> -----Original Message-----
> From: Vijay K. Gurbani [mailto:[EMAIL PROTECTED]
> Sent: Friday, November 16, 2007 6:05 PM
> To: Hadriel Kaplan
> Cc: IETF SIP List; Rohan Mahy; Brett Tate
> Subject: Re: [Sip] WGLC: draft-ietf-sip-connect-reuse-08.txt
>
> > Sec 8.1, p.11: Further, next sentence says "It MUST only accept
> > responses over this connection and MUST NOT accept any requests over
> > this connection." Why is that? The far-end chose to send a request
> > over an open connection. It's definitely not clear that the far-end
> > should have done so (nor how it would have resolved to do so), but is
> > there anything wrong from a protocol perspective with the local end
> > accepting it? For example if the far-end is manually configured to
> > do so.
>
> The tack the draft takes is not to accept requests from the far
> end unless the far end has been authenticated through TLS. So I
> would find it rather disconcerting if the draft allowed an entity
> to accept a request over an unauthenticated connection.
I wouldn't. :)

It is no more "authenticated" than if the remote end opened a connection using an ephemeral port to the local host's listen port. The local host client knows little about the validity of the remote end. Actually, the client knows slightly more about the validity of a connection it opened to the far-end than the other way around, especially if it did single-sided TLS to the far-end, so in that sense it makes more sense to accept requests over its client socket than over the listen port. It just doesn't make much sense for the remote end to send them over it, unless it can authenticate (e.g., using digest).

And that's the rub. Today certain types of devices fix NAT traversal for SIP/TCP or SIP/TLS without needing the client to do sip-outbound, so long as the client can accept requests over its persistent connection, because they can authenticate the client. It's worked so far, anyway. But this new MUST would break it.

-hadriel

_______________________________________________
Sip mailing list
https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
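The two acceptance rules argued over above, modelled in code. This is an added illustration written for this page; it is not code from the draft, from either participant, or from any real SIP stack. It classifies an incoming message by its RFC 3261 start line, then applies either the strict reading of the quoted MUST (a connection we opened carries responses only, unless the far end was authenticated through TLS) or the looser behaviour Hadriel describes (requests are also taken when the peer has been authenticated by another means such as Digest). The `Connection` fields, the `auth` labels and the `accept_*` function names are assumptions made for the example; which party does the authenticating on the connection is left to deployment policy, as it is in the thread. The sample messages are constructed, not captured.

```python
"""Connection-reuse acceptance check for SIP messages (added example)."""
from dataclasses import dataclass, field
import re

# RFC 3261 section 7: a request line is "Method SP Request-URI SP SIP-Version";
# a status line is "SIP-Version SP Status-Code SP Reason-Phrase".
_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) SIP/2\.0$")
_STATUS_LINE = re.compile(r"^SIP/2\.0 (\d{3}) (.*)$")
_BRANCH = re.compile(r";branch=([^;\s]+)")


@dataclass
class Connection:
    """Per-connection state a stack might keep (assumed layout, not a real API)."""
    opened_by_us: bool                  # client socket we opened, vs. one accepted on our listen port
    auth: frozenset = frozenset()       # how the far end was authenticated here: "tls" and/or "digest"
    pending_branches: set = field(default_factory=set)  # top-Via branches of our outstanding requests


def parse_start(raw: str) -> tuple:
    """Return ("request", method) or ("response", status_code); raise on junk."""
    start = raw.split("\r\n", 1)[0]
    m = _REQUEST_LINE.match(start)
    if m:
        return "request", m.group(1)
    m = _STATUS_LINE.match(start)
    if m:
        return "response", int(m.group(1))
    raise ValueError(f"not a SIP start line: {start!r}")


def top_via_branch(raw: str):
    """Branch parameter of the first Via header, or None if absent."""
    for line in raw.split("\r\n"):
        if line.lower().startswith(("via:", "v:")):
            m = _BRANCH.search(line)
            return m.group(1) if m else None
    return None


def accept_strict(raw: str, conn: Connection) -> bool:
    """Strict reading of the sentence quoted from the draft.

    On a connection we opened: accept a response only if it matches one of our
    outstanding transactions by top-Via branch (RFC 3261 17.1.3), and accept a
    request only if the far end was authenticated through TLS on this connection.
    On a connection accepted on our listen port: normal server-side handling.
    """
    kind, _ = parse_start(raw)
    if not conn.opened_by_us:
        return True
    if kind == "response":
        return top_via_branch(raw) in conn.pending_branches
    return "tls" in conn.auth


def accept_lenient(raw: str, conn: Connection) -> bool:
    """Behaviour described in the reply: requests are also taken over our client
    socket when the far end has been authenticated by any means (e.g. Digest)."""
    if accept_strict(raw, conn):
        return True
    kind, _ = parse_start(raw)
    return kind == "request" and bool(conn.auth)


# Constructed sample traffic for the example (not captured from a network).
INVITE_FROM_PEER = (
    "INVITE sip:alice@192.0.2.10 SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 198.51.100.5:5060;branch=z9hG4bK-peer-1\r\n"
    "\r\n"
)
OK_FOR_OUR_REGISTER = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK-ours-7\r\n"
    "\r\n"
)
STRAY_OK = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/TCP 192.0.2.10:5060;branch=z9hG4bK-unknown\r\n"
    "\r\n"
)

if __name__ == "__main__":
    # The NAT-traversal case from the reply: a persistent SIP/TCP client
    # connection on which Digest, not TLS, is the only authentication.
    nat_conn = Connection(opened_by_us=True, auth=frozenset({"digest"}),
                          pending_branches={"z9hG4bK-ours-7"})
    print("strict  INVITE:", accept_strict(INVITE_FROM_PEER, nat_conn))
    print("lenient INVITE:", accept_lenient(INVITE_FROM_PEER, nat_conn))
    print("strict  200 OK (ours):", accept_strict(OK_FOR_OUR_REGISTER, nat_conn))
    print("strict  200 OK (stray):", accept_strict(STRAY_OK, nat_conn))
```

The branch check on responses is not part of either position in the thread; it is the ordinary RFC 3261 transaction-matching step, included because "accept responses over this connection" should still mean responses to something this side actually sent.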
