
  • TLS is the recommended security mechanism for Session Initiation Protocol (SIP).

  • NAT traversal: since IPsec is a Layer 3 protocol, NAT is not supported, while TLS works flawlessly

  • HTTP Digest sessions in SIP environments are based on TLS.

  • SIP client implementations natively support TLS

  • Provides privacy (private user identity)

  • Provides user authentication instead of data-origin authentication (a higher degree of authentication)

Disadvantages

  • Both of the TLS models require the server and client to support PKI features, such as certificate validation and certificate management. Not all clients and solutions support PKI; PKI is typically used in complex environments

  • PKI is computationally expensive since it uses public key cryptography

  • TCP and TLS pose significant memory consumption and scaling issues when you have tens of thousands of TCP connections. UDP and IPsec are easier to scale. TCP is not well liked by service providers since the overheads associated with its mass use are significant compared to UDP.

  • Runs on top of TCP only (connection-oriented). A variant of TLS for use over UDP exists, called DTLS (RFC 4347)

  • Provides only hop-by-hop security. This means every intermediate hop must be secured with TLS separately, so it does not provide true end-to-end security

  • TLS cannot be used to secure VoIP RTP media streams; SRTP is used instead

  • With server-side authentication, only one end is authenticated

  • TLS does not handle dead office recovery scenarios efficiently. As mentioned, PKI is CPU intensive, so having to re-authenticate all endpoints at once significantly slows down the system
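The hop-by-hop point above can be checked on a captured request: each SIP hop records its transport in a Via header, so a path that is TLS at the edges but UDP between proxies is visible in the Via stack. The following is an added Python example (not from the original page); the INVITE is constructed, and the SECURE_TRANSPORTS set is an assumption about which Via transports encrypt the hop.

```python
import re

# Constructed sample INVITE (not from the page): sent from a TLS client,
# relayed by proxy1 over plain UDP, then forwarded on over TLS by proxy2.
# Each hop pushes its own Via, so the topmost Via is the most recent hop.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS proxy2.example.com:5061;branch=z9hG4bK776asdhds\r\n"
    "v: SIP/2.0/UDP proxy1.example.com:5060;branch=z9hG4bK123abc, "
    "SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK9f8e7d\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "\r\n"
)

# Assumed set of Via transports that encrypt the hop; UDP/TCP/SCTP/WS are cleartext.
SECURE_TRANSPORTS = {"TLS", "TLS-SCTP", "WSS"}

# Via value shape: "SIP/2.0/<transport> <sent-by>[;params]" (RFC 3261 section 20.42).
_VIA_VALUE = re.compile(r"SIP/2\.0/([A-Za-z-]+)\s+([^;,\s]+)")


def via_hops(message: str) -> list[tuple[str, str]]:
    """Return (transport, sent-by) for every Via value, most recent hop first."""
    headers, _, _ = message.partition("\r\n\r\n")
    hops = []
    for line in headers.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() not in ("via", "v"):
            continue
        # One header line may carry several comma-separated Via values.
        for transport, sent_by in _VIA_VALUE.findall(value):
            hops.append((transport.upper(), sent_by))
    return hops


def insecure_hops(message: str) -> list[str]:
    """sent-by values of hops that forwarded the request without TLS."""
    return [host for transport, host in via_hops(message)
            if transport not in SECURE_TRANSPORTS]


def end_to_end_protected(message: str) -> bool:
    """True only if at least one hop is recorded and every hop used TLS."""
    return bool(via_hops(message)) and not insecure_hops(message)


if __name__ == "__main__":
    print("insecure hops:", insecure_hops(SAMPLE_INVITE))
```

Via entries are written by the hops themselves, so this audits what the path reports rather than what happened on the wire; a proxy that rewrites or drops Via entries hides its own cleartext leg.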
