[midcom] SIP over TLS via NAT/Firewall/SIP-ALG

"SUNIL J. KUMAR" <sunilkumar_j@spanservices.com> Wed, 25 October 2006 11:44 UTC

Date: Wed, 25 Oct 2006 17:15:36 +0530
Message-ID: <8DA47B9A5400DE40ADB30B051C215CCE02C05964@mail.spanservices.com>
From: "SUNIL J. KUMAR" <sunilkumar_j@spanservices.com>
To: <midcom@ietf.org>
Subject: [midcom] SIP over TLS via NAT/Firewall/SIP-ALG

Hi All,

I am Sunil, developing a SIP-ALG which will coexist with a NAT/Firewall on the edge of a trusted network. Apart from the NATting functionality which the ALG will perform, we want to provide support for SIP security as well, because there could be many possible attacks on SIP messages, e.g. eavesdropping, session hijacking, DoS attacks, session tear-down, impersonating a server, registration hijacking, etc., and as a solution SIP RFC 3261 suggests that TLS can be a good way to provide security. TLS strictly offers hop-by-hop security, and this security we want to provide at the SIP-ALG itself, sitting along with the NAT/Firewall on the edge.

TLS features are:

1. TLS strictly offers hop-by-hop security.

2. TLS only allows SIP entities to authenticate servers to which they are adjacent.

3. TLS does not allow clients to authenticate proxy servers to whom they cannot form a direct TCP connection.

And hence a TLS-encrypted message cannot be intercepted by a NAT or firewall device, because the SIP-ALG/NAT/Firewall is NOT a SIP entity (like a proxy, redirect server, UA, etc.).

But since I am planning to provide support for TLS at the SIP-ALG/NAT so that we can provide SIP security against the various possible attacks discussed above, this means that I should have a SIP proxy that will co-exist with the SIP-ALG/NAT/Firewall, so that it can be on the path of any SIP message incoming to or outgoing from the trusted network and I shall be able to intercept SIP messages received through TLS. Please let us know whether this will be an advantageous solution; otherwise, any suggestion on other solutions would be of great help.

In future I am planning High Availability support as well for the SIP ALG.
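The following is an added example, not code from the original post or from any product the author describes. It models the point the post makes about TLS being hop-by-hop: a SIP-ALG co-located with the NAT can only rewrite the private addresses in Via, Contact and SDP when it holds the plaintext, which on a TLS hop is only the case if the edge itself is the TLS endpoint (the co-located proxy the post proposes). The INVITE, the addresses (10.0.0.5 inside, 203.0.113.10 outside) and the port mapping are constructed for the example; the functions `parse_sip`, `alg_rewrite` and `alg_process` are hypothetical names, not an API of any real ALG.

```python
import re
from typing import Dict, List, Optional, Tuple

CRLF = "\r\n"

# Constructed sample INVITE from a UA at private address 10.0.0.5 behind the NAT.
# Content-Length is a placeholder that serialize() recomputes from the body.
SAMPLE_INVITE = CRLF.join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/TLS 10.0.0.5:5061;branch=z9hG4bK776asdhds",
    "Max-Forwards: 70",
    "From: Alice <sip:alice@example.com>;tag=1928301774",
    "To: Bob <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@pc33",
    "CSeq: 314159 INVITE",
    "Contact: <sip:alice@10.0.0.5:5061;transport=tls>",
    "Content-Type: application/sdp",
    "Content-Length: 0",
    "",
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5",
    "s=-",
    "c=IN IP4 10.0.0.5",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "",
])


def parse_sip(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a SIP message into its start line, ordered headers and body."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize(start_line: str, headers: List[Tuple[str, str]], body: str) -> str:
    """Rebuild the message, recomputing Content-Length for the (possibly rewritten) body."""
    out = [start_line]
    for name, value in headers:
        if name.lower() == "content-length":
            value = str(len(body.encode("utf-8")))
        out.append(f"{name}: {value}")
    return CRLF.join(out) + CRLF + CRLF + body


def _rewrite_host_port(text: str, internal_ip: str, external_ip: str, port_map: Dict[int, int]) -> str:
    """Replace internal_ip[:port] with external_ip[:mapped port]; unmapped ports are kept."""
    pattern = r"(?<!\d)" + re.escape(internal_ip) + r"(?!\d)(?::(\d+))?"

    def repl(m: "re.Match[str]") -> str:
        if m.group(1) is None:
            return external_ip
        port = int(m.group(1))
        return f"{external_ip}:{port_map.get(port, port)}"

    return re.sub(pattern, repl, text)


def _rewrite_sdp(body: str, internal_ip: str, external_ip: str, port_map: Dict[int, int]) -> str:
    """Rewrite the connection/origin addresses and media ports in an SDP body."""
    out = []
    for line in body.split(CRLF):
        if line.startswith(("c=", "o=")):
            line = _rewrite_host_port(line, internal_ip, external_ip, port_map)
        elif line.startswith("m="):
            parts = line.split(" ")  # m=<media> <port> <proto> <fmt...>
            port = int(parts[1])
            parts[1] = str(port_map.get(port, port))
            line = " ".join(parts)
        out.append(line)
    return CRLF.join(out)


def alg_rewrite(raw: str, internal_ip: str, external_ip: str, port_map: Dict[int, int]) -> str:
    """The NAT part of the ALG: map private addresses in Via, Contact and SDP to the public side."""
    start_line, headers, body = parse_sip(raw)
    new_headers = []
    is_sdp = False
    for name, value in headers:
        if name.lower() in ("via", "contact"):
            value = _rewrite_host_port(value, internal_ip, external_ip, port_map)
        if name.lower() == "content-type" and "application/sdp" in value.lower():
            is_sdp = True
        new_headers.append((name, value))
    if is_sdp and body:
        body = _rewrite_sdp(body, internal_ip, external_ip, port_map)
    return serialize(start_line, new_headers, body)


def alg_process(raw: str, transport: str, edge_terminates_tls: bool,
                internal_ip: str, external_ip: str, port_map: Dict[int, int]) -> Optional[str]:
    """Hop-by-hop rule from the post: on a TLS hop the ALG has plaintext only when the
    edge (the co-located proxy) is itself the TLS endpoint; otherwise it sees ciphertext."""
    if transport.upper() == "TLS" and not edge_terminates_tls:
        return None  # nothing the ALG can inspect or rewrite
    return alg_rewrite(raw, internal_ip, external_ip, port_map)


if __name__ == "__main__":
    port_map = {5061: 40061, 49170: 40170}  # constructed NAT bindings
    print(alg_process(SAMPLE_INVITE, "TLS", True, "10.0.0.5", "203.0.113.10", port_map))
```

The `edge_terminates_tls` flag is where the proposed design lives: with the proxy co-located at the edge, the UA's TLS hop ends at the edge, the proxy is the adjacent server the UA authenticates (feature 2 above), and the ALG works on plaintext before the proxy opens its own TLS hop outward. Without it, the call returns `None`, which is the situation the post describes where a NAT or firewall cannot intercept the TLS-encrypted message.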


