Microsoft files EU Android complaint

James Knott james.knott-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org
Sun Apr 14 03:09:44 UTC 2013 

D. Hugh Redelmeier wrote:
> | From: James Knott <james.knott-bJEeYj9oJeDQT0dZR+AlfA at public.gmane.org>
>
>
> | SIP can use various encryption methods, including IPSec, TLS and others.
>
> One automatically thinks choice is good.  But for interoperation, it
> just isn't.  We want everyone to have a common
> encryption/authentication/privacy/security/... so that they can
> interoperate.

Actually, there's a bit of history, where choice is available.  For 
example, with VoIP, you often have a choice of codecs and the app 
chooses the best common one, though it's also possible to select, such 
as G.729a for low bandwidth, G.711 for toll quality or even one that can 
provide broadcast quality.  There are other situations where multiple 
methods are available.
>
> In IPSec, a lot of the interoperation rigmarole that makes it hard to
> set up is
> (a) the options, and
> (b) the awkward ways to configure most implementations, and
> (c) the awkward way that IKE negotiates.
>
> IKEv2 was meant to address this but I don't know if it succeeds, and
> it isn't generally used.
>
> Combinatorial complexity of a program makes it very hard to test all
> cases.  This is VERY bad from a security standpoint.  Options create
> such combinatorial complexity.

IPSec has been in use for a while and seen a lot of testing.  There are 
different ways to configure it.  For example, I have used shared secret 
passwords with several VPNs,  You can also use public/private keys, in 
the same manner as ssh, certificates, as is used with several services 
or a key server.  IPSec supports them all and you choose which ever is 
best for the application.
>
> |  I
> | mentioned IPSec because it is a standard part of IPv6 and moving to IPv6 will
> | provide benefits to VoIP, such as Mobile IPv6, mandatory CoS, along with lower
> | latency provided by routing improvements.
> That doesn't seem like what you said. I don't remember you mentioning 
> IPv6 in messages I've responded to. IPSec is part of most IPv4 stacks 
> already (Linux, Windows, OS X, *BSD, and iOS already have IPSec under 
> IPv4; I think Android does too).

I didn't mention IPv6 specifically in that message, but I have on many 
other occasions, both here and elsewhere.  I have been running IPv6 
myself for almost 3 years and my home network is fully functional with 
it (I have a /56 subnet, which is 2^72 addresses or about a trillion 
times the entire IPv4 address space).  Regardless, IPSec is available on 
both IPv6 and IPv4 and is becoming the standard for many uses beyond 
VPNs.  Also, IPSec was originally developed for IPv6 and then adapted to 
IPv4.  My Android phone and tablet both support IPSec, PPTP and L2TP.  
They also can use IPv6 when connected to my home network and my phone 
will also be able to when Rogers gets around to offering IPv6 on their 
cell network.

Unlike with IPv4, CoS is mandatory with IPv6.  This means that when you 
use it with VoIP, your call will be given priority over other traffic on 
the Internet.

> The rest of the improvements seem to be minor improvements as far as 
> VoIP is concerned. Unless CoS works surprisingly well. Oh, and if NAT 
> goes away, that would be really good for peer-to-peer phone calls 
> (that should be the norm).

The routing improvements (hierarchical routing, fixed length header 
etc.) reduce latency for all traffic, not just VoIP, but reducing 
latency is one of the goals when you're using it.

> Other than that, IPSec can support SIP, not the other way around. We 
> (the FreeS/WAN project) talked about creating a userland API so that 
> an application could request or require that a socket be carried over 
> IPSec. We never got there and I don't know of any other implementation 
> that has done that. Allowing applications to require secure channels 
> does seem like a useful facility.

Compare VoIP using IPSec to the way browsers, email (or even VoIP) etc. 
use ssl.  It just provides encryption and authentication on a per 
application basis, rather than an encrypted tunnel, when used in a VPN, 
which leaves the contents unencrypted outside of the VPN.  I have never 
used FreeS/WAN, but I'm in the process of setting up a StrongSWAN VPN 
between my notebook and home network, to see how well it supports IPv6.  
Then I'll include my tablet, which already has the StrongSWAN software 
installed.  If that works with IPv6, then I'll be able to access the 
computers on my home network from my tablet, regardless of whether IPv6 
is otherwise available.  I also have the 6in4 tunnel software installed 
on my notebook, so I can use IPv6 to access my home computers when 
elsewhere (other than the Mississauga library & community centre WiFi, 
where everything other than http port 80 is blocked).  As for those 
implementations you mentioned not supporting applications, that may be 
because they're designed to be used as a VPN and not for directly 
supporting apps.  Are the required pieces available to be called by an 
app? Perhaps we'll have to see what Cisco and others do with this.  
Cisco routers certainly support IPSec, but I haven't worked at that 
level with their phones.  Many of the soft phone apps support some form 
of encryption.

--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists

More information about the Legacy mailing list