[Sip] Using TLS in the first hop - Bug in RFC 5630

Iñaki Baz Castillo <ibc@aliax.net> Thu, 15 September 2011 12:59 UTC

Date: Thu, 15 Sep 2011 15:01:22 +0200
Message-ID: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: sip@ietf.org

Hi, there is general confusion about the usage of the TLS transport and
the SIPS scheme, even more so when RFC 5630 (which tries to clarify it)
contains an important bug:


RFC 5630 states:

-------------------------------------------------------------------
3.1.3.  Using TLS with SIP Instead of SIPS

   [...]

   If one wants to use "best-effort TLS" for SIP, one just needs to use
   a SIP URI, and send the request over TLS.

   Using SIP over TLS is very simple.  A UA opens a TLS connection and
   uses SIP URIs instead of SIPS URIs for all the header fields in a SIP
   message (From, To, Request-URI, Contact header field, Route, etc.).
   When TLS is used, the Via header field indicates TLS.
-------------------------------------------------------------------


So an example of an INVITE sent via TLS just for the first hop would be:


  INVITE sip:bob@biloxi.com SIP/2.0
  Via: SIP/2.0/TLS 1.2.3.4
  From: sip:alice@atlanta.com
  Contact: sip:alice@1.2.3.4;transport=tcp


Note that I've set the "sip" scheme in the Contact URI (as the spec says),
so incoming in-dialog requests would be received by the caller (Alice)
via TCP rather than TLS!!!

This is wrong; it should be:


  INVITE sip:bob@biloxi.com SIP/2.0
  Via: SIP/2.0/TLS 1.2.3.4
  From: sip:alice@atlanta.com
  Contact: sips:alice@1.2.3.4;transport=tcp


Now the Contact URI has the "sips" scheme, so the proxy (assuming it does
loose routing) would route any in-dialog request via TLS-over-TCP to
reach Alice.

The fact that the Contact URI has the "sips" scheme is not a problem for
the callee (regardless of whether it speaks TLS or not), as in-dialog
requests sent from Bob to Alice would contain Route headers, and those
Route headers could have the "sip" scheme (in case the last proxy
contacted Bob using UDP or TCP). So a BYE from Bob would be sent via
UDP/TCP based on the topmost Route.


As a personal comment, I would like to say that nobody understands the
usage of the "sips" scheme, just nobody. And the specs do not help.

Best regards.


-- 
Iñaki Baz Castillo
<ibc@aliax.net>
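An added example (my own code, not part of Iñaki's post and not any RFC reference implementation) that applies the loose-routing rule the post relies on: the topmost Route, or else the remote target taken from Contact, selects the next hop, and only a sips URI or an explicit transport=tls makes that hop TLS. The INVITEs are the ones from the post; the proxy.biloxi.com Route and the header parser are constructed assumptions.

```python
# Added example (not from the post): apply the RFC 3261 loose-routing rule to
# see which transport the first hop of an in-dialog request really uses.
import re

URI_RE = re.compile(r'^(?P<scheme>sips?):(?:[^@\s>]+@)?(?P<host>[^;?>\s]+)'
                    r'(?P<params>(?:;[^;?>\s]+)*)')

def parse_headers(msg):
    """Map lowercase header name -> list of values (constructed parser, no folding)."""
    headers = {}
    for line in msg.strip().splitlines()[1:]:      # skip the request line
        name, _, value = line.partition(':')
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def hop_transport(uri):
    """Transport for one hop towards `uri`: sips always means TLS (over TCP);
    a sip URI follows ;transport= (tls is deprecated by RFC 5630), else UDP."""
    m = URI_RE.match(uri.strip().strip('<>'))
    if not m:
        raise ValueError(f'not a SIP URI: {uri!r}')
    params = dict(p.partition('=')[::2] for p in m['params'].split(';') if p)
    if m['scheme'] == 'sips' or params.get('transport', '').lower() == 'tls':
        return 'TLS'
    return params.get('transport', 'udp').upper()

def in_dialog_first_hop(route_set, remote_target):
    """Next hop of an in-dialog request: topmost Route when the route set is
    non-empty (loose routing), otherwise the peer's Contact URI."""
    target = route_set[0] if route_set else remote_target
    return target, hop_transport(target)

# Alice's INVITE as shown in the post (Contact uses the "sip" scheme).
INVITE_SIP = """INVITE sip:bob@biloxi.com SIP/2.0
Via: SIP/2.0/TLS 1.2.3.4
From: sip:alice@atlanta.com
Contact: sip:alice@1.2.3.4;transport=tcp
"""
INVITE_SIPS = INVITE_SIP.replace('Contact: sip:', 'Contact: sips:')  # corrected form

def last_hop_to_alice(invite):
    """The proxy's final hop towards Alice once its own Route entry is consumed."""
    contact = parse_headers(invite)['contact'][0]
    return in_dialog_first_hop([], contact)[1]

if __name__ == '__main__':
    print(last_hop_to_alice(INVITE_SIP))    # TCP: TLS on the Via does not carry over
    print(last_hop_to_alice(INVITE_SIPS))   # TLS
    print(in_dialog_first_hop(['<sip:proxy.biloxi.com;lr>'], 'sips:alice@1.2.3.4;transport=tcp'))  # Bob's BYE: UDP
```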