Question

Why is TLS the chosen link encryption for SIP?

From a paper, it seems that TLS can't handle UDP, whereas SIP doesn't require anyone to use TCP alone! So how is interoperability ensured by TLS?

What would the issues have been if IPsec had been used instead?


The solution

From a paper, it seems that TLS can't handle UDP, whereas SIP doesn't require anyone to use TCP alone!

TLS works at the TCP level, so TLS requires SIP to be run over TCP.

SIP was created under the influence of HTTP. TLS is optimized for HTTP (and for SIP too).

One main disadvantage of IPsec is the extra size added to the original packet. TLS needs less overhead than IPsec.

Some comparison between TLS and IPsec

What would the issues have been if IPsec had been used instead?

According to RFC 2119, RECOMMENDED has the same strength as SHOULD.

"3. SHOULD This word, or the adjective "RECOMMENDED", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course."
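The point above that TLS runs over TCP has a practical consequence for a SIP stack: on a stream transport, messages are no longer delimited by datagram boundaries, so the receiver has to frame them using Content-Length (RFC 3261, section 18.3), whereas over UDP each datagram is one message. The following Python is an added example written for this page, not code from either answer or from any SIP stack; the SIP messages, users and hostnames in it are constructed.

```python
import re

# Content-Length, including its compact form "l" (RFC 3261 section 20.14).
# Case-insensitive; the optional \r handles CRLF line endings under re.M.
CONTENT_LENGTH = re.compile(
    rb"^(?:content-length|l)[ \t]*:[ \t]*(\d+)[ \t]*\r?$", re.I | re.M
)


def select_transport(uri: str) -> str:
    """Pick the transport for a request URI (RFC 3261 sections 19.1 and 26.2.2).

    A sips: URI means TLS, which in turn means a stream transport (TCP).
    A sip: URI uses its ;transport= parameter and defaults to UDP.
    """
    m = re.match(r"(?i)^(sips?):[^;?]*((?:;[^;?]*)*)", uri)
    if not m:
        raise ValueError("not a SIP URI: %r" % uri)
    scheme, params = m.group(1).lower(), m.group(2).lower()
    if scheme == "sips":
        return "tls"
    t = re.search(r";transport=([a-z]+)", params)
    return t.group(1) if t else "udp"


def frame_sip_messages(buf: bytes):
    """Split a TCP/TLS byte stream into complete SIP messages.

    Returns (messages, remainder): every complete message found, and the
    unconsumed tail that must be kept until the next read arrives.
    """
    messages = []
    while True:
        # RFC 3261 section 7.5: CRLFs between messages (keep-alives) are ignored.
        buf = buf.lstrip(b"\r\n")
        end_of_headers = buf.find(b"\r\n\r\n")
        if end_of_headers < 0:
            break  # header section not yet complete
        head = buf[: end_of_headers + 4]
        lengths = CONTENT_LENGTH.findall(head)
        if len(lengths) != 1:
            # On a stream transport the framing depends on this header,
            # so a missing or duplicated one is a malformed message.
            raise ValueError("stream transport requires exactly one Content-Length")
        total = end_of_headers + 4 + int(lengths[0])
        if len(buf) < total:
            break  # body not yet complete
        messages.append(buf[:total])
        buf = buf[total:]
    return messages, buf


def split_messages(transport: str, data: bytes):
    """Datagram transports deliver one message per packet; stream transports
    (TCP, and therefore TLS) need Content-Length framing."""
    if transport in ("tcp", "tls"):
        return frame_sip_messages(data)
    return [data], b""


# Constructed sample: a REGISTER and a MESSAGE (with a 5-byte body) delivered
# in a single TLS read, followed by the start of an OPTIONS that is incomplete.
SAMPLE_STREAM = (
    b"REGISTER sip:example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhds\r\n"
    b"From: <sip:alice@example.net>;tag=1928301774\r\n"
    b"To: <sip:alice@example.net>\r\n"
    b"Call-ID: a84b4c76e66710\r\n"
    b"CSeq: 1 REGISTER\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
    b"MESSAGE sip:bob@example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776asdhdt\r\n"
    b"Content-Type: text/plain\r\n"
    b"l: 5\r\n"
    b"\r\n"
    b"hello"
    b"OPTIONS sip:example.net SIP/2.0\r\n"
    b"Via: SIP/2.0/TLS 192.0.2.10"
)

if __name__ == "__main__":
    transport = select_transport("sips:alice@example.net")
    msgs, rest = split_messages(transport, SAMPLE_STREAM)
    print(transport, len(msgs), "complete message(s),", len(rest), "bytes pending")
```

Feeding the remainder plus the next read back into `frame_sip_messages` completes the OPTIONS; a UDP receiver skips all of this, which is why a SIP stack that adds TLS also has to add stream handling it never needed for UDP.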

Discussion

Other tips

From a paper, it seems that TLS can't handle UDP, whereas SIP doesn't require anyone to use TCP alone! So how is interoperability ensured by TLS?

That used to be true. DTLS provides TLS for datagram-based protocols like UDP.

You have other methods for UDP like header encryption.

Section 23.4.3, Tunneling Encryption, in RFC 3261

You can use SIP over IPsec. 3GPP IMS SIP even prefers that. But IPsec has some serious drawbacks. To configure IPsec, you have to have admin rights on your machine.

  • IPsec has dozens of configuration options that a user would have to configure, unless SIP providers agreed on a single profile.
  • Configuring IPsec on a general-purpose OS is a huge mess that SIP client vendors tend to avoid.
  • Getting IPsec through NAT routers is tricky.

Compared to this, TLS is far simpler to deploy.

In the best case, the baseline UDP performance is about three times that with TLS (the proxy chain mode); in the worst case, UDP is 17 times the performance than with TLS (the local proxy with TLS and mutual authentication). The performance results depend primarily on whether and how frequently TLS connection establishment is performed, since TLS session negotiation incurs expensive RSA public key operations.

http://www.cs.columbia.edu/~hgs/papers/Shen1008_TLS.pdf

Currently, TLS for SIP only protects part of the call flow (invites and registration). TLS for SIP over TCP makes sense for registration, because the UAC will transmit credentials. Additional SIP commands and media (audio/video) will still be sent over UDP, unencrypted. This is the most common use of TLS over SIP, employed by almost all popular SIP-based VoIP phones (e.g. Skype, WhatsApp).

Alternatively, it's possible to use TLS for SIP via TCP and set up an "inline" RTCP stream, wherein all TLS, SIP and media (audio/video/DTMF) are sent over the same encrypted TCP stream; however, I'm uncertain whether popular SIP-based VoIP phones (e.g. Skype, WhatsApp) can support this, although this technique can be deployed. Conversely, all RTSP clients (Windows Media, Apple QuickTime) can support inline RTCP over a single stream (pointing this out because RTSP and SIP are almost identical, minus the verbs).

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow