[OpenSIPS-Users] UpenSIPS and sips
olle.frimanson at keystream.se
Thu Oct 16 07:58:30 CEST 2008
Hi Inaki, if you keep reading in section 4 of the same draft you refer to,
you see that the new way to address the problems in RFC3261 with the last
hop exception is to use TLS all the way.
And this actually is a problem in some cases: if you want to use SRTP, then
the encryption keys will be wide open on the receiving domain.
From: users-bounces at lists.opensips.org
[mailto:users-bounces at lists.opensips.org] On Behalf Of Iñaki Baz Castillo
Sent: 15 October 2008 22:55
To: users at lists.opensips.org
Subject: Re: [OpenSIPS-Users] UpenSIPS and sips
On Wednesday, 15 October 2008, Bogdan-Andrei Iancu wrote:
> Hi Klaus,
> I quote from the email I sent you:
> During some testing today, I had a chat with Robert Sparks about sips
> scheme - what he is saying is that the "liberty" you mentioned in
> RFC3261 is bogus and there is a new RFC (queued) that fixes this and
> that makes mandatory the usage of a secured protocol through all the
> segments (with sips scheme).
> So, if the registrar gets a sips call and callee device is registered
> with UDP, the call must be rejected.
Hi Bogdan, take a look at this draft:
Especially section "3.3. The Problems with the Meaning of SIPS in RFC 3261".
RFC 3261 section 19.1 says:
"A SIPS URI specifies that the resource be contacted securely.
This means, in particular, that TLS is to be used between the UAC
and the domain that owns the URI. From there, secure
communications are used to reach the user, where the specific
security mechanism depends on the policy of the domain."
The above draft says that, when using draft-outbound, it's "more" possible to
have a full hop-by-hop TLS, but AFAIK nobody mandates it. The final decision
is made by the proxy responsible for the AoR.
Iñaki Baz Castillo