Re: [Sip] TLS post connection verification
The answer to these questions depends on whether the connection is intra-domain
or inter-domain. For an intra-domain connection, when a proxy is talking to
its clients, then yes, it doesn't need to do post-connection authentication
unless the clients are capable of it. However, it is recommended that for
this intra-domain signalling, digest authentication should be used with
TLS. Hence, this digest over TLS presents a pretty secure model.
Things are different for inter-domain connections though! It makes most
sense to perform mutual authentication (post-connection) for inter-domain
signalling. For the client side, it's straightforward. However, the RFC also
mentions recommendations (section 26.3.2.2) for the server side to verify the
certificate for the domain name portion of the From header. This makes much
sense, because inter-domain signalling SHOULD be going through proxies (which
should be able to present certificates), and there shouldn't be more than
one inter-domain hop involved in a SIP session establishment.
As a side note, it's highly unlikely (or at least inefficient) to have parsed
the message (for Via) while the TLS connection is still happening. Hence, it
makes more sense to authenticate the certificate against the domain
of the source IP address in the connection instead of the IP address mentioned in the Via
header.
regards,
-amit.
On Mon, 24 Mar 2003, James Ford wrote:
> Hi Eron,
> The standard does not elaborate on that, but here is what I think:
>
> For the second question: for sending responses on broken connections, I
> don't think that there is a need to do post-connection assertion, for two
> reasons:
> a - The server does not need to authenticate the client.
> b - A lot of applications put their specific IP address in the Via field,
> while a certificate is more likely issued to an FQDN.
>
> The first question is more tricky. My guess is the "incoming" connection
> should only check for the correctness of the certificate and not do a post-
> connection assertion. This might be a security issue though. Maybe someone
> with some hands-on experience would be more helpful here.
>
> Regards,
> James S. Ford
>
>
> >Hi,
> >
> >When sending a request (i.e. REGISTER) to a server I can compare the request
> >URI to the common name (or the alt DNS name) in the certificate. If the
> >names match, I can conclude that the certificate is OK.
> >(I'm using OpenSSL, and they recommend this post-connection assertion.)
> >
> >I have two questions though:
> >
> >1 - What name should I use for comparison when accepting a connection?
> >Usually only the UAC will demand a certificate. I am concerned with the case
> >of two proxies trying to connect using TLS and the UAS proxy asking for client
> >certificates. (What URI will the UAS proxy have? There is no message yet.)
> >
> >2 - How should a broken connection be handled? Let's say UAC1 sent a request
> >over TLS to UAS1. The handshake went well and the request was sent. Then, for
> >some reason, the connection was broken and UAS1 now needs to re-establish
> >the connection. What should UAS1 do? Use TLS without certificates?
> >
> >
> >Regards,
> >Eron Stein
> >
> >_______________________________________________
> >Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
> >This list is for NEW development of the core SIP Protocol
> >Use sip-implementors@cs.columbia.edu for questions on current sip
> >Use sipping@ietf.org for new developments on the application of sip
>
>
----------------------------------------------------------------------------
Next to being shot at and missed, nothing is really quite as satisfying
as an income tax refund.
-- gnulib
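The checks discussed in this thread, as an added example that is not part of any of the posts above: the client side compares the host of the request URI with the peer certificate's names, and the server side (the recommendation amit attributes to RFC 3261 section 26.3.2.2) compares the domain portion of the From header with them. It also covers the failure mode James raises, a Via or request URI carrying an IP literal when the certificate was issued to an FQDN. The certificate identities (`CERT_SAN_DNS`, `CERT_CN`) and the SIP headers are constructed samples, and the rule of consulting the Common Name only when no subjectAltName dNSName is present follows RFC 6125 rather than anything stated in the thread.

```python
import ipaddress
import re

# Constructed sample identities, standing in for what a verifier would pull
# out of the peer certificate after the TLS handshake (not a real certificate).
CERT_SAN_DNS = ["sip.example.com", "*.example.net"]   # subjectAltName dNSName entries
CERT_CN = "proxy.example.com"                          # subject Common Name


def sip_uri_host(uri):
    """Return the lowercase host of a sip:/sips: URI, without user, port or parameters."""
    uri = uri.strip()
    if not uri.lower().startswith(("sip:", "sips:")):
        raise ValueError("not a SIP URI: %r" % uri)
    rest = uri.split(":", 1)[1]
    rest = rest.rsplit("@", 1)[-1]            # drop the user part, if any
    rest = re.split(r"[;?]", rest, 1)[0]      # drop uri-parameters and headers
    if rest.startswith("["):                   # IPv6 reference, e.g. [2001:db8::1]:5061
        return rest[1:rest.index("]")].lower()
    return rest.split(":", 1)[0].lower()      # drop the port


def from_header_domain(from_value):
    """Extract the domain of the URI carried in a From header value."""
    m = re.search(r"<([^>]+)>", from_value)
    uri = m.group(1) if m else from_value.split(";", 1)[0]
    return sip_uri_host(uri)


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def match_dns_name(pattern, host):
    """Exact match, or a single leading wildcard label covering exactly one host label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        # Require at least two fixed labels so that "*.com" never matches anything.
        return (len(p_labels) >= 3 and len(p_labels) == len(h_labels)
                and p_labels[1:] == h_labels[1:])
    return pattern == host


def cert_matches_domain(san_dns_names, common_name, domain):
    """Return (ok, reason). SAN dNSNames take precedence; CN is only a fallback (RFC 6125)."""
    if is_ip_literal(domain):
        return False, "%r is an IP literal; the certificate carries DNS names only" % domain
    if san_dns_names:
        names, source = list(san_dns_names), "subjectAltName"
    else:
        names, source = [common_name], "Common Name"
    for name in names:
        if match_dns_name(name, domain):
            return True, "%s %r matches %r" % (source, name, domain)
    return False, "no %s entry matches %r" % (source, domain)


def verify_outbound(san_dns_names, common_name, request_uri):
    """Client side: the request URI host must be named by the server certificate."""
    return cert_matches_domain(san_dns_names, common_name, sip_uri_host(request_uri))


def verify_inbound(san_dns_names, common_name, from_header):
    """Server side: the From header domain must be named by the client certificate."""
    return cert_matches_domain(san_dns_names, common_name, from_header_domain(from_header))


if __name__ == "__main__":
    for label, result in [
        ("outbound REGISTER", verify_outbound(CERT_SAN_DNS, CERT_CN, "sip:sip.example.com;transport=tls")),
        ("inbound INVITE", verify_inbound(CERT_SAN_DNS, CERT_CN, '"Bob" <sip:bob@edge.example.net>;tag=9fxced76sl')),
        ("IP literal in Via", cert_matches_domain(CERT_SAN_DNS, CERT_CN, "192.0.2.10")),
    ]:
        print("%-20s %s (%s)" % (label, "OK" if result[0] else "FAIL", result[1]))
```

The `is_ip_literal` branch is what turns James's observation into a deterministic failure rather than a silent mismatch: a peer that advertises `192.0.2.10` in Via can only be verified against the domain of its connection, which is the point amit makes about the source IP address, not against a certificate name.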