Why TLS for SIP

Why is TLS the chosen link encryption for SIP?

From the article, it seems that TLS cannot handle UDP, while SIP does not require anyone to use only TCP! So, how is compatibility with TLS ensured?

What would be the problem if IPsec was used instead?

+4
6 answers

From the document, it seems that TLS cannot handle UDP, while SIP does not require anyone to use only TCP!

TLS works at the TCP level, so TLS requires the use of SIP over TCP.

SIP was designed under the influence of HTTP. TLS is optimized for HTTP (and for SIP too).

One of the main disadvantages of IPsec is the extra size added to the original packet. TLS requires less overhead than IPsec.

Some comparison between TLS and IPsec

What would be the problem if IPsec was used instead?

According to RFC 2119, RECOMMENDED has the same force as SHOULD:

"3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."


+3

From the article, it seems that TLS cannot handle UDP, while SIP does not require anyone to use only TCP! So, how is compatibility with TLS ensured?

That was true. DTLS provides TLS for datagram-based protocols such as UDP.

+4

There are other methods for UDP, for example encrypting the headers.

See section 23.4.3, Tunneling Encryption, in RFC 3261.

+1

You can use SIP over IPsec; 3GPP IMS SIP even prefers this. But IPsec has some serious flaws. To configure IPsec, you must have administrator rights on your computer.

  • IPsec has many configuration parameters that the user will have to set if the SIP providers do not agree on one profile.
  • Configuring IPsec on a general-purpose OS is a huge mess that SIP client vendors tend to avoid.
  • Getting IPsec through NAT routers is harder.

Compared to this, TLS is much easier to deploy.

+1

In the best case, plain UDP performance is three times that of TLS (proxy network mode); in the worst case, UDP is 17 times faster than TLS (local proxy with TLS and mutual authentication). The results depend primarily on whether TLS connections are set up frequently, because TLS session negotiation involves expensive RSA public-key operations.

http://www.cs.columbia.edu/~hgs/papers/Shen1008_TLS.pdf

0
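A worked example, added here and not part of the original thread, that ties together the two answers above: a loopback SIP-over-TLS exchange (one OPTIONS request, one 200 OK) and the handshake-cost point from the Shen paper. It assumes a hypothetical domain proxy.example.test, a self-signed certificate generated at run time purely so the demo runs offline, and a constructed, minimal SIP message; the "proxy" only consumes the request and answers a fixed 200 OK rather than echoing the transaction headers as a real UAS would. The client makes two connections with the same config: the first does a full handshake (certificate exchange and signature verification, the part the paper measures as expensive), the second resumes the cached session. Go is used because its standard library covers certificate generation and TLS session caching without third-party code.

```go
package main

import (
	"bufio"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"net/textproto"
	"time"
)

const sipDomain = "proxy.example.test" // hypothetical domain, used only in this demo

// selfSignedCert issues a throwaway certificate so the demo runs offline (a real proxy presents a CA-issued one).
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{sipDomain}, // what the client's ServerName is checked against
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool() // trust store holding only this certificate
	pool.AppendCertsFromPEM(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool, nil
}

// serveOptions is the proxy side: per connection, consume one request and answer 200 OK.
func serveOptions(ln net.Listener) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		tp := textproto.NewReader(bufio.NewReader(c)) // SIP header syntax matches HTTP/MIME
		_, lineErr := tp.ReadLine()                   // request line, e.g. "OPTIONS sip:... SIP/2.0"
		if _, hdrErr := tp.ReadMIMEHeader(); lineErr == nil && hdrErr == nil { // headers up to the empty line
			// A real UAS also echoes Via/From/To/Call-ID/CSeq; the client here only checks the status line.
			c.Write([]byte("SIP/2.0 200 OK\r\nContent-Length: 0\r\n\r\n"))
		}
		c.Close()
	}
}

// sendOptions is the client side: one TLS connection, one OPTIONS request; returns the status line and whether the handshake resumed a cached session.
func sendOptions(addr string, cfg *tls.Config, callID string) (string, bool, error) {
	conn, err := tls.Dial("tcp", addr, cfg) // full or resumed handshake happens here
	if err != nil {
		return "", false, err
	}
	defer conn.Close()
	// Via names TLS as the transport; z9hG4bK is the RFC 3261 branch magic cookie.
	_, err = fmt.Fprintf(conn, "OPTIONS sip:%[1]s SIP/2.0\r\nVia: SIP/2.0/TLS 127.0.0.1;branch=z9hG4bK-%[2]s\r\n"+
		"From: <sip:alice@%[1]s>;tag=1\r\nTo: <sip:%[1]s>\r\nCall-ID: %[2]s\r\nCSeq: 1 OPTIONS\r\n"+
		"Max-Forwards: 70\r\nContent-Length: 0\r\n\r\n", sipDomain, callID)
	if err != nil {
		return "", false, err
	}
	status, err := textproto.NewReader(bufio.NewReader(conn)).ReadLine()
	return status, conn.ConnectionState().DidResume, err
}

// RunDemo starts the loopback proxy and makes two connections with one client config; the second resumes the first's session.
func RunDemo() (statuses [2]string, resumed [2]bool, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil {
		return
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return
	}
	defer ln.Close()
	go serveOptions(ln)
	clientCfg := &tls.Config{
		ServerName:         sipDomain,                       // verified against the certificate's SAN
		RootCAs:            pool,                            // trust only the demo proxy's certificate
		MinVersion:         tls.VersionTLS12,
		ClientSessionCache: tls.NewLRUClientSessionCache(8), // enables session resumption
	}
	for i := 0; i < len(statuses) && err == nil; i++ {
		statuses[i], resumed[i], err = sendOptions(ln.Addr().String(), clientCfg, fmt.Sprint("demo-", i))
	}
	return
}

func main() {
	fmt.Println(RunDemo()) // expect [SIP/2.0 200 OK SIP/2.0 200 OK] [false true] <nil>
}
```

Run it with `go run`. The first connection reports `DidResume` false, the second true: the resumed handshake skips the certificate exchange and signature verification (TLS 1.3 still performs a fresh key share). The practical point for a SIP user agent is to keep one persistent TLS connection to the registrar or proxy, which RFC 3261 allows to be reused for further transactions, and to enable session resumption so that reconnects do not repeat the full handshake the paper measured.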

Currently, TLS for SIP protects only part of the call flow (INVITEs and REGISTERs). TLS for SIP over TCP makes sense for registration because the UAC will transmit credentials. Additional SIP commands and media (audio/video) will still be transmitted over UDP, unencrypted. This is the most common use of TLS over SIP, used by most popular SIP-based VoIP phones (e.g. Skype, WhatsApp).

Alternatively, you can use TLS for SIP over TCP and configure a "built-in" RTCP stream in which all TLS, SIP and media (audio/video/DTMF) are sent over the same encrypted TCP stream; however, I'm not sure whether popular SIP-based VoIP phones (like Skype, WhatsApp) support this, although the method can be deployed. By contrast, all RTSP clients (Windows Media, Apple QuickTime) support embedded RTCP over a single stream (I mention this because RTSP and SIP are almost identical, minus the verbs).

0

Source: https://habr.com/ru/post/1381849/
