[Standards-JIG] Jingle vs. Zoep

dirk.griffioen@voipster.com dgriffioen at voipster.com
Wed Feb 15 23:08:30 UTC 2006


Peter Saint-Andre wrote:

>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>dirk.griffioen at voipster.com wrote:
>
>  
>
>>>>>as
>>>>>secure as both XMPP and SIP are.
>>>>>    
>>>>>          
>>>>>
>>SIP is secure? Authentication is OPTIONAL. From addresses are not
>>validated and checked. Interdomain communications ("federation") is
>>still a mess. Sure you can use sips: URIs (forcing TCP and TLS) but most
>>implementations out there will still use the old sip: URIs (UDP, no
>>TLS). It's like Jabber in the jabberd 1.0 days (1999-2000) when we
>>didn't have dialback.
>>
>>  
>>    
>>
>>>Does jabber then validate 'from' - in a way more than syntactically
>>>checking if things are ok? Maybe I am missing the point, but why is this
>>>so important? 
>>>      
>>>
>
>Makes it relatively to do the following:
>
>1. Send unsolicited communications.
>
>2. Launch deregistration attacks.
>
>3. Perform call flooding.
>
>4. Terminate calls from a third party.
>
>5. Hijack sessions.
>
>6. Perform unauthorized call transfers.
>
>7. Register unauthorized devices.
>
>And yes I consider those fairly serious.
>  
>
You are absolutely right.

But, and I hope this shines through from my other mails a well, for 
pc2pc your list does not hold, since all issues are XMPP related - SIP 
is used for state and session parameters etc, not the addressing part.

For pc2pstn (and vice versa) the Jingle-SIP  gateway would face the same 
problems, so maybe we should solve those?

Is there a Jingle-SIP gateway available? I believe someone mentioned 
this here on the mailing list...

We are in the process of making a SIP-XMPP gateway (most likely GPL too) 
and maybe we can compare notes here?

Dirk

>Peter
>
>- --
>Peter Saint-Andre
>Jabber Software Foundation
>http://www.jabber.org/people/stpeter.shtml
>
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.1 (Darwin)
>Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
>iD8DBQFD8RfCNF1RSzyt3NURAnViAJ9Whinuq1QAyCGmmz3O5zWwv1Mg5gCfU9fk
>MbNEyJHmFuUEJdzRgKNGLQM=
>=eZl4
>-----END PGP SIGNATURE-----
>  
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.jabber.org/pipermail/standards/attachments/20060216/2d289fb9/attachment.html>


More information about the Standards mailing list