On Jun 4, 2007, at 12:28 PM, Francois Audet wrote:
>> 1) Some still have to operate in an environment that has no DNS, even in the core.
>> Their customers are demanding transport=tls to control the use of tls over one hop in this situation.

> Which hop???

Any of them - be sure to notice the lack of DNS there.

UAC -----> Proxy 1 ------> Proxy 2 ------> UAS

How (if they don't have DNS) do they specify the use of TLS between Proxy 1 and Proxy 2?

More specifically - if Proxy 1 retargets an initial request to Proxy 2 based on either configuration or a registered contact, what's the RURI of the emitted request going to be? Then, what should it record route with?

> If you put Request-URI of sip:[EMAIL PROTECTED];transport=tls, to me, it means the link between Proxy 2 and UAS would use TLS. I.e., the parameter would apply to the resource identified in the URI. (I'm assuming Record-Routing is used here).
>
> The first hop (between UAC and Proxy 1) is basically what you would select before sending the message (or if a Route header was used, it would be in the Route header). To me, it's self-evident in the actual transport anyways.

I don't understand the last sentence - especially in the record-route/route case.

> Every time I run into this issue, it seems to me that basically what people are asking for is just a way to select TLS for the first hop. We don't need protocol on the wire for this: just a config option in the UAC.

This is not what I'm pointing at.

>> 2) Some have indicated they operate in large enterprise-like networks, where the endpoint has an ephemeral address, one for which there's no way to populate NAPTR/SRVs to indicate a use of TLS when reaching that endpoint.
>> Additionally, the endpoint has a cert (!). They are required to register a contact that causes them to be reached with TLS, and are using transport=tls to do so.

> Surely they need to register with TLS for this to be secure.
> The transport could be self-evident again, from the one used while performing the registration.

So the unusual case here is that it _is possible_ (and even meaningful) for the proxy to open a new connection to the UA if the old one is gone. Are you saying that you would like the proxy/registrar to remember that it should use TLS when it did so as a side-effect of the registration arriving over TLS?

That would be a way we could go (and we should go all the way and ignore what's in contact altogether if we go here), but you will have to explicitly make 3rd party registration and any registration that installs state that doesn't point exactly to the registering instance illegal. (I know several people think this is a good idea, but I don't think we've made that the official position of the working group yet, have we?)
RjS
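As an added illustration of the "which hop" question in the exchange above (constructed example code, not from the thread or from any SIP implementation), the function below applies the RFC 3261 Section 8.1.2 rule for which URI governs the next hop (top loose-routing Route value, else the Request-URI) and the RFC 3263 Section 4.1 rule for deriving a transport from that URI without any DNS lookup, which is the no-DNS core described under point 1). All addresses and URIs are constructed.

```python
import ipaddress
import re

# Minimal SIP/SIPS URI matcher: scheme, optional user, host (IPv6 in brackets),
# optional port, then ;-separated URI parameters. Headers (?...) are ignored.
URI_RE = re.compile(
    r"^(?P<scheme>sips?):(?:(?P<user>[^@]+)@)?"
    r"(?P<host>\[[^\]]+\]|[^;:?]+)(?::(?P<port>\d+))?"
    r"(?P<params>(?:;[^;?]+)*)"
)

def parse_uri(uri):
    m = URI_RE.match(uri)
    if not m:
        raise ValueError(f"not a SIP URI: {uri}")
    params = {}
    for p in m["params"].split(";")[1:]:
        k, _, v = p.partition("=")          # "lr" has no value, "transport=tls" does
        params[k.lower()] = v.lower()
    return {"scheme": m["scheme"].lower(), "host": m["host"].strip("[]"),
            "port": m["port"], "params": params}

def is_numeric(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def next_hop_uri(request_uri, route_headers):
    # RFC 3261 s.8.1.2: with a loose router (;lr) at the top of the Route set,
    # that Route value decides the next hop; with a strict router the
    # Request-URI has already been rewritten to the router, so it is used.
    if route_headers and "lr" in parse_uri(route_headers[0])["params"]:
        return route_headers[0]
    return request_uri

def next_hop_transport(request_uri, route_headers=()):
    # RFC 3263 s.4.1 applied to the governing URI, without DNS:
    # SIPS always means TLS; an explicit transport param wins; a numeric host
    # or explicit port defaults to UDP; a bare domain would need NAPTR/SRV.
    u = parse_uri(next_hop_uri(request_uri, list(route_headers)))
    if u["scheme"] == "sips":
        return "tls"
    if "transport" in u["params"]:
        return u["params"]["transport"]
    if is_numeric(u["host"]) or u["port"]:
        return "udp"
    return None   # unresolvable in a no-DNS core: NAPTR/SRV would be required
```

With a Route set present, a transport=tls parameter on the Request-URI says nothing about the first hop; only the Route value (or Record-Route that produced it) does.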
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip