Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
"Olle E. Johansson" <oej@edvina.net> Thu, 15 September 2011 13:21 UTC
From: "Olle E. Johansson" <oej@edvina.net>
In-Reply-To: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com>
Date: Thu, 15 Sep 2011 15:23:41 +0200
Message-Id: <CFFC2869-C704-423E-974D-3F4B93145BBB@edvina.net>
References: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
Cc: sip@ietf.org
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
List-Id: Session Initiation Protocol <sip.ietf.org>
On 15 Sep 2011, at 15:01, Iñaki Baz Castillo wrote:

> Hi, there is a general confusion about the usage of the TLS transport and
> the SIPS scheme. Even more so when RFC 5630 (which tries to clarify it)
> contains an important bug:
>
> RFC 5630 states:
>
> -------------------------------------------------------------------
> 3.1.3. Using TLS with SIP Instead of SIPS
>
> [...]
>
> If one wants to use "best-effort TLS" for SIP, one just needs to use
> a SIP URI, and send the request over TLS.
>
> Using SIP over TLS is very simple. A UA opens a TLS connection and
> uses SIP URIs instead of SIPS URIs for all the header fields in a SIP
> message (From, To, Request-URI, Contact header field, Route, etc.).
> When TLS is used, the Via header field indicates TLS.
> -------------------------------------------------------------------
>
> So an example of an INVITE sent via TLS just for the first hop would be:
>
> INVITE sip:bob@biloxi.com SIP/2.0
> Via: SIP/2.0/TLS 1.2.3.4
> From: sip:alice@atlanta.com
> Contact: sip:alice@1.2.3.4;transport=tcp
>
> Note that I've set the "sip" scheme in the Contact URI (as the spec says),
> so incoming in-dialog requests would be received by the caller (Alice)
> via TCP rather than TLS!!!
>
> This is wrong, it should be:
>
> INVITE sip:bob@biloxi.com SIP/2.0
> Via: SIP/2.0/TLS 1.2.3.4
> From: sip:alice@atlanta.com
> Contact: sips:alice@1.2.3.4;transport=tcp
>
> Now the Contact URI has the "sips" scheme, so the proxy (assuming it does
> loose routing) would route any in-dialog request via TLS-over-TCP to
> reach Alice.
>
> The fact that the Contact URI has the "sips" scheme is not a problem for
> the callee (regardless of whether it speaks TLS or not), as in-dialog
> requests to be sent from Bob to Alice would contain Route headers, and
> those Route headers could have the "sip" scheme (in case the last proxy
> contacted Bob using UDP or TCP). So a BYE from Bob would be sent via
> UDP/TCP based on the topmost Route.
>
> As a personal comment, I would like to say that nobody understands the
> usage of the "sips" scheme, just nobody. And the specs do not help.

With the deprecation of "transport=tls" it becomes even more strange. We should really spend some time on a "Hitchhiker's Guide to SIP with TLS" and write an RFC to reinstate transport=tls, which is what we all use.

/O
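The next-hop selection the quoted message argues about, as an added example that is not part of the thread or of any SIP stack: a small model of how a loose-routing proxy or UA picks the transport for the next hop of an in-dialog request from the top Route (if any) or else from the peer's Contact. The rules follow RFC 3261 (sections 12.2.1.1 and 19.1) and RFC 5630 section 3 as I read them; the URI parser, the "bare sip: URI with no transport parameter defaults to UDP" shortcut (skipping RFC 3263 NAPTR/SRV resolution), the single Route entry `sip:proxy.biloxi.com;lr` and the omission of strict routing are simplifying assumptions of this example.

```python
"""Added example: which transport does the next hop of an in-dialog request use?

Models RFC 3261 12.2.1.1 (loose routing only) and the sip:/sips: transport rules
of RFC 3261 19.1 / RFC 5630 section 3.  The UDP fallback for a bare sip: URI is an
assumption of this example and stands in for RFC 3263 NAPTR/SRV resolution.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Minimal sip:/sips: URI grammar; URI headers (?x=y) and IPv6 literals are not handled.
_URI_RE = re.compile(
    r"^(?P<scheme>sips?):"
    r"(?:(?P<user>[^@\s]+)@)?"
    r"(?P<host>[^:;?>\s]+)"
    r"(?::(?P<port>\d+))?"
    r"(?P<params>(?:;[^;?>\s]+)*)$"
)


@dataclass(frozen=True)
class SipUri:
    scheme: str
    user: Optional[str]
    host: str
    port: Optional[int]
    params: Dict[str, str] = field(default_factory=dict)


def parse_uri(text: str) -> SipUri:
    """Parse a sip:/sips: URI, with or without the <...> brackets used in Contact/Route."""
    text = text.strip()
    if text.startswith("<") and text.endswith(">"):
        text = text[1:-1]
    m = _URI_RE.match(text)
    if not m:
        raise ValueError(f"not a sip/sips URI: {text!r}")
    params: Dict[str, str] = {}
    for p in m.group("params").split(";")[1:]:
        k, _, v = p.partition("=")
        params[k.lower()] = v.lower()
    port = int(m.group("port")) if m.group("port") else None
    return SipUri(m.group("scheme").lower(), m.group("user"), m.group("host").lower(), port, params)


def next_hop_transport(uri: SipUri) -> str:
    """Transport used to reach the host named in `uri` (RFC 3261 19.1, RFC 5630 section 3)."""
    transport = uri.params.get("transport")
    if uri.scheme == "sips":
        # The sips scheme itself mandates TLS; transport=tcp is redundant and
        # transport=udp makes no sense with sips.
        if transport == "udp":
            raise ValueError("sips URI with transport=udp is not valid")
        return "TLS"
    if transport == "tls":
        return "TLS"  # deprecated by RFC 5630 3.1.3, but still what deployed stacks emit
    if transport in ("tcp", "udp", "sctp"):
        return transport.upper()
    if transport is None:
        return "UDP"  # assumption: RFC 3261 default, no RFC 3263 lookup modelled
    raise ValueError(f"unknown transport parameter {transport!r}")


def in_dialog_next_hop(route_set: List[str], remote_target: str) -> Tuple[SipUri, str]:
    """RFC 3261 12.2.1.1, loose-routing case: the top Route wins if a route set was
    learned from Record-Route, otherwise the request goes straight to the peer's
    Contact (remote target).  Strict routers (no ;lr) are not modelled."""
    if route_set:
        target = parse_uri(route_set[0])
        if "lr" not in target.params:
            raise NotImplementedError("strict routing not modelled in this example")
    else:
        target = parse_uri(remote_target)
    return target, next_hop_transport(target)


# Constructed inputs mirroring the two Contact headers in the message above.
ALICE_CONTACT_SIP = "sip:alice@1.2.3.4;transport=tcp"    # what RFC 5630 3.1.3 literally suggests
ALICE_CONTACT_SIPS = "sips:alice@1.2.3.4;transport=tcp"  # the proposed correction
BOB_ROUTE_SET = ["<sip:proxy.biloxi.com;lr>"]            # assumption: proxy Record-Routed as plain sip


def demo() -> Dict[str, str]:
    """Transport chosen at each hop of Bob's BYE toward Alice."""
    results = {}
    # The proxy forwarding Bob's BYE has popped the last Route, so Alice's Contact decides.
    results["proxy->alice (sip contact)"] = in_dialog_next_hop([], ALICE_CONTACT_SIP)[1]
    results["proxy->alice (sips contact)"] = in_dialog_next_hop([], ALICE_CONTACT_SIPS)[1]
    # Bob himself follows his Route set; Alice's sips Contact does not affect his first hop.
    results["bob->proxy"] = in_dialog_next_hop(BOB_ROUTE_SET, ALICE_CONTACT_SIPS)[1]
    return results


if __name__ == "__main__":
    for hop, transport in demo().items():
        print(f"{hop:32} {transport}")
```

With the sip: Contact the proxy reaches Alice over plain TCP even though her INVITE arrived over TLS; with the sips: Contact it uses TLS, while Bob's own first hop is still governed by the Route set the proxy inserted.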