10 Oct
2011
10 Oct
'11
3:36 p.m.
10 okt 2011 kl. 14:15 skrev Juha Heinanen:
IƱaki Baz Castillo writes:
For platforms where you want some sort of integrity check in the message, like
with S/MIME or SIP Identity,
rewriting the message will break security. If we want to build secure platforms in SIP,
we need to find solutions that doesn't require SDP and SIP rewrites in the proxys.
That's why ICE puts the burden of finding IP addresses and relay servers on the UA and
SIP outbound puts connection management on the UA. If the UA can handle all of this
and have all data correct when sending the message, a message rewrite that breaks
digital signatures should not be needed any more.
One thing I realized the other night during a SIP discussion was that Ice doesn't
allow
a network provider to implement a policy. I don't think a proxy can't say
"442 Always use media relay"
and force the client to drop local addresses, like if there's a requirement for
lawful
intercept in the network. That will be something that needs to be added to ICE.
/O
Forget the two ob proxies if you want. The rest
of the specification
is the best answer for NAT and TCP/TLS, much better than the
half-solutions we use today (those that makes the registrar to mantain
40 bindings for the same AoR when the device is a movile using SIP
over TCP and reconnects every few minutes).
i don't have anything against that when ua registers it tells its unique
id so that registrar can discard the old ones.
what i was trying to say that outbound does not bring any help to
implementing redundant sip infrastructure, where two active proxies
could have worked together each with its own ip address.
What are you proposing then Juha? not
implementing RFC 5626 and
continuing with custom solutions that don't work well? continuing with
Contact rewritting? No please.
what comes to nat traversal, what are the problems with contact
rewriting? so far it has worked quite well for me.