[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] RFC 4474 and SBC traversal

To: "Hannes Tschofenig" <Hannes.Tschofenig at gmx.net>
Subject: Re: [Sip] RFC 4474 and SBC traversal
From: "Fischer, Kai" <kai.fischer at siemens.com>
Date: Fri, 4 Apr 2008 11:46:50 +0200
Cc: sip at ietf.org, "Elwell, John" <john.elwell at siemens.com>
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
In-reply-to: <47F5F3BF.8070508 at gmx.net>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <0D5F89FAC29E2C41B98A6A762007F5D09160BC at GBNTHT12009MSX.gb002.siemens.net> <47F5EBED.60104 at gmx.net> <198A10EC585EC74687BCA414E2A597180211AC91 at MCHP7RDA.ww002.siemens.net> <47F5F3BF.8070508 at gmx.net>
Sender: sip-bounces at ietf.org
Thread-index: AciWNcvhzfyyVHd1QziWx1dsUCoqEgAATIQA
Thread-topic: [Sip] RFC 4474 and SBC traversal

> 
> >> This issue is totally independent from E.164
> >>     
> >
> > Not fully. SBCs may exchange the domain part of the E.164 
> SIP URI, which
> > causes a break of the RFC 4474 signature. With email-style 
> URIs a simple
> > exchange is not possible.
> >   
> This is true but this applies to SIP Identity in general and not to 
> E.164 number usage with SIP Identity only.
> Hence, I would not tie it to this discussion.

My point was, that with E.164 an intermediary SBC is able to exchange
the domain part without a possibility on the terminating side to
recognize the change. With email-like SIP URIs the domain change is not
possible or only with a hack. Two cases need to be differentiated:
-SBC modifies SDP: This results in a necessity to create a new SIP
Identity signature and a change of the domain part in the From header
(valid for both types of SIP URIs email and E.164)
-SBC modifies From header field only: This is applicable to E.164 only
and as far as I have recognized from the past discussions a real world
behavior

> 
> >   
> >> I don't like the idea of requiring DTLS-SRTP to provide proof of 
> >> possession of the keying material.
> >>     
> >
> > It is also the other way round. If you use DTLS-SRTP to 
> encrypt RTP, the
> > terminating domain is interested where the call originates 
> from and in
> > which domain the SRTP connection is terminated. DTLS-SRTP is not
> > initially used as mean to establish an identity rather than as the
> > initial aim to encrypt RTP.
> >   
> 
> I understand the need to know who the end points are. However, tying 
> DTLS-SRTP is not a good idea since it
> a) increases the liklihood that SIP identity never get's 
> deployed (since 
> it is suddently far more complex than before)
> b) SIP identity is used also as a identity mechanism in areas 
> where no 
> media is exchanged.

Do you propose to not apply RFC 4474 for DTLS-SRTP fingerprint
protection and to rely on something different?

Kai

> 
> Ciao
> Hannes
> 
> > Kai
> >
> >   
> >> Ciao
> >> Hannes
> >>
> >>
> >> Elwell, John wrote:
> >>     
> >>> SBCs do exist, often for good reasons that Hadriel has expanded on
> >>> already. I firmly believe that DTLS-SRTP will not be 
> deployable in a
> >>> meaningful way without addressing this problem. Concerning 
> >>>       
> >> solutions, we
> >>     
> >>> have drafts from Kai and Dan, or perhaps a merger of the 
> two somehow
> >>> would work. It also depends to some extent whether we are 
> >>>       
> >> talking only
> >>     
> >>> about email-style URIs or about E.164-based URIs too.
> >>>
> >>> John
> >>> _______________________________________________
> >>> Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
> >>> This list is for NEW development of the core SIP Protocol
> >>> Use sip-implementors at cs.columbia.edu for questions on current sip
> >>> Use sipping at ietf.org for new developments on the 
> application of sip
> >>>   
> >>>       
> >> _______________________________________________
> >> Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
> >> This list is for NEW development of the core SIP Protocol
> >> Use sip-implementors at cs.columbia.edu for questions on current sip
> >> Use sipping at ietf.org for new developments on the application of sip
> >>
> >>     
> 
> 
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

Follow-Ups:
- Re: [Sip] RFC 4474 and SBC traversal
  - From: Hannes Tschofenig

References:
- [Sip] RFC 4474 and SBC traversal
  - From: Elwell, John
- Re: [Sip] RFC 4474 and SBC traversal
  - From: Hannes Tschofenig
- Re: [Sip] RFC 4474 and SBC traversal
  - From: Fischer, Kai
- Re: [Sip] RFC 4474 and SBC traversal
  - From: Hannes Tschofenig

Prev by Date: Re: [Sip] RFC 4474 and PSTN
Next by Date: [Sip] multiple register server or multiple outbound proxies
Previous by thread: Re: [Sip] RFC 4474 and SBC traversal
Next by thread: Re: [Sip] RFC 4474 and SBC traversal
Index(es):
- Date
- Thread