2009/1/4 Aymeric Moizard <jack(a)atosc.org>:
Let's describe a case:
I send an INVITE and encrypt the SDP. I'm behind a symmetric NAT. I'm
calling somebody (a UA of course) who is able to decrypt it.
Whatever trick you provide, I will not always have voice (except
if ICE is supported or if the NATs are kind with me).
Conclusion: I'm forced to provide UA and ask my customer to NOT encrypt
their signalling. NEVER encrypt their signalling.
I don't understand what you are trying to say above. SIP works fine over
the Internet today.
SIP works today **if**:
* no security
* no SIP message integrity is used
* SIP servers are well configured (...)
* the SIP server is not compliant (modifying Contact and SDP...)
My conclusion is that it's not acceptable. I want my applications
to do security and I don't want to be dependent on badly configured
servers.
I can only agree with those true and well-explained points. It's 100% true.
For now, in a true SIP environment (this is: SIP calls between
Internet endpoints, no PSTN) the NAT issue is solved by:
- Forcing RTP through a media proxy, which involves SDP rewriting by
the SIP proxy (so SDP cannot be encrypted).
- The only case in which the media proxy can be avoided is that in
which both the caller and callee use STUN (no symmetric NAT) or are
behind the same public IP.
- The "Contact" header must be rewritten by the SIP proxy in order to
allow future in-dialog requests to a UA behind NAT.
All of this is sad. For example:
- In the case of multipart SIP messages it's possible that the SIP proxy
is not capable of rewriting it properly (i.e. RtpProxy cannot handle
it for now).
- When the proxy rewrites the private IP:port of the "Contact" header
with the received public IP:port, it means that this UA will receive
an in-dialog request with a RURI: sip:user@PUBLIC_IP:PUBLIC_PORT. If
the UA is 100% SIP strict it will reject this request since the RURI is
not itself (RFC 3261 says that the UA MUST inspect the whole RURI to
check if it matches itself, not just the RURI username).
I don't want "SIP works today **if**", I want "SIP works today."
I just need a SIP compliant internet infrastructure.
This whole thread is encouraging me to check and learn about ICE and try it. :)
--
Iñaki Baz Castillo
<ibc(a)aliax.net>
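The two proxy-side NAT fixes discussed above (Contact rewriting and media-proxy SDP rewriting) and the strict-vs-lax Request-URI check on the UA side, as an added Python illustration that is not part of this thread or of any SIP stack. All addresses, URIs and the SDP body are constructed sample values; the "encrypted" body is a placeholder standing in for a body the proxy cannot read.

```python
import re

# Constructed sample values (not from the thread); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
UA_CONTACT = "sip:alice@192.168.1.10:5060"      # what the NATed UA puts in Contact
RECEIVED = ("203.0.113.7", 40001)                # source IP:port the proxy saw
PLAIN_SDP = ("v=0\r\no=- 1 1 IN IP4 192.168.1.10\r\ns=-\r\n"
             "c=IN IP4 192.168.1.10\r\nt=0 0\r\nm=audio 8000 RTP/AVP 0\r\n")
ENCRYPTED_SDP = "<opaque encrypted/signed body - placeholder>"

_URI = re.compile(r"^(sips?:)(?:([^@]+)@)?([^:;>]+)(?::(\d+))?(.*)$")


def rewrite_contact(contact_uri, public_ip, public_port):
    """Proxy-side NAT fix: swap the private host:port in Contact for the
    address the request actually arrived from (the 'received' address)."""
    m = _URI.match(contact_uri)
    if m is None:
        raise ValueError(f"not a SIP URI: {contact_uri}")
    scheme, user, _host, _port, params = m.groups()
    userpart = f"{user}@" if user else ""
    return f"{scheme}{userpart}{public_ip}:{public_port}{params}"


def strict_ua_accepts(request_uri, own_uris):
    """RFC 3261 style check: the whole Request-URI must identify this UA.
    A rewritten Contact therefore makes later in-dialog requests fail here."""
    return request_uri in own_uris


def lax_ua_accepts(request_uri, own_user):
    """What many deployed UAs do instead: compare only the user part."""
    m = _URI.match(request_uri)
    return m is not None and m.group(2) == own_user


def rewrite_sdp(body, proxy_ip, proxy_port):
    """Media-proxy style rewrite of the c= line and the audio m= port.
    Returns None when the body is not readable SDP (encrypted or signed):
    the case where the proxy cannot help and only ICE or a friendly NAT
    will get the media through."""
    if not body.startswith("v=0"):
        return None
    body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {proxy_ip}", body, flags=re.M)
    return re.sub(r"^m=audio \d+", f"m=audio {proxy_port}", body, flags=re.M)
```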