This is the Flash animated tutorial answer to how TLS-Transport Layer Security operates. According to one source, “someone could die when they try to dial 911 and the call fails to complete due to a flood of Layer 4 TCP-Transmission Control Protocol SYN packets using TLS-Transparent Layer Security for synchronization.” TCP sets up a connection to the destination port number by SYNchronizing, manages the transmission of data by sending numbered SEQuences (parts), sends an ACKnowledgement to confirm receipt of data, and when FINished disconnects the session. This is where Port Level Security or TLS-Transport Layer Security takes place. That is, access is controlled by port number, for example by denying access to Port 35 for email, Port 80 for HTTP-Hyper Text Transfer Protocol (web surfing), Port 21 for FTP-File Transfer Protocol, or any other function. This is called Stateful Inspection: the firewall checks, alerts on or audits the status (state) of the TCP connection, whether SYN, SYN-ACK or FIN.
The problem is that when a large SIP proxy goes down, it takes a significant amount of time before all the SIP user agents can re-establish a TCP (SYNchronization) connection and a security association. That is, the SIP user agents (telephones) have to establish new TCP connections and then negotiate new security associations. This creates an avalanche of SYN messages and acts like a classic SYN attack (DOS-Denial Of Service).
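A small stateful-inspection tracker, added here as an example and not part of the original tutorial: it follows the SYN, SYN-ACK, ACK and FIN states described above over constructed packet records and counts half-open connections per server port, which is how the SIP user-agent reconnect avalanche shows up to a firewall. The IP addresses, ports and the alert threshold are constructed sample values.

```python
from collections import Counter

# Constructed sample: (src_ip, src_port, dst_ip, dst_port, flags). 10.0.0.1 is the
# SIP proxy listening on 5061 (SIP over TLS); 10.0.0.x are phones. Only the first
# phone completes its handshake; the rest are stuck at SYN, as after a proxy restart.
SAMPLE_PACKETS = [
    ("10.0.0.11", 40001, "10.0.0.1", 5061, {"SYN"}),
    ("10.0.0.1", 5061, "10.0.0.11", 40001, {"SYN", "ACK"}),
    ("10.0.0.11", 40001, "10.0.0.1", 5061, {"ACK"}),
    ("10.0.0.11", 40001, "10.0.0.1", 5061, {"FIN", "ACK"}),
    ("10.0.0.12", 40002, "10.0.0.1", 5061, {"SYN"}),
    ("10.0.0.13", 40003, "10.0.0.1", 5061, {"SYN"}),
    ("10.0.0.14", 40004, "10.0.0.1", 5061, {"SYN"}),
    ("10.0.0.15", 40005, "10.0.0.1", 5061, {"SYN"}),
    ("10.0.0.20", 40006, "10.0.0.2", 80, {"SYN"}),
]

def track_states(packets):
    """Return {(client_ip, client_port, server_ip, server_port): state}.
    SYN -> SYN_SENT, SYN-ACK -> SYN_RECEIVED, ACK -> ESTABLISHED, FIN -> CLOSED.
    Packets that do not belong to a tracked connection are ignored."""
    states = {}
    for src, sport, dst, dport, flags in packets:
        if "SYN" in flags and "ACK" not in flags:
            states[(src, sport, dst, dport)] = "SYN_SENT"  # client opens
            continue
        # Server-to-client replies are keyed by the client side of the tuple.
        reverse = (dst, dport, src, sport)
        key = reverse if reverse in states else (src, sport, dst, dport)
        if key not in states:
            continue
        if "SYN" in flags and "ACK" in flags and states[key] == "SYN_SENT":
            states[key] = "SYN_RECEIVED"
        elif "FIN" in flags:
            states[key] = "CLOSED"
        elif "ACK" in flags and states[key] == "SYN_RECEIVED":
            states[key] = "ESTABLISHED"
    return states

def half_open_per_port(states):
    """Count connections that never completed the handshake, per server port."""
    return Counter(k[3] for k, st in states.items()
                   if st in ("SYN_SENT", "SYN_RECEIVED"))

def flag_surge(states, threshold):
    """Server ports whose half-open count reaches the threshold (SYN-flood-like)."""
    return sorted(p for p, n in half_open_per_port(states).items() if n >= threshold)

if __name__ == "__main__":
    s = track_states(SAMPLE_PACKETS)
    print(half_open_per_port(s), flag_surge(s, 3))
```

A real firewall would also age out half-open entries after a timeout; that is what separates a transient reconnect burst from a sustained flood.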
However, an IETF draft addresses this problem with a security mechanism called DTLS-Datagram Transport Layer Security. DTLS runs over UDP-User Datagram Protocol, so it does not suffer from TCP scaling and SYN startup issues. The one drawback of UDP-based SIP is that the messages (voice packets) must be kept “small” to avoid fragmentation (or delay). This could potentially rule out MMoIP-Multi-Media over IP, web seminars, conference calls, podcasting and other continuous-stream message distribution applications. In the words of the draft on Datagram Transport Layer Security for SIP: SIP can run over both stream and datagram transports, including UDP and TCP. SIP already defines how to use TLS with stream-oriented transports. This specification extends SIP to use DTLS with datagram-oriented transports.
Bottom line: test your SIP-VoIP network for security attacks. Have a certified ethical hacker attack your network on a regular basis, because juries are never lenient towards a company that has been lax or lazy.