Re: [Ietf-behave] SIP over TLS via NAT/Firewall
"Dan Wing" <dwing@cisco.com> Tue, 24 October 2006 20:07 UTC
From: Dan Wing <dwing@cisco.com>
Date: Tue, 24 Oct 2006 15:07:07 -0500
Subject: Re: [Ietf-behave] SIP over TLS via NAT/Firewall
In-Reply-To: <8DA47B9A5400DE40ADB30B051C215CCE02C05954@mail.spanservices.com>
Message-ID: <019001c6f7a7$f4ea6940$5b82200a@amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain
It might be best if you asked your question on the SIPPING working group's mailing list. I believe many of the things you want to do will require a SIP back-to-back user agent (B2BUA) that also handles media. Those functions, when combined, are commonly called an SBC.

-d

> -----Original Message-----
> From: SUNIL J. KUMAR [mailto:sunilkumar_j@xxxxxxxxxxxxxxxx]
> Sent: Tuesday, October 24, 2006 12:10 PM
> To: Dan Wing; ietf-behave@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
>
> Looks like a good draft. But SIP security is still a major
> concern in this draft as well. Many of the functions this
> document describes have important SIP security and privacy
> implications, which I am planning to provide at NAT/Firewall
> itself for SIP Messages (Requests/responses).
>
> ________________________________
>
> From: Dan Wing [mailto:dwing@xxxxxxxxx]
> Sent: Tue 10/24/2006 11:48 PM
> To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
>
> Check out draft-camarillo-sipping-sbc-funcs-04.txt which is
> what I think you're asking about?
>
> -d
>
> > -----Original Message-----
> > From: SUNIL J. KUMAR [mailto:sunilkumar_j@xxxxxxxxxxxxxxxx]
> > Sent: Tuesday, October 24, 2006 11:01 AM
> > To: Dan Wing; ietf-behave@xxxxxxxxxxxxxxxxxxx
> > Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> >
> > Hi Dan,
> >
> > Since we are planning to provide more security at SIP ALG
> > level from a number of possible attacks like eavesdropping,
> > session hijacking, DoS attacks, session tear-down,
> > impersonating a server, registration hijacking etc., and SIP
> > RFC 3261 suggests that TLS can be a good way to provide
> > security. But this security we want to have at SIP-ALG/NAT
> > level itself. An idea on this solution would be of great help.
> >
> > Thanks,
> > Sunil
> >
> > ________________________________
> >
> > From: Dan Wing [mailto:dwing@xxxxxxxxx]
> > Sent: Tue 10/24/2006 9:51 PM
> > To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> > Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> >
> > > Thanks a lot. It's a very valid comment. That means, if at all
> > > we have to intercept any SIP Message on the
> > > NAT/Firewall/SIP-ALG which was sent over TLS, there MUST be a
> > > proxy server coexisting with the SIP-ALG/NAT so that it'll
> > > become a SIP Entity and can be on the path of any SIP Message
> > > in-coming to or outgoing from the trusted network.
> >
> > Why do you believe this is a requirement? There are several
> > disadvantages to such an approach, and few -- if any --
> > advantages.
> >
> > -d
> >
> > > If one can
> > > suggest what should be minimal proxy functionality? I am sure
> > > that just a Stateless Proxy won't suffice. Please comment.
> > >
> > > Best Regards,
> > > Sunil
> > >
> > > ________________________________
> > >
> > > From: Dan Wing [mailto:dwing@xxxxxxxxx]
> > > Sent: Mon 10/23/2006 6:36 PM
> > > To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> > > Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> > >
> > > > Hi,
> > > >
> > > > Would like to know about SIP negotiations on TLS. It is the
> > > > fact that TLS strictly provides hop-by-hop security in a SIP
> > > > Network and even encryption is also on a hop-by-hop basis.
> > > >
> > > > It'll be great if someone lets me know if there is a SIP ALG
> > > > coexisting with NAT/Firewall on the edge of an enterprise
> > > > network and there is a SIP Server on the public network. If
> > > > suppose a UA sends a SIP request message on TLS, can it be
> > > > intercepted by NAT/Firewall on the edge
> > >
> > > No, a TLS-encrypted message cannot be intercepted by a NAT
> > > or firewall device. If a NAT or firewall could examine the plaintext
> > > contents of a TLS-encrypted message, TLS wouldn't have much value!
> > >
> > > -d
> > >
> > > > or it'll bypass
> > > > NAT/Firewall and directly go to the SIP Server on the public
> > > > network?
> > > >
> > > >   Private Network                  |                  Public Network
> > > >                                    |
> > > >   UA-----------------> NAT/Firewall/SIP-ALG------------------------------------> SIP Server
> > > >              tls                   |                        tls
> > > >                                    |
> > > >
> > > > Regards,
> > > >
> > > > Sunil
> > > >
> > > > _______________________________________________
> > > > Ietf-behave mailing list
> > > > Ietf-behave@xxxxxxxxxxxxxxxxxxx
> > > > https://list.sipfoundry.org/mailman/listinfo/ietf-behave
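As an added illustration of the point Dan makes in the thread (example code written for this page, not from any of the participants or from an RFC), the snippet below contrasts what an on-path SIP ALG can do with a plaintext REGISTER (parse Via/Contact and rewrite the private address) with what it learns from the same request carried inside a TLS application-data record: only the record header. The SIP message, addresses and the placeholder ciphertext are all constructed for the example.

```python
# Constructed plaintext SIP REGISTER as an ALG would see it over UDP/TCP.
SIP_PLAINTEXT = (
    b"REGISTER sip:example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/TCP 10.0.0.5:5060;branch=z9hG4bKabc\r\n"
    b"Contact: <sip:alice@10.0.0.5:5060>\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed TLS 1.2 application-data record: type 0x17, version 0x0303,
# 2-byte length, then opaque ciphertext. The payload bytes are placeholders,
# not real TLS output; the point is that nothing SIP-shaped is visible.
CIPHERTEXT = bytes((i * 37 + 11) % 256 for i in range(48))
TLS_RECORD = b"\x17\x03\x03" + len(CIPHERTEXT).to_bytes(2, "big") + CIPHERTEXT

PRIVATE_ENDPOINT = b"10.0.0.5:5060"   # the UA's address inside the NAT


def parse_sip(msg: bytes):
    """Return (request_line, headers) or None if this is not a SIP message."""
    head, _, _ = msg.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].endswith(b" SIP/2.0"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().decode()] = value.strip().decode()
    return lines[0].decode(), headers


def alg_rewrite(msg: bytes, public: bytes = b"203.0.113.7:40000") -> bytes:
    """The ALG's job on plaintext: map the private Via/Contact address to
    the NAT's public mapping so responses route back through the NAT."""
    out = []
    for line in msg.split(b"\r\n"):
        if line.startswith((b"Via:", b"Contact:")):
            line = line.replace(PRIVATE_ENDPOINT, public)
        out.append(line)
    return b"\r\n".join(out)


def middlebox_view(stream: bytes) -> dict:
    """Everything an on-path NAT/firewall learns from the bytes it forwards."""
    if len(stream) >= 5 and stream[0] == 0x17 and stream[1] == 0x03:
        # TLS record: header only, no request line, no Via, no Contact.
        return {"kind": "tls", "content_type": stream[0],
                "version": (stream[1], stream[2]),
                "length": int.from_bytes(stream[3:5], "big"), "sip": None}
    return {"kind": "sip", "sip": parse_sip(stream)}
```

Because the ALG cannot rewrite Via/Contact inside the TLS record, the NAT traversal fix-ups it relies on have to move to a TLS endpoint on the path, which is the B2BUA/SBC role the thread refers to.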