Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

Iñaki Baz Castillo <ibc@aliax.net> Fri, 16 September 2011 11:05 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: sip@ietfa.amsl.com
Delivered-To: sip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CD1B21F8BF9 for <sip@ietfa.amsl.com>; Fri, 16 Sep 2011 04:05:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.648
X-Spam-Level:
X-Spam-Status: No, score=-2.648 tagged_above=-999 required=5 tests=[AWL=0.029, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZoID1M0v+Ep1 for <sip@ietfa.amsl.com>; Fri, 16 Sep 2011 04:05:57 -0700 (PDT)
Received: from mail-qy0-f172.google.com (mail-qy0-f172.google.com [209.85.216.172]) by ietfa.amsl.com (Postfix) with ESMTP id 5093521F8BF7 for <sip@ietf.org>; Fri, 16 Sep 2011 04:05:57 -0700 (PDT)
Received: by qyk32 with SMTP id 32so336200qyk.10 for <sip@ietf.org>; Fri, 16 Sep 2011 04:08:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.67.166 with SMTP id r38mr1769631qci.254.1316171290772; Fri, 16 Sep 2011 04:08:10 -0700 (PDT)
Received: by 10.229.79.207 with HTTP; Fri, 16 Sep 2011 04:08:10 -0700 (PDT)
In-Reply-To: <7889A6C3D41A49439DAECC7B4C998F011C07F2EA81@MCHP058A.global-ad.net>
References: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com> <CFFC2869-C704-423E-974D-3F4B93145BBB@edvina.net> <CALiegfnh2C3GNddnneepcVsGgtOd1pSDBVC3uH72S1KaVT_jHg@mail.gmail.com> <7889A6C3D41A49439DAECC7B4C998F011C07F2E6EF@MCHP058A.global-ad.net> <CALiegfkqnVMHSZuim33XNy8rPdBRmJsB6VRxF3mR1dEXvEdK-Q@mail.gmail.com> <CALiegf=jX6pkdw+xYueuEjgAoo_9XVhYqOgc0Uwx2yt7gqto1Q@mail.gmail.com> <7889A6C3D41A49439DAECC7B4C998F011C07F2EA81@MCHP058A.global-ad.net>
Date: Fri, 16 Sep 2011 13:08:10 +0200
Message-ID: <CALiegfnxSo3zvCHAUtFUU=2XODUJN3SNxhRgVZ+oF5tfsQFsFw@mail.gmail.com>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <ibc@aliax.net>
To: "Horvath, Ernst" <ernst.horvath@siemens-enterprise.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "sip@ietf.org" <sip@ietf.org>
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2011 11:05:58 -0000

2011/9/16 Horvath, Ernst <ernst.horvath@siemens-enterprise.com>om>:
> Well, I read RFC 3261 differently. 8.1.2 says:
>
>   Otherwise, the procedures are applied to the first Route header field
>   value in the request (if one exists), or to the request's Request-URI
>   if there is no Route header field present.  These procedures yield an
>   ordered set of address, port, and transports to attempt.  Independent
>   of which URI is used as input to the procedures of [4], if the
>   Request-URI specifies a SIPS resource, the UAC MUST follow the
>   procedures of [4] as if the input URI were a SIPS URI.
>
> This behaviour overrides the transport indicated in the Route header if
> the Request-URI is SIPS. And it applies to mid-dialog requests as well.
> BTW, RFC 5630 has some text on your original point:
>
> 5.1.1.2.  SIPS in a Dialog
>
>   If the Request-URI in a request that initiates a dialog is a SIP URI,
>   then the UAC needs to be careful about what to use in the Contact
>   header field (in case Record-Route is not used for this hop).  If the
>   Contact header field was a SIPS URI, it would mean that the UAS would
>   only accept mid-dialog requests that are sent over secure transport
>   on each hop.  Since the Request-URI in this case is a SIP URI, it is
>   quite possible that the UA sending a request to that URI might not be
>   able to send requests to SIPS URIs.  If the top Route header field
>   does not contain a SIPS URI, the UAC MUST use a SIP URI in the
>   Contact header field, even if the request is sent over a secure
>   transport (e.g., the first hop could be re-using a TLS connection to
>   the proxy as would be the case with [RFC5626]).

Hi, this definitely tells me that SIPS and TLS is impossible, but just
in the case of full TLS in the whole path.

I insist on the bug I've reported for RFC 5630: If the client sets a
SIP Contact URI and sends the request using TLS, then it would receive
incoming in-dialog requests via UDP or TCP, but not TLS. This does not
make sense as the caller could use just SIP over TLS, and in case of
NAT this would never work as the proxy/server could never send a TCP
or UDP request to the client.

So IMHO SIPS and TLS is broken and it can only work when the full path
is secure (which is unfeasible in most of the environments). This
needs a rework, or maybe Olle is right and we should use
;transport=tls (with SIP schema), ;transport=tls-sctp and so on.

-- 
Iñaki Baz Castillo
<ibc@aliax.net>