[VOIPSEC] RE: Security of SIP over UDP

Geoff Devine gdevine at cedarpointcom.com
Tue Mar 22 11:10:55 CST 2005


I'd like to point out that just because something is a normative
requirement in a specification doesn't mean that people implement that
requirement.  I just conducted an experiment and tried to bring up a TCP
connection to the Motorola VT-1000 Vonage shipped me.  It ignores TCP
connection requests on port 5060.  I didn't try any other ports but it
appears that TCP is disabled on those UAs. 

Geoff

----------------------------------------------------------
From: "Mani, Mahalingam (Mahalingam)" <mmani at avaya.com>

RFC3261 in "7.5 Framing SIP Messages" and section 18 states

"All SIP elements MUST implement UDP and TCP.  SIP elements MAY
   implement other protocols.

      Making TCP mandatory for the UA is a substantial change from RFC
      2543.  It has arisen out of the need to handle larger messages,
      which MUST use TCP, as discussed below.  Thus, even if an element
      never sends large messages, it may receive one and needs to be
      able to handle them."

Sure enough - enterprise-class implementations conscious of securing SIP
path down the path (hop-hop) or at least UAC to the domain's proxy
server will prefer TCP (and so - TLS). Yes - the std. mandates support
for TCP, UDP.

Hence my reference to DTLS in the context of SIP/UDP.

-mani
======
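
An added example, not part of either message: a Python check that repeats the experiment from the first message against a UA you operate, classifying whether SIP over TCP is answered, accepted but silent, refused, or ignored. The OPTIONS header values, the `probe.invalid` host name and the function names are constructed for illustration.

```python
import socket
import sys

def build_options(host, port, transport="TCP"):
    """Minimal SIP OPTIONS request; every header value here is constructed."""
    return "\r\n".join([
        f"OPTIONS sip:{host}:{port} SIP/2.0",
        f"Via: SIP/2.0/{transport} probe.invalid;branch=z9hG4bK-probe1",
        "Max-Forwards: 70",
        "From: <sip:probe@probe.invalid>;tag=probe1",
        f"To: <sip:{host}:{port}>",
        "Call-ID: probe1@probe.invalid",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "", "",
    ]).encode("ascii")

def probe_sip_tcp(host, port=5060, timeout=3.0):
    """Classify a UA's handling of SIP over TCP.

    'answered' - connection accepted and a SIP response came back
    'silent'   - connection accepted, but no SIP response within the timeout
    'refused'  - RST received: nothing is listening on that TCP port
    'ignored'  - no reply to the SYN at all (dropped, or TCP disabled)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "ignored"
    with sock:
        try:
            sock.sendall(build_options(host, port))
            data = sock.recv(4096)
        except (socket.timeout, ConnectionError):
            return "silent"
    return "answered" if data.startswith(b"SIP/2.0 ") else "silent"

if __name__ == "__main__":
    # Usage: python probe.py <address of a UA you operate> [port]
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5060
    print(target, port, probe_sip_tcp(target, port))
```

A result of `ignored` cannot by itself distinguish a UA with TCP disabled from a firewall or NAT dropping the SYN on the path, so run the check from the same network segment as the device.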