[midcom] SIP over TLS via NAT/Firewall/SIP-ALG
Hi All,
I am Sunil, developing a SIP-ALG which will coexist with NAT/Firewall on the edge of a trusted network. Apart from the NATting functionality which the ALG will perform, we want to provide support for SIP Security as well, because there could be many possible attacks on the SIP messages, e.g. eavesdropping, session hijacking, DoS attacks, session tear-down, impersonating a server, registration hijacking etc., and as a solution SIP RFC 3261 suggests that TLS can be a good way to provide security, which strictly offers hop-by-hop security, and this security we want to provide at the SIP-ALG itself, sitting along with NAT/Firewall on the edge.
TLS features are:
1. TLS strictly offers hop-by-hop security
2. TLS only allows SIP entities to authenticate servers to which they are adjacent.
3. TLS does not allow clients to authenticate proxy servers to whom they cannot form a direct TCP connection.
And hence a TLS-encrypted message cannot be intercepted by a NAT or firewall device, because SIP-ALG/NAT/Firewall is NOT a SIP entity (like proxy/redirect/UA etc.).
But since I am planning to provide support for TLS at SIP-ALG/NAT so that we can provide SIP Security from the various possible attacks discussed above, this means that I should have a SIP Proxy that will co-exist with SIP-ALG/NAT/Firewall so that it can be on the path of any SIP message incoming to or outgoing from the trusted network, and I shall be able to intercept SIP messages received through TLS. Please let us know whether it'll be an advantageous solution; else any suggestion on other solutions would be of great help.
In future I am planning High Availability support as well for SIP ALG.
Regards,
Sunil
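An added illustration of the point the post turns on (this is example code written for this page, not code from Sunil or from any ALG product): the NAT-side work of a SIP-ALG is rewriting the Via, Contact and SDP address fields, which needs the cleartext SIP message. A TLS record passing through a middlebox that is not the adjacent hop is opaque bytes, so the ALG can only do its job if it is itself the TLS endpoint, i.e. a SIP proxy/B2BUA that the inside UA connects to, which is then the party that authenticates the next-hop server. The addresses, tags and Call-ID below are constructed sample values; `PRIVATE_UA`, `PUBLIC_ALG` and all function names are assumptions made for the example.

```python
import ssl
from typing import List, Optional, Tuple

CRLF = "\r\n"
PRIVATE_UA = "10.0.0.5"      # constructed: UA address inside the trusted network
PUBLIC_ALG = "203.0.113.7"   # constructed: public address the ALG presents outside

# Headers that carry the UA's transport address and must be rewritten by the ALG.
REWRITTEN_HEADERS = {"via", "contact"}
# SDP lines that carry a media/session address. Call-ID also contains the private
# IP in the sample, but it is an opaque identifier, not an address, and a proxy
# must leave it untouched or dialog matching breaks.
REWRITTEN_SDP_PREFIXES = ("o=", "c=")


def parse_sip(raw: str) -> Tuple[str, List[Tuple[str, str]], str]:
    """Split a SIP message into start line, ordered (name, value) headers and body."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon only; Via values contain ':'
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_sip(start_line: str, headers: List[Tuple[str, str]], body: str) -> str:
    head = CRLF.join([start_line] + [f"{n}: {v}" for n, v in headers])
    return head + CRLF + CRLF + body


def build_sample_invite(private_ip: str = PRIVATE_UA) -> str:
    """Constructed INVITE as the inside UA would send it, before any NAT rewrite."""
    sdp = CRLF.join([
        "v=0",
        f"o=alice 2890844526 2890844526 IN IP4 {private_ip}",
        "s=-",
        f"c=IN IP4 {private_ip}",
        "t=0 0",
        "m=audio 49170 RTP/AVP 0",
    ]) + CRLF
    headers = [
        ("Via", f"SIP/2.0/TLS {private_ip}:5061;branch=z9hG4bK776asdhds"),
        ("Max-Forwards", "70"),
        ("From", "Alice <sip:alice@example.com>;tag=1928301774"),
        ("To", "Bob <sip:bob@example.com>"),
        ("Call-ID", f"a84b4c76e66710@{private_ip}"),
        ("CSeq", "314159 INVITE"),
        ("Contact", f"<sip:alice@{private_ip}:5061;transport=tls>"),
        ("Content-Type", "application/sdp"),
        ("Content-Length", str(len(sdp.encode()))),
    ]
    return serialize_sip("INVITE sip:bob@example.com SIP/2.0", headers, sdp)


def is_cleartext_sip(data: bytes) -> bool:
    """True only if the bytes are a parseable SIP start line. A TLS record seen by
    a non-adjacent middlebox fails this check, which is why the ALG must terminate TLS."""
    try:
        first = data.decode("ascii").split(CRLF, 1)[0]
    except UnicodeDecodeError:
        return False
    return first.endswith(" SIP/2.0") or first.startswith("SIP/2.0 ")


def alg_rewrite(raw: str, private_ip: str, public_ip: str) -> str:
    """NAT rewrite the ALG applies to a cleartext outbound request: Via and Contact
    get the public address, SDP o=/c= lines likewise, and Content-Length is
    recomputed because the SDP body changed length. Media port mapping is not shown."""
    start_line, headers, body = parse_sip(raw)
    new_body = CRLF.join(
        line.replace(private_ip, public_ip) if line.startswith(REWRITTEN_SDP_PREFIXES) else line
        for line in body.split(CRLF)
    )
    new_headers = []
    for name, value in headers:
        key = name.lower()
        if key in REWRITTEN_HEADERS:
            value = value.replace(private_ip, public_ip)
        elif key == "content-length":
            value = str(len(new_body.encode()))
        new_headers.append((name, value))
    return serialize_sip(start_line, new_headers, new_body)


def alg_outbound_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS context the ALG uses toward the next SIP hop. Once the ALG is the adjacent
    hop it is the entity that can authenticate that server (hostname check against the
    certificate, trust anchors from ca_file or the system store, TLS 1.2 minimum)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    invite = build_sample_invite()
    print(alg_rewrite(invite, PRIVATE_UA, PUBLIC_ALG))
    print("random TLS record is SIP:", is_cleartext_sip(b"\x17\x03\x03\x00\x2a" + bytes(42)))
```

Two design points stand out in practice: the Content-Length must be recomputed after touching SDP, since `10.0.0.5` and `203.0.113.7` differ in length and a stale value corrupts framing on the TCP/TLS stream; and the Call-ID is deliberately left alone, because a proxy may rewrite routing headers but not dialog identifiers. Termination of TLS at the ALG also means the inside UAs must trust the ALG's certificate, so the ALG becomes part of the SIP trust chain rather than a transparent box.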
_______________________________________________
midcom mailing list
midcom at ietf.org
https://www1.ietf.org/mailman/listinfo/midcom