rgm at htt-consult.com Guest
Posted: Wed Jan 09, 2008 11:47 pm Post subject: [asterisk-users] IEEE 802.1x capable sip phones
Jeronimo Romero wrote:
Quote:
Does anyone know if sip phones from any of the major IP phone vendors
support 802.1x authentication? Any feedback would be greatly appreciated.

This is so unlikely. I worked on 802.1X and 802.11i. There is just too
much overhead there. No way to meet the ITU 50ms disruption requirement.
Plus it is a lot of code. Wait until 802.11r and/or 11s get done to get
any real secure roaming. Rather implement SRTP.
Quote:
Thanks in advance.
======================
Jeronimo Romero
EUS Networks
Email: jromero at euscorp.com
Cell: 917-332-7238
Office: 212-624-5943
Web: www.euscorp.com
======================
_______________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
kev at mailcall.com.au Guest
Posted: Wed Jan 09, 2008 11:47 pm Post subject: [asterisk-users] IEEE 802.1x capable sip phones
I'm pretty sure the Cisco Unified IP Phones 7900 Series phones support
this. Don't quote me on it, but it's worth checking out.
Kev
Jeronimo Romero wrote:
Quote:
Does anyone know if sip phones from any of the major IP phone vendors
support 802.1x authentication? Any feedback would be greatly appreciated.
Thanks in advance.
jromero at eusnetworks... Guest
Posted: Thu Jan 10, 2008 12:24 am Post subject: [asterisk-users] IEEE 802.1x capable sip phones
I called Cisco and they are so far the only vendor that offers it.
-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Robert
Moskowitz
Sent: Wednesday, January 09, 2008 11:47 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] IEEE 802.1x capable sip phones
Jeronimo Romero wrote:
Quote:
Does anyone know if sip phones from any of the major IP phone vendors
support 802.1x authentication? Any feedback would be greatly
appreciated.

This is so unlikely. I worked on 802.1X and 802.11i. There is just too
much overhead there. No way to meet the ITU 50ms disruption
requirement.
Plus it is a lot of code. Wait until 802.11r and/or 11s get done to get
any real secure roaming. Rather implement SRTP.
oza-4h07 at myamail.com Guest
Posted: Thu Jan 10, 2008 5:14 am Post subject: [asterisk-users] IEEE 802.1x capable sip phones
2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
Quote:
Jeronimo Romero wrote:
Quote:
Does anyone know if sip phones from any of the major IP phone vendors
support 802.1x authentication? Any feedback would be greatly
appreciated.

This is so unlikely. I worked on 802.1X and 802.11i. There is just too
much overhead there. No way to meet the ITU 50ms disruption requirement.

I thought that:
1. 802.1X was mainly when you plug your hardphone into your network,
2. SRTP is an orthogonal issue as you could positively be looking to
authenticate your network device and be confident that with authenticated
devices, risks are kept to an acceptable level
Am I wrong?

Quote:
Plus it is a lot of code. Wait until 802.11r and/or 11s get done to get
rgm at htt-consult.com Guest
Posted: Thu Jan 10, 2008 7:56 am Post subject: [asterisk-users] IEEE 802.1x capable sip phones
Olivier wrote:
Quote:
Mitel and Avaya support 802.1X with proprietary protocols.
For Siemens, I'm not so sure.

Two facts:
Proprietary EAP methods that can actually complete in a reasonable
amount of time. Many of these have small security holes and thus are
not acceptable as standards. (I know, I wrote two of them myself!).

They have thin APs with a central switch, so the phones don't actually
roam in the classic 802.11 sense. Thus the 802.1X exchange may only
occur once (when the phone is turned on); then all you need is enough
memory for the code, and with advances in Flash that is now possible.
rgm at htt-consult.com Guest
Posted: Thu Jan 10, 2008 8:11 am Post subject: [asterisk-users] IEEE 802.1x capable sip phones
Olivier wrote:
Quote:
I thought that:
1. 802.1X was mainly when you plug your hardphone into your network,

802.1X-2001 was written to secure ports on a 802.3 switch. Originally
for PCs, but it works just fine for phones. Really does NOT play with VLANs,
but HP cheated (I know their lead engineers). 802.1X-2004 (you have to
watch it with IEEE standards naming) added the state machines necessary
to support 802.11i. This was a struggle and really is NOT right.
802.1af is trying to fix that.

Quote:
2. SRTP is an orthogonal issue as you could positively be looking to
authenticate your network device and be confident that with
authenticated devices, risks are kept to an acceptable level

I am a real security expert. I am one of the strong proponents of
security in depth and how layer 4 security cannot protect the device.
When we were starting on 802.1AE (LinkSec), Norm Finn (a CISCO Fellow
and long time worker on 802.1 and other layer 2 standards) said it well:
Layer 2 security protects and addresses the liabilities of the network owner
Layer 3 security protects and addresses the liabilities of the system owner
Layer 4 security protects and addresses the liabilities of the
application owner
Data security (anything above 4) protects and addresses the liabilities
of the data owner
Think about it. You are on a 802.11 phone. Anyone there can intercept
the 802.11 frames. They can attack your phone with 802.11 payloads.
Your call leaves the 802.11 cloud and backbones over 802.16! Even if
this is with parabolic radios, there is still plenty of room for
listeners. And the original 802.16 security was DOCSIS! Almost as weak
as WEP; done at the same time that we were working on 802.11i (we have
to get something out, we will go back and fix it later).
Your call goes through some Telco's switches that MUST comply with CALEA
or are owned by some foreign government or drug cartel. Well you get
the picture.
Protect the network (802.11i et al). Protect the phone (IPsec or HIP).
Protect the call (DTLS or TLS for SIP and SRTP).
Any wonder why we still don't have good security? It is HARD to make it
easy.
Yes and No
oza-4h07 at myamail.com Guest
Posted: Thu Jan 10, 2008 8:53 am Post subject: [asterisk-users] IEEE 802.1x capable sip phones
2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
Quote:
Olivier wrote:
Quote:
I thought that:
1. 802.1X was mainly when you plug your hardphone into your network,

802.1X-2001 was written to secure ports on a 802.3 switch. Originally
for PCs, but it works just fine for phones. Really does NOT play with VLANs,
but HP cheated (I know their lead engineers). 802.1X-2004 (you have to
watch it with IEEE standards naming) added the state machines necessary
to support 802.11i. This was a struggle and really is NOT right.
802.1af is trying to fix that.

Quote:
2. SRTP is an orthogonal issue as you could positively be looking to
authenticate your network device and be confident that with
authenticated devices, risks are kept to an acceptable level

I am a real security expert. I am one of the strong proponents of
security in depth and how layer 4 security cannot protect the device.

I never said you SHOULD NOT use SRTP but you DON'T HAVE TO

Quote:
When we were starting on 802.1AE (LinkSec), Norm Finn (a CISCO Fellow
and long time worker on 802.1 and other layer 2 standards) said it well:
Layer 2 security protects and addresses the liabilities of the network
owner
Layer 3 security protects and addresses the liabilities of the system owner
Layer 4 security protects and addresses the liabilities of the
application owner
Data security (anything above 4) protects and addresses the liabilities
of the data owner
Think about it. You are on a 802.11 phone. Anyone there

That's the point: at least, you're certain those guys are using the
devices you provided them with.
So, for instance, you don't have an unknown PC spoofing a hardphone.
You know which PC spoofed other devices and that PC user had to
authenticate, sometime before.
That's not perfect, maybe not enough, but this is what 802.1X is all about.

Quote:
can intercept
the 802.11 frames. They can attack your phone with 802.11 payloads.
Your call leaves the 802.11 cloud and backbones over 802.16! Even if
this is with parabolic radios, there is still plenty of room for
listeners. And the original 802.16 security was DOCSIS! Almost as weak
as WEP; done at the same time that we were working on 802.11i (we have
to get something out, we will go back and fix it later).
Your call goes through some Telco's switches that MUST comply with CALEA
or are owned by some foreign government or drug cartel. Well you get
the picture.
Protect the network (802.11i et al). Protect the phone (IPsec or HIP).
Protect the call (DTLS or TLS for SIP and SRTP).
Any wonder why we still don't have good security? It is HARD to make it
easy.
Yes and No
oza-4h07 at myamail.com Guest
Posted: Thu Jan 10, 2008 8:58 am Post subject: [asterisk-users] IEEE 802.1x capable sip phones
2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
Quote:
Jeronimo Romero wrote:
Quote:
Does anyone know if sip phones from any of the major IP phone vendors
support 802.1x authentication? Any feedback would be greatly
appreciated.

This is so unlikely. I worked on 802.1X and 802.11i. There is just too
much overhead there. No way to meet the ITU 50ms disruption requirement.

Do you mean ITU is asking the phone to authenticate within a 50ms time frame?
Or do you mean, RTP flow encryption shouldn't exceed 50ms?

Quote:
Plus it is a lot of code. Wait until 802.11r and/or 11s get done to get
rgm at htt-consult.com Guest
Posted: Thu Jan 10, 2008 9:29 am Post subject: [asterisk-users] IEEE 802.1x capable sip phones
Olivier wrote:
Quote:
When we were starting on 802.1AE (LinkSec), Norm Finn (a CISCO Fellow
and long time worker on 802.1 and other layer 2 standards) said it
well:
Layer 2 security protects and addresses the liabilities of the
network owner
Layer 3 security protects and addresses the liabilities of the
system owner
Layer 4 security protects and addresses the liabilities of the
application owner
Data security (anything above 4) protects and addresses the liabilities
of the data owner
Think about it. You are on a 802.11 phone. Anyone there

That's the point: at least, you're certain those guys are using the
devices you provided them with.
So, for instance, you don't have an unknown PC spoofing a hardphone.
You know which PC spoofed other devices and that PC user had to
authenticate, sometime before.
That's not perfect, maybe not enough, but this is what 802.1X is all
about.

That is why we did 802.1X for 802.3. But Authentication is worthless
for protection if you do not have per-packet authentication. On 802.3
they initially took the stance that there is only one device on the
wire, so don't worry about session stealing. Now we have 802.1AE to fix
this.
With 802.11, 802.1X was worthless without 802.11i (that was the hole of
802.1X and WEP).
Once you authenticate the device, you MUST authenticate every packet
from the device. There were some that just did not get that...
rgm at htt-consult.com Guest
Posted: Thu Jan 10, 2008 9:31 am Post subject: [asterisk-users] IEEE 802.1x capable sip phones
Olivier wrote:
Quote:
2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
Jeronimo Romero wrote:
Quote:
Does anyone know if sip phones from any of the major IP phone
vendors support 802.1x authentication? Any feedback would be greatly
appreciated.

This is so unlikely. I worked on 802.1X and 802.11i. There is
just too much overhead there. No way to meet the ITU 50ms disruption
requirement.

Do you mean ITU is asking the phone to authenticate within a 50ms time frame?
Or do you mean, RTP flow encryption shouldn't exceed 50ms?

The latter. So an authentication while a flow is in process can kill the
call. This is what can happen during a roam (or a re-key).
Cellular phone authentication can take a REAL long time! You see this
when the phone is 'discovering' your network.
oza-4h07 at myamail.com Guest
Posted: Thu Jan 10, 2008 9:53 am Post subject: [asterisk-users] IEEE 802.1x capable sip phones
2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
Quote:
Olivier wrote:
Quote:
2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
Jeronimo Romero wrote:
Quote:
Does anyone know if sip phones from any of the major IP phone
vendors support 802.1x authentication? Any feedback would be greatly
appreciated.

This is so unlikely. I worked on 802.1X and 802.11i. There is
just too much overhead there. No way to meet the ITU 50ms disruption
requirement.

Do you mean ITU is asking the phone to authenticate within a 50ms time frame?
Or do you mean, RTP flow encryption shouldn't exceed 50ms?

The latter. So an authentication while a flow is in process can kill the
call. This is what can happen during a roam (or a re-key).

OK: now I understand what you meant.
Myself, I was thinking about desktop hardphones so I didn't see why this
authentication process duration would matter.
Have you looked at Meru or Extricom stuff?

Quote:
Cellular phone authentication can take a REAL long time! You see this
rgm at htt-consult.com Guest
Posted: Thu Jan 10, 2008 10:23 am Post subject: [asterisk-users] IEEE 802.1x capable sip phones
Olivier wrote:
Quote:
2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
Olivier wrote:
Quote:
2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
Jeronimo Romero wrote:
Quote:
Does anyone know if sip phones from any of the major IP phone
vendors support 802.1x authentication? Any feedback would be greatly
appreciated.

This is so unlikely. I worked on 802.1X and 802.11i. There is
just too much overhead there. No way to meet the ITU 50ms disruption
requirement.

Do you mean ITU is asking the phone to authenticate within a 50ms
time frame?
Or do you mean, RTP flow encryption shouldn't exceed 50ms?

The latter. So an authentication while a flow is in process can kill
the call. This is what can happen during a roam (or a re-key).

OK: now I understand what you meant.
Myself, I was thinking about desktop hardphones so I didn't see why this
authentication process duration would matter.

Depends on what your 802.1X timeout is set at. There is still rekeying
based on the expected 'lifetime' of your key. With 802.1AE we had to
design for 10Gb and typical rekeying would be every few minutes! So the
actual protection is done with sub-keys. But today, pretty much every
protocol we design has a 'key hierarchy'. Burn me once ok, but not twice...

Quote:
Have you looked at Meru or Extricom stuff?

Meru way back and they were 'on track'. Not Extricom.
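As an added illustration of two points Robert makes in this thread (port authentication is worthless without per-packet authentication, and a key hierarchy keeps the master key off the wire while sub-keys are rotated on a lifetime), here is a toy Python model; it is my own code, not code from the thread and not 802.1AE/MACsec itself, and the names derive_subkey, tag_frame and Receiver are assumptions of the example.

```python
import hmac
import hashlib
import struct
from typing import Optional

# Toy model (added example, not 802.1AE/MACsec itself): the master key agreed
# when the port authenticates is never used on the wire; each rekey epoch gets
# its own sub-key, and every frame carries a sequence number plus a MAC.
def derive_subkey(master_key: bytes, epoch: int) -> bytes:
    info = b"port-key" + struct.pack(">I", epoch)
    return hmac.new(master_key, info, hashlib.sha256).digest()

def tag_frame(subkey: bytes, seq: int, payload: bytes) -> bytes:
    """Per-packet authentication: 32-bit sequence number plus a 128-bit
    truncated HMAC over (seq || payload). seq doubles as the anti-replay counter."""
    header = struct.pack(">I", seq)
    mac = hmac.new(subkey, header + payload, hashlib.sha256).digest()[:16]
    return header + payload + mac

class Receiver:
    """Accepts only frames that verify under the current epoch's sub-key and
    whose sequence number is strictly increasing."""
    def __init__(self, master_key: bytes, epoch: int) -> None:
        self.rekey(master_key, epoch)

    def rekey(self, master_key: bytes, epoch: int) -> None:
        self.subkey = derive_subkey(master_key, epoch)
        self.last_seq = -1                  # fresh replay window for the new key

    def accept(self, frame: bytes) -> Optional[bytes]:
        if len(frame) < 4 + 16:
            return None
        header, payload, mac = frame[:4], frame[4:-16], frame[-16:]
        expected = hmac.new(self.subkey, header + payload, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(mac, expected):
            return None                     # forged, or tagged under a stale sub-key
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return None                     # replayed (or reordered) frame
        self.last_seq = seq
        return payload

def demo() -> dict:
    master = b"constructed-master-key-from-the-EAP-exchange"   # constructed sample
    rx = Receiver(master, epoch=1)
    k1 = derive_subkey(master, 1)
    good = tag_frame(k1, 7, b"RTP payload")
    out = {"legit": rx.accept(good), "replay": rx.accept(good)}   # same frame twice
    # A box that merely shares the wire never held the master key, so it cannot tag.
    out["no_key"] = rx.accept(tag_frame(b"some-other-key", 8, b"RTP payload"))
    rx.rekey(master, epoch=2)               # key lifetime expired: new sub-key
    out["stale_epoch"] = rx.accept(tag_frame(k1, 9, b"RTP payload"))
    out["after_rekey"] = rx.accept(tag_frame(derive_subkey(master, 2), 0, b"hi"))
    return out
```

Without the MAC, the receiver's only check would be the one-time port authentication, which is exactly the session-stealing gap the thread describes for 802.1X on 802.3 before 802.1AE.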