[sr-dev] TLS: Sip-Routers adds a Record-Route with "sip" scheme rather than "sips"

Olle E. Johansson oej at edvina.net
Tue Jul 5 21:23:59 CEST 2011 

5 jul 2011 kl. 20.01 skrev Martin Hoffmann:

> Juha Heinanen wrote:
>> Martin Hoffmann writes:
>> 
>>> I think the upshot of it all is that there is no more transport=tls. If
>>> you want TLS, you have to do use the sips scheme with transport=tcp; if
>>> you want DTLS, you do sips with transport=udp.
>> 
>> i don't agree with the above.
> 
> If I understand things correctly, the above is the intent of the
> standardization body in charge of SIP.
> 
>> for example, no matter which transport a
>> request arrives to a proxy, the next hop proxy may be only reachable
>> over tls, in which case i would use ;transport=tls.
> 
> Well, you shouldn't. You should use transport=tcp, because that is the
> transport protocol you are using. That you want this encrypted is
> indicated by the sips scheme of your SIP URI. Also, if you next hop is
> only reachable via TLS and, yet the transport parameter and schema
> indicate unencrypted TCP, what stops you from using the TLS connection
> you have?
> 
> Only the opposite is a problem because you would degenerate the
> security status of your transmission and that is prohibited by the sips
> scheme.

I disagree. SIPS and SIP with "transport=tls" are two different things.
RFC 3261 deprecated "transport=tls" but it is widely agreed on SIPit testings that we have no other way to handle some situations.

Quoting RFC 5630:

      in the SIPS URI scheme, transport is independent of TLS,
      and thus "sips:alice at atlanta.com;transport=TCP" and
      "sips:alice at atlanta.com;transport=sctp" are both valid (although
      note that UDP is not a valid transport for SIPS).  The use of
      "transport=tls" has consequently been deprecated, partly because
      it was specific to a single hop of the request.  This is a change
      since RFC 2543.

   The "tls" parameter has not been eliminated from the ABNF in
   [RFC3261], Section 25, since the parameter needs to remain in the
   ABNF for backward compatibility in order for parsers to be able to
   process the parameter correctly.  The transport=tls parameter has
   never been defined in an RFC, but only in some of the Internet drafts
   between [RFC2543] and [RFC3261].

   This specification does not make use of the transport=tls parameter.

   The reinstatement of the transport=tls parameter, or an alternative
   mechanism for indicating the use of the TLS on a single hop in a URI,
   is outside the scope of this specification.

   For Via header fields, the following transport protocols are defined
   in [RFC3261]: "UDP", "TCP", "TLS", "SCTP", and in [RFC4168]: "TLS-
   SCTP".

So "transport=tls" is still in need of clarification...

/O

More information about the sr-dev mailing list