[VOIPSEC] Security of SIP over UDP

Mani, Mahalingam (Mahalingam) mmani at avaya.com
Tue Mar 15 11:15:08 CST 2005


RFC3261 in "7.5 Framing SIP Messages" and section 18 states

"All SIP elements MUST implement UDP and TCP.  SIP elements MAY
   implement other protocols.

      Making TCP mandatory for the UA is a substantial change from RFC
      2543.  It has arisen out of the need to handle larger messages,
      which MUST use TCP, as discussed below.  Thus, even if an element
      never sends large messages, it may receive one and needs to be
      able to handle them."

Sure enough - enterprise-class implementations conscious of securing SIP
path down the path (hop-hop) or at least UAC to the domain's proxy
server will prefer TCP (and so - TLS). Yes - the std. mandates support
for TCP, UDP.

Hence my reference to DTLS in the context of SIP/UDP.

-mani
======

-----Original Message-----
From: Christopher A. Martin [mailto:chris at infravast.com] 
Sent: Friday, March 11, 2005 8:49 PM
To: Mani, Mahalingam (Mahalingam); dirk.pollet at belgacom.be;
Voipsec at voipsa.org
Subject: RE: [VOIPSEC] Security of SIP over UDP

Most clients use UDP by default and it is the default in the spec still,
isn't it?

Christopher A. Martin
P.O. Box 1264
Cedar Hill, Texas 75106
Chris at InfraVAST.com

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of Mani, Mahalingam (Mahalingam)
> Sent: Friday, March 11, 2005 9:37 AM
> To: dirk.pollet at belgacom.be; Voipsec at voipsa.org
> Subject: RE: [VOIPSEC] Security of SIP over UDP
> 
> In my opinion SIP over UDP is not common (SIP/TCP is). There are
> situations where UDP is preferred, however.
> 
> So, with the advent of DTLS (in advanced stages of being approved in the
> IETF http://www.ietf.org/internet-drafts/draft-rescorla-dtls-03.txt) one
> can see the choice for securing SIP/UDP is greatly enhanced.
> 
> Though there's no SIP security profile yet for it (refer to
> http://www.ietf.org/internet-drafts/draft-jennings-sip-dtls-00.txt),
> there is this one in the works.
> 
> ReSIProcate SIP-stack has started to incorporate support:
> www.sipfoundry.org
> 
> -mani
> ======
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On Behalf Of dirk.pollet at belgacom.be
> Sent: Friday, February 18, 2005 9:09 AM
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] Security of SIP over UDP
> 
> 
> Looking at VoIP services for consumers, we're wondering about the risk
> of SIP over UDP.
> 
> How easy is the spoofing of SIP messages, and has anyone already
> experienced problems such as DoS attacks, call interruptions, call
> manipulations, etc.? Has anyone knowledge of the existence of hacking
> tools to send spoofed SIP messages over UDP?
> 
> Secondly, should someone attack a SIP server using spoofed SIP messages
> over UDP, we assume that it is very difficult to react / protect against
> it. Any ideas/suggestions?
>
> Are there commercial SIP implementations that accept only SIP over TCP?
> Any known important inconveniences of using only SIP over TCP?
> 
> Regards
> Dirk
> dirk.pollet at belgacom.be