
Re: [Ietf-behave] SIP over TLS via NAT/Firewall


Hi Dan,
 
We are planning to provide more security at the SIP ALG level against a number of 
possible attacks like eavesdropping, session hijacking, DoS attacks, session 
tear-down, impersonating a server, registration hijacking etc., and SIP RFC 3261 
suggests that TLS can be a good way to provide security. But we want to have this 
security at the SIP-ALG/NAT level itself. An idea on this solution would be of 
great help.
 
Thanks,
Sunil

________________________________

From: Dan Wing [mailto:dwing@xxxxxxxxx]
Sent: Tue 10/24/2006 9:51 PM
To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall



> Thanks a lot. It's a very valid comment. That means, if at all
> we have to intercept any SIP Message on the
> NAT/Firewall/SIP-ALG which was sent over TLS, there MUST be a
> proxy server coexisting with the SIP-ALG/NAT so that it'll
> become a SIP Entity and can be on the path of any SIP Message
> in-coming to or outgoing from the trusted network.

Why do you believe this is a requirement?  There are several
disadvantages to such an approach, and few -- if any --
advantages.

-d

> Can anyone suggest what the minimal proxy functionality should be? I am sure
> that just a stateless proxy won't suffice. Please comment.
> 
> Best Regards,
> Sunil
>
> ________________________________
>
> From: Dan Wing [mailto:dwing@xxxxxxxxx]
> Sent: Mon 10/23/2006 6:36 PM
> To: SUNIL J. KUMAR; ietf-behave@xxxxxxxxxxxxxxxxxxx
> Subject: RE: [Ietf-behave] SIP over TLS via NAT/Firewall
>
>
>
> > Hi,
> >
> > I would like to know about SIP negotiations over TLS. It is a
> > fact that TLS strictly provides hop-by-hop security in a SIP
> > network, and even encryption is on a hop-by-hop basis.
> >
> > It'll be great if someone can let me know: suppose there is a SIP ALG
> > coexisting with a NAT/Firewall on the edge of an enterprise
> > network and there is a SIP Server on the public network. If
> > a UA sends a SIP request message over TLS, can it be
> > intercepted by the NAT/Firewall on the edge
>
> No, a TLS-encrypted message cannot be intercepted by a NAT or firewall
> device.  If a NAT or firewall could examine the plaintext contents of a
> TLS-encrypted message, TLS wouldn't have much value!
>
> -d
>
> > or will it bypass the
> > NAT/Firewall and directly go to the SIP Server on the public
> > network?
> >
> >
> >   Private Network                |            Public Network
> >                                  |
> > UA ---------------> NAT/Firewall/SIP-ALG ---------------> SIP Server
> >        tls                       |              tls
> >                                  |
> >
> >
> > Regards,
> >
> > Sunil
> >
> >
> >
> >
> >
> > _______________________________________________
> > Ietf-behave mailing list
> > Ietf-behave@xxxxxxxxxxxxxxxxxxx
> > https://list.sipfoundry.org/mailman/listinfo/ietf-behave
>
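The point Dan Wing makes in the quoted reply above, that a NAT/firewall/SIP-ALG on the path cannot examine a TLS-protected SIP message, can be shown concretely. The following Python script is an added example, not code from the thread or from any IETF document. It feeds two constructed packets to the same middlebox logic: a plaintext SIP REGISTER carrying a private address (10.0.0.5, constructed) in Via and Contact, and the same request wrapped in a TLS 1.2 application-data record (record-layer header per RFC 5246: content type 0x17, version bytes 3,3, two-byte length). The record's fragment is a labelled opaque stand-in for real AEAD output, not actual encryption; the only claim is that nothing SIP-like is visible in it. On the plaintext packet the ALG does its usual job (rewrite the private address to the NAT's public address, 203.0.113.7 from the RFC 5737 documentation range); on the TLS record it can read only the five header bytes and has nothing to rewrite.

```python
import re
from typing import Optional

PRIVATE_IP = "10.0.0.5"     # constructed: the UA's address inside the enterprise
PUBLIC_IP = "203.0.113.7"   # constructed: the NAT's public address (RFC 5737 doc range)

# Constructed SIP REGISTER, as the UA would send it in the clear over UDP.
SIP_REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:sunil@example.com>;tag=1928301774\r\n"
    "To: <sip:sunil@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    f"Contact: <sip:sunil@{PRIVATE_IP}:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
).encode("ascii")

# TLS record layer (RFC 5246): one byte content type, two bytes version,
# two bytes length, then the protected fragment.
TLS_APPLICATION_DATA = 0x17
TLS_1_2 = (3, 3)


def tls_record(fragment: bytes) -> bytes:
    """Wrap a fragment in a TLS 1.2 application-data record header."""
    header = bytes([TLS_APPLICATION_DATA, *TLS_1_2]) + len(fragment).to_bytes(2, "big")
    return header + fragment


# Constructed stand-in for the encrypted request: a real TLS stack would put
# AEAD output here. These bytes are merely opaque, not actual encryption; the
# point is only that nothing SIP-like is visible to a device on the path.
OPAQUE_FRAGMENT = bytes((i * 73 + 41) % 256 for i in range(len(SIP_REGISTER) + 16))
SIP_OVER_TLS = tls_record(OPAQUE_FRAGMENT)

SIP_START_TOKENS = ("INVITE", "REGISTER", "ACK", "BYE", "CANCEL", "OPTIONS", "SIP/2.0")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(wire: bytes) -> dict:
    """Everything a NAT/firewall can learn from the leading bytes of a packet
    without being a party to the TLS session."""
    if len(wire) >= 5 and wire[0] == TLS_APPLICATION_DATA:
        return {
            "kind": "tls-record",
            "version": (wire[1], wire[2]),
            "fragment_len": int.from_bytes(wire[3:5], "big"),
        }
    token = wire.split(b" ", 1)[0].decode("ascii", "replace")
    if token in SIP_START_TOKENS:
        return {"kind": "sip-plaintext", "method": token}
    return {"kind": "unknown"}


def alg_rewrite(wire: bytes, public_ip: str) -> Optional[bytes]:
    """Classic SIP-ALG fix-up: rewrite the private IPv4 address in Via and
    Contact to the NAT's public address. Returns None when the packet is not
    parseable SIP, which is exactly the TLS case: the ALG cannot act."""
    if classify(wire)["kind"] != "sip-plaintext":
        return None
    head, sep, body = wire.decode("ascii").partition("\r\n\r\n")
    fixed = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            line = IPV4.sub(public_ip, line)
        fixed.append(line)
    return ("\r\n".join(fixed) + sep + body).encode("ascii")


if __name__ == "__main__":
    print(classify(SIP_REGISTER))
    print(alg_rewrite(SIP_REGISTER, PUBLIC_IP).decode())
    print(classify(SIP_OVER_TLS))
    print(alg_rewrite(SIP_OVER_TLS, PUBLIC_IP))
```

Running it prints the rewritten REGISTER for the plaintext case and, for the TLS case, only the record-layer metadata (type, version, fragment length) followed by `None`: the device can count and forward the bytes, but it is not a SIP hop and sees no headers to fix up.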