On Thu, May 21, 2015 at 10:23 AM, Iñaki Baz Castillo <i...@aliax.net> wrote:

> 2015-05-20 23:13 GMT+02:00 Roman Shpount <ro...@telurix.com>:
> > I think RFC 7118 example 8.2 is missing the language that WSS is used
> > based on the local client policy. This would make the entire example
> > correct and compliant with RFC 3621. From my point of view this is more
> > of an editorial nit than an actual specification issue, but this can be
> > discussed in more detail in sipcore.
>
> Let's clarify that in all the examples the client is connecting to an
> Outbound proxy, so it makes a LOT of sense that it wants to keep and
> reuse the single connection it opened with the Outbound proxy for any
> future request (initial or in-dialog). That seems "implicit local
> policy" IMHO, but yes, it should be specified somewhere.
>
> And IMHO the issue is in
> http://tools.ietf.org/html/rfc5630#section-3.1.3. Let's continue with
> it:
>
> --------------------------------------
>    If one wants to use "best-effort TLS" for SIP, one just needs to use
>    a SIP URI, and send the request over TLS.
>
>    Using SIP over TLS is very simple.  A UA opens a TLS connection and
>    uses SIP URIs instead of SIPS URIs for all the header fields in a SIP
>    message (From, To, Request-URI, Contact header field, Route, etc.).
>    When TLS is used, the Via header field indicates TLS.
> ---------------------------------------
>
> There is the "problem". Given that initial "sip" INVITE sent over TLS,
> how is the proxy supposed to indicate to the client that it should send
> the ACK and any in-dialog request over the same connection? There is no
> way for the proxy to indicate that, and that is the problem IMHO.
>
>
I agree there is a real use case for the proxy to specify that it wants to
use "best effort TLS" for one hop only. I doubt we will get it adopted
though, since the IETF has now adopted a policy that everything must be
secure, so they will not adopt "partially secure" solutions.

In general, some sort of language that in practical deployments a client
would typically use a local policy to send all the SIP messages through a
pre-configured WSS proxy would make a lot of sense.
_____________
Roman Shpount
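The "implicit local policy" the thread is about, shown as an added illustration that is not code from the list or from any of the RFCs cited: a WebSocket SIP client that pins every request, initial or in-dialog, to the single WSS connection it opened to its outbound proxy. The `Connection` and `SipRequest` classes, the `pin_to_outbound` flag and the sample URIs are all constructed for this example; the next-hop selection follows the usual Route-then-Request-URI rule, and the fallback to UDP for a bare `sip:` URI without a transport parameter is what makes the ACK leave the WSS connection when no such policy is applied.

```python
"""Constructed example: local client policy that keeps all SIP requests on
the one WSS connection to a pre-configured outbound proxy."""
from dataclasses import dataclass, field
from typing import List, Optional
import secrets


@dataclass
class Connection:
    """One open transport connection (assumed shape: transport name and peer)."""
    transport: str          # "WSS", "TLS", "UDP", ...
    peer: str               # host[:port] of the far end


@dataclass
class SipRequest:
    method: str
    request_uri: str
    # Route header values; the first one is the next hop when present.
    route: List[str] = field(default_factory=list)
    via: Optional[str] = None


def next_hop_uri(req: SipRequest) -> str:
    """First Route entry if there is one, otherwise the Request-URI."""
    return req.route[0] if req.route else req.request_uri


def _host_of(uri: str) -> str:
    """Strip the scheme and any URI parameters: 'sip:host;lr' -> 'host'."""
    return uri.split(":", 1)[1].split(";")[0]


def select_connection(req: SipRequest, outbound: Connection,
                      pin_to_outbound: bool) -> Connection:
    """Pick the connection to send `req` on.

    pin_to_outbound=True is the local policy discussed in the thread: every
    request reuses the existing outbound connection.  Without it, the transport
    is derived from the next-hop URI alone; a plain 'sip:' URI with no transport
    parameter says nothing about the earlier connection and falls back to UDP.
    """
    if pin_to_outbound:
        return outbound
    uri = next_hop_uri(req)
    if uri.startswith("sips:"):
        return Connection("TLS", _host_of(uri))
    for param in uri.split(";")[1:]:
        if param.lower().startswith("transport="):
            return Connection(param.split("=", 1)[1].upper(), _host_of(uri))
    return Connection("UDP", _host_of(uri))


def add_via(req: SipRequest, conn: Connection, sent_by: str) -> str:
    """Build the topmost Via for the chosen transport; RFC 7118 uses SIP/2.0/WSS."""
    branch = "z9hG4bK" + secrets.token_hex(6)   # RFC 3261 magic cookie prefix
    req.via = f"SIP/2.0/{conn.transport} {sent_by};branch={branch}"
    return req.via


def demo() -> dict:
    """Walk an INVITE and its in-dialog ACK through both policies."""
    outbound = Connection("WSS", "proxy.example.com:443")      # constructed
    # Route set the client learned from the INVITE's Record-Route: a bare sip: URI.
    dialog_route = ["sip:proxy.example.com;lr"]                # constructed
    invite = SipRequest("INVITE", "sip:bob@example.com")
    ack = SipRequest("ACK", "sip:bob@192.0.2.10", route=dialog_route)
    return {
        "invite_pinned": select_connection(invite, outbound, True).transport,
        "ack_pinned": select_connection(ack, outbound, True).transport,
        "ack_unpinned": select_connection(ack, outbound, False).transport,
        "via": add_via(ack, outbound, "df7jal23ls0d.invalid"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as-is, the pinned ACK stays on WSS while the unpinned one resolves to UDP from the `sip:` Route entry, which is exactly the gap Iñaki points at: nothing in the URI tells the client to reuse the connection, so the reuse has to come from configuration on the client side.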