List: asterisk-dev
Subject: Re: [asterisk-dev] Registration state for SIP over TCP or TLS
From: "Olle E. Johansson" <oej () edvina ! net>
Date: 2017-01-09 19:08:45
Message-ID: 52F79F4E-2335-471D-96DC-CF2691F28D1D () edvina ! net
> On 09 Jan 2017, at 19:52, Joshua Colp <jcolp@digium.com> wrote:
>
> On Mon, Jan 9, 2017, at 02:10 PM, Steve Davies wrote:
>> Hi,
>>
>> I believe that the current state of affairs with Asterisk's SIP over TCP or
>> TLS registration is that if a connection is dropped or closed, then the
>> registration is allowed to persist.
>>
>> Given that a re-connect will almost certainly not be from the same IP/port
>> pair, should a TCP or TLS disconnect result in an under-the-hood
>> de-register?
>>
>> I believe the issue does currently exist because I have seen dropped TCP or
>> TLS connections result in an "xmit_error" when the next OPTIONS ping is
>> attempted.
>>
>> Thoughts? Am I missing something, or would this be useful for me to look
>> into patching?
>
> It... depends.
>
> In a world with connection reuse you can assume that when the connection
> is dropped that you can't reach the other side anymore. However, if you
> are expected to establish an outgoing connection to the remote side then
> the logic that the connection has dropped and you can't reach them is
> not true. The Contact in that case should be valid.

There are basically two situations to consider:

1. NAT: If there's a connection from behind a NAT, Asterisk can't reconnect
and deleting the registration is probably for the best. Asterisk can only
reuse the inbound TLS connection if the client is using SIP Outbound.

2. Public IP: The TLS connection can ONLY be reused if the client uses SIP outbound.
Asterisk needs to set up a separate connection to the client as soon as we have a
request going in that direction, unless there's a TLS client cert used and verified
to match the contact URI.

I am trying to get some traction in the IETF for developing a solution for case #1
when there's a TLS connection - a solution that doesn't require that there is a
client cert or any use of SIP outbound. Right now, such a solution does not exist,
so Asterisk formally can't reuse the inbound TLS connection for outbound requests.
Please support this work :-)

For more info, please visit
- http://www.slideshare.net/oej/sip-half-outbound-random-notes
- http://www.slideshare.net/oej/sip-tls-security-in-a-peer-to-peer-world

Kamailio actually reuses the inbound connection for outbound
requests, which is a working solution - but this requires a disregard of the Contact
URI provided by the client and a blind eye when reading the RFCs.

Removing registrations for clients behind NAT when
a TCP or TCP/TLS or WSS connection dies saves a lot of resources.

/O
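
The two cases in the message above, written out as decision logic. This is an added example, not part of the original post and not Asterisk code. The names, the returned action strings and the NAT heuristic (Contact is an RFC 1918 address or differs from the observed source address) are assumptions made for illustration.

```python
# Added illustration, not Asterisk code. All names are hypothetical.
import ipaddress
from typing import NamedTuple

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

class Registration(NamedTuple):
    contact_host: str                   # host part of the registered Contact URI
    src_ip: str                         # observed source of the inbound TCP/TLS connection
    sip_outbound: bool = False          # client uses SIP Outbound (RFC 5626)
    cert_matches_contact: bool = False  # TLS client cert verified against the Contact URI

def behind_nat(reg):
    """Assumed heuristic: Contact is RFC 1918 or differs from the observed source."""
    try:
        contact = ipaddress.ip_address(reg.contact_host)
    except ValueError:
        return False  # hostname Contact: assumed directly reachable, no DNS lookup here
    return (any(contact in net for net in RFC1918)
            or contact != ipaddress.ip_address(reg.src_ip))

def on_connection_lost(reg):
    """What to do with the registration when its TCP/TLS/WSS connection dies."""
    if behind_nat(reg):
        return "remove_registration"  # case 1: the server cannot reconnect through the NAT
    return "keep_registration"        # case 2: Contact is still valid, connect on demand

def route_outbound_request(reg, inbound_alive):
    """Which connection carries the next request toward the client (e.g. an OPTIONS ping)."""
    if inbound_alive and reg.sip_outbound:
        return "reuse_inbound"        # reuse is permitted with SIP Outbound
    if behind_nat(reg):
        return "no_compliant_path"    # case 1 without SIP Outbound
    if inbound_alive and reg.cert_matches_contact:
        return "reuse_inbound"        # case 2 exception: verified client cert
    return "open_new_connection"      # case 2: separate connection to the Contact

# Constructed sample registrations (private and documentation-range addresses).
NATTED = Registration("192.168.1.20", "203.0.113.10")
PUBLIC = Registration("203.0.113.10", "203.0.113.10")
PUBLIC_CERT = Registration("203.0.113.10", "203.0.113.10", cert_matches_contact=True)
OUTBOUND = Registration("192.168.1.20", "203.0.113.10", sip_outbound=True)
```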