[asterisk-users] IEEE 802.1x capable sip phones
Robert Moskowitz
rgm at htt-consult.com
Thu Jan 10 09:23:24 CST 2008
Olivier wrote:
>
>
> 2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
>
> Olivier wrote:
> >
> >
> > 2008/1/10, Robert Moskowitz <rgm at htt-consult.com>:
> >
> > Jeronimo Romero wrote:
> > >
> > > Does anyone know if sip phones from any of the major IP phone vendors
> > > support 802.1x authentication? Any feedback would be greatly appreciated.
> > >
> > This is so unlikely. I worked on 802.1X and 802.11i. There is just too
> > much overhead there. No way to meet the ITU 50ms disruption requirement.
> >
> >
> > Do you mean ITU is asking phone to authenticate within a 50ms time frame?
> > Or do you mean, RTP flow encryption shouldn't exceed 50ms?
> The latter. So an authentication while a flow is in process can kill the
> call. This is what can happen during a roam (or a re-key).
>
>
> OK: now I understand what you meant.
> Myself, I was thinking about desktop hardphones so I didn't see why this
> authentication process duration would matter.
Depends on what your 802.1X timeout is set at. There is still rekeying
based on the expected 'lifetime' of your key. With 802.1AE we had to
design for 10Gb and typical rekeying would be every few minutes! So the
actual protection is done with sub-keys. But today, pretty much every
protocol we design has a 'key hierarchy'. Burn me once ok, but not twice...
> Have you looked at Meru or Extricom stuff?
Meru way back and they were 'on track'. Not Extricom.