Rohini

My replies inline

Regards
Ranjit

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kamath Rohini-a23049
Sent: Monday, April 28, 2008 4:18 PM
To: [email protected]
Subject: [Sip-implementors] Security Agreement - RFC 3329

Hi,

I have some questions regarding Security Agreement RFC 3329

1. If an EndPoint (EP) has negotiated a Security Mechanism with its Outbound Proxy (OP) using REGISTER and the lifetime of this security association is X hrs. What is the behaviour of the OP after the completion of X hrs if the EP does not renew its registration? i.e., will it send an Error response (494) to any further SIP requests it receives from EP? Or silently discard the packets?

<Ranjit> After X hours, the OP could initiate a de-registration of the EP and the EP would re-register with the OP and renegotiate the security mechanism as per RFC 3329. Yes, OP could send 494 if required and ask EP to renegotiate. Also it cannot silently discard packets.

2. The EndPoint (EP) has negotiated a Security Mechanism with its Outbound Proxy (OP) using OPTIONS / INVITE and the lifetime of this association is X hrs. What should be the behaviour of the EP after the completion of X hrs?
   a. Should EP send its next SIP request with Security-Client as well as Security-Verify and expect a re-negotiation from OP?
   b. Should it only renew the previously chosen Security Mechanism and not negotiate again?

<Ranjit> EP cannot use OPTIONS to negotiate a security mechanism. OPTIONS can only understand the capabilities. Ok, after X hours I would say that OP asks the EP to renegotiate or asks the EP to establish the negotiated security mechanism again. If required, the EP can renegotiate. If EP is using the previously negotiated security mechanism, then it needs to re-authenticate itself.

3. The EP has successfully completed Sec-Agreement negotiation with OP. EP later initiates an INVITE with Security-Verify. If the OP sends a 494 response to this, what should be the behaviour at the EP? Should it renegotiate? Should EP check if the new Security-Server is the same as previously sent?

<Ranjit> Why would OP send 494? Yes, if it sends one then a security negotiation procedure has to be restarted by EP. It need not check. It can just follow the normal security negotiation procedures and select the security mechanism with the highest "q" value.

Thanks and Rgds
Rohini Kamath

_______________________________________________
Sip-implementors mailing list
[email protected]
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
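
The selection step mentioned in the last reply (choose the Security-Server entry with the highest "q" value), as an added Python example that is not part of the original thread. The header value is a constructed sample, the function names are hypothetical, and ranking an entry without a q parameter lowest is an assumption of this sketch.

```python
# Constructed sample: a Security-Server value as it might arrive in a 494 response.
SAMPLE_SECURITY_SERVER = "ipsec-ike;q=0.1, tls;q=0.2, digest;d-alg=MD5;d-qop=auth;q=0.05"


def split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def parse_security_server(value):
    """Return [(mechanism, q, raw_entry)] in the order the server listed them."""
    entries = []
    for raw in split_outside_quotes(value, ","):
        fields = split_outside_quotes(raw, ";")
        mech, q = fields[0].lower(), 0.0  # assumption: a missing q ranks lowest
        for field in fields[1:]:
            name, _, val = field.partition("=")
            if name.strip().lower() == "q":
                q = float(val)
        entries.append((mech, q, raw))
    return entries


def select_mechanism(value, supported):
    """Pick the highest-q mechanism the endpoint also supports, or None."""
    usable = [e for e in parse_security_server(value) if e[0] in supported]
    return max(usable, key=lambda e: e[1])[0] if usable else None


def build_followup_headers(value):
    """Headers for later requests: RFC 3329 has Security-Verify mirror the
    server's list, with sec-agree in Require and Proxy-Require."""
    mirrored = ", ".join(raw for _, _, raw in parse_security_server(value))
    return {"Require": "sec-agree", "Proxy-Require": "sec-agree",
            "Security-Verify": mirrored}
```

Because Security-Verify carries the full list the server sent rather than only the chosen mechanism, the proxy can detect a list that was altered in transit to force a weaker choice.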
