[Devel] RE: [Users] NEW FEATURE: NAPTR lookup

Joachim Fabini Joachim.Fabini at tuwien.ac.at
Fri Feb 3 23:17:47 CET 2006 

Hi Bogdan,

Excellent news! Many, many thanks for this feature, 
I'll integrate and test it at the beginning of next week. 
And if I read Daniel's email correctly we can expect 
dynamic AVP names to be available within the next weeks, 
too. :)

> According to the RFC, for a SIPS uri, the only protocol to be 
> used is TLS. My question is : if SIPS is found force TLS as 
> proto and do SRV lookup or perform NAPTR lookup and look for 
> TLS entries.

Hmmh, I did not yet deploy TLS. My personal opinion is that 
doing NAPTR is the safer way - OpenSER can, e.g., detect 
that a given domain does _not_ support sips. Reusing your 
example: a direct SRV query on "_sips._tcp.domainA" might 
be negative but NAPTR on "domainA" might return, as you
wrote "_sips._tcp.domainB". I.e., if you rely on the SRV
query you might get a negative response, although domainA
_does_ support TLS.

Thanks again and have a nice weekend,
best regards
--Joachim

> -----Original Message-----
> From: users-bounces at openser.org 
> [mailto:users-bounces at openser.org] On Behalf Of Bogdan-Andrei Iancu
> Sent: Freitag, 03. Februar 2006 21:35
> To: devel; users openser.org
> Subject: [Users] NEW FEATURE: NAPTR lookup
> 
> Hi,
> 
> A new feature is available in openser, devel version : NAPTR lookup.
> 
> Overview
> =========
> 
> OpenSER is now RFC3263 (Locating SIP Server) compliant. See 
> http://www.ietf.org/rfc/rfc3263.txt
> 
> NAPTR queries are used to discovered the transport protocols 
> for SIP that are supported (and a preference order) by a SIP 
> server. Combining the protocols that are supported by the 
> remote server and the protocols that re locally implemented, 
> the local server will choose the protocol to be used (if an 
> explicit one is not provided). One the protocol is selected, 
> SRV queries are used to discover the port to be used; after 
> that A record query is made to get the IP address.
> 
> This will make possible for a proxy to advertise its 
> preferred protocols. Like : if supported, use TLS, otherwise 
> try TCP and if not UDP. Establishing 
> relationships/connections via TLS will be much simpler to 
> configure and it would be dynamically done - if both proxies 
> supports TLS they will use TLS, but this will not exclude UDP 
> and TCP to be used as alternatives....
> 
> 
> How it works
> ============
> 
> If NAPTR / SRV lookup is used depends if the proto and port 
> are known. 
> Here is a small diagram:
> 
> 
>     if port specify
>         then -> do just A record lookup and use defaults 
> protos (UDP for SIP and TLS for SIPS) if not specified; done
> 
>     # no port
>     if no proto
>         then -> do NAPTR to get proto; if no results, use 
> defaults protos (UDP for SIP and TLS for SIPS); continue
> 
>     # we have proto now
>     do SRV to get port; if no results, use defaults ports 
> (5060 for SIP and 5061 for SIPS); continue
> 
>     # we have proto and port
>     do A record lookup to get IP
> 
> 
> The resolver will sequentially try all NAPTR and SRV results 
> until it successfully gets an IP address. NAPTR / SRV records 
> which cannot be completely followed (resolved) will be skipped.
> If the TLS / TCP support is compiled and enabled, the proxy 
> will consider this protos to use; otherwise it will skip them.
> 
> 
> How to use
> ==========
> 
> NAPTR will be used only if proto is not specify neither via 
> the relaying function nor via the RURI. Ex:
> 
>     t_relay("openser.org"); # send to openser.org and use 
> NAPTR and SRV to resolve the address
>     t_relay(); # RURI=sip:user at domain.org
>     forward(uri:host,uri:port); # RURI=sip:user at domain.org
> 
> NOTE: these will not use NAPTR
>     t_relay("tcp:openser.org");
>     t_relay(); # RURI=sip:user at domain.org;transport=udp
> 
> NOTE: these will not use NAPTR/SRV
>     t_relay("openser.org:5060");
>     t_relay(); # RURI=sip:user at domain.org:5060
> 
> 
> 
> 
> The difference may be: one extra query (from NAPTR) versus 
> the fact that the NAPTR query may lead to a SRV into another domain.
> 
> Ex: for sips:user at domainA
>     If forcing TLS -> do SRV for "_sips._tcp.domainA." -> port
> server1.domainA:5061
> 
>     If using first NAPTR -> do NAPTR on "domainA" and get 
> "_sips._tcp.domainB." which will lead somewhere else than 
> using directly SRV. According the RFC this is possible.
> 
> 
> What I'm not sure about is if this cross domain NAPTR records 
> are allowed for TLS: see chapter 4.1 :
> 
>    For NAPTR records with SIPS protocol fields, (if the 
> server is using
>    a site certificate), the domain name in the query and the 
> domain name
>    in the replacement field MUST both be valid based on the site
>    certificate handed out by the server in the TLS exchange.  
> Similarly,
>    the domain name in the SRV query and the domain name in 
> the target in
>    the SRV record MUST both be valid based on the same site 
> certificate.
>    Otherwise, an attacker could modify the DNS records to contain
>    replacement values in a different domain, and the client could not
>    validate that this was the desired behavior or the result of an
>    attack.
> 
> 
> for the moment, NAPTR and SRV are used for SIPS....but any 
> other opinions on this TLS matter are welcomed...
> 
> 
> regards,
> Bogdan
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users
>

More information about the Devel mailing list