Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

Hadriel Kaplan <HKaplan@acmepacket.com> Thu, 15 September 2011 16:29 UTC

From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
Thread-Topic: [Sip] Using TLS in the first hop - Bug in RFC 5630
Date: Thu, 15 Sep 2011 16:31:14 +0000
Message-ID: <2966AE2F-BBED-4E97-A27B-6E55279ED9FF@acmepacket.com>
References: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com> <CFFC2869-C704-423E-974D-3F4B93145BBB@edvina.net> <CALiegfnh2C3GNddnneepcVsGgtOd1pSDBVC3uH72S1KaVT_jHg@mail.gmail.com> <3EBDBBCF-C3F3-4C64-B010-4F275B0A5A96@edvina.net> <CALiegfkKSHiEWF5+Lz5FBEawNc6ST1s3+MLYeBnUJedFjxQoDw@mail.gmail.com> <40FFF683-2CA1-4436-9421-42ACC205A42C@acmepacket.com> <CALiegf=Z3qZey-+0=wqN80BjS6Jn5V8tFU_w2LtS7O5v-jXK+Q@mail.gmail.com> <9825F789-887F-44CD-BD43-C000929E5B17@acmepacket.com> <CALiegfms0=Khcc_kKiGfcO6hUcd8-nDxG16bBN_SxCatuvAejA@mail.gmail.com>
In-Reply-To: <CALiegfms0=Khcc_kKiGfcO6hUcd8-nDxG16bBN_SxCatuvAejA@mail.gmail.com>
Cc: "<sip@ietf.org>" <sip@ietf.org>, "Olle E. Johansson" <oej@edvina.net>
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

Oh I'm well aware of that. :)
I assumed this whole discussion was theoretical.
In *practice* using sips is tough.  Some systems don't support it and will choke on the scheme, while some systems seem to ignore the extra "s".  And there are real problems with it even if you do everything by the book.  For example, it's not like Alice's UA will actually have a TLS cert to be able to be a TLS server/listen-socket, so you can't open a TLS connection to her UA regardless, ever.  And with TCP in general you have to treat her Registered Contact connection as an outbound-style flow (i.e., like an aliased connection-reuse), even if the UAC doesn't indicate RFC 5626 or 5923.  Once you do that, using "sip" instead of "sips" contact works, or has so far for us.  YMMV.

-hadriel


On Sep 15, 2011, at 12:03 PM, Iñaki Baz Castillo wrote:

> 2011/9/15 Hadriel Kaplan <HKaplan@acmepacket.com>:
>> No I mean if Bob wants to Refer Carol to Alice, or Alice to Carol (since that Refer can be sent out of dialog to Alice's contact).
> 
> Initial requests sent to a Contact address rather than being sent to
> an AoR are always problematic. The same occurs in attended transfer
> when the REFER is sent within the dialog and contains a Refer-To with
> the endpoint Contact URI. Such a URI could be unreachable if it's
> between some kind of NATs (regardless of whether the user used STUN).
> 
> -- 
> Iñaki Baz Castillo
> <ibc@aliax.net>