Re: [Sip] B2BUA - Security

Jonathan Rosenberg <jdrosen@dynamicsoft.com> Fri, 06 December 2002 06:14 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA16093 for <sip-archive@odin.ietf.org>; Fri, 6 Dec 2002 01:14:57 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id gB66HSH22608 for sip-archive@odin.ietf.org; Fri, 6 Dec 2002 01:17:28 -0500
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gB66H9v22554; Fri, 6 Dec 2002 01:17:09 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id gB66ETv22444 for <sip@optimus.ietf.org>; Fri, 6 Dec 2002 01:14:29 -0500
Received: from mail3.dynamicsoft.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA16013 for <sip@ietf.org>; Fri, 6 Dec 2002 01:11:27 -0500 (EST)
Received: from dynamicsoft.com ([63.113.46.83]) by mail3.dynamicsoft.com (8.12.1/8.12.1) with ESMTP id gB66DlYH012846; Fri, 6 Dec 2002 01:13:48 -0500 (EST)
Message-ID: <3DF04018.7050200@dynamicsoft.com>
Date: Fri, 06 Dec 2002 01:13:44 -0500
From: Jonathan Rosenberg <jdrosen@dynamicsoft.com>
Organization: dynamicsoft
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Mahey, Sonit" <Sonit.Mahey@icn.siemens.com>
CC: 'Christian Huitema' <huitema@windows.microsoft.com>, Pete Cordell <pete@tech-know-ware.com>, sip@ietf.org
Subject: Re: [Sip] B2BUA - Security
References: <DC26B4448BEC824C8C4E58845FF9F04CA774EE@EMAIL2>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: sip-admin@ietf.org
Errors-To: sip-admin@ietf.org
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>

When STUN is used, there is no need to translate. The client itself 
inserts the proper addresses.

If you are not using STUN, and rather using an ALG or an FCP a la midcom, 
and the SIP body is encrypted, well, right now you are out of luck. I 
will once again point out that this is the reason I wrote the session 
policy draft:

http://www.jdrosen.net/papers/draft-rosenberg-sipping-session-policy-00.txt

-Jonathan R.

Mahey, Sonit wrote:
> Thanks, Christian.
> 
> Assuming IPv4 addresses and without delving into the draft RFC on STUN:
> The SDP contains the RTP/RTCP port numbers that are private and these are
> also required to be NAT'd. Now, if the SDP, which forms part of the SIP
> body, is encrypted, how will RTP/RTCP ports be translated?
> 
> regards,
> - sonit
> 
> 
>>-----Original Message-----
>>From: Christian Huitema [mailto:huitema@windows.microsoft.com]
>>Sent: Thursday, December 05, 2002 12:54 PM
>>To: Mahey, Sonit; Jonathan Rosenberg; Pete Cordell
>>Cc: sip@ietf.org
>>Subject: RE: [Sip] B2BUA - Security
>>
>>
>>
>>>From: Mahey, Sonit [mailto:Sonit.Mahey@icn.siemens.com]
>>>Sent: Thursday, December 05, 2002 9:14 AM
>>>
>>>I agree with Jonathan.
>>>
>>>That brings up the question:
>>>Is NAT traversal for encrypted SIP traffic addressed anywhere?
>>
>>There are two possibilities. If your application only uses UDP, it is
>>possible to use IPv4 and STUN to find out the "outside ports" for your
>>UDP traffic (check draft-ietf-midcom-stun-03.txt); you may need to use
>>the "a:rtcp" convention to encode port numbers in SDP (check
>>draft-ietf-mmusic-sdp4nat-03.txt). If you need to also support TCP, or
>>use IPSEC, or generally do away with the complications of NAT, the best
>>solution is to just move to IPv6; see Teredo
>>(draft-ietf-ngtrans-shipworm-08.txt) for one possible way to carry IPv6
>>across NAT, and 6to4 (RFC 3056 & 3068) for a possible way to upgrade the
>>NAT and make it an IPv6 router.
>>
>>-- Christian Huitema
>>
> 
> 

-- 
Jonathan D. Rosenberg, Ph.D.                72 Eagle Rock Ave.
Chief Scientist                             First Floor
dynamicsoft                                 East Hanover, NJ 07936
jdrosen@dynamicsoft.com                     FAX:   (973) 952-5050
http://www.jdrosen.net                      PHONE: (973) 952-5000
http://www.dynamicsoft.com
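The two paths the thread contrasts, as an added illustration that is not part of the original message or of any IETF draft: in the STUN path the client queries its own outside binding and writes the public address and ports into its SDP itself, so the body can then be encrypted end to end; in the ALG path a middlebox rewrites the c= and m= lines from its own binding table, which only works while it can read the body. The NAT binding table, addresses, ports and SDP text below are constructed, and `stun_lookup` is a stand-in for a real STUN Binding transaction. The a=rtcp attribute is emitted when the mapped RTCP port is not mapped RTP + 1, the case Christian's "a:rtcp" convention (draft-ietf-mmusic-sdp4nat) addresses.

```python
"""STUN client fix-up versus ALG rewrite of the RTP/RTCP ports carried in SDP.
Added illustration; the NAT bindings, addresses, ports and SDP are constructed.
"""
import re
from typing import Callable, Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed NAT binding table: private (addr, port) -> public (addr, port).
# The RTCP binding is deliberately not RTP+1, so the translated SDP needs an
# explicit a=rtcp attribute (draft-ietf-mmusic-sdp4nat convention).
NAT_BINDINGS: Dict[Endpoint, Endpoint] = {
    ("10.0.0.5", 49170): ("203.0.113.7", 31000),  # RTP
    ("10.0.0.5", 49171): ("203.0.113.7", 31007),  # RTCP
}

# Constructed SDP as a client with no NAT awareness would emit it.
PRIVATE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


def stun_lookup(private: Endpoint, bindings: Dict[Endpoint, Endpoint]) -> Endpoint:
    """Stand-in for a STUN Binding request sent from `private` through the NAT.
    A real client reads the mapped address out of the response; this model
    consults the constructed table instead."""
    return bindings[private]


def translate_sdp(sdp: str, lookup: Callable[[Endpoint], Endpoint]) -> str:
    """Replace the private connection address and media ports in `sdp` with
    the outside values returned by `lookup((addr, port))`. Adds a=rtcp when
    the mapped RTCP port is not mapped RTP + 1. Only c= and m= lines are
    touched; the o= origin field is not used for media and is left alone."""
    c_line = re.search(r"^c=IN IP4 (\S+)\r?$", sdp, re.M)
    if not c_line:
        raise ValueError("no c= line in SDP")
    priv_ip = c_line.group(1)
    pub_ip: Optional[str] = None
    out = []
    for line in sdp.splitlines():
        m = re.match(r"^m=(\S+) (\d+) (.*)$", line)
        if m:
            media, port, rest = m.group(1), int(m.group(2)), m.group(3)
            pub_ip, pub_rtp = lookup((priv_ip, port))
            _, pub_rtcp = lookup((priv_ip, port + 1))
            out.append(f"m={media} {pub_rtp} {rest}")
            if pub_rtcp != pub_rtp + 1:
                out.append(f"a=rtcp:{pub_rtcp}")
        else:
            out.append(line)
    if pub_ip is None:
        raise ValueError("no m= line in SDP")
    text = "\r\n".join(out) + "\r\n"
    return text.replace(f"c=IN IP4 {priv_ip}", f"c=IN IP4 {pub_ip}")


def client_fixup(sdp: str, bindings: Dict[Endpoint, Endpoint]) -> str:
    """STUN path: the endpoint rewrites its own SDP before sending it. The
    body can then be encrypted end to end; nothing in the network reads it."""
    return translate_sdp(sdp, lambda ep: stun_lookup(ep, bindings))


def alg_process_body(content_type: str, body: bytes,
                     bindings: Dict[Endpoint, Endpoint]) -> Optional[str]:
    """ALG path: a middlebox rewrites the SDP inside the SIP body from its
    own binding table. Returns None when the body is not readable SDP, which
    is the encrypted-body case the thread describes as 'out of luck'."""
    if content_type.split(";")[0].strip().lower() != "application/sdp":
        return None  # e.g. application/pkcs7-mime: opaque ciphertext to the ALG
    return translate_sdp(body.decode("ascii"), bindings.__getitem__)


if __name__ == "__main__":
    print(client_fixup(PRIVATE_SDP, NAT_BINDINGS))
    print(alg_process_body("application/sdp", PRIVATE_SDP.encode(), NAT_BINDINGS))
    print(alg_process_body("application/pkcs7-mime; smime-type=enveloped-data",
                           b"<ciphertext>", NAT_BINDINGS))
```

Both paths produce the same outside-facing SDP from the same binding table; the difference is who holds the table and, consequently, whether the body may be encrypted. The ALG returns None for the S/MIME content type because it has nothing it can parse, which is the gap the session policy draft referenced above is meant to close.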

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip