Olle E. Johansson writes:
> For platforms where you want some sort of integrity check in the
> message, like with S/MIME or SIP Identity, rewriting the message will
> break security. If we want to build secure platforms in SIP, we need
> to find solutions that don't require SDP and SIP rewrites in the
> proxies.

based on my observations from many users and also based on what kind of new
modules people have written for sr lately, there is more and more
tendency towards adding b2bua kind of stuff to sip proxy. if you want
a secure solution, better not to use proxy at all, but some kind of p2p
protocol.

> One thing I realized the other night during a SIP discussion was that
> ICE doesn't allow a network provider to implement a policy. I don't
> think a proxy can't say "442 Always use media relay" and force the
> client to drop local addresses, like if there's a requirement for
> lawful intercept in the network. That will be something that needs to
> be added to ICE.

making it yet more complex. forget proxy if you want end-to-end
security.
-- juha