I respectfully disagree -- the field has clearly shown that working NAT traversal today is more valuable than message integrity and ICE architecture both together. (Which happens to be my personal preference too: getting over NATs today is more important to me than any sort of securing free phone calls.) Generally I tend to prefer priorities as articulated by live deployments.
I'm sorry to be so differently opinionated on this, particularly because I like ICE esthetically as the "e2e" solution. However, somehow in the Internet the things that are deployable today always matter. (even if considered evil, such as NATs)
-jiri
Aymeric Moizard wrote:
On Sun, 4 Jan 2009, Juha Heinanen wrote:
Aymeric Moizard writes:
If you have a 100% working trick, I'll be interested to learn it! Very interested!
no, i don't have a 100% working trick, but normal means cover 90+% of the cases. trying to avoid needless use of rtp proxy for the remainder is not worth the extreme complexity that comes with ice.
So the 10% of calls are the ones that use a relay when they should not? Right? I'm pretty convinced this is not a true value. Anyway, I don't think this is a problem of numbers here.
Let's describe a case:
I send an INVITE and encrypt the SDP. I'm behind a symmetric NAT. I'm calling somebody (a UA of course) who is able to decrypt it.
Whatever trick you provide, I will not always have voice (except if ICE is supported or if the NATs are kind to me).
Conclusion: I'm forced to provide a UA and ask my customers to NOT encrypt their signalling. NEVER encrypt their signalling.
i don't understand what you try to say in above. sip works fine over the internet today.
SIP works today **if**:
- no security
- no SIP message integrity is used
- SIP servers are well configured (...)
- SIP server is not compliant (modifying Contact and SDP...)
My conclusion is that it's not acceptable. I want my applications to do security and I don't want to be dependent on badly configured servers.
I don't want "SIP works today **if**", I want "SIP works today."
I just need a SIP compliant internet infrastructure.
tks,
Aymeric MOIZARD / ANTISIP
amsip - http://www.antisip.com
osip2 - http://www.osip.org
eXosip2 - http://savannah.nongnu.org/projects/exosip/
-- juha
Users mailing list Users@lists.kamailio.org http://lists.kamailio.org/cgi-bin/mailman/listinfo/users
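The trade-off argued in this thread, shown as an added example that is not part of any poster's message: a server that rewrites the SDP to get media through a NAT invalidates an end-to-end integrity check on that body, while leaving the body untouched delivers a private media address. Assumptions: an HMAC with a key shared by the two UAs stands in for S/MIME body protection, `proxy_nat_fixup` is a hypothetical helper, and all addresses and the SDP are constructed.

```python
import hashlib
import hmac
import ipaddress
import re

KEY = b"constructed-shared-key"  # assumption: stand-in for end-to-end S/MIME credentials
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample offer from a UA behind a NAT (private address in c=).
SDP = (
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 4000 RTP/AVP 0\r\n"
)

def sign_body(body: str) -> str:
    """Caller's UA: integrity tag over the exact SDP bytes it sent."""
    return hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()

def verify_body(body: str, tag: str) -> bool:
    """Callee's UA: constant-time check that the body is what the caller signed."""
    return hmac.compare_digest(sign_body(body), tag)

def proxy_nat_fixup(body: str, source_ip: str) -> str:
    """Hypothetical server-side NAT helper: replace the c= address with the
    address the request actually arrived from."""
    return re.sub(r"(?m)^(c=IN IP4 )\S+", lambda m: m.group(1) + source_ip, body)

def media_routable(body: str) -> bool:
    """True if the advertised media address is not an RFC 1918 private address."""
    addr = ipaddress.ip_address(re.search(r"(?m)^c=IN IP4 (\S+)", body).group(1))
    return not any(addr in net for net in RFC1918)

def callee_view(body: str, tag: str) -> dict:
    """What the called UA can conclude about the SDP it received."""
    return {"integrity_ok": verify_body(body, tag), "media_routable": media_routable(body)}

if __name__ == "__main__":
    tag = sign_body(SDP)
    print("untouched body:", callee_view(SDP, tag))
    print("rewritten body:", callee_view(proxy_nat_fixup(SDP, "203.0.113.7"), tag))
```

With an encrypted body the server cannot read the `c=` line at all, so only the first outcome is available unless the endpoints discover a working path themselves.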