Discussion:
[Sip-implementors] SIP URI scheme "sip" and ; transport=tls, what to do in a proxy?
Iñaki Baz Castillo
2011-06-15 19:52:45 UTC
Permalink
Hi, according to RFC 3261 a SIP URI should not contain ;transport=tls
as "tls" is not a valid transport (it should be "tcp" in case of TLS
over SCTP, or "sctp" in case of TLS over SCTP and so).

So the correct way is using a "sips" scheme and ;transport=tcp (or
omit ;transport param). In this case the proxy should forward the
request using TLS over TCP.

Ok, but there are legacy (and not so legacy) SIP clients that still
use ;transport=tls. So what should do a proxy if it receives a request
like the following?:

sip:alice at lalala.com;transport=tls

a) Perform _sips._tcp.lalala.com SRV query or, if it does not exist,
use port 5061, and open a TLS over TCP connection.

b) Behave as if ;transport=tcp is given, so perform
_sip._tcp.lalala.com SRV query or, if it does not exist, use port
5060, and open a TCP connection.

c) Whatever other solution.


Thanks.
--
I?aki Baz Castillo
<ibc at aliax.net>
Iñaki Baz Castillo
2011-06-15 20:04:36 UTC
Permalink
Post by Iñaki Baz Castillo
Hi, according to RFC 3261 a SIP URI should not contain ;transport=tls
as "tls" is not a valid transport (it should be "tcp" in case of TLS
over SCTP, or "sctp" in case of TLS over SCTP and so).
Obviously I meant:

it should be "tcp" in case of TLS over TCP, or "sctp" in case of TLS over SCTP
--
I?aki Baz Castillo
<ibc at aliax.net>
Brez Borland
2011-06-16 08:15:57 UTC
Permalink
Post by Iñaki Baz Castillo
Hi, according to RFC 3261 a SIP URI should not contain ;transport=tls
as "tls" is not a valid transport (it should be "tcp" in case of TLS
over SCTP, or "sctp" in case of TLS over SCTP and so).
So the correct way is using a "sips" scheme and ;transport=tcp (or
omit ;transport param). In this case the proxy should forward the
request using TLS over TCP.
Ok, but there are legacy (and not so legacy) SIP clients that still
use ;transport=tls. So what should do a proxy if it receives a request
sip:alice at lalala.com;transport=tls
a) Perform _sips._tcp.lalala.com SRV query or, if it does not exist,
use port 5061, and open a TLS over TCP connection.
b) Behave as if ;transport=tcp is given, so perform
_sip._tcp.lalala.com SRV query or, if it does not exist, use port
5060, and open a TCP connection.
c) Whatever other solution.
I would say that "sip:alice at lalala.com;transport=tls" should be treated as "
sips:alice at lalala.com". And only (a) in the example makes sense.


Regards,

Brez
Post by Iñaki Baz Castillo
Thanks.
--
I?aki Baz Castillo
<ibc at aliax.net>
_______________________________________________
Sip-implementors mailing list
Sip-implementors at lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
Aaron Clauson
2011-06-17 12:07:47 UTC
Permalink
Post by Iñaki Baz Castillo
Hi, according to RFC 3261 a SIP URI should not contain ;transport=tls
as "tls" is not a valid transport (it should be "tcp" in case of TLS
over SCTP, or "sctp" in case of TLS over SCTP and so).
Is RFC 3261 really stating that transport=tls is no longer valid? The
mention of transport=tls being deprecated in "Section 26.2.2 SIPS URI
Scheme" indicates that the use of the transport=tls option is deprecated for
SIPS URIs which means it should still be a perfectly valid option for SIP
URIs. And in fact in "Section 28.2 Minor Functional Changes" one of the
items is "Added TLS and SCTP as valid SIP transports" so it would seem
strange for RFC 3261 to add it and deprecate it at the same time. And of
course transport=tls is perfectly valid according to the BNF.

The reason I'm interested in this is I do have a lot of cases where
transport=tls is required to solve user connectivity issues. Some Middle
East countries do everything they can to block VoIP but they are powerless
if UAs connect over a TLS transport on a non-standard port. At the same time
the users don't want to use SIPS URIs since that has a whole lot of
connotations about the end-to-end call forwarding which are not relevant.
All that's required is that a single hop, in this case the first one, is
carried out over a TLS transport.

Regards,
Aaron
Iñaki Baz Castillo
2011-06-17 12:39:06 UTC
Permalink
Post by Aaron Clauson
Post by Iñaki Baz Castillo
Hi, according to RFC 3261 a SIP URI should not contain ;transport=tls
as "tls" is not a valid transport (it should be "tcp" in case of TLS
over SCTP, or "sctp" in case of TLS over SCTP and so).
Is RFC 3261 really stating that transport=tls is no longer valid? The
mention of transport=tls being deprecated in "Section 26.2.2 SIPS URI
Scheme" indicates that the use of the transport=tls option is deprecated for
SIPS URIs which means it should still be a perfectly valid option for SIP
URIs. And in fact in "Section 28.2 Minor Functional Changes" one of the
items is "Added TLS and SCTP as valid SIP transports" so it would seem
strange for RFC 3261 to add it and deprecate it at the same time. And of
course transport=tls is perfectly valid according to the BNF.
Good point. But honestly, this becomes ugly and complex. So, "sips"
with ;transport=tcp but "sips" with ;transport=tls. Is "tls" a real
transport or not? why "sips" and ;transport=tls is deprecated?
--
I?aki Baz Castillo
<ibc at aliax.net>
Aaron Clauson
2011-06-17 12:59:31 UTC
Permalink
From: I?aki Baz Castillo [mailto:ibc at aliax.net]
Post by Iñaki Baz Castillo
Good point. But honestly, this becomes ugly and complex. So, "sips"
with ;transport=tcp but "sips" with ;transport=tls. Is "tls" a real
transport or not? why "sips" and ;transport=tls is deprecated?
My understanding is that transport=tls is a valid option for SIP URIs. For SIPS URIs it's a valid but deprecated option and I guess the reason it's deprecated is that TLS is already implied to be mandatory.

I wonder how you would specify a SIP URI that used TLS over SCTP?
Brez Borland
2011-06-17 13:46:26 UTC
Permalink
Post by Aaron Clauson
From: I?aki Baz Castillo [mailto:ibc at aliax.net]
Post by Iñaki Baz Castillo
Good point. But honestly, this becomes ugly and complex. So, "sips"
with ;transport=tcp but "sips" with ;transport=tls. Is "tls" a real
transport or not? why "sips" and ;transport=tls is deprecated?
My understanding is that transport=tls is a valid option for SIP URIs. For
SIPS URIs it's a valid but deprecated option and I guess the reason it's
deprecated is that TLS is already implied to be mandatory.
I wonder how you would specify a SIP URI that used TLS over SCTP?
I understand this is not possible. If you use SIP you don't use TLS.

Where there is intention to use security _only_ to the next hop, protocol
tunneling/encapsulation techniques should be used which is out of scope of
the SIP protocol itself.



Regards,

Brez
Post by Aaron Clauson
_______________________________________________
Sip-implementors mailing list
Sip-implementors at lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
Brez Borland
2011-06-17 13:49:50 UTC
Permalink
Post by Brez Borland
Post by Aaron Clauson
From: I?aki Baz Castillo [mailto:ibc at aliax.net]
Post by Iñaki Baz Castillo
Good point. But honestly, this becomes ugly and complex. So, "sips"
with ;transport=tcp but "sips" with ;transport=tls. Is "tls" a real
transport or not? why "sips" and ;transport=tls is deprecated?
My understanding is that transport=tls is a valid option for SIP URIs. For
SIPS URIs it's a valid but deprecated option and I guess the reason it's
deprecated is that TLS is already implied to be mandatory.
I wonder how you would specify a SIP URI that used TLS over SCTP?
I understand this is not possible. If you use SIP you don't use TLS.
Correcting myself. This was in regards to the compliance with 3261 and
later..
Post by Brez Borland
Where there is intention to use security _only_ to the next hop, protocol
tunneling/encapsulation techniques should be used which is out of scope of
the SIP protocol itself.
Regards,
Brez
Post by Aaron Clauson
_______________________________________________
Sip-implementors mailing list
Sip-implementors at lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
Brett Tate
2011-06-17 13:53:25 UTC
Permalink
For what it is worth... rfc5630 updates rfc3261 and may be helpful since it doesn't just discuss sips.
-----Original Message-----
From: sip-implementors-bounces at lists.cs.columbia.edu [mailto:sip-
implementors-bounces at lists.cs.columbia.edu] On Behalf Of Brez Borland
Sent: Friday, June 17, 2011 9:46 AM
To: Aaron Clauson
Cc: sip-implementors at lists.cs.columbia.edu
Subject: Re: [Sip-implementors] SIP URI scheme "sip" and ;
transport=tls, what to do in a proxy?
Post by Aaron Clauson
From: I?aki Baz Castillo [mailto:ibc at aliax.net]
Post by Iñaki Baz Castillo
Good point. But honestly, this becomes ugly and complex. So, "sips"
with ;transport=tcp but "sips" with ;transport=tls. Is "tls" a real
transport or not? why "sips" and ;transport=tls is deprecated?
My understanding is that transport=tls is a valid option for SIP
URIs. For
Post by Aaron Clauson
SIPS URIs it's a valid but deprecated option and I guess the reason
it's
Post by Aaron Clauson
deprecated is that TLS is already implied to be mandatory.
I wonder how you would specify a SIP URI that used TLS over SCTP?
I understand this is not possible. If you use SIP you don't use TLS.
Where there is intention to use security _only_ to the next hop, protocol
tunneling/encapsulation techniques should be used which is out of scope of
the SIP protocol itself.
Regards,
Brez
Post by Aaron Clauson
_______________________________________________
Sip-implementors mailing list
Sip-implementors at lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
_______________________________________________
Sip-implementors mailing list
Sip-implementors at lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
Brez Borland
2011-06-17 15:01:10 UTC
Permalink
Post by Brett Tate
For what it is worth... rfc5630 updates rfc3261 and may be helpful since it
doesn't just discuss sips.
-----Original Message-----
From: sip-implementors-bounces at lists.cs.columbia.edu [mailto:sip-
implementors-bounces at lists.cs.columbia.edu] On Behalf Of Brez Borland
Sent: Friday, June 17, 2011 9:46 AM
To: Aaron Clauson
Cc: sip-implementors at lists.cs.columbia.edu
Subject: Re: [Sip-implementors] SIP URI scheme "sip" and ;
transport=tls, what to do in a proxy?
Post by Aaron Clauson
From: I?aki Baz Castillo [mailto:ibc at aliax.net]
Post by Iñaki Baz Castillo
Good point. But honestly, this becomes ugly and complex. So, "sips"
with ;transport=tcp but "sips" with ;transport=tls. Is "tls" a real
transport or not? why "sips" and ;transport=tls is deprecated?
My understanding is that transport=tls is a valid option for SIP
URIs. For
Post by Aaron Clauson
SIPS URIs it's a valid but deprecated option and I guess the reason
it's
Post by Aaron Clauson
deprecated is that TLS is already implied to be mandatory.
I wonder how you would specify a SIP URI that used TLS over SCTP?
I understand this is not possible. If you use SIP you don't use TLS.
Where there is intention to use security _only_ to the next hop, protocol
tunneling/encapsulation techniques should be used which is out of scope of
the SIP protocol itself.
Thanks Brett. After looking into rfc5630 I think I might have been wrong.
The UAC should be able to send SIP requests through SIPS connection, because
it would be the matter of what exactly the next hop resolves to, or what the
UAC is configured to use for the next hop. Say if UAC is configured to use a
next hop _sip.tcp.host.com then it would open a TLS/TCP connection to that
host, and send a SIP request. Therefore this way having non-secure request
over the secure connection to the first hop.

Comments please,


Regards,

Brez
Post by Brett Tate
Regards,
Brez
Post by Aaron Clauson
_______________________________________________
Sip-implementors mailing list
Sip-implementors at lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
_______________________________________________
Sip-implementors mailing list
Sip-implementors at lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
_______________________________________________
Sip-implementors mailing list
Sip-implementors at lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
Iñaki Baz Castillo
2011-06-18 14:47:48 UTC
Permalink
I agree. Rfc 5360 says that a client could send a request over tls to the
proxy without the need of using sips schema in the request uri. However what
should it set in contact header? sip and transport=tls or sips and
transport=tcp?

In the second case it would require all requests in dialog from the called
to use tls in all the path!! So I assume sip and transport=tls is the way.
Opinions?
For what it is worth... ...
Thanks Brett. After looking into rfc5630 I think I might have been wrong.
The UAC should be able to send SIP requests through SIPS connection, because
it would be the matter of what exactly the next hop resolves to, or what the
UAC is configured to use for the next hop. Say if UAC is configured to use a
next hop _sip.tcp.host.com then it would open a TLS/TCP connection to that
host, and send a SIP request. Therefore this way having non-secure request
over the secure connection to the first hop.

Comments please,


Regards,

Brez
Post by Brez Borland
Regards,
Brez
_____________________________...
Brez Borland
2011-06-18 22:43:43 UTC
Permalink
Post by Iñaki Baz Castillo
I agree. Rfc 5360 says that a client could send a request over tls to the
proxy without the need of using sips schema in the request uri. However what
should it set in contact header? sip and transport=tls or sips and
transport=tcp?
In the second case it would require all requests in dialog from the called
to use tls in all the path!! So I assume sip and transport=tls is the way.
Opinions?
I can't see how SIP and "transport=tls" would enable the registering user to
indicate that it wants to be contacted over SIP, but for the last hop on the
path to use TLS. This looks like the NAT case to me. Where there is no way
to directly address the user, but rather reach him through the proxy. Where
party trying to reach the user will contact proxy in clear-text SIP, and
then proxy will contact the actual user through the secure connection. Am I
talking rfc5626 here?


Regards,
Post by Iñaki Baz Castillo
For what it is worth... ...
Thanks Brett. After looking into rfc5630 I think I might have been wrong.
The UAC should be able to send SIP requests through SIPS connection, because
it would be the matter of what exactly the next hop resolves to, or what the
UAC is configured to use for the next hop. Say if UAC is configured to use a
next hop _sip.tcp.host.com then it would open a TLS/TCP connection to that
host, and send a SIP request. Therefore this way having non-secure request
over the secure connection to the first hop.
Comments please,
Regards,
Brez
Post by Brez Borland
Regards,
Brez
_____________________________...
Iñaki Baz Castillo
2011-06-19 17:45:02 UTC
Permalink
Post by Brez Borland
Post by Iñaki Baz Castillo
I agree. Rfc 5360 says that a client could send a request over tls to the
proxy without the need of using sips schema in the request uri. However what
should it set in contact header? sip and transport=tls or sips and
transport=tcp?
In the second case it would require all requests in dialog from the called
to use tls in all the path!! So I assume sip and transport=tls is the way.
Opinions?
I can't see how SIP and "transport=tls" would enable the registering user to
indicate that it wants to be contacted over SIP, but for the last hop on the
path to use TLS. This looks like the NAT case to me. Where there is no way
to directly address the user, but rather reach him through the proxy.
After re-thinking it, I was wrong: The caller could send an INVITE as follows:

INVITE sip:bob at domain.org
Via: SIP/2.0/TLS ....
Contact: <sips:alice at 1.1.1.1;transport=tcp>

and send it via TLS to the proxy. Note that the request URI is not
sips but just sip, so the proxy can route it by using UDP/TCP/TLS or
whatever (RFC 3263 and so). The proxy could insert Record-Route with
"sip" scheme and "udp"/"tcp" transport params.

So when bob (the called) sends an in-dialog requests as BYE it would
send it over UDP/TCP/TLS or whatever (depending first Route
transport). When the request arrives to Alice outbound proxy, it would
remove all the Routes and inspect the Request URI, which contains
"sips" and ;transport=tcp, so would route it using TLS. Of course in
case of NAT RFC 5626 is required and so...
Post by Brez Borland
Where
party trying to reach the user will contact proxy in clear-text SIP, and
then proxy will contact the actual user through the secure connection. Am I
talking rfc5626 here?
I think so :)
--
I?aki Baz Castillo
<ibc at aliax.net>
Brez Borland
2011-06-20 22:18:22 UTC
Permalink
Also, to secure the outgoing connection to the first hop we could use
rfc3329?


Regards
Post by Iñaki Baz Castillo
On Sat, Jun 18, 2011 at 3:47 PM, I?aki Baz Castillo <ibc at aliax.net>
Post by Iñaki Baz Castillo
I agree. Rfc 5360 says that a client could send a request over tls to
the
Post by Iñaki Baz Castillo
proxy without the need of using sips schema in the request uri. However
what
Post by Iñaki Baz Castillo
should it set in contact header? sip and transport=tls or sips and
transport=tcp?
In the second case it would require all requests in dialog from the
called
Post by Iñaki Baz Castillo
to use tls in all the path!! So I assume sip and transport=tls is the
way.
Post by Iñaki Baz Castillo
Opinions?
I can't see how SIP and "transport=tls" would enable the registering user
to
indicate that it wants to be contacted over SIP, but for the last hop on
the
path to use TLS. This looks like the NAT case to me. Where there is no
way
to directly address the user, but rather reach him through the proxy.
INVITE sip:bob at domain.org
Via: SIP/2.0/TLS ....
Contact: <sips:alice at 1.1.1.1;transport=tcp>
and send it via TLS to the proxy. Note that the request URI is not
sips but just sip, so the proxy can route it by using UDP/TCP/TLS or
whatever (RFC 3263 and so). The proxy could insert Record-Route with
"sip" scheme and "udp"/"tcp" transport params.
So when bob (the called) sends an in-dialog requests as BYE it would
send it over UDP/TCP/TLS or whatever (depending first Route
transport). When the request arrives to Alice outbound proxy, it would
remove all the Routes and inspect the Request URI, which contains
"sips" and ;transport=tcp, so would route it using TLS. Of course in
case of NAT RFC 5626 is required and so...
Where
party trying to reach the user will contact proxy in clear-text SIP, and
then proxy will contact the actual user through the secure connection. Am
I
talking rfc5626 here?
I think so :)
--
I?aki Baz Castillo
<ibc at aliax.net>
Iñaki Baz Castillo
2011-06-21 08:02:52 UTC
Permalink
Post by Brez Borland
Also, to secure the outgoing connection to the first hop we could use
rfc3329?
Too much exotic, too much ways of doing the same, just too much (IMHO)....
--
I?aki Baz Castillo
<ibc at aliax.net>
Iñaki Baz Castillo
2011-06-17 16:07:24 UTC
Permalink
sips schema and transport=sctp.

El 17/06/2011 13:59, "Aaron Clauson" <aaron at sipsorcery.com> escribi?:

From: I?aki Baz Castillo [mailto:ibc at aliax.net]
Post by Iñaki Baz Castillo
Good point. But honestly, this becomes ugly and complex. So, "sips"
with ;transport=tcp but "sip...
My understanding is that transport=tls is a valid option for SIP URIs. For
SIPS URIs it's a valid but deprecated option and I guess the reason it's
deprecated is that TLS is already implied to be mandatory.

I wonder how you would specify a SIP URI that used TLS over SCTP?
Brez Borland
2011-06-17 13:10:41 UTC
Permalink
Post by Aaron Clauson
Post by Iñaki Baz Castillo
Hi, according to RFC 3261 a SIP URI should not contain ;transport=tls
as "tls" is not a valid transport (it should be "tcp" in case of TLS
over SCTP, or "sctp" in case of TLS over SCTP and so).
Is RFC 3261 really stating that transport=tls is no longer valid? The
mention of transport=tls being deprecated in "Section 26.2.2 SIPS URI
Scheme" indicates that the use of the transport=tls option is deprecated for
SIPS URIs which means it should still be a perfectly valid option for SIP
URIs. And in fact in "Section 28.2 Minor Functional Changes" one of the
items is "Added TLS and SCTP as valid SIP transports" so it would seem
strange for RFC 3261 to add it and deprecate it at the same time. And of
course transport=tls is perfectly valid according to the BNF.
rfc3261 requires all elements to support TCP, this is a change from rfc2543,
check out the last paragraph of Section 18, of rfc3261. Also, there was
nothing said about SCTP in the rfc2543, therefore SCTP is defined in
rfc3261.

Deducting from this, I'd say it is an editorial mistake in the Section 28.2
of rfc3261, where it should rather say "Added TCP and SCTP as valid SIP
transports."

Any thoughts on this?
Post by Aaron Clauson
The reason I'm interested in this is I do have a lot of cases where
transport=tls is required to solve user connectivity issues. Some Middle
East countries do everything they can to block VoIP but they are powerless
if UAs connect over a TLS transport on a non-standard port. At the same time
the users don't want to use SIPS URIs since that has a whole lot of
connotations about the end-to-end call forwarding which are not relevant.
All that's required is that a single hop, in this case the first one, is
carried out over a TLS transport.
If one needs to secure the connection only to the next hop, it would make
sense to indicate this somehow but not in the URI.

i.e. If a user wants a connection to be secure, she want it to be secure
end-to-end. Like browsing the web, if it's https it's secure from the
browser all the way to the server. If you want your connection to be secure
only to the next(first) hop, you configure to use a proxy explicitly.
Post by Aaron Clauson
From here is the question, should the protocol implement the rule where
security is used only to the next hop? IMHO, it would only complicate it.


Regards,

Brez
Post by Aaron Clauson
Regards,
Aaron
_______________________________________________
Sip-implementors mailing list
Sip-implementors at lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
Continue reading on narkive:
Search results for '[Sip-implementors] SIP URI scheme "sip" and ; transport=tls, what to do in a proxy?' (Questions and Answers)
8
replies
What's the meaning of http. in the Internet?
started 2007-02-15 00:59:53 UTC
internet
Loading...