.

At the other hand to have SIP protected inside IPSec you need to install IPSec client on your laptop (where sip client resides) first, the IPSec client establishes security with an IPSec Gateway placed in your corporate (more complex and expensive to manage). In brief IPSec is well suited in those scanarious where you need privacy between LANs accross the public network (IPSec tunnel mode is set up between IPsec Gateways).

When you talk about SIP with TLS or IPSec you cannot neglet RTP. To have SecureRTP in place, TLS protocol is the choice. During session setup SIP entities exchange TLS parameters (such as the chiper suite to use to protect RTP) within SDP body, have a look at logs to see SDP inside SIP. At the end of the exchange SIP entities are able to secure RTP traffic because of they agreed on a common session encryption key (is the simmetric key derived from the key exchange protocol).

With IPSec is different, there are no IPSec information exchanged within SDP or SIP messages. You setup IPSec tunnel first and then you send your traffic inside the tunnel, this traffic can be SIP and RTP as well. Note that with IPSec tunnel mode the original packet is encapsulated on a new IP packet (there is an external IP header), so more overhead and processing..

To summary: Securing SIP is possible with TLS and IPSec, consider your environment. I would consider TLS as much as possible. Securing RTP is possible with TLS, it is called SecureRTP (encryption, message authentication and integrity, and replay attack protection to the RTP data ). Securing RTP\SIP with IPSec requires more effort. Consider IPSec tunnel when you need to protect more than SIP\RTP. Have a look at NAT traversal feature when you decide to employ IPSec with voice\video and a NAT device is traversed.

Marco_81
  • 153
  • 1
  • 5
  • 20