Microsoft files EU Android complaint

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Sun Apr 14 02:20:16 UTC 2013


| From: James Knott <james.knott-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org>

| D. Hugh Redelmeier wrote:
| > | While SIP can certainly travel over an IPSec VPN, and I have set that up,
| > | that's not what I was referring to.  IPSec can also be used directly by
| > | applications, without a VPN.
| >
| > Is that a standard?  Is it generally implemented by a reasonable
| > number of suppliers?
| 
| SIP can use various encryption methods, including IPSec, TLS and others.

One automatically thinks choice is good.  But for interoperation, it
just isn't.  We want everyone to have a common
encryption/authentication/privacy/security/... so that they can
interoperate.

In IPSec, a lot of the interoperation rigmarole that makes it hard to
set up is
(a) the options, and
(b) the awkward ways to configure most implementations, and
(c) the awkward way that IKE negotiates.

IKEv2 was meant to address this but I don't know if it succeeds, and
it isn't generally used.

Combinatorial complexity of a program makes it very hard to test all
cases.  This is VERY bad from a security standpoint.  Options create
such combinatorial complexity.

|  I
| mentioned IPSec because it is a standard part of IPv6 and moving to IPv6 will
| provide benefits to VoIP, such as Mobile IPv6, mandatory CoS, along with lower
| latency provided by routing improvements.

That doesn't seem like what you said.  I don't remember you mentioning
IPv6 in messages I've responded to.

IPSec is part of most IPv4 stacks already (Linux, Windows, OS X, *BSD,
and iOS already have IPSec under IPv4; I think Android does too).

The rest of the improvements seem to be minor improvements as far as
VoIP is concerned.  Unless CoS works surprisingly well.  Oh, and if
NAT goes away, that would be really good for peer-to-peer phone calls
(that should be the norm).

The IMS AKA just might be interesting (I cannot tell from the
writeup), but only if it is widely deployed.

Other than that, IPSec can support SIP, not the other way around.

We (the FreeS/WAN project) talked about creating a userland API so
that an application could request or require that a socket be carried
over IPSec.  We never got there and I don't know of any other
implementation that has done that.  Allowing applications to require
secure channels does seem like a useful facility.
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists




