Requirements for IPsec Negotiation in the SIP Framework


August 1, 2005 Makoto Saito (ma.saito@ntt.com) Shingo Fujimoto (shingo_fujimoto@jp.fujitsu.com)

draft-saito-mmusic-ipsec-negotiation-req-00.txt


Motivation

  • To secure communication between SIP-enabled home appliances.
    – Applicable to Proprietary Media Protocols
    – One Generic Security Protocol
  • Proposal: IPsec!!
    – But, no standard key-exchange mechanism for IPsec within SIP/SDP.

[Figure labels: SRTP, RTP, HTTP, HTTPS, SNMP, FTP, ..., L2TP, Proprietary-1, ...; "Application Security"; "IPsec"]


Use Cases

Where and how can it be used?

  • Assumptions
    – Trusted 3rd Party Model
      • ISPs’ SIP proxies assure identification of UAs
    – Mutual Trust between Domains (ISPs?)

[Figure labels: UA-1@ISP1, Proxy-1 (ISP1), Proxy-2 (ISP2), UA-2@ISP2; "Trust" (three times)]


Use Case 1: Remote Device Control

  • Home Security Service
    Controlling Sensors, Cameras, etc.
  • Secure Access via the Internet

[Figure labels: Control Device; Proxy (ISP); Security Devices, Home Appliances; "Trust & Secure Channel" (twice); "Sessions over IPsec"]


Use Case 2: Visual Communication

  • P2P Communication between Users
    Proprietary protocols are often used. (Not always RTP)
  • Secure Access via the Internet

[Figure labels: Proxy (ISP); "Trust & Secure Channel" (twice); "Sessions over IPsec"]


Requirements for Security Protocol

  • Security
  • Reduction of Resources
    – Transaction Load
    – Implementation Cost
  • Connectivity
    – Protocol Interoperability, Scalability
  • Generic Use
    – Independent of Applications

IPsec meets these requirements


Possible Key-Exchange Solutions

                          Conformance with SDP   Implementation                    Calculation Load
IKE (RFC2409)             No                     Full IKE needed                   High
KINK (work in progress)   No                     External Kerberos system needed   Low
MIKEY with kmgmt          Yes                    in SDP                            High
Security Descriptions     Yes                    in SDP                            Low

*SDP must be secured.


IPsec Negotiation in SIP

[Figure: message sequence between UA-1, Proxy and UA-2. Labels: INVITE, INVITE; "Get Address & Port of UA-1"; "IPsec SA for UA-1 is configured"; 200 OK, 200 OK; "Get Address & Port of UA-2"; "IPsec SA for UA-2 is configured"; ACK, ACK; "Media Session over IPsec"]


Summary

  • Home appliances need security with their resources reduced. IPsec is proposed.
  • Standard mechanism to configure IPsec based on SDP information is needed.
  • Concept of Security Descriptions may be a better solution.


Discussions in MMUSIC ML

  • Why SIP to configure IPsec?
    – IP addresses of devices (necessary for IPsec configuration) are not static. They are determined during SDP negotiation.
  • Why not IKE for key-exchange?
    – It is still necessary to transmit the information from SDP to IKE. It’s efficient to exchange IPsec keys during SDP negotiation.
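
The address and port discovery behind the "Why SIP to configure IPsec?" point and the "Get Address & Port" steps of the negotiation diagram, as an added example (not from the draft or its authors): it parses a constructed SDP offer/answer pair and derives the per-direction selectors an IPsec policy would need. The function names, the selector tuple layout and the sample SDP are assumptions made for illustration; key exchange is not covered.

```python
import ipaddress
from typing import NamedTuple, Optional


class Endpoint(NamedTuple):
    addr: Optional[str]  # from c= (media-level overrides session-level)
    port: int            # from m=; 0 means the stream is declined
    proto: str           # transport token from m=, e.g. "udp"


def media_endpoints(sdp: str) -> list:
    """One Endpoint per m= line, in order, so offer and answer stay aligned."""
    session, streams = {"addr": None}, []
    for line in sdp.strip().splitlines():
        key, _, value = line.strip().partition("=")
        if key == "c":
            # c=<nettype> <addrtype> <address>; strip any multicast /ttl suffix.
            addr = value.split()[2].split("/")[0]
            ipaddress.ip_address(addr)  # selectors need a literal IP, so reject FQDNs
            scope = streams[-1] if streams else session
            scope["addr"] = addr
        elif key == "m":
            # m=<media> <port>[/<count>] <proto> <fmt> ...
            _media, port, proto, *_fmts = value.split()
            streams.append(dict(session, port=int(port.split("/")[0]), proto=proto.lower()))
    return [Endpoint(**s) for s in streams]


def traffic_selectors(offer: str, answer: str) -> list:
    """(src, dst, dst_port, proto) for each direction of every accepted stream."""
    selectors = []
    for o, a in zip(media_endpoints(offer), media_endpoints(answer)):
        if not (o.port and a.port and o.addr and a.addr):
            continue  # declined stream or no address: nothing to protect
        selectors.append((a.addr, o.addr, o.port, o.proto))  # traffic towards the offerer
        selectors.append((o.addr, a.addr, a.port, a.proto))  # traffic towards the answerer
    return selectors


# Constructed sample bodies (documentation addresses, made-up ports and formats).
OFFER = ("v=0\no=ua1 1 1 IN IP4 192.0.2.10\ns=-\nc=IN IP4 192.0.2.10\nt=0 0\n"
         "m=application 40000 udp x-ctl\nm=video 40002 udp x-cam\n")
ANSWER = ("v=0\no=ua2 1 1 IN IP4 198.51.100.7\ns=-\nt=0 0\n"
          "m=application 50000 udp x-ctl\nc=IN IP4 198.51.100.7\nm=video 0 udp x-cam\n")

if __name__ == "__main__":
    for sel in traffic_selectors(OFFER, ANSWER):
        print(sel)
```

The declined video stream (port 0 in the answer) yields no selector, so no policy is installed for media that was never agreed.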


Next Steps

  • Suggestions?
  • Discussions?
  • MMUSIC WG item?