Re: [Ietf-behave] SIP over TLS via NAT/Firewall
"SUNIL J. KUMAR" <sunilkumar_j@spanservices.com> Tue, 24 October 2006 19:11 UTC
From: "SUNIL J. KUMAR" <sunilkumar_j@spanservices.com>
Date: Tue, 24 Oct 2006 14:11:42 -0500
Subject: Re: [Ietf-behave] SIP over TLS via NAT/Firewall
In-Reply-To: <143001c6f798$ce876ff0$c5f0200a@amer.cisco.com>
Message-ID: <8DA47B9A5400DE40ADB30B051C215CCE02C05954@mail.spanservices.com>
MIME-Version: 1.0
Content-Type: text/plain
Looks like a good draft. But SIP security is still a major concern in this draft as well. Many of the functions this document describes have important SIP security and privacy implications, which I am planning to provide at the NAT/Firewall itself for SIP messages (requests/responses).

________________________________
From: Dan Wing [mailto:dwing@xxxxxxxxx]
Sent: Tue 10/24/2006 11:48 PM
To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall

Check out draft-camarillo-sipping-sbc-funcs-04.txt which is what I think you're asking about?

-d

> -----Original Message-----
> From: SUNIL J. KUMAR [mailto:sunilkumar_j@xxxxxxxxxxxxxxxx]
> Sent: Tuesday, October 24, 2006 11:01 AM
> To: Dan Wing; ietf-behave@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
>
> Hi Dan,
>
> Since we are planning to provide more security at the SIP ALG
> level against a number of possible attacks like eavesdropping,
> session hijacking, DoS attacks, session tear-down,
> impersonating a server, registration hijacking etc., and SIP
> RFC 3261 suggests that TLS can be a good way to provide
> security. But this security we want to have at the SIP-ALG/NAT
> level itself. An idea on this solution would be of great help.
>
> Thanks,
> Sunil
>
> ________________________________
>
> From: Dan Wing [mailto:dwing@xxxxxxxxx]
> Sent: Tue 10/24/2006 9:51 PM
> To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
>
> > Thanks a lot. It's a very valid comment. That means, if at all
> > we have to intercept any SIP message on the
> > NAT/Firewall/SIP-ALG which was sent over TLS, there MUST be a
> > proxy server coexisting with the SIP-ALG/NAT so that it'll
> > become a SIP entity and can be on the path of any SIP message
> > incoming to or outgoing from the trusted network.
>
> Why do you believe this is a requirement? There are several
> disadvantages to such an approach, and few -- if any --
> advantages.
>
> -d
>
> > If one can
> > suggest what should be the minimal proxy functionality? I am sure
> > that just a stateless proxy won't suffice. Please comment.
> >
> > Best Regards,
> > Sunil
> >
> > ________________________________
> >
> > From: Dan Wing [mailto:dwing@xxxxxxxxx]
> > Sent: Mon 10/23/2006 6:36 PM
> > To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> > Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> >
> > > Hi,
> > >
> > > Would like to know about SIP negotiations on TLS. It is the
> > > fact that TLS strictly provides hop-by-hop security in a SIP
> > > network and even encryption is also on a hop-by-hop basis.
> > >
> > > It'll be great if someone let me know if there is a SIP ALG
> > > coexisting with NAT/Firewall on the edge of an enterprise
> > > network and there is a SIP Server on the public network. If
> > > suppose a UA sends a SIP request message on TLS, can it be
> > > intercepted by the NAT/Firewall on the edge
> >
> > No, a TLS-encrypted message cannot be intercepted by a NAT or firewall
> > device. If a NAT or firewall could examine the plaintext contents of a
> > TLS-encrypted message, TLS wouldn't have much value!
> >
> > -d
> >
> > > or will it bypass the
> > > NAT/Firewall and directly go to the SIP Server on the public
> > > network?
> > >
> > >   Private Network              |            Public Network
> > >                                |
> > >   UA ------------> NAT/Firewall/SIP-ALG ------------> SIP Server
> > >          tls                   |               tls
> > >                                |
> > >
> > > Regards,
> > >
> > > Sunil
> > >
> > > _______________________________________________
> > > Ietf-behave mailing list
> > > Ietf-behave@xxxxxxxxxxxxxxxxxxx
> > > https://list.sipfoundry.org/mailman/listinfo/ietf-behave
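The thread turns on one point: an edge NAT/firewall or SIP-ALG that is not a TLS endpoint sees only TLS records, never the SIP request inside them. As an added example, not code from the thread or from any of its participants, the Python below builds a constructed SIP-over-TLS byte stream (a ClientHello carrying an SNI extension, followed by an application_data record whose payload is a stand-in for ciphertext) and runs a middlebox-style parser over it. It shows the two things such a device can still use for policy, the server name in the cleartext ClientHello and the record sizes, and that the SIP request line is not recoverable from the application data. The server name sip.example.com, the opaque payload and all helper names are assumptions of the example; the record and extension layouts follow RFC 5246 and RFC 6066.

```python
"""Added example (not from the mailing-list thread): what a NAT/firewall or
SIP-ALG that does NOT terminate TLS can and cannot extract from a SIP-over-TLS
flow.  The TLS stream is constructed in-process; the application_data payload
stands in for ciphertext (real record encryption is not reimplemented here)."""
import hashlib
import struct

CONTENT_HANDSHAKE = 0x16
CONTENT_APPDATA = 0x17
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SIP_TOKENS = (b"INVITE", b"REGISTER", b"BYE", b"ACK", b"CANCEL", b"OPTIONS", b"SIP/2.0")

# Constructed stand-in for ciphertext: deterministic bytes with no structure.
OPAQUE_PAYLOAD = hashlib.sha256(b"constructed ciphertext stand-in").digest() * 4


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with one SNI host_name entry (RFC 6066)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # NameType host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    body = (
        b"\x03\x03"                                # client_version TLS 1.2
        + bytes(32)                                # random (zeros; constructed)
        + b"\x00"                                  # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"       # cipher_suites: one suite
        + b"\x01\x00"                              # compression_methods: null
        + struct.pack("!H", len(ext)) + ext        # extensions block
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE, 3, 1]) + struct.pack("!H", len(handshake)) + handshake


def build_app_data(payload: bytes) -> bytes:
    """application_data record; after the handshake its payload is ciphertext."""
    return bytes([CONTENT_APPDATA, 3, 3]) + struct.pack("!H", len(payload)) + payload


def parse_records(stream: bytes):
    """Split a TCP byte stream into (content_type, payload) TLS records (RFC 5246)."""
    records, off = [], 0
    while off < len(stream):
        if off + 5 > len(stream):
            raise ValueError("truncated TLS record header")
        ctype, _major, _minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        payload = stream[off + 5:off + 5 + length]
        if len(payload) != length:
            raise ValueError("truncated TLS record body")
        records.append((ctype, payload))
        off += 5 + length
    return records


def extract_sni(handshake: bytes):
    """Return the host_name from a ClientHello's server_name extension, else None."""
    if len(handshake) < 4 or handshake[0] != HANDSHAKE_CLIENT_HELLO:
        return None
    try:
        body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
        off = 2 + 32                                           # client_version + random
        off += 1 + body[off]                                   # session_id
        off += 2 + struct.unpack("!H", body[off:off + 2])[0]   # cipher_suites
        off += 1 + body[off]                                   # compression_methods
        if off + 2 > len(body):
            return None                                        # no extensions block
        end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
        off += 2
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", body[off:off + 4])
            edata, off = body[off + 4:off + 4 + elen], off + 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            p = 2                                              # skip ServerNameList length
            while p + 3 <= len(edata):
                ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
                if ntype == 0:
                    return edata[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                            # malformed hello
    return None


def looks_like_sip(payload: bytes) -> bool:
    """True if the bytes start like a SIP request or status line (RFC 3261 framing)."""
    first_line = payload.split(b"\r\n", 1)[0]
    return first_line.startswith(SIP_TOKENS) and (
        first_line.endswith(b" SIP/2.0") or first_line.startswith(b"SIP/2.0 ")
    )


def middlebox_view(stream: bytes) -> dict:
    """What a device without the session keys learns: SNI, record count and
    application-data byte count, but no SIP content."""
    view = {"sni": None, "records": 0, "app_data_bytes": 0, "sip_visible": False}
    for ctype, payload in parse_records(stream):
        view["records"] += 1
        if ctype == CONTENT_HANDSHAKE and view["sni"] is None:
            view["sni"] = extract_sni(payload)
        elif ctype == CONTENT_APPDATA:
            view["app_data_bytes"] += len(payload)
            view["sip_visible"] |= looks_like_sip(payload)   # ciphertext: stays False
    return view


if __name__ == "__main__":
    flow = build_client_hello("sip.example.com") + build_app_data(OPAQUE_PAYLOAD)
    print(middlebox_view(flow))
    # The same request sent without TLS would be readable by the ALG:
    print(looks_like_sip(b"INVITE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/TCP 10.0.0.5\r\n"))
```

Run it as a script to print the middlebox view. The caveat that matters for the design being discussed: if the edge device does terminate TLS (the SBC/B2BUA model of draft-camarillo-sipping-sbc-funcs), it holds the session keys and sees plaintext, but then the UA's TLS peer is the edge device, not the SIP server, and the UA must be provisioned to trust the edge device's certificate; the hop-by-hop nature of SIP over TLS means that is a change in trust model, not a transparent interception.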
- [Ietf-behave] SIP over TLS via NAT/Firewall SUNIL J. KUMAR
- Re: [Ietf-behave] SIP over TLS via NAT/Firewall Rémi Denis-Courmont
- Re: [Ietf-behave] SIP over TLS via NAT/Firewall Dan Wing
- Re: [Ietf-behave] SIP over TLS via NAT/Firewall SUNIL J. KUMAR
- Re: [Ietf-behave] SIP over TLS via NAT/Firewall Dan Wing
- Re: [Ietf-behave] SIP over TLS via NAT/Firewall SUNIL J. KUMAR
- Re: [Ietf-behave] SIP over TLS via NAT/Firewall Dan Wing
- Re: [Ietf-behave] SIP over TLS via NAT/Firewall SUNIL J. KUMAR
- Re: [Ietf-behave] SIP over TLS via NAT/Firewall Dan Wing