The problem with SIP outbound
Why we need a half-outbound
oej@edvina.net | 2016-06-10 | v1.1
SIP problem
• UAs move to TCP for TLS or for connection handling over mobile networks
• UAs are behind NAT
• The server needs to reuse the connection to the client for outbound requests - typically an INVITE to the UA
• Connection reuse for clients is defined in SIP Outbound
SIP Outbound
• Requires support for TWO flows
• The SIP over websockets RFC silently ignores this
• Is a SIP extension, needs to be advertised
• Adds instance-ID, reg-ID and flow-token handling
• Only solves initial transactions, doesn’t handle connection changes during a dialog (not in scope)
SIP Outbound
• Presentation: http://www.slideshare.net/oej/sip2012-outbound
• RFC 5626: https://tools.ietf.org/html/rfc5626
RFC 3261 18.1.1
What does this mean
• If the contact provided in a registration actually matches the connection (the IP/port used to set up the connection), the server can reuse the connection
• The URI needs to match
• The client needs to keep the connection open
What about TLS?
• TLS adds a property to the matching of the URI - verification of the other end.
• The UA verifies and validates the connection to the server
• But how does the server validate the connection to the UA?
SIPit tests
• UAs provided contacts either with SIPS or with “;transport=tls”
• UAs had no client cert
• The server cannot reuse the connection
• “;transport=TLS” is deprecated in RFC 3261
• Only outbound can solve this
BUT DEVELOPERS DON’T WANT TO DO OUTBOUND.
Implementations known to me
• Javascript SIP client libraries have half-outbound (it’s a requirement for websocket transport)
• Kamailio.org has outbound support in the server
• At least one UA at SIPit claimed support, but it was not tested
• Any others?
Ideas for half-outbound for TLS
• UA (client) opens TLS connection to server and validates cert
• Client indicates support for “connreuse” as “Supported:” extension in REGISTER request after connection is set up
• Server is allowed to ignore (as always)
• Client registers to AOR (and authenticates)
• If server answers 200 OK REGISTER with “Require: connreuse” the client is supposed to manage an open connection
• Server is allowed to reuse connection for outbound SIP requests to the AOR or associated GRUU (only after successful auth)
• Regardless of contact used in registration (maybe copy websockets with .invalid)
IDEA
Server handling
• If the client indicated connreuse and the TLS connection exists, reuse that for outbound requests
• If the client closes the flow, delete the registered contact and connection identifiers from the location database
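A minimal model of the registrar logic sketched on the two slides above, written as an added example (not code from the presentation or from any SIP server). `connreuse` is the option tag the slides propose; the class, field and function names and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

CONNREUSE = "connreuse"  # option tag proposed on the slides, not a registered one


@dataclass(frozen=True)
class Connection:
    conn_id: int                  # hypothetical local handle for the socket
    src_ip: str                   # address the server sees (after NAT)
    src_port: int
    tls: bool = True
    client_cert_ok: bool = False  # True only if the UA presented a verified cert


@dataclass
class Register:
    aor: str
    contact: tuple                # (host, port) taken from the Contact URI
    supported: frozenset = frozenset()
    authenticated: bool = False   # digest authentication already succeeded


class Registrar:
    def __init__(self):
        self.conns = {}     # conn_id -> Connection, connections currently open
        self.location = {}  # aor -> (contact, bound conn_id or None)

    def on_accept(self, conn):
        self.conns[conn.conn_id] = conn

    def handle_register(self, req, conn):
        """Return (status, Require option tags) for a REGISTER."""
        if not req.authenticated:
            return 401, set()  # never bind a flow before successful auth
        # Bind the AOR to this flow only when the client offered connreuse
        # over TLS; the Contact value itself is not used for the decision.
        bind = conn.tls and CONNREUSE in req.supported
        self.location[req.aor] = (req.contact, conn.conn_id if bind else None)
        return 200, ({CONNREUSE} if bind else set())

    def on_close(self, conn_id):
        """Client closed the flow: drop the connection and contacts bound to it."""
        self.conns.pop(conn_id, None)
        bound = [a for a, (_, c) in self.location.items() if c == conn_id]
        for aor in bound:
            del self.location[aor]

    def route(self, aor):
        """Decide how an outbound request (e.g. an INVITE) reaches the UA."""
        if aor not in self.location:
            return ("unreachable", None)
        contact, bound = self.location[aor]
        if bound in self.conns:
            return ("reuse", bound)  # half-outbound: use the bound flow
        # Without connreuse, fall back to the matching described earlier in
        # the deck: the contact must equal the connection's IP/port, and over
        # TLS the server must also have verified the UA (client certificate).
        for conn in self.conns.values():
            addr_match = (conn.src_ip, conn.src_port) == contact
            if addr_match and (not conn.tls or conn.client_cert_ok):
                return ("reuse", conn.conn_id)
        return ("new-connection", contact)  # fails for a UA behind NAT


def demo():
    """Constructed scenario: two UAs behind the same NAT, no client certs."""
    r = Registrar()
    c1 = Connection(1, "203.0.113.7", 40112)
    r.on_accept(c1)
    bob = Register("sip:bob@example.com", ("192.168.1.21", 5061),
                   frozenset(), True)
    alice = Register("sip:alice@example.com", ("192.168.1.20", 5061),
                     frozenset({CONNREUSE}), True)
    r.handle_register(bob, c1)
    r.handle_register(alice, c1)
    before = (r.route(bob.aor), r.route(alice.aor))
    r.on_close(1)
    after = (r.route(bob.aor), r.route(alice.aor))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Registering the same AOR again over a fresh connection simply rebinds it, which is how the model covers a new connection being set up mid-call.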
Contact URI
• No “;transport=tls” any more
• Maybe re-use “.invalid” contact URIs from RFC 7118 (SIP over websockets)
• Require GRUU, Record-Route or OUTBOUND to avoid peer-to-peer connection attempts
Differences compared to Outbound
• Only one connection required
• No extra indicators in contact
• No flow identifiers in headers
• No reg-id
• No failover between flows
• New connection can be set up mid-call and used for new in-dialog transactions
Simplification

The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

The problem with SIP outbound - Why we need a half-outbound solution

  • 1. The problem with SIP outbound: Why we need a half-outbound. oej@edvina.net | 2016-06-10 | v1.1
  • 2. SIP problem
      • UAs move to TCP for TLS or for connection handling over mobile networks
      • UAs are behind NAT
      • The server needs to reuse the connection to the client for outbound requests, typically an INVITE to the UA
      • Connection reuse for clients is defined in SIP Outbound
  • 3. SIP Outbound
      • Requires support for TWO flows
      • The SIP over WebSockets RFC silently ignores this
      • Is a SIP extension, so it needs to be advertised
      • Adds instance-ID, reg-ID and flow-token handling
      • Only solves initial transactions; doesn’t handle connection changes during a dialog (not in scope)
  • 6. What does this mean
      • If the contact provided in a registration actually matches the connection (the IP/port used to set up the connection), the server can reuse the connection
      • The URI needs to match
      • The client needs to keep the connection open
  • 7. What about TLS?
      • TLS adds a property to the matching of the URI: verification of the other end
      • The UA verifies and validates the connection to the server
      • But how does the server validate the connection to the UA?
  • 8. SIPit tests
      • UAs provided contacts either with SIPS or with “;transport=tls”
      • UAs had no client cert
      • The server cannot reuse the connection
      • “;transport=TLS” is deprecated in RFC 3261
      • Only outbound can solve this
  • 10. Implementations known to me
      • JavaScript SIP client libraries have half-outbound (it’s a requirement for the WebSocket transport)
      • Kamailio.org has outbound support in the server
      • At least one UA at SIPit claimed support, but it was not tested
      • Any others?
  • 11. Ideas for half-outbound for TLS (IDEA)
      • The UA (client) opens a TLS connection to the server and validates the cert
      • The client indicates support for “connreuse” as a “Supported:” extension in the REGISTER request after the connection is set up
      • The server is allowed to ignore it (as always)
      • The client registers to the AOR (and authenticates)
      • If the server answers 200 OK to the REGISTER with “Require: connreuse”, the client is supposed to manage an open connection
      • The server is allowed to reuse the connection for outbound SIP requests to the AOR or associated GRUU (only after successful auth)
      • Regardless of the contact used in the registration (maybe copy WebSockets with .invalid)
  • 12. Server handling
      • If the client indicated connreuse and a TLS connection exists, reuse that for outbound requests
      • If the client closes the flow, delete the registered contact and connection identifiers from the location database
  • 13. Contact URI
      • No “;transport=tls” any more
      • Maybe re-use the “.invalid” contact URIs from RFC 7118 (SIP over WebSockets)
      • Require GRUU, Record-Route or OUTBOUND to avoid peer-to-peer connection attempts
  • 14. Differences compared to Outbound (Simplification)
      • Only one connection required
      • No extra indicators in contact
      • No flow identifiers in headers
      • No reg-id
      • No failover between flows
      • A new connection can be set up mid-call and used for new in-dialog transactions
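
The registrar-side handling from slides 11 and 12, written out as an added example; it is not code from the deck or from any SIP server. `connreuse` is the option tag the slides propose, while `LocationDB`, its methods, the connection ids and the rule that a newer connection replaces an older binding are assumptions made for illustration, and authentication is reduced to a boolean so the 401 carries no challenge.

```python
# Added illustration of slides 11-12. "connreuse" is the option tag the deck
# proposes; LocationDB and everything else named here is hypothetical.
from dataclasses import dataclass, field
OPTION_TAG = "connreuse"

def option_tags(headers, names):
    """Collect comma-separated option tags from headers whose name is in `names`."""
    tags = set()
    for key, value in headers:
        if key.strip().lower() in names:
            tags.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tags

@dataclass
class LocationDB:
    by_aor: dict = field(default_factory=dict)   # AOR -> connection id
    by_conn: dict = field(default_factory=dict)  # connection id -> set of AORs

    def handle_register(self, conn_id, is_tls, authenticated, aor, headers):
        """Return (status, extra response headers) for a REGISTER on conn_id."""
        if not authenticated:
            return 401, []  # no binding before auth succeeds (challenge omitted)
        # "k" is the RFC 3261 compact form of Supported.
        offered = OPTION_TAG in option_tags(headers, {"supported", "k"})
        if not (offered and is_tls):
            return 200, []  # ordinary registration; server does not reuse
        old = self.by_aor.get(aor)
        if old is not None and old != conn_id:
            self.by_conn.get(old, set()).discard(aor)  # assumption: newest wins
        self.by_aor[aor] = conn_id
        self.by_conn.setdefault(conn_id, set()).add(aor)
        return 200, [("Require", OPTION_TAG)]

    def route_outbound(self, aor):
        """Connection to reuse for a request to `aor`, or None if there is none."""
        return self.by_aor.get(aor)

    def connection_closed(self, conn_id):
        """Client closed the flow: delete its contacts and connection identifiers."""
        for aor in self.by_conn.pop(conn_id, set()):
            if self.by_aor.get(aor) == conn_id:
                del self.by_aor[aor]

if __name__ == "__main__":
    db = LocationDB()
    reg = [("Supported", "path, connreuse")]  # constructed sample headers
    print(db.handle_register("tls-1", True, True, "sip:alice@example.com", reg))
    print(db.route_outbound("sip:alice@example.com"))
```

The binding is keyed on the authenticated AOR and the connection the REGISTER arrived on, never on the Contact value, which is what lets the server reuse the flow without a client certificate.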