[Kamailio-Users] stun/outbound draft...

Iñaki Baz Castillo ibc at aliax.net
Sun Jan 4 17:41:58 CET 2009


2009/1/4 Aymeric Moizard <jack at atosc.org>:
> Let's describe a case:
>
> I send an INVITE and encrypt the SDP. I'm behind a symmetric NAT. I'm
> calling somebody (a UA of course) who is able to decrypt it.
>
> Whatever trick you provide, I will not always have voice (except
> if ICE is supported or if the NATs are kind to me)
>
> Conclusion: I'm forced to provide UA and ask my customer to NOT encrypt
> their signalling. NEVER encrypt their signalling.
>
>> i don't understand what you try to say in above.  sip works fine over
>> the internet today.
>
> SIP works today **if**:
>  * no security
>  * no SIP message integrity is used
>  * SIP servers are well configured (...)
>  * SIP server is not compliant (modifying contact and SDP...)
>
> My conclusion is that it's not acceptable. I want my applications
> to do security and I don't want to be dependent on badly configured
> servers.

I can only agree with those true and well-explained points. It's 100% true.

For now, in a true SIP environment (this is: SIP calls between
Internet endpoints, no PSTN) the NAT issue is solved by:
- Forcing RTP through a media proxy, which involves SDP rewriting by
the SIP proxy (so SDP cannot be encrypted).
- The only case in which the media proxy can be avoided is that in
which both the caller and callee use STUN (no symmetric NAT) or are
behind the same public IP.
- The "Contact" header must be rewritten by the SIP proxy in order to
allow future in-dialog requests to a UA behind NAT.

All of this is sad. For example:
- In case of multipart SIP messages it's possible that the SIP proxy
is not capable of rewriting them properly (i.e. RtpProxy cannot handle
them for now).
- When the proxy rewrites the private IP:port of the "Contact" header
with the received public IP:port, it means that this UA will receive
an in-dialog request with a RURI: sip:user@PUBLIC_IP:PUBLIC_PORT. If
the UA is 100% SIP strict it will reject this request since the RURI is
not itself (RFC 3261 says that the UA MUST inspect the whole RURI to
check if it matches itself, not just the RURI username).

> I don't want "SIP works today **if**", I want "SIP works today."
>
> I just need a SIP compliant internet infrastructure.

All this thread is encouraging me to check and learn about ICE and try it. :)


-- 
Iñaki Baz Castillo
<ibc at aliax.net>
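The Contact-rewriting failure mode described in this message, shown as an added example that is not part of the original mail or of Kamailio: a proxy replaces the private host:port in Contact with the address the request arrived from, and a UA that checks the whole Request-URI against its own Contact (as RFC 3261 requires) no longer recognises itself. All addresses are constructed sample values; the `parse_sip_uri` helper is a simplified one written here (IPv4 hostnames only, no URI parameters beyond what the regex skips).

```python
import re

# Minimal "sip:user@host:port" parser written for this example (assumption:
# IPv4 or hostname only, default port 5060, URI parameters after ';' ignored).
SIP_URI = re.compile(r"^sip:(?:(?P<user>[^@;]+)@)?(?P<host>[^:;]+)(?::(?P<port>\d+))?")

def parse_sip_uri(uri):
    """Return (user, host, port) so the three parts can be compared separately."""
    m = SIP_URI.match(uri)
    if not m:
        raise ValueError(f"not a sip: URI: {uri}")
    return m.group("user"), m.group("host"), int(m.group("port") or 5060)

def rewrite_contact(contact_uri, received_ip, received_port):
    """Proxy-side NAT fix-up from the mail: keep the user part, replace the
    private host:port with the public source address of the request."""
    user, _host, _port = parse_sip_uri(contact_uri)
    return f"sip:{user}@{received_ip}:{received_port}"

def strict_ruri_matches(ruri, own_contact_uri):
    """RFC 3261 style check: user, host AND port of the RURI must equal the UA's own Contact."""
    return parse_sip_uri(ruri) == parse_sip_uri(own_contact_uri)

def username_only_matches(ruri, own_contact_uri):
    """Lenient check many UAs use in practice: compare only the user part."""
    return parse_sip_uri(ruri)[0] == parse_sip_uri(own_contact_uri)[0]

def in_dialog_request_outcome(own_contact_uri, received_ip, received_port):
    """Simulate the flow: proxy rewrites Contact, the peer targets the rewritten
    URI, and the UA behind NAT applies both checks to the resulting RURI."""
    ruri = rewrite_contact(own_contact_uri, received_ip, received_port)
    return {
        "ruri": ruri,
        "strict_accepts": strict_ruri_matches(ruri, own_contact_uri),
        "lenient_accepts": username_only_matches(ruri, own_contact_uri),
    }

if __name__ == "__main__":
    # Constructed sample: UA registered with a private Contact, seen by the
    # proxy from a public NAT address/port.
    print(in_dialog_request_outcome("sip:alice@192.168.1.10:5060", "203.0.113.7", 40123))
```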

