Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

"Olle E. Johansson" <oej@edvina.net> Thu, 15 September 2011 13:21 UTC

From: "Olle E. Johansson" <oej@edvina.net>
In-Reply-To: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com>
Date: Thu, 15 Sep 2011 15:23:41 +0200
Message-Id: <CFFC2869-C704-423E-974D-3F4B93145BBB@edvina.net>
References: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
Cc: sip@ietf.org
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

On 15 Sep 2011, at 15:01, Iñaki Baz Castillo wrote:

> Hi, there is general confusion about the usage of the TLS transport and
> the SIPS scheme, even more so when RFC 5630 (which tries to clarify it)
> contains an important bug:
> 
> 
> RFC 5630 states:
> 
> -------------------------------------------------------------------
> 3.1.3.  Using TLS with SIP Instead of SIPS
> 
>   [...]
> 
>   If one wants to use "best-effort TLS" for SIP, one just needs to use
>   a SIP URI, and send the request over TLS.
> 
>   Using SIP over TLS is very simple.  A UA opens a TLS connection and
>   uses SIP URIs instead of SIPS URIs for all the header fields in a SIP
>   message (From, To, Request-URI, Contact header field, Route, etc.).
>   When TLS is used, the Via header field indicates TLS.
> -------------------------------------------------------------------
> 
> 
> So an example of an INVITE sent via TLS just for the first hop would be:
> 
> 
>  INVITE sip:bob@biloxi.com SIP/2.0
>  Via: SIP/2.0/TLS 1.2.3.4
>  From: sip:alice@atlanta.com
>  Contact: sip:alice@1.2.3.4;transport=tcp
> 
> 
> Note that I've set the "sip" scheme in the Contact URI (as the spec says),
> so incoming in-dialog requests would be received by the caller (alice)
> via TCP rather than TLS!!!
> 
> This is wrong, it should be:
> 
> 
>  INVITE sip:bob@biloxi.com SIP/2.0
>  Via: SIP/2.0/TLS 1.2.3.4
>  From: sip:alice@atlanta.com
>  Contact: sips:alice@1.2.3.4;transport=tcp
> 
> 
> Now the Contact URI has the "sips" scheme, so the proxy (assuming it does
> loose routing) would route any in-dialog request via TLS-over-TCP to
> reach alice.
> 
> The fact that the Contact URI has the "sips" scheme is not a problem for
> the callee (regardless of whether it speaks TLS or not), as in-dialog
> requests sent from Bob to Alice would contain Route headers, and those
> Route headers could have the "sip" scheme (in case the last proxy
> contacted Bob using UDP or TCP). So a BYE from Bob would be sent via
> UDP/TCP based on the topmost Route.
> 
> 
> As a personal comment, I would like to say that nobody understands the
> usage of the "sips" scheme, just nobody. And the specs do not help.
> 
With the deprecation of "transport=tls" it becomes even more strange.
We should really spend some time on a "Hitchhiker's Guide to SIP with TLS" and write an RFC to reinstate transport=tls, which is what we all use.

/O
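As an added illustration of the routing point made in the quoted mail (this is example code written for this page, not code from the mail, from RFC 5630 or from any SIP stack), the following Python applies two rules from RFC 3261/3263 to the two INVITEs above and to a hypothetical BYE coming back from Bob's side: a "sips" URI is reached over TLS whatever its ;transport= parameter says, a "sip" URI uses its ;transport= parameter or else UDP for a numeric host, and under loose routing the next hop is the topmost Route header if one is present, otherwise the Request-URI. The proxy address 5.6.7.8, the BYE message and the full header sets are constructed for the example; the RFC 3263 NAPTR/SRV lookup for domain-name targets is deliberately omitted, so every target is treated as a numeric host.

```python
import re

# Added example, not code from the mail or from any SIP implementation.
# Header line: "Name: value".  Folded (multi-line) headers are not handled.
HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*:\s*(.*)$")


def parse_request(raw):
    """Split a SIP request into (method, request_uri, headers).

    headers maps a lower-cased header name to its values in order of
    appearance, so headers["route"][0] is the topmost Route.
    """
    lines = raw.strip().splitlines()
    method, request_uri, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return method, request_uri, headers


def parse_uri(field):
    """Return (scheme, host[:port], uri_params) for a SIP/SIPS URI.

    Accepts a bare URI or a name-addr such as '"Bob" <sips:bob@b.example>;tag=9'.
    Parameters after the closing '>' are header parameters, not URI
    parameters, and are ignored here.
    """
    m = re.search(r"<([^>]+)>", field)
    uri = m.group(1) if m else field.strip()
    scheme, _, rest = uri.partition(":")
    rest = rest.split("?", 1)[0]            # drop any ?header=value part
    hostport, *param_parts = rest.split(";")
    hostport = hostport.rsplit("@", 1)[-1]  # drop user[:password]@
    params = {}
    for p in param_parts:
        k, _, v = p.partition("=")
        params[k.strip().lower()] = v.strip().lower()
    return scheme.lower(), hostport, params


def transport_for_uri(field):
    """Transport used to reach a URI (RFC 3261 sec. 19.1, RFC 3263 sec. 4.1).

    DNS NAPTR/SRV resolution is left out: targets are treated as numeric
    hosts, for which RFC 3263 defaults to UDP (sip) or TLS over TCP (sips).
    """
    scheme, _host, params = parse_uri(field)
    if scheme == "sips":
        return "TLS"                 # sips => TLS regardless of ;transport=
    if scheme != "sip":
        raise ValueError("not a SIP/SIPS URI: %r" % field)
    t = params.get("transport")
    if t == "tls":
        return "TLS"                 # deprecated spelling, still honoured
    if t in ("udp", "tcp", "sctp"):
        return t.upper()
    return "UDP"                     # no transport param, numeric host


def next_hop(request_uri, routes):
    """Loose-routing next hop (RFC 3261 sec. 16.12): the topmost Route if
    present, else the Request-URI.  Returns (host[:port], transport)."""
    target = routes[0] if routes else request_uri
    return parse_uri(target)[1], transport_for_uri(target)


def next_hop_for(raw):
    """(method, host, transport) a proxy would use to forward this request."""
    method, ruri, h = parse_request(raw)
    return (method,) + next_hop(ruri, h.get("route", []))


def in_dialog_transport_to_caller(invite):
    """An in-dialog request toward the caller uses the caller's Contact from
    the INVITE as its Request-URI (RFC 3261 sec. 12.2.1.1); this returns the
    transport that Contact implies once no Route headers remain."""
    _method, _ruri, h = parse_request(invite)
    return transport_for_uri(h["contact"][0])


# The two INVITEs from the mail (constructed here in full) and a hypothetical
# BYE from Bob, whose topmost Route is a proxy 5.6.7.8 that reached Bob over
# plain SIP, so the Route carries a "sip" URI.
INVITE_SIP_CONTACT = """\
INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/TLS 1.2.3.4
From: sip:alice@atlanta.com
Contact: sip:alice@1.2.3.4;transport=tcp
"""

INVITE_SIPS_CONTACT = INVITE_SIP_CONTACT.replace("Contact: sip:", "Contact: sips:")

BYE_FROM_BOB = """\
BYE sips:alice@1.2.3.4;transport=tcp SIP/2.0
Route: <sip:5.6.7.8;lr>
Via: SIP/2.0/UDP 9.9.9.9
From: sip:bob@biloxi.com
"""

if __name__ == "__main__":
    print("sip Contact  ->", in_dialog_transport_to_caller(INVITE_SIP_CONTACT))
    print("sips Contact ->", in_dialog_transport_to_caller(INVITE_SIPS_CONTACT))
    print("Bob's BYE    ->", next_hop_for(BYE_FROM_BOB))
```

Run as a script it shows the three outcomes the mail argues about: with a "sip" Contact the request back to alice goes over TCP even though her INVITE arrived over TLS; with a "sips" Contact it goes over TLS; and Bob's BYE still leaves Bob's side over UDP, because the topmost Route, not the sips Request-URI, decides the first hop.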