[Standards-JIG] Jingle vs. Zoep

dirk.griffioen@voipster.com dgriffioen at voipster.com
Mon Feb 13 23:25:03 UTC 2006

Richard Dobson wrote:

>> That said, I find it a bit frustrating that you have not yet provided
>> substantive answers to my questions about authenticated identities,
>> validated from addresses, the relationship between XMPP identifiers and
>> SIP identifiers, and content validation. To me, these are major security
>> issues.
>> 4. Content validation. Some very significant adopters of XMPP like the
>> technology because it is pure XML and they can validate all the XML that
>> flows across the wire using standard XML tools. It is much more
>> difficult to parse SIP as it goes over the wire (yes, there are
>> SIP-specific firewall products, but they are specialized and expensive).
>> So if we send SIP over XMPP, it is quite likely that these adopters will
>> not use it.
> There is also the fact that if you are just wrapping the SIP packets 
> without validating them somehow and simply passing them to a SIP 
> stack, so you have no control (without adding lots of complexity to 
> the code to validate the SIP packets which voids the benefits of just 
> blindly passing the SIP packets to the SIP stack and allowing it to 
> deal with it) over what the other end will ask your SIP stack to do, 
> it also opens up quite a large surface for attack (i.e. a whole SIP 
> stack, which is what I would expect most people would use with this 
> kind of solution).

Would this not apply for every payload in the XMPP world?

And secondly, the application is in charge of the SIP stack over a 
secure connection. Not the user. There is no way to inject malicious 
content: with pc2pc the SIP address is the same as the XMPP JID (all 
rules apply), for pc2pstn only qualified numbers are allowed (things 
like 00 44 123456789).

> To make this solution secure as far as I can see would make it rather 
> complex, i.e. you would have to add in parsers to validate the SIP 
> packets either in the XMPP layer before they get passed to the SIP 
> layer or will need to modify the SIP stack to add this stuff in.

Why the duplication? The SIP stack WILL parse & validate messages - 
which means the message passed

> Richard
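The two rules stated above (pc2pc: the SIP address must equal the XMPP JID; pc2pstn: only qualified international numbers are allowed) are exactly the kind of check that can sit in the XMPP layer before a wrapped SIP request ever reaches the SIP stack, which is what the quoted concern about attack surface is about. The following Python gate is an added illustration written for this thread, not code from Zoep, Jingle or either poster. It assumes a minimal SIP request parser, a method allowlist (`ALLOWED_METHODS`), and a number policy of "00" plus 7 to 15 digits (`QUALIFIED_NUMBER`); all function names and sample messages are constructed for the example.

```python
import re

# Constructed sample SIP requests (not from the thread). The sender's
# authenticated XMPP JID is what the application knows; the SIP headers
# are only what the far end claims, so the two must be compared.
PC2PC_INVITE = (
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "From: \"Alice\" <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
PC2PSTN_INVITE = PC2PC_INVITE.replace(
    "sip:bob@example.org", "sip:0044123456789@pstn-gw.example.com")
SPOOFED_INVITE = PC2PC_INVITE.replace(
    "sip:alice@example.com", "sip:mallory@example.com")
REGISTER_REQUEST = PC2PC_INVITE.replace("INVITE", "REGISTER")
SHORT_NUMBER_INVITE = PC2PC_INVITE.replace(
    "sip:bob@example.org", "sip:911@pstn-gw.example.com")

REQUEST_LINE = re.compile(r"^([A-Z]+) (sip:\S+) SIP/2\.0$")
# Assumed policy: only call-control methods may cross the XMPP wrapper.
ALLOWED_METHODS = {"INVITE", "ACK", "BYE", "CANCEL"}
# Assumed policy: international prefix "00" followed by 7..15 digits.
QUALIFIED_NUMBER = re.compile(r"^00\d{7,15}$")


class SipGateError(ValueError):
    """Raised when a wrapped SIP request must not reach the SIP stack."""


def header_uri(value):
    """Return the bare sip: URI of a From/To header, dropping display name,
    angle brackets, header parameters (;tag=...) and URI parameters."""
    m = re.search(r"<([^>]+)>", value)
    uri = m.group(1) if m else value.split(";", 1)[0].strip()
    return uri.split(";", 1)[0]


def parse_request(raw):
    """Minimal parse of a SIP request: method, Request-URI, headers, body."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise SipGateError("missing end of headers")
    lines = head.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        raise SipGateError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise SipGateError("malformed header: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return m.group(1), m.group(2), headers, body


def admit(raw, sender_jid, recipient_jid):
    """Decide whether a SIP request wrapped in an XMPP stanza may be handed
    to the SIP stack. sender_jid / recipient_jid are the bare JIDs taken
    from the authenticated XMPP stanza, not from the SIP payload.
    Returns ("pc2pc", jid) or ("pc2pstn", number), else raises."""
    method, request_uri, headers, _ = parse_request(raw)
    if method not in ALLOWED_METHODS:
        raise SipGateError("method %s not allowed through the wrapper" % method)
    for required in ("from", "to", "call-id", "cseq"):
        if required not in headers:
            raise SipGateError("missing header: %s" % required)
    # Rule 1: the SIP From identity must be the authenticated XMPP sender.
    if header_uri(headers["from"]) != "sip:" + sender_jid:
        raise SipGateError("From does not match the sender's JID")
    to_uri = header_uri(headers["to"])
    if request_uri.split(";", 1)[0] != to_uri:
        raise SipGateError("Request-URI and To disagree")
    # Rule 2a (pc2pc): the callee's SIP address is the recipient's JID.
    if to_uri == "sip:" + recipient_jid:
        return ("pc2pc", recipient_jid)
    # Rule 2b (pc2pstn): the user part must be a qualified number.
    user, _, _ = to_uri[len("sip:"):].partition("@")
    digits = user.replace(" ", "")
    if QUALIFIED_NUMBER.match(digits):
        return ("pc2pstn", digits)
    raise SipGateError("callee is neither the recipient JID nor a qualified number")


def is_admitted(raw, sender_jid, recipient_jid):
    """Boolean wrapper around admit() for callers that only need a verdict."""
    try:
        admit(raw, sender_jid, recipient_jid)
        return True
    except SipGateError:
        return False


if __name__ == "__main__":
    print(admit(PC2PC_INVITE, "alice@example.com", "bob@example.org"))
    print(admit(PC2PSTN_INVITE, "alice@example.com", "pstn-gw.example.com"))
    print(is_admitted(SPOOFED_INVITE, "alice@example.com", "bob@example.org"))
```

The gate does not replace the SIP stack's own parsing; it only pins the identities the application already trusts (the XMPP JIDs on the stanza) to the identities the SIP payload claims, and rejects anything outside the two call patterns before the stack sees it. A wider method set or a different number policy would be a deployment choice.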
