>-----Original Message-----
>From: Cullen Jennings [mailto:[EMAIL PROTECTED]
>Sent: Sunday, December 19, 2004 11:36 AM
>To: Todd Huang
>Cc: [EMAIL PROTECTED]
>Subject: Re: [Sip-implementors] SIP TLS
>
>I have seen UA that set up a new TLS connection for every transaction - this
>is really bad - totally broken - and will never work in a production
>environment.
>
>I have seen UA that set up a TLS connection per call - this is bad, unlikely
>to work well and means that incoming calls can't use TLS because there is no
>session to the proxy when there is no call active (assuming UA does not have
>a cert)
>
>I think the best is the UA tries to keep it open forever, and if the proxy
>wants to close it due to running out of resources, it can.
Keeping a connection open forever is probably not the best option, in my
opinion. Consider a case where a UA registers and never makes a call. That UA
will occupy the resources. Remember the proxy will have a maximum of 65,536
ports (approx. the initial 2000 ports are reserved for the system). It can't
have more than that many UAs register. I think keeping a TLS connection per
call is a better option. You make a connection when you need it. Once you are
done, release it.

>On 12/15/04 4:40 PM, "Todd Huang" <[EMAIL PROTECTED]> wrote:
>
> Mr. Jennings:
>
> Thanks.
>
> On what condition will the client break down the TLS channel?
>
> I saw one implementation that will disconnect the TCP connection of the
> active call session and establish a new TCP connection when sending BYE to
> terminate the call. It will then break down the TLS channel. Is it necessary?
>
> If any request message sent from the client gets the error response
> (500, 603, ....), should the client need to break down the TLS channel and
> establish a new one?
>
> Is it possible for the proxy server to send close_notify alert to turn
> off the TLS channel?
>
> Thanks.
>
>> From: Cullen Jennings <[EMAIL PROTECTED]>
>> To: Todd Huang <[EMAIL PROTECTED]>
>> CC: <[EMAIL PROTECTED]>
>> Subject: Re: [Sip-implementors] SIP TLS
>> Date: Tue, 14 Dec 2004 19:54:21 -0700
>>
>> yes, If a TLS connection is made to foo.com, then it can be left up for a
>> long time and any message destined for foo.com can be sent over it.
>>
>> inline ...
>>
>> On 12/13/04 4:59 AM, "Todd Huang" <[EMAIL PROTECTED]> wrote:
>>
>>> Mr. Jennings:
>>>
>>> Thanks.
>>>
>>> As you mentioned, the TLS channels should be kept up for a long time and
>>> can be used for many transactions. Do you mean that the TLS channel should
>>> always be there once it had been successfully established between the
>>> client and the proxy server?
>>>
>>> For example, the client successfully establishes the TLS channel with
>>> the proxy server and does the following operations:
>>>
>>> 1. Sends Register to the Proxy server
>>> 2. Sends Invite to another user, but cancels it before the party answers it
>>> 3. Sends Invite to another user, and terminates the call by sending Bye
>>> 4. Sends Invite to the same user again later
>>>
>>> Will all these SIP messages be sent on the same TLS channel without
>>> breaking it down and
>>
>> yes - assuming all these messages were sent to the same outbound proxy
>>
>>> If the client is equipped with two voice ports, should we establish
>>> independent TLS channels for each voice port respectively? Or can all of
>>> the transactions held between the client and the Proxy server use the same
>>> TLS channel no matter which port generated them?
>>
>> They can be done on one port (assuming they both connect to the same proxy)
>
> _______________________________________________
> Sip-implementors mailing list
> [EMAIL PROTECTED]
> http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
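The policy Cullen argues for above, one long-lived connection to the outbound proxy carrying every transaction while the proxy stays free to close it when short on resources, as an added example that is not code from the thread: a fake proxy and a UA on loopback. Assumptions: plain TCP stands in for TLS (no certificates are set up), the request lines are constructed minimal SIP, and FakeProxy/UserAgent are made-up names. The UA reuses one socket for REGISTER, INVITE, CANCEL and BYE, and when the proxy drops the connection it reconnects and re-REGISTERs first, which is what makes inbound calls reachable again.

```python
import socket
import threading

class FakeProxy(threading.Thread):
    """Stand-in outbound proxy (assumption: plain TCP on loopback, no certificates).
    Answers 200 OK and closes the connection after `close_after` requests."""
    def __init__(self, close_after=None):
        super().__init__(daemon=True)
        self.listener = socket.socket()
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(5)
        self.port, self.close_after = self.listener.getsockname()[1], close_after
        self.start()
    def run(self):
        while True:
            conn, _ = self.listener.accept()
            with conn:  # leaving the block closes the socket: the proxy-side close
                served = 0
                while self.close_after is None or served < self.close_after:
                    if not conn.recv(4096):
                        break
                    conn.sendall(b"SIP/2.0 200 OK\r\n\r\n")
                    served += 1

class UserAgent:
    """Keeps one connection to its outbound proxy for every transaction; if the
    proxy closes it, reconnects and re-REGISTERs so inbound calls can be routed."""
    def __init__(self, host, port):
        self.target, self.conn, self.opened, self.log = (host, port), None, 0, []
    def _connect(self):
        self.conn = socket.create_connection(self.target, timeout=5)
        self.opened += 1
    def _try_send(self, method):
        try:  # constructed minimal request line; a real UA sends full headers
            self.conn.sendall(f"{method} sip:proxy.example SIP/2.0\r\n\r\n".encode())
            return self.conn.recv(4096).startswith(b"SIP/2.0 200")
        except OSError:  # reset or broken pipe after the proxy-side close
            return False
    def request(self, method):
        if self.conn is None:
            self._connect()
        if not self._try_send(method):  # proxy dropped the connection: reconnect
            self.conn.close()
            self._connect()
            if method != "REGISTER":
                self._try_send("REGISTER")
                self.log.append("REGISTER")
            self._try_send(method)
        self.log.append(method)
        return self.log
```

With close_after=None the six-request scenario from the thread (REGISTER, INVITE, CANCEL, INVITE, BYE, INVITE) opens exactly one connection; with close_after=3 the UA opens three and re-registers after each proxy-side close.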
