Media Description for IKE in SDP

1

• Media Description for IKE in SDP
• draft-saito-mmusic-sdp-ike-01
• Makoto Saito
• ma.saito_at_nttv6.jp
• Dan Wing
• dwing_at_cisco.com

2
Purpose

• Setting up IPsec (IKE) Using SIP
• VPN to a home router (or NAT device), etc.

• INVITE
• Transaction

SIP Proxy
Home Network
(2) IKE (Media Session)
(3) Validate Fingerprint of Certificate
Home Router
Remote Client
(4) Tunnel Mode IPsec

• Comedia-tls (RFC4572) for Self-Signed
  Certificate Auth
• ( afingerprint in SDP)

3
SIP or DNS?
Static DNS Dynamic DNS SIP
Name Resolution to Floating IP Address - Support Support
Authentication Authorization - - Delegate to 3rd Party No Signed Cert No Whitelist
UDP Hole Punching (ICE) for IKE IPsec - - Applicable
Deployment - - Prompt Re-use of Providers Existing SIP Infrastructure
4
SDP-IKE is ...

• Functionally the same as Comedia-tls (RFC4572)
• afingerprint which must match TLS/IKE
  certificate
• Like IPsec, TLS can also create a tunnel (SSL
  VPN,
• WebVPN)

5
Next Step

• Good idea to move forward in MMUSIC WG?
• (after the confirmation of Security ADs)
• Any Comments?