2011/9/16 DRAGE, Keith (Keith) <[email protected]>: > This conclusion is nothing new - it was essentially the conclusion of those > working on RFC 5630. But it is not RFC 5630 that needs the rework; that > document is pretty much correct within the constraints we gave it, which is > to define what happens with the existing protocol and make minimum fixes to > the existing protocol (indeed the original charter item was only the first > half of this). > > There was a recognition that more could be achieved with a new mechanism (for > example there was a draft from Vijay Gurbani), but that would have been a > separate charter item, and noone seemed to have the enthusiasm at the time to > work on it. That doesn't mean that that situation still persists and I'm sure > you understand the process for bringing new work into IETF if you want to do > something. But that is what it is, new work.
Thanks, I understand what you mean. IMHO the main problem is "mixing" the transport for a specific node in the path with the requirement of a secure transport for the whole path. Given this thread is clear that there are errors in the design making it unusable. Another "error" (IMHO) is the aim of RFC 3261 in considering TLS (over TCP) not a transport, but a secure layer over TCP. But that is ironic since that just applies to URI ;transport param, but in Via transport field we do have "TLS" and "TCP" as separate values. Things would be much easier as follows (just an initial idea): - Consider TLS-over-TCP as a real transport (the same for TLS over SCTP) so we have ;transport=tls / tls-sctp. - Completely remove SIPS schema (the real pain here). - Create any new mechanism for requiring a whole secure path. For example, by adding a ;sec param to the Request URI and Contact URI. In this way, the UAS MUST also add ;sec to the Contact header in the response, so all the in-dialog requests would have ;sec in the Request URI. Proxies should add ;sec to Record-Route headers in this case. If an UAC or proxy has to route a request whose top Route (or RURI if no Route is present) has ;sec param, then it MUST use a secure transport. If such URI contains a ;transport param with values "udp", "tcp" or "sctp" then that's an error and the request should be rejected. And that's all. Of course this idea must be improved (a lot) :) Regards. -- Iñaki Baz Castillo <[email protected]> _______________________________________________ Sip mailing list https://www.ietf.org/mailman/listinfo/sip This list is essentially closed and only used for finishing old business. Use [email protected] for questions on how to develop a SIP implementation. Use [email protected] for new developments on the application of sip. Use [email protected] for issues related to maintenance of the core SIP specifications.
