Re: [Ietf-behave] SIP over TLS via NAT/Firewall

"Dan Wing" <dwing@cisco.com> Tue, 24 October 2006 20:07 UTC

From: Dan Wing <dwing@cisco.com>
Date: Tue, 24 Oct 2006 15:07:07 -0500
Subject: Re: [Ietf-behave] SIP over TLS via NAT/Firewall
In-Reply-To: <8DA47B9A5400DE40ADB30B051C215CCE02C05954@mail.spanservices.com>
Message-ID: <019001c6f7a7$f4ea6940$5b82200a@amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain

It might be best if you asked your question on the SIPPING working group's
mailing list.  I believe many of the things you want to do will require a
SIP back-to-back user agent (B2BUA) that also handles media.  Those
functions, when combined, are commonly called an SBC.

-d


> -----Original Message-----
> From: SUNIL J. KUMAR [mailto:sunilkumar_j@xxxxxxxxxxxxxxxx] 
> Sent: Tuesday, October 24, 2006 12:10 PM
> To: Dan Wing; ietf-behave@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> 
> Looks like a good draft. But SIP security is still a major 
> concern in this draft as well. Many of the functions this 
> document describes have important SIP security and privacy 
> implications, which I am planning to provide at the NAT/Firewall 
> itself for SIP messages (requests/responses).
> 
> ________________________________
> 
> From: Dan Wing [mailto:dwing@xxxxxxxxx]
> Sent: Tue 10/24/2006 11:48 PM
> To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> 
> 
> 
> Check out draft-camarillo-sipping-sbc-funcs-04.txt which is
> what I think you're asking about?
> 
> -d
> 
> 
> > -----Original Message-----
> > From: SUNIL J. KUMAR [mailto:sunilkumar_j@xxxxxxxxxxxxxxxx]
> > Sent: Tuesday, October 24, 2006 11:01 AM
> > To: Dan Wing; ietf-behave@xxxxxxxxxxxxxxxxxxx
> > Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> >
> > Hi Dan,
> > 
> > Since we are planning to provide more security at the SIP ALG
> > level against a number of possible attacks like eavesdropping,
> > session hijacking, DoS attacks, session tear-down,
> > impersonating a server, registration hijacking etc., and SIP
> > RFC 3261 suggests that TLS can be a good way to provide
> > security. But we want to have this security at the SIP-ALG/NAT
> > level itself. An idea on this solution would be of great help.
> > 
> > Thanks,
> > Sunil
> >
> > ________________________________
> >
> > From: Dan Wing [mailto:dwing@xxxxxxxxx]
> > Sent: Tue 10/24/2006 9:51 PM
> > To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> > Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> >
> >
> >
> > > Thanks a lot. It's a very valid comment. That means, if at all
> > > we have to intercept any SIP message on the
> > > NAT/Firewall/SIP-ALG which was sent over TLS, there MUST be a
> > > proxy server coexisting with the SIP-ALG/NAT so that it'll
> > > become a SIP entity and can be on the path of any SIP message
> > > incoming to or outgoing from the trusted network.
> >
> > Why do you believe this is a requirement?  There are several
> > disadvantages to such an approach, and few -- if any --
> > advantages.
> >
> > -d
> >
> > > Can anyone suggest what the minimal proxy functionality
> > > should be? I am sure that just a stateless proxy won't
> > > suffice. Please comment.
> > >
> > > Best Regards,
> > > Sunil
> > >
> > > ________________________________
> > >
> > > From: Dan Wing [mailto:dwing@xxxxxxxxx]
> > > Sent: Mon 10/23/2006 6:36 PM
> > > To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> > > Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> > >
> > >
> > >
> > > > Hi,
> > > >
> > > > Would like to know about SIP negotiation over TLS. It is a
> > > > fact that TLS strictly provides hop-by-hop security in a SIP
> > > > network, and even encryption is on a hop-by-hop basis.
> > > >
> > > > It'll be great if someone lets me know: if there is a SIP ALG
> > > > coexisting with a NAT/Firewall on the edge of an enterprise
> > > > network and there is a SIP server on the public network, and
> > > > suppose a UA sends a SIP request message over TLS, can it be
> > > > intercepted by the NAT/Firewall on the edge,
> > >
> > > No, a TLS-encrypted message cannot be intercepted by a NAT
> > > or firewall device.  If a NAT or firewall could examine the
> > > plaintext contents of a TLS-encrypted message, TLS wouldn't
> > > have much value!
> > >
> > > -d
> > >
> > > > or will it bypass the NAT/Firewall and go directly to the
> > > > SIP server on the public network?
> > > >
> > > >
> > > >   Private Network                |            Public Network
> > > >                                  |
> > > > UA ----------------> NAT/Firewall/SIP-ALG ----------------> SIP Server
> > > >           tls                    |             tls
> > > >                                  |
> > > >
> > > > Regards,
> > > >
> > > > Sunil
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > Ietf-behave mailing list
> > > > Ietf-behave@xxxxxxxxxxxxxxxxxxx
> > > > https://list.sipfoundry.org/mailman/listinfo/ietf-behave
> > >
> >
>
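The exchange above turns on one fact: TLS in SIP is hop-by-hop, so a NAT/firewall/ALG that merely forwards packets sees only TLS records, while a device that is itself a SIP entity (a B2BUA/SBC terminating the UA's TLS hop) sees and can rewrite the request before opening its own hop to the server. The following Go program is an added example, not code from this thread or from any product mentioned in it. It uses loopback addresses, a throwaway self-signed certificate for the hypothetical host sip.example.com, a constructed REGISTER request, and an illustrative Record-Route insertion standing in for what an SBC does; none of these identifiers come from the original messages.

```go
// Added example, not code from the thread: one constructed SIP REGISTER is sent
// over TLS through (a) a byte-forwarding NAT/firewall relay and (b) a B2BUA that
// terminates TLS. Hostnames, addresses and the self-signed cert are test-only.
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

const SIPRegister = "REGISTER sip:example.com SIP/2.0\r\n" +
	"Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bKnashds7\r\nFrom: <sip:alice@example.com>;tag=1928301774\r\n" +
	"To: <sip:alice@example.com>\r\nCall-ID: a84b4c76e66710\r\nCSeq: 1 REGISTER\r\nContent-Length: 0\r\n\r\n"

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned: throwaway certificate for sip.example.com plus a pool that trusts it.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "sip.example.com"},
		DNSNames: []string{"sip.example.com"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// tlsEndpoint accepts one TLS connection and hands back the plaintext it carried; only a TLS peer can.
func tlsEndpoint(cert tls.Certificate) (addr string, got chan []byte) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}}))
	got = make(chan []byte, 1)
	go func() {
		defer ln.Close()
		c := must(ln.Accept())
		b, _ := io.ReadAll(c) // handshake and decryption happen here, at the hop's end
		c.Close()
		got <- b
	}()
	return ln.Addr().String(), got
}

// natRelay stands in for the NAT/firewall/ALG: forwards bytes without being a TLS peer, keeps a copy.
func natRelay(upstream string) (addr string, seen chan []byte) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	seen = make(chan []byte, 1)
	go func() {
		defer ln.Close()
		c := must(ln.Accept())
		s := must(net.Dial("tcp", upstream))
		go func() { io.Copy(c, s); c.Close() }() // server -> client direction
		var tap bytes.Buffer
		io.Copy(io.MultiWriter(s, &tap), c) // client -> server, copied to the tap
		s.(*net.TCPConn).CloseWrite()
		seen <- tap.Bytes()
	}()
	return ln.Addr().String(), seen
}

// send opens one TLS hop to addr, verified as sip.example.com, and writes msg.
func send(addr string, pool *x509.CertPool, msg []byte) {
	c := must(tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: "sip.example.com"}))
	c.Write(msg)
	c.Close()
}

// Run returns (what the server received, what the device in the middle could read). With viaB2BUA
// the middle device terminates the UA's hop, adds a Record-Route as an SBC would, and opens its own hop.
func Run(viaB2BUA bool) (serverGot, middleGot string) {
	cert, pool := selfSigned()
	srv, srvGot := tlsEndpoint(cert)
	if !viaB2BUA {
		nat, seen := natRelay(srv)
		send(nat, pool, []byte(SIPRegister))
		return string(<-srvGot), string(<-seen)
	}
	sbc, sbcGot := tlsEndpoint(cert) // the B2BUA is itself a SIP/TLS entity the UA trusts
	send(sbc, pool, []byte(SIPRegister))
	req := <-sbcGot
	send(srv, pool, bytes.Replace(req, []byte("\r\n"), []byte("\r\nRecord-Route: <sip:sbc.example.com;transport=tls;lr>\r\n"), 1))
	return string(<-srvGot), string(req)
}

func main() {
	_, natSaw := Run(false)
	got, sbcSaw := Run(true)
	fmt.Printf("relay saw REGISTER in the clear: %v\nB2BUA saw REGISTER in the clear: %v\nserver got:\n%s", bytes.Contains([]byte(natSaw), []byte("REGISTER")), sbcSaw == SIPRegister, got)
}
```

Running it shows the relay's tap starting with a 0x16 TLS handshake record and never containing the request, while the B2BUA path hands the server a request carrying the inserted Record-Route. The practical caveat is the one Dan's reply implies: the B2BUA only works because the UA is configured to trust its certificate and address it as the next hop, so it is a SIP entity inside the trust boundary, not a transparent firewall, and it sees every request and response in the clear.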