Thread: SIP over TLS via NAT/Firewall




SIP over TLS via NAT/Firewall
user name
2006-10-23 12:55:24
Hi,

Would like to know about SIP negotiations on TLS. It is the
fact that TLS strictly provides hop-by-hop security in a SIP
Network and even encryption is also on hop-by-hop basis.

It'll be great if someone let me know if there is a SIP ALG
coexisting with NAT/Firewall on the edge of an enterprise
network and there is a SIP Server on the public network.
Suppose a UA sends a SIP request message on TLS, can it be
intercepted by NAT/Firewall on the edge or it'll bypass
NAT/Firewall and directly go to the SIP Server on the public
network?

 

  Private Network              |              Public Network
                               |
UA-----------------> NAT/Firewall/SIP-ALG------------------------------------> SIP Server
       tls                     |                  tls
                               |

 

Regards,

Sunil

 



_______________________________________________
Ietf-behave mailing list
Ietf-behavelist.sipfoundry.org
https://list.sipfoundry.org/mailman/listinfo/ietf-behave

SIP over TLS via NAT/Firewall
user name
2006-10-23 13:06:56
On Monday 23 October 2006 15:55, ext SUNIL J. krishna wrote:
> It'll be great if someone let me know if there is a SIP ALG coexisting with
> NAT/Firewall on the edge of an enterprise network and there is a SIP Server
> on the public network. Suppose a UA sends a SIP request message on TLS,
> can it be intercepted by NAT/Firewall on the edge or it'll bypass NAT/Firewall
> and directly go to the SIP Server on the public network?

Obviously, the NAT won't be able to decipher the traffic, so it won't be able
to act as SIP/SDP ALG. As for the firewall, it won't do connection tracking,
so it won't be able to allow media to flow.

And anyway, I doubt a NAT or a firewall would be willing to decipher and
recipher SIP traffic even if it could. That being said, quite many SIP ALG
out there are quite broken, so you might be better off with preventing these
from seeing your SIP signaling.

-- 
Rémi Denis-Courmont <Remi.Denis-Courmontnokia.com>
Assistant Research Engineer


SIP over TLS via NAT/Firewall
user name
2006-10-23 13:06:45
> Hi,
>
> Would like to know about SIP negotiations on TLS. It is the
> fact that TLS strictly provides hop-by-hop security in a SIP
> Network and even encryption is also on hop-by-hop basis.
>
> It'll be great if someone let me know if there is a SIP ALG
> coexisting with NAT/Firewall on the edge of an enterprise
> network and there is a SIP Server on the public network.
> Suppose a UA sends a SIP request message on TLS, can it be
> intercepted by NAT/Firewall on the edge

No, a TLS-encrypted message cannot be intercepted by a NAT or firewall
device.  If a NAT or firewall could examine the plaintext contents of a
TLS-encrypted message, TLS wouldn't have much value!

-d

> or it'll bypass
> NAT/Firewall and directly go to the SIP Server on the public
> network?
>
>   Private Network              |              Public Network
>                                |
> UA-----------------> NAT/Firewall/SIP-ALG------------------------------------> SIP Server
>        tls                     |                  tls
>                                |
>
> Regards,
>
> Sunil

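The point made in both replies, shown from the ALG's side. This is an added example, not part of the original thread: a toy SIP ALG that rewrites the private address and learns the media port when the signaling is plaintext, and can do neither when it is handed a TLS record. The function names, addresses and sample payloads are constructed for illustration.

```python
import re

# Constructed sample: plaintext SIP INVITE with SDP, as sent by a UA behind NAT.
# (Content-Length is omitted; a real ALG would also have to recompute it.)
PLAINTEXT_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.1.10:5060\r\n"
    b"Contact: <sip:alice@192.168.1.10:5060>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\n"
    b"c=IN IP4 192.168.1.10\r\n"
    b"m=audio 49170 RTP/AVP 0\r\n"
)

# Constructed sample: a TLS record header (handshake, version 3.1, length 0x30)
# followed by bytes the middlebox has no key to interpret.
TLS_RECORD = bytes([0x16, 0x03, 0x01, 0x00, 0x30]) + bytes(range(0x30))

# A SIP message starts with a request line or a status line.
SIP_START = re.compile(rb"^(?:[A-Z]+ \S+ SIP/2\.0|SIP/2\.0 \d{3} )")


def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 20..23, then major version 3."""
    return len(payload) >= 5 and payload[0] in (20, 21, 22, 23) and payload[1] == 3


def alg_process(payload: bytes, private_ip: str, public_ip: str):
    """Return (action, payload_out, media_ports) as a hypothetical ALG would."""
    if looks_like_tls(payload):
        # Nothing to parse: no Contact, no SDP c=/m= lines, so no address
        # rewriting and no media pinhole can be derived from the signaling.
        return ("opaque", payload, [])
    if not SIP_START.match(payload):
        return ("not-sip", payload, [])
    # Plaintext SIP: swap the private address for the public one everywhere
    # (Via, Contact, SDP c=) and read the RTP ports from the SDP m= lines.
    rewritten = payload.replace(private_ip.encode(), public_ip.encode())
    ports = [int(p) for p in re.findall(rb"^m=\w+ (\d+) ", rewritten, re.M)]
    return ("rewritten", rewritten, ports)


if __name__ == "__main__":
    for name, pkt in (("plaintext", PLAINTEXT_INVITE), ("tls", TLS_RECORD)):
        action, _, ports = alg_process(pkt, "192.168.1.10", "203.0.113.5")
        print(name, action, ports)
```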
