Re: [Sip-implementors] Does UDP fragmentation of SIP packets violate RFC3261?

2019-01-02 Thread Roman Shpount
RFC 3261 does not prohibit receiving fragmented UDP packets. As far as I
remember, handling fragmented UDP packets was a standard test during SIP
interop. Sending fragmented UDP packets should be avoided since it
negatively affects SIP protocol stability.

P.S. For reliable SIP usage it is probably better to use SIPS or avoid
firewalls. Firewall and router SIP handling is almost universally broken
and should be turned off if SIP usage is expected.
Roman Shpount


On Wed, Jan 2, 2019 at 6:32 PM Philipp Schöning wrote:

> Sonicwall Firewalls are dropping fragmented SIP packets beginning with
> SonicOS 5.8 by default. This is justified by the following sentence:
>
> > Fragmented UDP traffic, especially SIP traffic, is a clear violation of
> > RFC protocol, which SonicOS Enhanced firmware 5.8 and above very strictly
> > adhere to in these circumstances. RFC 3261 is the RFC standard for SIP
> > traffic, and states the following:
>
>
>
> > 18.1.1 Sending Requests The client side of the transport layer is
> > responsible for sending the request and receiving responses. The user of
> > the transport layer passes the client transport the request, an IP address,
> > port, transport, and possibly TTL for multicast destinations. *If a
> > request is within 200 bytes of the path MTU, or if it is larger than 1300
> > bytes and the path MTU is unknown, the request MUST be sent using an RFC
> > 2914 [43] congestion controlled transport protocol, such as TCP.*
>
>
> My question is now: Does this last sentence really mean that UDP
> fragmentation is violating RFC3261?
>
> There is also an additional statement on their page:
>
> > SonicOS enhanced firmware 5.6, which is no longer supported, was less RFC
> > compliant on this, but 5.8 has enhanced security by becoming more strict.
> > RFC 4693 goes into additional detail regarding security concerns of
> > unnecessary packet fragmentation.
>
> Unfortunately RFC4693 covers a completely different topic. Is there any RFC
> which covers the topic of security concerns when using packet
> fragmentation?
>
> I only found this statement in an older posting:
>
> > SIP ALGs, STUN servers, etcetera, must allow UDP fragmentation unless they
> > are intentionally sacrificing interoperability for security reasons.
>
>
> https://lists.cs.columbia.edu/pipermail/sip-implementors/2005-May/009187.html
>
> BR
> Philipp
> ___
> Sip-implementors mailing list
> Sip-implementors@lists.cs.columbia.edu
> https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
>


[Sip-implementors] Does UDP fragmentation of SIP packets violate RFC3261?

2019-01-02 Thread Philipp Schöning
Sonicwall Firewalls are dropping fragmented SIP packets beginning with
SonicOS 5.8 by default. This is justified by the following sentence:

> Fragmented UDP traffic, especially SIP traffic, is a clear violation of
> RFC protocol, which SonicOS Enhanced firmware 5.8 and above very strictly
> adhere to in these circumstances. RFC 3261 is the RFC standard for SIP
> traffic, and states the following:



> 18.1.1 Sending Requests The client side of the transport layer is
> responsible for sending the request and receiving responses. The user of
> the transport layer passes the client transport the request, an IP address,
> port, transport, and possibly TTL for multicast destinations. *If a
> request is within 200 bytes of the path MTU, or if it is larger than 1300
> bytes and the path MTU is unknown, the request MUST be sent using an RFC
> 2914 [43] congestion controlled transport protocol, such as TCP.*


My question is now: Does this last sentence really mean that UDP
fragmentation is violating RFC3261?

There is also an additional statement on their page:

> SonicOS enhanced firmware 5.6, which is no longer supported, was less RFC
> compliant on this, but 5.8 has enhanced security by becoming more strict.
> RFC 4693 goes into additional detail regarding security concerns of
> unnecessary packet fragmentation.

Unfortunately RFC4693 covers a completely different topic. Is there any RFC
which covers the topic of security concerns when using packet fragmentation?

I only found this statement in an older posting:

> SIP ALGs, STUN servers, etcetera, must allow UDP fragmentation unless they
> are intentionally sacrificing interoperability for security reasons.

https://lists.cs.columbia.edu/pipermail/sip-implementors/2005-May/009187.html

BR
Philipp
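
The sender-side rule from RFC 3261 section 18.1.1 quoted in this thread, worked through as an added example that is not part of any list post. The INVITE, its addresses and all function names are constructed for illustration, IPv4 without options is assumed, and "within 200 bytes" is read as MTU minus request length being at most 200. It separates what the rule obliges a sender to do from whether a UDP datagram would actually fragment at a given path MTU:

```python
# Added example: the RFC 3261 section 18.1.1 sender rule quoted in the thread.
IPV4_HEADER, UDP_HEADER = 20, 8   # bytes; assumes IPv4 without options

def rule_requires_tcp(request_len, path_mtu=None):
    """Apply the quoted rule; path_mtu=None means the path MTU is unknown."""
    if path_mtu is None:
        return request_len > 1300
    # "within 200 bytes of the path MTU", read here as MTU - length <= 200
    return path_mtu - request_len <= 200

def udp_would_fragment(request_len, path_mtu):
    """True when one UDP datagram carrying the request exceeds the path MTU."""
    return request_len + UDP_HEADER + IPV4_HEADER > path_mtu

def build_invite(extra_sdp_lines):
    """Constructed INVITE; padding attribute lines stand in for a large SDP offer."""
    sdp = ("v=0\r\no=alice 1 1 IN IP4 192.0.2.10\r\ns=-\r\n"
           "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0 8\r\n")
    sdp += "".join(f"a=x-constructed-{i:03d}:padding\r\n"
                   for i in range(extra_sdp_lines))
    body = sdp.encode()
    head = ("INVITE sip:bob@example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
            "Max-Forwards: 70\r\n"
            "From: <sip:alice@example.com>;tag=constructed\r\n"
            "To: <sip:bob@example.com>\r\n"
            "Call-ID: constructed@192.0.2.10\r\n"
            "CSeq: 1 INVITE\r\n"
            "Contact: <sip:alice@192.0.2.10:5060>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode() + body

def assess(request, path_mtu=None):
    """Report size, what the rule demands, and whether UDP would fragment."""
    n = len(request)
    return {"bytes": n,
            "rule_requires_tcp": rule_requires_tcp(n, path_mtu),
            "udp_fragments": None if path_mtu is None
                             else udp_would_fragment(n, path_mtu)}

if __name__ == "__main__":
    # Small, medium and large constructed requests against three MTU cases.
    for lines in (0, 33, 60):
        req = build_invite(lines)
        for mtu in (None, 1500, 1400):
            print(lines, mtu, assess(req, mtu))
```

The medium request is the case the thread turns on: the rule already requires a congestion-controlled transport although the datagram would still fit a 1500-byte MTU unfragmented.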