[Standards-JIG] Jingle vs. Zoep
dgriffioen at voipster.com
Mon Feb 13 23:25:03 UTC 2006
Richard Dobson wrote:
>> That said, I find it a bit frustrating that you have not yet provided
>> substantive answers to my questions about authenticated identities,
>> validated from addresses, the relationship between XMPP identifiers and
>> SIP identifiers, and content validation. To me, these are major security
>> 4. Content validation. Some very significant adopters of XMPP like the
>> technology because it is pure XML and they can validate all the XML that
>> flows across the wire using standard XML tools. It is much more
>> difficult to parse SIP as it goes over the wire (yes, there are
>> SIP-specific firewall products, but they are specialized and expensive).
>> So if we send SIP over XMPP, it is quite likely that these adopters will
>> not use it.
> There is also the fact that if you are just wrapping the SIP packets
> without validating them somehow and simply passing them to a SIP
> stack, so you have no control (without adding lots of complexity to
> the code to validate the SIP packets which voids the benefits of just
> blindly passing the SIP packets to the SIP stack and allowing it to
> deal with it) over what the other end will ask your SIP stack to do,
> it also opens up quite a large surface for attack (i.e. a whole SIP
> stack, which is what I would expect most people would use with this
> kind of solution).
Would this not apply for every payload in the XMPP world?
And secondly, the application is in charge of the SIP stack over a
secure connection. Not the user. There is no way to inject malicious
content: with pc2pc the SIP address is the same as the XMPP JID (all
rules apply), for pc2pstn only qualified numbers are allowed (things
like 00 44 123456789).
> To make this solution secure as far as I can see would make it rather
> complex, i.e. you would have to add in parsers to validate the SIP
> packets either in the XMPP layer before they get passed to the SIP
> layer or will need to modify the SIP stack to add this stuff in.
Why the duplication? The SIP stack WILL parse & validate messages -
which means the message passed
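The two positions in this exchange (validate the SIP payload in the XMPP layer before it reaches a SIP stack, and the rule that for pc2pc the SIP address equals the XMPP JID while pc2pstn only admits qualified numbers like "00 44 123456789") can be combined into a small gate that sits between the XMPP transport and the SIP stack. The following is an added example written for this archive page; it is not code from Zoep, Jingle or either poster. The allowed method set, the size limit, the "qualified number" shape (modelled on the thread's "00 44 123456789"), and the sample messages are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed policy (assumption, not from the thread): only these methods may reach the SIP stack.
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL"}
MAX_PAYLOAD_BYTES = 4096  # assumed upper bound for a signalling message carried over XMPP

REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):[ \t]*(.*)$")
SIP_URI_RE = re.compile(r"<?sips?:(?P<user>[^@;>]+)@(?P<host>[^;>]+)>?")
JID_RE = re.compile(r"[^@/\s]+@[^@/\s]+")  # bare localpart@domain


@dataclass
class Verdict:
    ok: bool
    reason: str
    kind: Optional[str] = None  # "pc2pc" or "pc2pstn" when ok


def is_qualified_number(number: str) -> bool:
    """Qualified PSTN number modelled on '00 44 123456789': 00 prefix, then 7..15 digits."""
    digits = number.replace(" ", "")
    return re.fullmatch(r"00\d{7,15}", digits) is not None


def parse_sip_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse the start line and headers of a SIP request; raise ValueError on anything malformed."""
    if len(raw.encode()) > MAX_PAYLOAD_BYTES:
        raise ValueError("payload too large")
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    method, request_uri = m.group(1), m.group(2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        h = HEADER_RE.match(line)
        if not h:
            raise ValueError(f"bad header line: {line!r}")
        name = h.group(1).lower()
        if name in headers:
            raise ValueError(f"duplicate header: {name}")  # refuse ambiguity instead of picking one
        headers[name] = h.group(2).strip()
    return method, request_uri, headers


def uri_address(uri: str) -> Optional[str]:
    """Return user@host from a sip:/sips: URI (display name and parameters ignored), or None."""
    m = SIP_URI_RE.search(uri)
    return f"{m.group('user')}@{m.group('host')}" if m else None


def validate_sip_payload(raw: str, sender_jid: str) -> Verdict:
    """Gate run in the XMPP layer: only payloads that pass are handed to the SIP stack."""
    try:
        method, request_uri, headers = parse_sip_request(raw)
    except ValueError as exc:
        return Verdict(False, f"malformed: {exc}")
    if method not in ALLOWED_METHODS:
        return Verdict(False, f"method {method} not allowed")
    for required in ("from", "to", "call-id"):
        if required not in headers:
            return Verdict(False, f"missing {required} header")
    # pc2pc rule from the thread: the SIP From address must equal the sender's bare XMPP JID.
    if uri_address(headers["from"]) != sender_jid.split("/", 1)[0]:
        return Verdict(False, "From address does not match sender JID")
    callee = SIP_URI_RE.search(request_uri)
    if not callee:
        return Verdict(False, "request URI is not a SIP URI")
    user = callee.group("user")
    if user.isdigit():
        # pc2pstn rule: an all-digit callee must be a qualified number, nothing else.
        if is_qualified_number(user):
            return Verdict(True, "qualified PSTN number", "pc2pstn")
        return Verdict(False, "callee number is not qualified")
    if JID_RE.fullmatch(uri_address(request_uri) or ""):
        return Verdict(True, "callee is a JID-shaped SIP address", "pc2pc")
    return Verdict(False, "callee is neither a JID nor a qualified number")


# Constructed sample messages (not captured traffic).
SAMPLE_PC2PC = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "From: \"Alice\" <sip:alice@example.org>;tag=1928\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: constructed-call-1@example.org\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
SAMPLE_PSTN = SAMPLE_PC2PC.replace("bob@example.org", "0044123456789@pstn-gw.example.org")

if __name__ == "__main__":
    print(validate_sip_payload(SAMPLE_PC2PC, "alice@example.org/home"))
    print(validate_sip_payload(SAMPLE_PSTN, "alice@example.org"))
    print(validate_sip_payload(SAMPLE_PC2PC, "mallory@example.org"))
```

The gate deliberately fails closed: anything it cannot parse, any method outside the allow-list, a From that is not the authenticated JID, or an all-digit callee that is not in the qualified international form is rejected before a SIP stack ever sees it, which is the reduced attack surface Richard is asking for without re-implementing a full SIP parser.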