[sr-dev] TLS: Sip-Routers adds a Record-Route with "sip" scheme rather than "sips"

Olle E. Johansson oej at edvina.net
Wed Jul 6 13:23:15 CEST 2011


On 6 Jul 2011 at 10:23, Iñaki Baz Castillo wrote:

> 2011/7/6 Olle E. Johansson <oej at edvina.net>:
>> https puts a requirement for TLS all the way.
>> 
>> SIPS: in RFC3261 did not. It's simply a request, a proposal. Now if you don't want to change the properties of the original request, but still require your infrastructure to use TLS for the next hop you do not want to change to a SIPS: uri, which will put a new requirement for the rest of the signalling. You want to add an attribute like ";transport=tls".
> 
> I don't think so. If you add ";transport=tls" in the request RURI you
> are telling all the nodes in the path to use SIP over TLS over TCP.
> What about if there are two nodes in the path which just can talk TLS
> over SCTP?
Right. That is a problem. But I personally don't think it's one you solve by using SIPS.

The most important part of RFC 5630 is this:
   This document specifies that SIPS means that the SIP resource
   designated by the target SIPS URI is to be contacted securely, using
   TLS on each hop between the UAC and the remote UAS (as opposed to
   only to the proxy responsible for the target domain of the Request-
   URI).

Which means
 - IPsec and other VPNs are no longer valid
 - We need TLS to the UAS - the last hop also needs security now.

Unfortunately (I think) it also says:
   To emphasize what is already defined in [RFC3261], UAs MUST NOT use
   the "transport=tls" parameter.


> 
> In contrast, if you add "sips:" and no ;transport param in the RURI,
> you are telling all the nodes in the path to use TLS (over TCP, over
> SCTP, maybe DTLS...). With a "sips:" schema you are mandating all the
> communication to be secure, regardless of the exact transport protocol
> used in each hop. As Klaus has pointed out in other mail, what about
> if a node in the path speaks SIP over UDP/TCP/SCTP over IPSEC? I
> expect it would also fulfil the requirements of a "sips" request.
> 
> Also, I've already asked a question previously: you say that
> "transport=tls" is correct, so is "tls-sctp" also correct? RFC 4168
> (SIP over SCTP) defines "SCTP" and "TLS-SCTP" for Via transport,
> similar to "TCP" and "TLS" (which means TCP over TLS). But RFC 4168
> does not define "tls-sctp" for a URI transport param. Why not?
> because the correct way is "sips" schema and ";transport=sctp".

This is defined according to RFC 5630:
   For Via header fields, the following transport protocols are defined
   in [RFC3261]: "UDP", "TCP", "TLS", "SCTP", and in [RFC4168]: "TLS-
   SCTP".


> 
> 
> 
>> Yes, SIPS: is really messy and hard to understand. How would you guys handle a Contact: with SIPS: ? Can you reuse a connection like outbound? I guess not, since you have to verify the endpoint certificate.
> 
> I read RFC 5630 recently and I think I understood all the sips topic
> (there is there a response for your question, sure). However it's hard
> to remember and I must read it again XDD
> 
Me too. And if people like us on this list can't figure this out, it's broken.

/O
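The distinction argued over in this thread (a "sips:" Request-URI versus a "sip:" URI carrying ";transport=tls", and which Via transport tokens actually mean TLS) is easy to check mechanically. The following is an added example, not code from this thread or from sip-router; it assumes a simplified SIP URI grammar (no IPv6 host literals, URI headers after "?" ignored), uses the Via transport tokens quoted above from RFC 5630, and encodes RFC 3261 section 16.6's rule that a proxy handling a SIPS Request-URI must insert a SIPS URI in its Record-Route (the mismatch named in the subject line). The "next-hop-only" classification follows Olle's reading of ";transport=tls"; the same function reports that RFC 5630 forbids UAs from using that parameter.

```python
"""Classify hop security for SIP/SIPS URIs, Via transports and Record-Route.

Added example (not from the sr-dev thread or sip-router). Assumptions:
URI grammar scheme:[user@]host[:port][;param[=value]]*[?headers],
no IPv6 literals; Via transport tokens as listed in RFC 5630.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

URI_RE = re.compile(
    r"^(?P<scheme>sips?):(?:(?P<user>[^@;?]+)@)?(?P<host>[^:;?]+)"
    r"(?::(?P<port>\d+))?(?P<params>(?:;[^;?=]+(?:=[^;?]*)?)*)(?:\?.*)?$",
    re.IGNORECASE,
)
NAME_ADDR_RE = re.compile(r"<([^>]+)>")  # Record-Route values are name-addr: <uri>

# Via transport tokens from RFC 3261 and RFC 4168 (as quoted in RFC 5630),
# mapped to whether that token means the hop is TLS-protected.
VIA_TRANSPORTS = {"UDP": False, "TCP": False, "TLS": True, "SCTP": False, "TLS-SCTP": True}


@dataclass
class SipUri:
    scheme: str
    user: Optional[str]
    host: str
    port: Optional[int]
    params: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_sip_uri(text: str) -> SipUri:
    """Parse a sip:/sips: URI into its parts; param names and values are lowercased."""
    m = URI_RE.match(text.strip())
    if not m:
        raise ValueError("not a SIP/SIPS URI: %r" % text)
    params: Dict[str, Optional[str]] = {}
    for raw in m.group("params").split(";")[1:]:
        name, sep, value = raw.partition("=")
        params[name.lower()] = value.lower() if sep else None
    port = int(m.group("port")) if m.group("port") else None
    return SipUri(m.group("scheme").lower(), m.group("user"), m.group("host").lower(), port, params)


def security_requirement(uri: SipUri) -> str:
    """Which hops must be TLS-protected to reach this URI.

    'every-hop'     : sips scheme; RFC 5630 says TLS on each hop UAC -> UAS,
                      whatever ;transport= says (sctp, tcp, absent).
    'next-hop-only' : sip scheme with ;transport=tls, which only constrains
                      the hop taken to resolve this URI.
    'none'          : sip scheme without a TLS transport parameter.
    """
    if uri.scheme == "sips":
        return "every-hop"
    if uri.params.get("transport") == "tls":
        return "next-hop-only"
    return "none"


def rfc5630_violations(uri: SipUri) -> List[str]:
    """Parameters RFC 5630 tells UAs not to emit ('UAs MUST NOT use the transport=tls parameter')."""
    return ["transport=tls"] if uri.params.get("transport") == "tls" else []


def via_transport(via_value: str) -> str:
    """Extract the transport token from a Via value such as 'SIP/2.0/TLS host:5061;branch=...'."""
    sent_protocol = via_value.strip().split(None, 1)[0]      # "SIP/2.0/TLS"
    parts = sent_protocol.split("/")
    if len(parts) != 3 or parts[0].upper() != "SIP":
        raise ValueError("malformed Via sent-protocol: %r" % sent_protocol)
    token = parts[2].upper()
    if token not in VIA_TRANSPORTS:
        raise ValueError("unknown Via transport: %r" % token)
    return token


def via_is_tls(via_value: str) -> bool:
    """True when the Via hop was carried over TLS (TLS or TLS-SCTP)."""
    return VIA_TRANSPORTS[via_transport(via_value)]


def record_route_downgrades(request_uri: str, record_route_value: str) -> bool:
    """True when a sips Request-URI is answered with a sip Record-Route.

    RFC 3261 section 16.6 step 4: if the Request-URI is a SIPS URI, the URI
    placed in Record-Route MUST be a SIPS URI. A sip: Record-Route here
    loosens the every-hop requirement for the rest of the dialog.
    """
    req = parse_sip_uri(request_uri)
    m = NAME_ADDR_RE.search(record_route_value)
    rr = parse_sip_uri(m.group(1) if m else record_route_value)
    return req.scheme == "sips" and rr.scheme != "sips"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real trace.
    for u in ("sips:alice@example.com;transport=sctp", "sip:bob@example.net;transport=tls"):
        parsed = parse_sip_uri(u)
        print(u, "->", security_requirement(parsed), rfc5630_violations(parsed))
    print(record_route_downgrades("sips:alice@example.com", "<sip:proxy.example.com;lr>"))
```

Run on a captured INVITE, the two checks a defender cares about are `record_route_downgrades()` on the proxy's own Record-Route and `via_is_tls()` on every Via: a sips request whose Via chain contains a UDP or SCTP hop, or whose Record-Route is sip:, is exactly the silent downgrade this thread is about.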

