
Re: [Ietf-behave] SIP over TLS via NAT/Firewall


> Thanks a lot. It's a very valid comment. That means, if at all
> we have to intercept any SIP Message on the 
> NAT/Firewall/SIP-ALG which was sent over TLS, there MUST be a 
> proxy server coexisting with the SIP-ALG/NAT so that it'll 
> become a SIP Entity and can be on the path of any SIP Message 
> in-coming to or outgoing from the trusted network.

Why do you believe this is a requirement?  There are several
disadvantages to such an approach, and few -- if any -- 
advantages.

-d

> if one can 
> suggest what should be minimal proxy functionality? I am sure 
> that just Stateless Proxy won't suffice. Please comment.
>  
> Best Regards,
> Sunil
> 
> ________________________________
> 
> From: Dan Wing [mailto:dwing@xxxxxxxxx]
> Sent: Mon 10/23/2006 6:36 PM
> To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
> 
> 
> 
> > Hi,
> >
> > Would like to know about SIP negotiations on TLS. It is a
> > fact that TLS strictly provides hop-by-hop security in a SIP
> > Network and even encryption is also on a hop-by-hop basis.
> >
> > It'll be great if someone lets me know if there is a SIP ALG
> > coexisting with NAT/Firewall on the edge of an enterprise
> > network and there is a SIP Server on the public network. If
> > suppose a UA sends a SIP request message on TLS, can it be
> > intercepted by NAT/Firewall on the edge
> 
> No, a TLS-encrypted message cannot be intercepted by a NAT or firewall
> device.  If a NAT or firewall could examine the plaintext contents of a
> TLS-encrypted message, TLS wouldn't have much value!
> 
> -d
> 
> > or it'll bypass
> > NAT/Firewall and directly go to the SIP Server on the public
> > network?
> > 
> >
> >   Private Network            |            Public Network
> >                              |
> > UA-----------------> NAT/Firewall/SIP-ALG------------------------------------> SIP Server
> >        tls                   |                    tls
> >                              |
> > 
> >
> > Regards,
> >
> > Sunil
> >
> > 
> >
> >
> >
> > _______________________________________________
> > Ietf-behave mailing list
> > Ietf-behave@xxxxxxxxxxxxxxxxxxx
> > https://list.sipfoundry.org/mailman/listinfo/ietf-behave
>
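
An added example, not part of the original mail thread: a sketch of what a SIP-ALG on the NAT/firewall can read from the first bytes of a flow, showing that plaintext SIP exposes the Contact header while a TLS flow exposes only the 5-byte record header. The function name `classify` and both sample payloads are constructed for illustration.

```python
import re
import struct

# Request line ("INVITE sip:... SIP/2.0") or status line ("SIP/2.0 200 OK"), RFC 3261.
SIP_START = re.compile(rb"^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3} [^\r\n]*)\r\n")

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
MAX_TLS_RECORD = 2**14 + 2048  # upper bound on an encrypted record's length field


def classify(payload: bytes) -> dict:
    """Report what an on-path device can learn from the start of a flow."""
    if SIP_START.match(payload):
        # Plaintext SIP: every header is readable (and rewritable) on path.
        head = payload.split(b"\r\n\r\n", 1)[0]
        headers = {}
        for line in head.split(b"\r\n")[1:]:
            name, _, value = line.partition(b":")
            headers[name.strip().lower().decode()] = value.strip().decode()
        return {"kind": "sip-plaintext", "contact": headers.get("contact")}
    if len(payload) >= 5:
        ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
        if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and length <= MAX_TLS_RECORD):
            # Only the record header is in the clear; the SIP message is not.
            return {"kind": "tls-record", "record": TLS_CONTENT_TYPES[ctype],
                    "length": length, "contact": None}
    return {"kind": "unknown", "contact": None}


# Constructed sample inputs (not captured traffic).
PLAIN_INVITE = (b"INVITE sip:bob@example.com SIP/2.0\r\n"
                b"Via: SIP/2.0/TCP 192.168.1.10:5060;branch=z9hG4bK776\r\n"
                b"Contact: <sip:alice@192.168.1.10:5060>\r\n"
                b"Content-Length: 0\r\n\r\n")
# TLS record header (application_data, version 3.3, length 32) + opaque bytes.
TLS_APPDATA = bytes([23, 3, 3, 0, 32]) + bytes(range(32))

if __name__ == "__main__":
    for sample in (PLAIN_INVITE, TLS_APPDATA):
        print(classify(sample))
```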