Re: [Ietf-behave] SIP over TLS via NAT/Firewall
Thanks a lot. It's a very valid comment. That means, if at all we have to
intercept any SIP Message on the NAT/Firewall/SIP-ALG which was sent over TLS,
there MUST be a proxy server coexisting with the SIP-ALG/NAT so that it'll
become a SIP Entity and can be on the path of any SIP Message in-coming to or
outgoing from the trusted network. If one can suggest what should be minimal
proxy functionality? I am sure that just Stateless Proxy won't suffice. Please
comment.
Best Regards,
Sunil
________________________________
From: Dan Wing [mailto:dwing@xxxxxxxxx]
Sent: Mon 10/23/2006 6:36 PM
To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> Hi,
>
> Would like to know about SIP negotiations on TLS. It is the
> fact that TLS strictly provides hop-by-hop security in a SIP
> Network and even encryption is also on hop-by-hop basis.
>
> It'll be great if someone let me know if there is a SIP ALG
> coexisting with NAT/Firewall on the edge of an enterprise
> network and there is a SIP Server on the public network. If
> suppose an UA sends a SIP request message on TLS, can it be
> incepted by NAT/Firewall on the edge
No, a TLS-encrypted message cannot be intercepted by a NAT or firewall
device. If a NAT or firewall could examine the plaintext contents of a
TLS-encrypted message, TLS wouldn't have much value!
-d
> or it'll bypass
> NAT/Firewall and directly go to the SIP Server on the public
> network?
>
>
>                Private Network         |         Public Network
>                                        |
>   UA ------------------> NAT/Firewall/SIP-ALG ------------------> SIP Server
>             tls                        |             tls
>                                        |
>
> Regards,
>
> Sunil
>
> _______________________________________________
> Ietf-behave mailing list
> Ietf-behave@xxxxxxxxxxxxxxxxxxx
> https://list.sipfoundry.org/mailman/listinfo/ietf-behave