[Standards-JIG] Jingle vs. Zoep

Richard Dobson richard at dobson-i.net
Fri Feb 10 20:19:06 UTC 2006


> That said, I find it a bit frustrating that you have not yet provided
> substantive answers to my questions about authenticated identities,
> validated from addresses, the relationship between XMPP identifiers and
> SIP identifiers, and content validation. To me, these are major security
> issues.

> 4. Content validation. Some very significant adopters of XMPP like the
> technology because it is pure XML and they can validate all the XML that
> flows across the wire using standard XML tools. It is much more
> difficult to parse SIP as it goes over the wire (yes, there are
> SIP-specific firewall products, but they are specialized and expensive).
> So if we send SIP over XMPP, it is quite likely that these adopters will
> not use it.

There is also the fact that if you are just wrapping the SIP packets 
without validating them somehow and simply passing them to a SIP stack, 
you have no control (without adding lots of complexity to the code to 
validate the SIP packets, which voids the benefits of just blindly 
passing the SIP packets to the SIP stack and allowing it to deal with 
them) over what the other end will ask your SIP stack to do. It also 
opens up quite a large surface for attack (i.e. a whole SIP stack, which 
is what I would expect most people would use with this kind of solution).

To make this solution secure would, as far as I can see, make it rather 
complex, i.e. you would have to add in parsers to validate the SIP 
packets either in the XMPP layer before they get passed to the SIP layer, 
or you would need to modify the SIP stack to add this stuff in.

Richard
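
One way to build the XMPP-layer check this message describes, as an added example that is not part of the original post: a strict allowlist gate run on a wrapped SIP request before it is handed to the SIP stack. The method allowlist, size limit, header policy and the function name `validate_sip_request` are assumptions chosen for illustration.

```python
import re

# Assumed forwarding policy and limits, chosen for illustration only.
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL"}
SINGLETONS = ("from", "to", "call-id", "cseq", "content-length")
MAX_MESSAGE = 8192
REQUEST_LINE = re.compile(r"([A-Z]+) sips?:[\x21-\x7e]+ SIP/2\.0")
# Values are printable ASCII or tab: rejects bare CR/LF, NUL and folded lines.
HEADER_LINE = re.compile(r"([A-Za-z][A-Za-z0-9-]*)[ \t]*:[ \t]*([\t\x20-\x7e]*)")
# Constructed sample payload, as it might be unwrapped from an XMPP stanza.
SAMPLE = (b"INVITE sip:bob@example.org SIP/2.0\r\nVia: SIP/2.0/TCP a.example.org\r\n"
          b"From: <sip:alice@example.org>\r\nTo: <sip:bob@example.org>\r\n"
          b"Call-ID: c1\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n")


def validate_sip_request(raw: bytes) -> list[str]:
    """Return policy violations; an empty list means the payload may be forwarded."""
    if len(raw) > MAX_MESSAGE:
        return ["message too large"]
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["missing header/body separator"]
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in header section"]
    start = REQUEST_LINE.fullmatch(lines[0])
    if not start:
        return ["malformed request line"]
    method, errors, headers = start.group(1), [], {}
    if method not in ALLOWED_METHODS:
        errors.append(f"method {method} not allowed")
    for line in lines[1:]:
        m = HEADER_LINE.fullmatch(line)
        if m:
            headers.setdefault(m.group(1).lower(), []).append(m.group(2))
        else:
            errors.append("malformed header line")
    if "via" not in headers:
        errors.append("missing Via")
    for name in SINGLETONS:  # compact forms (f, t, i, l) are deliberately not accepted
        if len(headers.get(name, [])) != 1:
            errors.append(f"{name} must appear exactly once")
    if not re.fullmatch(rf"\d{{1,10}} {method}", headers.get("cseq", [""])[0]):
        errors.append("CSeq does not match request method")
    length = headers.get("content-length", [""])[0]
    if not (re.fullmatch(r"\d{1,5}", length) and int(length) == len(body)):
        errors.append("Content-Length does not match body")
    return errors
```

Even this narrow gate has to duplicate part of the SIP stack's own parsing, and it covers requests only; responses and body (e.g. SDP) validation would need further parsers.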



