6 Jul
2011
6 Jul
'11
1:23 p.m.
6 jul 2011 kl. 10.23 skrev IƱaki Baz Castillo:
Me too. And if people like us on this list can't figure this out, it's
broken.
/O
2011/7/6 Olle E. Johansson <oej(a)edvina.net>et>:
Right. That is a problem. But I personally don't think it's one
you solve by using SIPS.
The most important part of RFC 5630 is this:
This document specifies that SIPS means that the SIP resource
designated by the target SIPS URI is to be contacted securely, using
TLS on each hop between the UAC and the remote UAS (as opposed to
only to the proxy responsible for the target domain of the Request-
URI).
Which means
- IPsec and other VPNs are no longer valid
- We need TLS to the UAS - the last hop also needs security now.
Unfortunately ( I think) it also says:
To emphasize what is already defined in [RFC3261], UAs MUST NOT use
the "transport=tls" parameter.
https puts a requirement for TLS all the way.
SIPS: in RFC3261 did not. It's simply a request, a proposal. Now if you don't
want to change the properties of the original request, but still require your
infrastructure to use TLS for the next hop you do not want to change to a SIPS: uri, which
will put a new requirement for the rest of the signalling. You want to add an attribute
like ";transport=tls".
I don't think so. If you add ";transport=tls" in the request RURI you
are telling all the nodes in the path to use SIP over TLS over TCP.
What about if there are two nodes in the patch which just can talk TLS
over SCTP?
In contrast, if you add "sips:" and no ;transport param in the RURI,
you are telling all the nodes in the path to use TLS (over TCP, over
SCTP, maybe DTLS...). With a "sips:" schema yuo are mandating all the
communication to be secure, regardless the exact transport protocol
used in each hop. As Klaus has pointed out in other mail, what about
if a node in the path speaks SIP over UDP/TCP/SCTP over IPSEC? I
expect it would also fullfil the requeriments of a "sips" request.
Also, I've already make a question previously: you say that
"transport=tls" is correct, so is "tls-sctp" also correct? RFC 4168
(SIP over SCTP) defines "SCTP" and "TLS-SCTP" for Via transport,
similar to "TCP" and "TLS" (which means TCP over TLS). But RFC 4168
does not define "tls-sctp" for an URI transport param. Why not?
because the correct way is "sips" schema and ";transport=sctp".
THis is defined according to RFC5630:
For Via header fields, the following transport protocols are defined
in [RFC3261]: "UDP", "TCP", "TLS", "SCTP", and
in [RFC4168]: "TLS-
SCTP".
Yes, SIPS: is really messy and hard to
understand. How would you guys handle a Contact: with SIPS: ? Can you reuse a connection
like outbound? I guess not, since you have to verify the endpoint certificate.
I read RFC 5630 recently and I think I understood all the sips topic
(there is there a response for your question, sure). However it's hard
to remember and I must read it again XDD