Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

"Horvath, Ernst" <ernst.horvath@siemens-enterprise.com> Thu, 15 September 2011 13:56 UTC

From: "Horvath, Ernst" <ernst.horvath@siemens-enterprise.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
Date: Thu, 15 Sep 2011 15:58:59 +0200
Message-ID: <7889A6C3D41A49439DAECC7B4C998F011C07F2E6EF@MCHP058A.global-ad.net>
References: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com> <CFFC2869-C704-423E-974D-3F4B93145BBB@edvina.net> <CALiegfnh2C3GNddnneepcVsGgtOd1pSDBVC3uH72S1KaVT_jHg@mail.gmail.com>
In-Reply-To: <CALiegfnh2C3GNddnneepcVsGgtOd1pSDBVC3uH72S1KaVT_jHg@mail.gmail.com>
Cc: "sip@ietf.org" <sip@ietf.org>
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

Comment at the end...

> -----Original Message-----
> From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On Behalf Of Iñaki Baz Castillo
> Sent: Donnerstag, 15. September 2011 15:39
> To: Olle E. Johansson
> Cc: sip@ietf.org
> Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
> 
> 2011/9/15 Olle E. Johansson <oej@edvina.net>:
> >> As a personal comment, I would like to say that nobody understands the
> >> usage of "sips" schema, just nobody. And the specs do not help.
> >>
> > With the deprecation of "transport=tls" it becomes even more strange.
> 
> AFAIK "transport=tls" has never been deprecated. Instead, it has never
> been a standard. Note for example that RFC 3261 says:
> 
>       Note that in the SIPS URI scheme, transport is independent of TLS,
>       and thus "sips:alice@atlanta.com;transport=tcp" and
>       "sips:alice@atlanta.com;transport=sctp" are both valid (although
>       note that UDP is not a valid transport for SIPS).  The use of
>       "transport=tls" has consequently been deprecated, partly because
>       it was specific to a single hop of the request.  This is a change
>       since RFC 2543.
> 
> "A change since RFC 2543"?? transport=tls has never been defined in
> RFC 2543. Check yourself:
> 
>   http://tools.ietf.org/html/rfc2543
> 
> 
> > We should really spend some time on a "hitch hikers guide to SIP with TLS"
> > and write an RFC to reinstate transport=tls, which is what we all use.
> 
> Or spend some time in a new draft that *correctly* explains how to use
> TLS in the first hop (without requiring security in the whole path).
> This is *very* easy:
> 
> As I've explained in my first mail:
> 
>   INVITE sip:bob@biloxi.com SIP/2.0
>   Via: SIP/2.0/TLS 1.2.3.4
>   From: sip:alice@atlanta.com
>   Contact: sips:alice@1.2.3.4;transport=tcp
> 
> That's all. Just:
> - Set TLS in Via transport.
> - Use "sip" schema in every URI.
> - But use "sips" schema in Contact URI.
> 
> And it works.
>
It may work for the first request. But in a subsequent mid-dialog request in the reverse direction the Contact URI becomes the Request-URI, which is now SIPS, and therefore the Contact in this request must also become SIPS, and you end up in an all-SIPS case.

Ernst Horvath

> 
> 
> -- 
> Iñaki Baz Castillo
> <ibc@aliax.net>
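The scheme cascade Ernst describes, modelled as an added example (this is not code from the thread or from any SIP stack): Alice's INVITE carries the sips Contact from Iñaki's mail, Bob's mid-dialog re-INVITE must then use that sips URI as its Request-URI and so needs a sips Contact under RFC 3261 section 8.1.1.8, and Alice's next request inherits the same constraint. The Party class, the host values and the re-INVITE-only modelling of target refresh are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

def scheme(uri: str) -> str:
    """Return the scheme ('sip' or 'sips') of a SIP URI string."""
    s = uri.split(":", 1)[0].lower()
    if s not in ("sip", "sips"):
        raise ValueError("not a SIP URI: " + uri)
    return s

def as_sips(uri: str) -> str:
    """Rewrite a sip: URI as sips:, leaving a sips: URI unchanged."""
    return uri if scheme(uri) == "sips" else "sips:" + uri.split(":", 1)[1]

def contact_violation(request_uri: str, contact: str) -> Optional[str]:
    """RFC 3261 section 8.1.1.8: a sips Request-URI requires a sips Contact.
    Returns a description of the problem, or None if the request is consistent."""
    if scheme(request_uri) == "sips" and scheme(contact) != "sips":
        return "Request-URI %s is sips but Contact %s is not" % (request_uri, contact)
    return None

@dataclass
class Party:
    name: str
    host: str                # constructed sample addresses taken from the thread
    remote_target: str = ""  # peer's Contact, learned from the dialog

    def target_refresh(self, peer: "Party") -> dict:
        """Build the headers of an in-dialog re-INVITE towards the peer.
        The Request-URI is the stored remote target (RFC 3261 section 12.2.1.1);
        the Contact is upgraded to sips whenever section 8.1.1.8 demands it."""
        request_uri = self.remote_target
        contact = "sip:%s@%s;transport=tcp" % (self.name, self.host)
        if contact_violation(request_uri, contact):
            contact = as_sips(contact)
        peer.remote_target = contact  # target refresh: the peer stores our Contact
        return {"method": "INVITE", "request_uri": request_uri, "contact": contact}

def simulate_dialog() -> list:
    """Replay the thread's scenario: Alice's INVITE carrying a sips Contact,
    then one re-INVITE in each direction. Both follow-ups come out all-sips."""
    alice, bob = Party("alice", "1.2.3.4"), Party("bob", "biloxi.com")
    invite = {"method": "INVITE", "request_uri": "sip:bob@biloxi.com",
              "contact": "sips:alice@1.2.3.4;transport=tcp"}
    bob.remote_target = invite["contact"]  # Bob learns Alice's sips Contact
    return [invite, bob.target_refresh(alice), alice.target_refresh(bob)]
```

Running simulate_dialog() shows the first request as posted in the thread and every later request with a sips Request-URI and a sips Contact; contact_violation() is the check a UA or B2BUA can apply before sending to avoid emitting the inconsistent sip Contact.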