Re: [Ietf-behave] SIP over TLS via NAT/Firewall

"SUNIL J. KUMAR" <sunilkumar_j@spanservices.com> Tue, 24 October 2006 19:11 UTC

From: "SUNIL J. KUMAR" <sunilkumar_j@spanservices.com>
Date: Tue, 24 Oct 2006 14:11:42 -0500
Subject: Re: [Ietf-behave] SIP over TLS via NAT/Firewall
In-Reply-To: <143001c6f798$ce876ff0$c5f0200a@amer.cisco.com>
Message-ID: <8DA47B9A5400DE40ADB30B051C215CCE02C05954@mail.spanservices.com>
MIME-Version: 1.0
Content-Type: text/plain

Looks like a good draft. But SIP security is still a major concern in this draft 
as well. Many of the functions this document describes have important SIP 
security and privacy implications, which I am planning to provide at the 
NAT/Firewall itself for SIP messages (requests/responses).

________________________________

From: Dan Wing [mailto:dwing@xxxxxxxxx]
Sent: Tue 10/24/2006 11:48 PM
To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall



Check out draft-camarillo-sipping-sbc-funcs-04.txt which is
what I think you're asking about?

-d


> -----Original Message-----
> From: SUNIL J. KUMAR [mailto:sunilkumar_j@xxxxxxxxxxxxxxxx]
> Sent: Tuesday, October 24, 2006 11:01 AM
> To: Dan Wing; ietf-behave@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
>
> Hi Dan,
> 
> We are planning to provide more security at the SIP ALG level against a
> number of possible attacks like eavesdropping, session hijacking, DoS
> attacks, session teardown, impersonating a server, registration hijacking
> etc., and SIP RFC 3261 suggests that TLS can be a good way to provide
> security. But we want to have this security at the SIP-ALG/NAT level
> itself. An idea on this solution would be of great help.
> 
> Thanks,
> Sunil
>
> ________________________________
>
> From: Dan Wing [mailto:dwing@xxxxxxxxx]
> Sent: Tue 10/24/2006 9:51 PM
> To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
>
>
>
> > Thanks a lot. It's a very valid comment. That means, if at all we
> > have to intercept any SIP message on the NAT/Firewall/SIP-ALG which
> > was sent over TLS, there MUST be a proxy server coexisting with the
> > SIP-ALG/NAT so that it becomes a SIP entity and can be on the path of
> > any SIP message incoming to or outgoing from the trusted network.
>
> Why do you believe this is a requirement?  There are several
> disadvantages to such an approach, and few -- if any --
> advantages.
>
> -d
>
> > Could someone suggest what the minimal proxy functionality should be?
> > I am sure that just a stateless proxy won't suffice. Please comment.
> >
> > Best Regards,
> > Sunil
> >
> > ________________________________
> >
> > From: Dan Wing [mailto:dwing@xxxxxxxxx]
> > Sent: Mon 10/23/2006 6:36 PM
> > To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> > Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> >
> >
> >
> > > Hi,
> > >
> > > I would like to know about SIP negotiations over TLS. It is a fact
> > > that TLS strictly provides hop-by-hop security in a SIP network, and
> > > even encryption is on a hop-by-hop basis.
> > >
> > > It'll be great if someone could let me know: suppose there is a SIP
> > > ALG coexisting with a NAT/Firewall on the edge of an enterprise
> > > network and there is a SIP server on the public network. If a UA
> > > sends a SIP request message over TLS, can it be intercepted by the
> > > NAT/Firewall on the edge
> >
> > No, a TLS-encrypted message cannot be intercepted by a NAT or firewall
> > device.  If a NAT or firewall could examine the plaintext contents of a
> > TLS-encrypted message, TLS wouldn't have much value!
> >
> > -d
> >
> > > or will it bypass the NAT/Firewall and go directly to the SIP server
> > > on the public network?
> > >
> > >
> > >   Private Network                |          Public Network
> > >                                  |
> > > UA-----------------> NAT/Firewall/SIP-ALG------------------> SIP Server
> > >         tls                      |              tls
> > >                                  |
> > >
> > >
> > > Regards,
> > >
> > > Sunil
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Ietf-behave mailing list
> > > Ietf-behave@xxxxxxxxxxxxxxxxxxx
> > > https://list.sipfoundry.org/mailman/listinfo/ietf-behave
> >
>
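The two positions argued in this thread can be checked in code: Dan Wing's point that a NAT/firewall forwarding TLS records sees nothing of the SIP inside them, and Sunil's conclusion that an edge device which wants to read the messages has to be a TLS endpoint itself, i.e. a SIP proxy hop. The Go program below is an added example written for this page, not code from the list or from either participant. It wires a UA, a middlebox and a SIP server together over in-memory pipes (net.Pipe, so nothing touches the network), mints a throwaway self-signed certificate, and sends a constructed REGISTER. With terminate=false the middlebox relays raw bytes like a NAT; with terminate=true it terminates the UA's TLS session and opens its own TLS hop to the server. The hostnames, addresses and the REGISTER itself are made up, and the terminating case assumes the UA trusts the edge device's certificate (the same certificate is reused for both the edge and the real server to keep the example short).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"math/big"
	"net"
	"strings"
	"sync"
	"time"
)

// SIPRegister is a constructed SIP REGISTER request (RFC 3261 framing, CRLF line ends).
const SIPRegister = "REGISTER sip:example.com SIP/2.0\r\n" +
	"Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK776asdhds\r\n" +
	"From: <sip:alice@example.com>;tag=1928301774\r\n" +
	"To: <sip:alice@example.com>\r\n" +
	"Call-ID: a84b4c76e66710@10.0.0.5\r\n" +
	"CSeq: 1 REGISTER\r\n" +
	"Content-Length: 0\r\n\r\n"

// selfSigned mints a throwaway server certificate for name and a pool that trusts only it.
func selfSigned(name string) (tls.Certificate, *x509.CertPool, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key generation from crypto/rand is treated as infallible here
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, pool, nil
}

// tap is the middlebox's record of every byte it forwarded, in either direction.
type tap struct{ mu sync.Mutex; buf strings.Builder }

func (t *tap) Write(p []byte) (int, error) { t.mu.Lock(); defer t.mu.Unlock(); return t.buf.Write(p) }
func (t *tap) String() string            { t.mu.Lock(); defer t.mu.Unlock(); return t.buf.String() }

// relay forwards src to dst, tee-ing every byte into the tap, and closes dst at EOF.
func relay(dst io.WriteCloser, src io.Reader, t *tap) {
	io.Copy(dst, io.TeeReader(src, t))
	dst.Close()
}

// Run sends SIPRegister from a UA through a middlebox to a SIP server over in-memory pipes and returns what the
// server decrypted and what the middlebox saw; terminate selects a TLS-terminating proxy hop over a transparent NAT.
func Run(terminate bool) (serverGot, middleboxSaw string, err error) {
	cert, pool, err := selfSigned("sip.example.com")
	if err != nil {
		return "", "", err
	}
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "sip.example.com"}
	uaEnd, mbInside := net.Pipe()   // UA <-> middlebox (private side)
	mbOutside, srvEnd := net.Pipe() // middlebox <-> SIP server (public side)
	got := make(chan string, 1)
	go func() { // SIP server: decrypt the whole request, then hang up.
		c := tls.Server(srvEnd, srvCfg)
		b, _ := io.ReadAll(c)
		c.Close()
		got <- string(b)
	}()
	var inside, outside net.Conn = mbInside, mbOutside
	if terminate { // assumption: the UA trusts the edge device's certificate (the same cert is reused here)
		inside, outside = tls.Server(mbInside, srvCfg), tls.Client(mbOutside, cliCfg)
	}
	t := &tap{}
	go relay(outside, inside, t)
	go relay(inside, outside, t)
	ua := tls.Client(uaEnd, cliCfg) // UA: one TLS hop, send the REGISTER, hang up.
	go io.Copy(io.Discard, ua)      // a real UA reads replies too; this also drains session tickets
	if _, err = ua.Write([]byte(SIPRegister)); err != nil {
		return "", "", err
	}
	ua.Close()
	select {
	case serverGot = <-got:
	case <-time.After(5 * time.Second):
		return "", "", fmt.Errorf("SIP server never received the request")
	}
	return serverGot, t.String(), nil
}

func main() {
	for _, terminate := range []bool{false, true} {
		got, saw, err := Run(terminate)
		fmt.Println("terminate:", terminate, "err:", err, "server read SIP:", strings.Contains(got, "REGISTER"), "middlebox read SIP:", strings.Contains(saw, "REGISTER"))
	}
}
```

Run(false) delivers the REGISTER intact to the server while the middlebox's copy of the traffic contains no SIP at all, only TLS records; the one thing it can still read is the server name in the ClientHello (SNI), which is why a NAT can route or block by destination domain but cannot inspect signalling. Run(true) is the proxy case from the thread: the middlebox sees the plaintext REGISTER, but only because the UA's TLS session now ends at the edge device, which therefore has to present a certificate the UA trusts and has itself become a hop in the SIP path, with everything that implies for the hop-by-hop security Sunil mentions at the start.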