<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>The final recommendation must be based on calculus of risks and costs, which is dependent on a given network. Begin by considering these:</div><div><br></div><div>1. IP network transport equipment is often in the same physical location with legacy telecom equipment. There's no substantial, generalizable difference the physical security of the two systems.</div><div><br></div><div>2. As Lee Riemer mentioned, "Private" MPLS networks are often built on ordinary "public" links, using the very same equipment.</div><div><br></div><div>3. Encryption for RTP is trendy among the IETF draft-writers, and others who don't have to build, operate, and troubleshoot the networks.</div><div><br></div><div>4. Encrypted RTP (sRTP) adds some costs: (a) It limits the choice of devices, excluding some lower-cost options; (b) Key distribution must be handled; (c) RTP can be analyzed only after it is decrypted, so the cost of troubleshooting is greater; (d) the PSTN cannot be used as a transport for the RTP; (e) There is a modest increase in overhead; </div><div><br></div><div>5. sRTP is supported by exceptionally few media servers, conferencing servers, voicemail systems. If the intention is to support end-to-end encrypted RTP for every conversation, then the implementation options are limited. Many SP implementations of sRTP are encrypted only from the CPE to the SBC, or between similar CPE.</div><div><br></div><div>6. ISDN is exceptionally easy to wiretap, although most CCNA's don't have the equipment sitting around. US $2k will buy a SunSet tester with PRI module that lets you see all calls and listen to them.</div><div><br></div><div>7. Key distribution is nontrivial, but you have to get it right for the encryption to work. How will you ensure that only the right people have access to the sRTP keys in use?</div><div><br></div><div><span class="Apple-style-span" style="font-size: 14px; ">8. When contemplating any security measure, you must determine who the enemy is against whom you are defending; e.g.,</span></div><div><span class="Apple-style-span" style="font-size: 14px; "><span class="Apple-tab-span" style="white-space:pre"> </span>---- Are you concerned that the service provider will wiretap? </span></div><div><span class="Apple-style-span" style="font-size: 14px; "><span class="Apple-tab-span" style="white-space:pre"> </span>---- Or other employees or contractors? </span></div><div><span class="Apple-tab-span" style="white-space:pre"> </span>---- Strangers with physical access to your building?</div><div><span class="Apple-style-span" style="font-size: 14px; "><span class="Apple-tab-span" style="white-space:pre"> </span>---- Corporate spies? </span></div><div><span class="Apple-style-span" style="font-size: 14px; "><span class="Apple-tab-span" style="white-space:pre"> </span>---- The Government? </span></div><div><span class="Apple-style-span" style="font-size: 14px; "><span class="Apple-tab-span" style="white-space:pre"> </span>---- Other Governments?</span></div><div>Each of these attackers has certain resources. The Government, for example, has the FBI and the NSA. Corporate spies may have large funding -- enough to attack captured sRTP.</div><div><br></div><div>9. When contemplating any encryption technique, you must determine the intended <i>lifetime</i> of protection. All encryption mechanisms can eventually be broken, given enough time. How long do you need the conversation to remain a secret? With sRTP done badly, you may have the appearance of encryption, but remain vulnerable to decryption within minutes.</div><div><br></div><div>10. IANAL. In the US, it's a Federal Crime to do what you're trying to defend against. From <span class="Apple-style-span" style="font-size: 14px; "><a href="http://openjurist.org/713/f2d/389/united-states-v-ross">http://openjurist.org/713/f2d/389/united-states-v-ross</a> --<span class="Apple-style-span" style="font-size: medium; "> <span class="Apple-style-span" style="line-height: 20px; "><font class="Apple-style-span" size="4"><span class="Apple-style-span" style="font-size: 14px;"><i>Under federal wiretapping law it is a felony for any person to willfully intercept or willfully disclose the contents of a wire communication. 8 U.S.C. § 2511(1)(a) & (c) It is, however, not unlawful for an officer or employee of a communication common carrier to intercept or disclose the contents of a wire communication while engaged in an activity which is necessary to the rendition of his services. 18 U.S.C. § 2511(2)(a)(i).</i></span></font></span></span></span></div><div><span class="Apple-style-span" style="line-height: 20px;"><i><span class="Apple-style-span" style="line-height: normal;"><br></span></i></span></div><span class="Apple-style-span" style="line-height: 20px; "><div style="margin-top: 0.7em; margin-right: 0px; margin-bottom: 0.7em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 2em; text-indent: 0px; "><i><span class="Apple-style-span" style="font-size: 14px; ">18 U.S.C. § 2511(1)(a) & (c) provide in pertinent part:</span></i></div><div style="margin-top: 0.7em; margin-right: 0px; margin-bottom: 0.7em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 2em; text-indent: 0px; "><font class="Apple-style-span" size="4"><span class="Apple-style-span" style="font-size: 14px;"><i>(1) Except as otherwise specifically provided in this chapter any person who--</i></span></font></div><div style="margin-top: 0.7em; margin-right: 0px; margin-bottom: 0.7em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 2em; text-indent: 0px; "><font class="Apple-style-span" size="4"><span class="Apple-style-span" style="font-size: 14px;"><i>(a) willfully intercepts ... any wire communication; [or] ...</i></span></font></div><div style="margin-top: 0.7em; margin-right: 0px; margin-bottom: 0.7em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 2em; text-indent: 0px; "><font class="Apple-style-span" size="4"><span class="Apple-style-span" style="font-size: 14px;"><i>(c) willfully discloses ... to any other person the contents of any wire--... communication, knowing or having reason to know that the information was obtained through the interception of a wire ... communication in violation of this subsection ... shall be fined not more than $10,000 or imprisoned not more than five years, or both."</i></span></font></div></span><div><span class="Apple-style-span" style="line-height: 20px; "><div style="margin-top: 0.7em; margin-right: 0px; margin-bottom: 0.7em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 2em; text-indent: 0px; "><font class="Apple-style-span" size="4"><span class="Apple-style-span" style="font-size: 14px;"><i>18 U.S.C. § 2511(2)(a)(i) provides:</i></span></font></div><div style="margin-top: 0.7em; margin-right: 0px; margin-bottom: 0.7em; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 2em; text-indent: 0px; "><font class="Apple-style-span" size="4"><span class="Apple-style-span" style="font-size: 14px;"><i>(2)(a)(i) It shall not be unlawful ... for an operator of a switchboard, or an officer, employee or agent of any communication common carrier, whose facilities are used in the transmission of a wire communication, to intercept, disclose or use that communication in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service ... Provided, That said communication common carriers shall not utilize service observing or random monitoring except for mechanical or service quality control checks.</i></span></font></div></span></div><div><br></div><div><br></div><div><div><font class="Apple-style-span" face="Calibri" size="1"><span class="Apple-style-span" style="font-size: 9px; "><i>mark r lindsey@e-c-group.com <a href="http://e-c-group.com/~lindsey">http://e-c-group.com/~lindsey</a> +12293160013</i></span></font></div><div><font class="Apple-style-span" face="Calibri" size="1"><span class="Apple-style-span" style="font-size: 9px;"><i><br></i></span></font></div></div><div><br></div><div><div><div>On Oct 14, 2009, at 12:32 PM, <<a href="mailto:Guy.Ram@t-systems.com">Guy.Ram@t-systems.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Cambria; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div lang="EN-US" link="blue" vlink="purple"><o:smarttagtype namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="City"><o:smarttagtype namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="place"><div class="Section1"><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; ">Hello,<o:p></o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; "><o:p> </o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; ">Like your kind response to this question:<o:p></o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; "><o:p> </o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; ">Would folks agree that for SIP traffic in a private MPLS network should not necessarily require encryption. What is your advise for the normal<span class="Apple-converted-space"> </span><st1:city w:st="on"><st1:place w:st="on">Enterprise</st1:place></st1:city><span class="Apple-converted-space"> </span>? I’m trying to understand where it makes prudent sense to enable encryption and where it’s redundant.<o:p></o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" face="Arial"><span style="font-size: 10pt; font-family: Arial; "><o:p> </o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; ">I’m trying to counter this statement:<o:p></o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 10pt; font-family: 'Courier New'; "><i><font size="2" face="Courier New"><span style="font-size: 10pt; font-style: italic; "><o:p> </o:p></span></font></i></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.25in; font-size: 10pt; font-family: 'Courier New'; "><i><font size="2" face="Courier New"><span style="font-size: 10pt; font-style: italic; ">that encryption of the media stream should be encouraged. Although the MPLS network is private, it is easy to setup a traffic sniffer on computers and to tap and record calls. This is unlike the ISDN world where telecoms equipment is usually locked up and inaccessible to most employees. Companies do accept encryption as normal overhead”<o:p></o:p></span></font></i></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0.25in; font-size: 10pt; font-family: 'Courier New'; "><font size="2" face="Courier New"><span style="font-size: 10pt; "><o:p> </o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; ">What I’ve been told that most enterprise networks are switched, so the connection from the desk goes to a switch and then right to the VoIP system, so it’s basically non-trivial to tap a phone line that way. VoWiFi is different, but there are more issues than security with that. Legacy environment equivalent for wired VoIP.<o:p></o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; "><o:p> </o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; ">Also that Encryption will increase delay, reduce quality, and increase BW consumption. I don’t see a lot of need for encryption except across a peering point for example</span></font><font size="1" color="blue" face="Verdana"><span style="font-size: 8pt; font-family: Verdana; color: blue; ">.<o:p></o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="1" color="blue" face="Verdana"><span style="font-size: 8pt; font-family: Verdana; color: blue; "><o:p> </o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; ">Thanks,<o:p></o:p></span></font></div><div style="margin-top: 0in; margin-right: 0in; margin-bottom: 0.0001pt; margin-left: 0in; font-size: 12pt; font-family: 'Times New Roman'; "><font size="2" color="navy" face="Arial"><span style="font-size: 10pt; font-family: Arial; color: navy; ">-guy<o:p></o:p></span></font></div></div>_______________________________________________<br>VoiceOps mailing list<br><a href="mailto:VoiceOps@voiceops.org" style="color: blue; text-decoration: underline; ">VoiceOps@voiceops.org</a><br><a href="https://puck.nether.net/mailman/listinfo/voiceops" style="color: blue; text-decoration: underline; ">https://puck.nether.net/mailman/listinfo/voiceops</a><br></o:smarttagtype></o:smarttagtype></div></span></blockquote></div><br><div apple-content-edited="true"> <span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Cambria; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Cambria; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Cambria; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Cambria; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><font class="Apple-style-span" face="Calibri" size="1"><span class="Apple-style-span" style="font-size: 9px;"><i><br></i></span></font></div></div></span></div></span><br class="Apple-interchange-newline"></div></span><br class="Apple-interchange-newline"></div></span><br class="Apple-interchange-newline"> </div><br></div></body></html>