Re: [Sip] B2BUA - Security
Jonathan Rosenberg <jdrosen@dynamicsoft.com> Fri, 06 December 2002 06:14 UTC
Message-ID: <3DF04018.7050200@dynamicsoft.com>
Date: Fri, 06 Dec 2002 01:13:44 -0500
From: Jonathan Rosenberg <jdrosen@dynamicsoft.com>
Organization: dynamicsoft
To: "Mahey, Sonit" <Sonit.Mahey@icn.siemens.com>
CC: 'Christian Huitema' <huitema@windows.microsoft.com>, Pete Cordell <pete@tech-know-ware.com>, sip@ietf.org
Subject: Re: [Sip] B2BUA - Security
References: <DC26B4448BEC824C8C4E58845FF9F04CA774EE@EMAIL2>
When STUN is used, there is no need to translate. The client itself inserts the proper addresses. If you are not using STUN, and rather using an ALG or an FCP ala midcom, and the SIP body is encrypted, well, right now you are out of luck. I will once again point out that this is the reason I wrote the session policy draft: http://www.jdrosen.net/papers/draft-rosenberg-sipping-session-policy-00.txt

-Jonathan R.

Mahey, Sonit wrote:
> Thanks, Christian.
>
> Assuming IPv4 addresses and without delving into the draft RFC on STUN:
> The SDP contains the RTP/RTCP port numbers that are private and these are
> also required to be NAT'd. Now, if the SDP, which forms part of the SIP
> body, is encrypted, how will RTP/RTCP ports be translated?
>
> regards,
> - sonit
>
>
>> -----Original Message-----
>> From: Christian Huitema [mailto:huitema@windows.microsoft.com]
>> Sent: Thursday, December 05, 2002 12:54 PM
>> To: Mahey, Sonit; Jonathan Rosenberg; Pete Cordell
>> Cc: sip@ietf.org
>> Subject: RE: [Sip] B2BUA - Security
>>
>>> From: Mahey, Sonit [mailto:Sonit.Mahey@icn.siemens.com]
>>> Sent: Thursday, December 05, 2002 9:14 AM
>>>
>>> I agree with Jonathan.
>>>
>>> That brings up the question:
>>> Is NAT traversal for encrypted SIP traffic addressed anywhere?
>>
>> There are two possibilities. If your application only uses UDP, it is
>> possible to use IPv4 and STUN to find out the "outside ports" for your
>> UDP traffic (check draft-ietf-midcom-stun-03.txt); you may need to use
>> the "a:rtcp" convention to encode port numbers in SDP (check
>> draft-ietf-mmusic-sdp4nat-03.txt). If you need to also support TCP, or
>> use IPSEC, or generally do away with the complications of NAT, the best
>> solution is to just move to IPv6; see Teredo
>> (draft-ietf-ngtrans-shipworm-08.txt) for one possible way to carry IPv6
>> across NAT, and 6to4 (RFC 3056 & 3068) for a possible way to upgrade the
>> NAT and make it an IPv6 router.
>>
>> -- Christian Huitema
>>
>

--
Jonathan D. Rosenberg, Ph.D.        72 Eagle Rock Ave.
Chief Scientist                     First Floor
dynamicsoft                         East Hanover, NJ 07936
jdrosen@dynamicsoft.com             FAX:   (973) 952-5050
http://www.jdrosen.net              PHONE: (973) 952-5000
http://www.dynamicsoft.com

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip
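As an added worked example (not code from anyone in this thread), here is the client-side step Jonathan describes: a UA behind a NAT replaces the private address and ports in its own SDP with the STUN-learned outside values, advertising the outside RTCP port with the a=rtcp attribute Christian refers to, before the body is encrypted, so no ALG ever needs to read it. The SDP, the NAT mapping and all addresses are constructed; the second function shows what a peer would send to, with and without a=rtcp.

```python
# Constructed SDP that a UA behind a NAT would generate with its private address.
PRIVATE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed STUN results: (local addr, port) -> (server-reflexive addr, port).
# This NAT did not keep RTP/RTCP ports adjacent, which is why a=rtcp is needed.
STUN_MAPPING = {
    ("10.0.0.5", 49170): ("192.0.2.1", 31000),  # RTP
    ("10.0.0.5", 49171): ("192.0.2.1", 31002),  # RTCP
}

def rewrite_sdp_with_stun(sdp, mapping):
    """Client-side rewrite done BEFORE the body is encrypted: put the
    STUN-learned outside address in c=, the outside RTP port in m=, and
    advertise the outside RTCP port with a=rtcp (it is no longer RTP+1)."""
    out, local_addr = [], None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            local_addr = line.split()[2]
            ext_addr = next(v[0] for k, v in mapping.items() if k[0] == local_addr)
            line = "c=IN IP4 " + ext_addr
        elif line.startswith("m="):
            fields = line.split()
            rtp_port = int(fields[1])
            fields[1] = str(mapping[(local_addr, rtp_port)][1])
            out.append(" ".join(fields))
            line = "a=rtcp:%d" % mapping[(local_addr, rtp_port + 1)][1]
        out.append(line)
    return "\r\n".join(out) + "\r\n"

def media_endpoints(sdp):
    """Where a remote peer will send media: (addr, rtp_port, rtcp_port).
    Absent a=rtcp, the peer assumes RTCP is at RTP port + 1."""
    addr, endpoints = None, []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
        elif line.startswith("m="):
            rtp = int(line.split()[1])
            endpoints.append([addr, rtp, rtp + 1])
        elif line.startswith("a=rtcp:"):
            endpoints[-1][2] = int(line[7:].split()[0])
    return [tuple(e) for e in endpoints]
```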