[sr-dev] why new tcp connection?

Olle E. Johansson oej at edvina.net
Sat Nov 7 09:06:24 CET 2009 

6 nov 2009 kl. 14.54 skrev Klaus Darilion:

>
>
> Iñaki Baz Castillo schrieb:
>> El Viernes, 6 de Noviembre de 2009, Klaus Darilion escribió:
>>> Hi Juha!
>>>
>>> Personally I do not like the alias approach. IIRC correctly there  
>>> were
>>> some security issues with aliases (at least some time ago) and ser  
>>> does
>>> hand aliases a little bit different then described by IETF to  
>>> avoid this
>>> issues.
>> Could I know about those security issues? (just a brief description).
>
> I do not remember anymore in detail, but I think by spoofing aliases  
> (and the proxy accepts the spoofed alias) it could be possible to  
> intercept SIP messages which are targeted to another user/client  
> behind the same NAT.
>
>>> To solve the situation there are 2 other solutions:
>>>  1. in client
>>>  2. in server
>>>
>>> 1. client:
>>> The client learns the public socket during REGISTER (Via received 
>>> +rport
>>> in response) and changes its contact in REGISTER
>> What about if the server doesn't challenge the client? XDD
>
> No problem - at least for xlite. It does:
> 1. REGISTER with local socket
> 2. 407
> 3. REGISTER with local socket
> 4. 200 ok (learn public socket)
> 5. deREGISTER local socket
> 6. 200 ok
> 7. REGISTER with public socket
> 8. 200 ok
>
> I do not know how pjsip handles this (if it is smarter :-)
>
>>> and INVITE messages to
>>> the new one learned. This is for example what xlite and pjsip  
>>> does. This
>>> approach does not work if the client does not register - if it only
>>> sends INVITE then there is no learned socket available in the  
>>> initial
>>> INVITE.
>> If the client doesn't register then it cannot receive responses  
>> anyway.
>
> e.g. call-setup would work, but BYE from callee would fail.
>
>> However, the fact is that during a TCP dialog there "should" exist  
>> *two* TCP connections (assuming binding port = 5060):
>> a) UA:random_port - Proxy:5060
>> b) Proxy:random_port - UA:5060
>
> that's the broken idea of RFC 3261. In fact that will never work due  
> to NAT/FW. The un-standardized approaches are described above and  
> work well. The standardized approach would be sip-outbound, which  
> gives the same result than the un-standardized approach.

SIP-outbound for when NAT is involved and connection-reuse drafts  
(that Andrei referred to earlier) for when there's no NAT, like  
between two sip proxys on the public Internet or a local network.

And in addition, there's a lot of work done for TCP/TLS that makes it  
even more complicated. If you opened a connection to a proxy for berlin.example.com 
  and approved the server certificate and then realize that you're  
about to set up a new connection to the same proxy, but now for stockholm.example.com 
  - you're not allowed to reuse the first connection.

/O

More information about the sr-dev mailing list