Hi,
Hope to get some guidance here over the usage of "sips" and "sip plus transport=tls" when following RFC3263.
The RFC3263 says that a NATPR record could return something like this for a query like "host -t NAPTR example.com":
; order pref flags service regexp replacement IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.example.com. IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.example.com IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.example.com.
This means that the client should use sips if possible when contacting example.com.
Concluding from that, I suppose it should perform an SRV lookup "host -t SRV _sips._tcp.example.com", and the result would be:
;; Priority Weight Port Target IN SRV 0 1 5061 server1.example.com IN SRV 0 2 5061 server2.example.com
What I'm curious about is how requests towards one of these servers should look like, and how they are being handled by kamailio.
A lot of clients and servers are sending "sip:user@example.com;transport=tls" in request URIs and Contact headers and Record-Route headers, and you can check with uri_param("transport","tls") which transport socket to use. This is pretty useful as you can determine hop-by-hop whether or not to use TLS. This approach has been obsoleted by RFC3261 though, and there doesn't seem to be a mechanism in RFC3263 to indicate "use schema sip, but use transport=tls".
On encounter of a NAPTR record like the one above, how does kamailio act? Does it set a "sips" schema for the next hop?
And what's the general take on this "sips" schema? As far as I understand RFC3261, it means that if a client sends a request to a sips-URI, the request is sent to the domain via TLS, and from there "the request is sent securely to the callee, but with security mechanisms that depend on the policy of the domain of the callee." (RFC3261, Chapter 4). What does this really mean in practice? Are you allowed to rewrite the schema to "sip" and pass it on for example via UDP to the callee if the callee didn't indicate transport=tls (deprecated anyways) or "sips:" in the Contact of the registration? Or should you keep "sips" as schema, but still send it via UDP, because you know based on local policy or based on client registration that the next hop is not supporting TLS? How would widespread clients react when getting a call to a "sips" URI, especially if they receive it via UDP?
Looking forward hearing your input on that, Andreas
Andreas Granig writes:
A lot of clients and servers are sending "sip:user@example.com;transport=tls" in request URIs and Contact headers and Record-Route headers, and you can check with uri_param("transport","tls") which transport socket to use. This is pretty useful as you can determine hop-by-hop whether or not to use TLS. This approach has been obsoleted by RFC3261 though, and there doesn't seem to be a mechanism in RFC3263 to indicate "use schema sip, but use transport=tls".
when rfc3261 was specified, the whole sips thing was put there at the last minute. no-one had any practical experience of it. i guess the requirement to have something like https came from ietf area directors. the result is a useless mess.
And what's the general take on this "sips" schema? As far as I understand RFC3261, it means that if a client sends a request to a sips-URI, the request is sent to the domain via TLS, and from there "the request is sent securely to the callee, but with security mechanisms that depend on the policy of the domain of the callee." (RFC3261, Chapter 4). What does this really mean in practice? Are you allowed to rewrite the schema to "sip" and pass it on for example via UDP to the callee if the callee didn't indicate transport=tls (deprecated anyways) or "sips:" in the Contact of the registration?
in that case, the proxy has to drop the request unless the last hop is "secure", i.e., uses a vpn, barb wire, or something.
Or should you keep "sips" as schema, but still send it via UDP, because you know based on local policy or based on client registration that the next hop is not supporting TLS? How would widespread clients react when getting a call to a "sips" URI, especially if they receive it via UDP?
you cannot use sips with udp transport.
-- juha
Hi Juha,
My impression is that transport=tls is something like a widely used consensus on how to securely communicate in SIP. However, is there a way how support for that is communicated towards a client, like SIPS+D2T was supposed to be the way to indicate "sips" support in NAPTR?
I'm using TLS for some months now with a couple of clients, and I'm starting to wonder why we're all still using a mechanism deprecated in RFC3261, whereas we're usually quite sensitive to shortcomings and mistakes in RFC3261 and are not shy cranking out new SIP related RFCs like there's no tomorrow...
It didn't bother me much until today where I realized there is no way to properly indicate to a client that my server supports TLS. Or is there?
Andreas
On 12/01/2012 12:29 AM, Juha Heinanen wrote:
Andreas Granig writes:
A lot of clients and servers are sending "sip:user@example.com;transport=tls" in request URIs and Contact headers and Record-Route headers, and you can check with uri_param("transport","tls") which transport socket to use. This is pretty useful as you can determine hop-by-hop whether or not to use TLS. This approach has been obsoleted by RFC3261 though, and there doesn't seem to be a mechanism in RFC3263 to indicate "use schema sip, but use transport=tls".
when rfc3261 was specified, the whole sips thing was put there at the last minute. no-one had any practical experience of it. i guess the requirement to have something like https came from ietf area directors. the result is a useless mess.
And what's the general take on this "sips" schema? As far as I understand RFC3261, it means that if a client sends a request to a sips-URI, the request is sent to the domain via TLS, and from there "the request is sent securely to the callee, but with security mechanisms that depend on the policy of the domain of the callee." (RFC3261, Chapter 4). What does this really mean in practice? Are you allowed to rewrite the schema to "sip" and pass it on for example via UDP to the callee if the callee didn't indicate transport=tls (deprecated anyways) or "sips:" in the Contact of the registration?
in that case, the proxy has to drop the request unless the last hop is "secure", i.e., uses a vpn, barb wire, or something.
Or should you keep "sips" as schema, but still send it via UDP, because you know based on local policy or based on client registration that the next hop is not supporting TLS? How would widespread clients react when getting a call to a "sips" URI, especially if they receive it via UDP?
you cannot use sips with udp transport.
-- juha
SIP Express Router (SER) and Kamailio (OpenSER) - sr-users mailing list sr-users@lists.sip-router.org http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-users
On 01.12.2012 00:25, Andreas Granig wrote:
Hi,
Hope to get some guidance here over the usage of "sips" and "sip plus transport=tls" when following RFC3263.
The RFC3263 says that a NATPR record could return something like this for a query like "host -t NAPTR example.com":
; order pref flags service regexp replacement IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.example.com. IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.example.com IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.example.com.This means that the client should use sips if possible when contacting example.com.
Concluding from that, I suppose it should perform an SRV lookup "host -t SRV _sips._tcp.example.com", and the result would be:
;; Priority Weight Port Target IN SRV 0 1 5061 server1.example.com IN SRV 0 2 5061 server2.example.comWhat I'm curious about is how requests towards one of these servers should look like, and how they are being handled by kamailio.
(Disclaimer: non normative - this is how I understand SIP and how I would use it)
The request URI should look like the one which the user enters. E.g. if user enters "sip:12345@example.com" then the request URI should be "sip:12345@example.com" - regardless of the transport protocol chosen by the transport layer.
Thus, if NAPTR records tell you to use SIP over TLS, then use SIP over TLS but do not change the request URI.
The contact header could be any transport - but of course it makes sense if the client uses the same transport protocol as used for sending the request (which is usually the same used for registration).
When a user enters "sips:12345@example.com", then of course a secure transport must be used, which basically means that TLS will be used. Nevertheless the request URI is still "sips:12345@example.com" without any transport identifier.
The request URI only contains a transport parameter if the user entered one (e.g. to force its client to use a certain transport), or if the call forwarding logic in the proxy requires a certain transport. In this case, NAPTR lookups will be skipped (as transport is already defined).
In case if a SIPS URI entered by the user, the contact URI must be SIPS too. In a proxy it usually does not makes sense to manually change a request URI from SIP to SIPS - but there may be certain scenarios where things may get complex, e.g. the Sipwise "SIP Provider" setup:
Client1 <---TLS/TCP/UDP ----> Proxy <---UDP--> sems/b2bua / Client2 <---TLS/TCP/UDP --
As long as SIP URIs are used, there is no problem in converting from TLS to UDP. If client 1 uses a SIPS URI to call client 2, then may be problems: From standard point of view it should be fine to convert TLS to UDP, as the transport is secured by other means (in this case a local hop via loopback interface). The question is how the SIP client will react, when receiving SIP requests for SIPs URIs, but the contact contains a SIP URI. A workaround of course would be to change sems's contact to "sips:...;transport=tls" in the proxy, but still use UDP between proxy and sems.
A lot of clients and servers are sending "sip:user@example.com;transport=tls" in request URIs and Contact headers and Record-Route headers, and you can check with uri_param("transport","tls") which transport socket to use. This is pretty useful as you can determine hop-by-hop whether or not to use TLS. This approach has been obsoleted by RFC3261 though, and there doesn't seem to be a mechanism in RFC3263 to indicate "use schema sip, but use transport=tls".
RFC3263 does not enforce the format of the URI. It just tells you to use TLS/TCP/UDP - as said above, the RURI should not be changed due to NAPTR lookups.
On encounter of a NAPTR record like the one above, how does kamailio act? Does it set a "sips" schema for the next hop?
Hopefully not. The RURI should not be changed.
And what's the general take on this "sips" schema? As far as I understand RFC3261, it means that if a client sends a request to a sips-URI, the request is sent to the domain via TLS, and from there "the request is sent securely to the callee, but with security mechanisms that depend on the policy of the domain of the callee." (RFC3261, Chapter 4). What does this really mean in practice? Are you allowed to rewrite the schema to "sip" and pass it on for example via UDP to the callee if the callee didn't indicate transport=tls (deprecated anyways) or "sips:" in the Contact of the registration? Or should you keep "sips" as schema, but still send it via UDP, because you know based on local policy or based on client registration that the next hop is not supporting TLS? How would widespread clients react when getting a call to a "sips" URI, especially if they receive it via UDP?
Yes, there are lots of open issues and sips itself is broken by design as it enforces encryption between all hops, but there is no way to control or enforce that encryption is really used between all hops.
So, I personally would mandate to drop the SIPS schema completely, as it can not guarantee secure transport on all hops. The only hop where a client can enforce a secure transport is the first hop - and this can be done also with the SIPS schema.
regards Klaus
Hi Klaus,
On 12/03/2012 10:15 AM, Klaus Darilion wrote:
The request URI should look like the one which the user enters. E.g. if user enters "sip:12345@example.com" then the request URI should be "sip:12345@example.com" - regardless of the transport protocol chosen by the transport layer.
Thus, if NAPTR records tell you to use SIP over TLS, then use SIP over TLS but do not change the request URI.
So how should the NAPTR record look like if you want to use TLS with a SIP URI? Would it still be SIPS+D2T, or could you use something like SIP+D2T along with a replacement part "_sip._tcp.example.com;transport=tls"?
Andreas
Andreas Granig writes:
So how should the NAPTR record look like if you want to use TLS with a SIP URI? Would it still be SIPS+D2T, or could you use something like SIP+D2T along with a replacement part "_sip._tcp.example.com;transport=tls"?
i would use _sip._tls.example.com. the standard is broken anyway and that would be the easiest solution.
-- juha
3 dec 2012 kl. 10:43 skrev Andreas Granig agranig@sipwise.com:
Hi Klaus,
On 12/03/2012 10:15 AM, Klaus Darilion wrote:
The request URI should look like the one which the user enters. E.g. if user enters "sip:12345@example.com" then the request URI should be "sip:12345@example.com" - regardless of the transport protocol chosen by the transport layer.
Thus, if NAPTR records tell you to use SIP over TLS, then use SIP over TLS but do not change the request URI.
So how should the NAPTR record look like if you want to use TLS with a SIP URI? Would it still be SIPS+D2T, or could you use something like SIP+D2T along with a replacement part "_sip._tcp.example.com;transport=tls"?
The use of SIPS in NAPTR and SRV records does not really have much relationships with the SIPS: URI scheme.
The SIPS uri scheme force a lookup on sips in NAPTR/SRV. But NAPTR is for a domain and I can force you to use TLS with NAPTR records, but you should not change the URI scheme, since that may affect future hops and not only the hop to my proxy.
/O
On 03.12.2012 10:43, Andreas Granig wrote:
Hi Klaus,
On 12/03/2012 10:15 AM, Klaus Darilion wrote:
The request URI should look like the one which the user enters. E.g. if user enters "sip:12345@example.com" then the request URI should be "sip:12345@example.com" - regardless of the transport protocol chosen by the transport layer.
Thus, if NAPTR records tell you to use SIP over TLS, then use SIP over TLS but do not change the request URI.
So how should the NAPTR record look like if you want to use TLS with a SIP URI? Would it still be SIPS+D2T, or could you use something like SIP+D2T along with a replacement part "_sip._tcp.example.com;transport=tls"?
Just use: @ IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.example.com.
I would interpret it as:
SIPS+D2T | \ | \ secure + TCP --> TLS
regards Klaus
Hi Klaus and Ole,
On 12/03/2012 11:43 AM, Klaus Darilion wrote:
Just use: @ IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.example.com.
I would interpret it as:
SIPS+D2T | \ | \ secure + TCP --> TLS
Ok, this seems like a valid approach. I'll investigate further how different clients are actually interpreting it and reacting on this.
Thanks, Andreas
2012/12/1 Andreas Granig agranig@sipwise.com:
Hi,
Hope to get some guidance here over the usage of "sips" and "sip plus transport=tls" when following RFC3263.
The RFC3263 says that a NATPR record could return something like this for a query like "host -t NAPTR example.com":
; order pref flags service regexp replacement IN NAPTR 50 50 "s" "SIPS+D2T" "" _sips._tcp.example.com. IN NAPTR 90 50 "s" "SIP+D2T" "" _sip._tcp.example.com IN NAPTR 100 50 "s" "SIP+D2U" "" _sip._udp.example.com.
This means that the client should use sips if possible when contacting example.com.
The client yes, but a proxy not. This is, if the proxy is forwarding a request with RURI "sip:alice@domain.com" and NAPTR returns a SIPS+D2T (along others) the proxy could choose to send the request via TLS but must not modify the RURI scheme.
Anyhow, I strongly discourage the usage of sips schema. It was a "dream" of the IETF. Nobody uses it, nobody can use it and it provides nothing (since an intermediary proxy could decide not to honor the requested security and forward the request via UDP/TCP). Some months ago I discussed this subject in sipcore WG and the conclusion is that nobody wants sips usage.
A lot of clients and servers are sending "sip:user@example.com;transport=tls" in request URIs and Contact headers and Record-Route headers, and you can check with uri_param("transport","tls") which transport socket to use. This is pretty useful as you can determine hop-by-hop whether or not to use TLS.
This approach has been obsoleted by RFC3261 though, and there doesn't seem to be a mechanism in RFC3263 to indicate "use schema sip, but use transport=tls".
transport=tls has NEVER been real, no one RFC mentions it.
On encounter of a NAPTR record like the one above, how does kamailio act? Does it set a "sips" schema for the next hop?
As said before, the proxy could choose TLS for forwarding the request (so would add a top Via with "TLS" transport) but should not modify the URI scheme.
And what's the general take on this "sips" schema? As far as I understand RFC3261, it means that if a client sends a request to a sips-URI, the request is sent to the domain via TLS, and from there "the request is sent securely to the callee, but with security mechanisms that depend on the policy of the domain of the callee." (RFC3261, Chapter 4). What does this really mean in practice?
When a client sends a request with SIPS in the RURI, the responses must have SIPS in all the Record-Route and Contact. And the same for incoming requests in the same dialog. Otherwise the client should terminate the dialog.
Are you allowed to rewrite the schema to "sip" and pass it on for example via UDP to the callee if the callee didn't indicate transport=tls (deprecated anyways) or "sips:" in the Contact of the registration? Or should you keep "sips" as schema, but still send it via UDP, because you know based on local policy or based on client registration that the next hop is not supporting TLS?
In this case the proxy should not attempt to forward the request and, instead, reject it with 416"Unsupported URI Scheme".
How would widespread clients react when getting a call to a "sips" URI, especially if they receive it via UDP?
Good cuestion but IMHO there is no good response. They could reply normally but the UAC may later terminate the dialog when it realizes that the Contact URI in the response has no SIPS schema (since SIPS is not valid in UDP).
As said before, the easiest way to live with this is by never using SIPS as it provides nothing and adds lot of undocumented issues. Also note that it's valid for a client (or a proxy) to send a request via a TLS connection and still setting a Contact URI with transport=tcp. This would be hard for receiving incoming requests but for that Outbound (RFC 5626) does exist (the proxy would route the requests over the connection initiated by the client, regardless it is TCP or TLS and regardless the URI schema in the Contact URI).
Regards.
11 dec 2012 kl. 01:39 skrev Juha Heinanen jh@tutpro.com:
Iñaki Baz Castillo writes:
transport=tls has NEVER been real, no one RFC mentions it.
transport=tls is very real. many sip UAs and proxies support it.
The interesting part was that it was deprecated in the text of RFC 3261, but never existed. And yes, it solves a problem that we can't solve without it, so everyone implements it.
funny that you now care about RFCs, when in the same message you don't care about them regarding sips.
RFC 3261 description of the SIPS: uri scheme was kind of naive, and did not work in practise. RFC 5630 did a good job in trying to clarify the mess. Most SIP people agree that it's still not really resolved. SIPS: doesn't deliver the same promise as HTTPS - security end to end. SIPS: just guarantees the first hop.
In addition there is a lot of missing pieces to get SIPS: to work. LIke how a proxy can signal back to the originating UA that it could not set up a TLS connection because the certificate of the next hop was bad/expired/not signed by approved CA or something else.
After ten years, I think SIPS as a uri scheme is a lost cause. This does NOT mean that TLS is a lost cause, but I think we can't leave the decision about security to the end point user - and they can't decide whether or not they want to place a request for "secure signalling" in their call setup. The WebRTC way is better, just make every call more secure.
/O
2012/12/11 Olle E. Johansson oej@edvina.net:
In addition there is a lot of missing pieces to get SIPS: to work. LIke how a proxy can signal back to the originating UA that it could not set up a TLS connection because the certificate of the next hop was bad/expired/not signed by approved CA or something else.
And there are more issues (I hate to remember them) that make SIPS unfeasible.
After ten years, I think SIPS as a uri scheme is a lost cause. This does NOT mean that TLS is a lost cause, but I think we can't leave the decision about security to the end point user - and they can't decide whether or not they want to place a request for "secure signalling" in their call setup. The WebRTC way is better, just make every call more secure.
Well, WebRTC just defines the media plane (which MUST be SRTP-DTLS) but the signaling plane is up to the application/web provider, which can be as secure (or insecure) as any SIP or HTTP deployment.
Cheers.
2012/12/11 Juha Heinanen jh@tutpro.com:
Iñaki Baz Castillo writes:
transport=tls has NEVER been real, no one RFC mentions it.
transport=tls is very real. many sip UAs and proxies support it.
I know that and I never said the opposite. I said that no one RFC standarizes transport=tls.
funny that you now care about RFCs, when in the same message you don't care about them regarding sips.
sips is a bad hack and a useless pseudo-security mechanism. An IETF fail. Don't you think that?
-
Andreas Granig -
Iñaki Baz Castillo -
Juha Heinanen -
Klaus Darilion -
Olle E. Johansson