26 Security Considerations: Threat Model and Security Usage Recommen-
26.2 Security Mechanisms
5886
From the threats described above, we gather that the fundamental security services required for the SIP
5887
protocol are: preserving the confidentiality and integrity of messaging, preventing replay attacks or message
5888
spoofing, providing for the authentication and privacy of the participants in a session, and preventing
denial-5889
of-service attacks. Bodies within SIP messages separately require the security services of confidentiality,
5890
integrity, and authentication.
5891
Rather than defining new security mechanisms specific to SIP, SIP reuses wherever possible existing
5892
security models derived from the HTTP and SMTP space.
5893
Full encryption of messages provides the best means to preserve the confidentiality of signaling - it
5894
can also guarantee that messages are not modified by any malicious intermediaries. However, SIP requests
5895
and responses cannot be naively encrypted end-to-end in their entirety because message fields such as the
5896
Request-URI, Route, and Via need to be visible to proxies in most network architectures so that SIP
5897
requests are routed correctly. Note that proxy servers need to modify some features of messages as well (such
5898
as addingViaheader field values) in order for SIP to function. Proxy servers must therefore be trusted, to
5899
some degree, by SIP UAs. To this purpose, low-layer security mechanisms for SIP are recommended, which
5900
encrypt the entire SIP requests or responses on the wire on a hop-by-hop basis, and that allow endpoints to
5901
verify the identity of proxy servers to whom they send requests.
5902
SIP entities also have a need to identify one another in a secure fashion. When a SIP endpoint asserts
5903
the identity of its user to a peer UA or to a proxy server, that identity should in some way be verifiable. A
5904
cryptographic authentication mechanism is provided in SIP to address this requirement.
5905
An independent security mechanism for SIP message bodies supplies an alternative means of end-to-end
5906
mutual authentication, as well as providing a limit on the degree to which user agents must trust
intermedi-5907
aries.
5908
26.2.1 Transport and Network Layer Security
5909
Transport or network layer security encrypts signaling traffic, guaranteeing message confidentiality and
5910
integrity.
5911
Oftentimes, certificates are used in the establishment of lower-layer security, and these certificates can
5912
also be used to provide a means of authentication in many architectures.
5913
Two popular alternatives for providing security at the transport and network layer are, respectively,
5914
TLS [25] and IPSec [26].
5915
IPSec is a set of network-layer protocol tools that collectively can be used as a secure replacement for
5916
traditional IP (Internet Protocol). IPSec is most commonly used in architectures in which a set of hosts or
5917
administrative domains have an existing trust relationship with one another. IPSec is usually implemented
5918
at the operating system level in a host, or on a security gateway that provides confidentiality and integrity
5919
for all traffic it receives from a particular interface (as in a VPN architecture). IPSec can also be used on a
5920
hop-by-hop basis.
5921
In many architectures IPSec does not require integration with SIP applications; IPSec is perhaps best
5922
suited to deployments in which adding security directly to SIP hosts would be arduous. UAs that have a
5923
pre-shared keying relationship with their first-hop proxy server are also good candidates to use IPSec. Any
5924
deployment of IPSec for SIP would require an IPSec profile describing the protocol tools that would be
5925
required to secure SIP. No such profile is given in this document.
5926
TLS provides transport-layer security over connection-oriented protocols (for the purposes of this
docu-5927
ment, TCP); “tls” (signifying TLS over TCP) can be specified as the desired transport protocol within aVia
5928
header field value or a SIP-URI. TLS is most suited to architectures in which hop-by-hop security is required
5929
between hosts with no pre-existing trust association. For example, Alice trusts her local proxy server, which
5930
after a certificate exchange decides to trust Bob’s local proxy server, which Bob trusts, hence Bob and Alice
5931
can communicate securely.
5932
TLS must be tightly coupled with a SIP application. Note that transport mechanisms are specified on
5933
a hop-by-hop basis in SIP, thus a UA that sends requests over TLS to a proxy server has no assurance that
5934
TLS will be used end-to-end.
5935
The TLS RSA WITH AES 128 CBC SHA ciphersuite MUST be supported at a minimum by
imple-5936
menters when TLS is used in a SIP application. For purposes of backwards compatibility, proxy servers,
5937
redirect servers, and registrars SHOULD support TLS RSA WITH 3DES EDE CBC SHA. Implementers
5938
MAYalso support any other ciphersuite.
5939
26.2.2 SIPS URI Scheme
5940
The SIPS URI scheme adheres to the syntax of the SIP URI (described in 19), although the scheme string is
5941
”sips” rather than ”sip”. The semantics of SIPS are very different from the SIP URI, however. SIPS allows
5942
resources to specify that they should be reached securely.
5943
A SIPS URI can be used as an address-of-record for a particular user - the URI by which the user is
5944
canonically known (on their business cards, in theFromheader field of their requests, in theToheader field
5945
ofREGISTER requests). When used as the Request-URIof a request, the SIPS scheme signifies that
5946
each hop over which the request is forwarded, until the request reaches the SIP entity responsible for the
5947
domain portion of theRequest-URI, must be secured with TLS; once it reaches the domain in question it
5948
is handled in accordance with local security and routing policy, quite possibly using TLS for any last hop to
5949
a UAS. When used by the originator of a request (as would be the case if they employed a SIPS URI as the
5950
address-of-record of the target), SIPS dictates that the entire request path to the target domain be so secured.
5951
The SIPS scheme is applicable to many of the other ways in which SIP URIs are used in SIP today in
5952
addition to theRequest-URI, including in addresses-of-record, contact addresses (the contents ofContact
5953
headers, including those ofREGISTER methods), andRoute headers. In each instance, the SIPS URI
5954
scheme allows these existing fields to designate secure resources. The manner in which a SIPS URI is
5955
dereferenced in any of these contexts has its own security properties which are detailed in [4].
5956
The use of SIPS in particular entails that mutual TLS authentication SHOULDbe employed, asSHOULD
5957
the ciphersuite TLS RSA WITH AES 128 CBC SHA. Certificates received in the authentication process
5958
SHOULDbe validated with root certificates held by the client; failure to validate a certificateSHOULDresult
5959
in the failure of the request.
5960
motivationNote that in the SIPS URI scheme, transport is independent of TLS, and thus “sips:[email protected];transport
5961
and “sips:[email protected];transport=sctp” are both valid (although note that UDP is not a valid transport
5962
for SIPS). The use of “transport=tls” has consequently been deprecated, partly because it was specific to a
5963
single hop of the request. This is a change since RFC 2543.
5964
Users that distribute a SIPS URI as an address-of-record may elect to operate devices that refuse requests
5965
over insecure transports.
5966
26.2.3 HTTP Authentication
5967
SIP provides a challenge capability, based on HTTP authentication, that relies on the 401 and 407 response
5968
codes as well as header fields for carrying challenges and credentials. Without significant modification, the
5969
reuse of the HTTP Digest authentication scheme in SIP allows for replay protection and one-way
authenti-5970
cation.
5971
The usage of Digest authentication in SIP is detailed in Section 22.
5972
26.2.4 S/MIME
5973
As is discussed above, encrypting entire SIP messages end-to-end for the purpose of confidentiality is not
5974
appropriate because network intermediaries (like proxy servers) need to view certain header fields in order
5975
to route messages correctly, and if these intermediaries are excluded from security associations, then SIP
5976
messages will essentially be non-routable.
5977
However, S/MIME allows SIP UAs to encrypt MIME bodies within SIP, securing these bodies
end-to-5978
end without affecting message headers. S/MIME can provide end-to-end confidentiality and integrity for
5979
message bodies, as well as mutual authentication. It is also possible to use S/MIME to provide a form of
5980
integrity and confidentiality for SIP header fields through SIP message tunneling.
5981
The usage of S/MIME in SIP is detailed in Section 23.
5982