1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
2025
2026
2027
2028
2029
2030
2031
2032
2033
2034
2035
2036
2037
2038
2039
2040
2041
2042
2043
2044
2045
2046
2047
2048
2049
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059
2060
2061
2062
2063
2064
2065
2066
2067
2068
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078
2079
2080
2081
2082
2083
2084
2085
2086
2087
2088
2089
2090
2091
2092
2093
2094
2095
2096
2097
2098
2099
2100
2101
2102
2103
2104
2105
2106
2107
2108
2109
2110
2111
2112
2113
2114
2115
2116
2117
2118
2119
2120
2121
2122
2123
2124
2125
2126
2127
2128
2129
2130
2131
2132
2133
2134
2135
2136
2137
2138
2139
2140
2141
2142
2143
2144
2145
2146
2147
2148
2149
2150
2151
2152
2153
2154
2155
2156
2157
2158
2159
2160
2161
2162
2163
2164
2165
2166
2167
2168
2169
2170
2171
2172
2173
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183
2184
2185
2186
2187
2188
2189
2190
2191
2192
2193
2194
2195
2196
2197
2198
2199
2200
2201
2202
2203
2204
2205
2206
2207
2208
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222
2223
2224
2225
2226
2227
2228
2229
2230
2231
2232
2233
2234
2235
2236
2237
2238
2239
2240
2241
2242
2243
2244
2245
2246
2247
2248
2249
2250
2251
2252
2253
2254
2255
2256
2257
2258
2259
2260
2261
2262
2263
2264
2265
2266
2267
2268
2269
2270
2271
2272
2273
2274
2275
2276
2277
2278
2279
2280
2281
2282
2283
2284
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300
2301
2302
2303
2304
2305
2306
2307
2308
2309
2310
2311
2312
2313
2314
2315
2316
2317
2318
2319
2320
2321
2322
2323
2324
2325
2326
2327
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341
2342
2343
2344
2345
2346
2347
2348
2349
2350
2351
2352
2353
2354
2355
2356
2357
2358
2359
2360
2361
2362
2363
2364
2365
2366
2367
2368
2369
2370
2371
2372
2373
2374
2375
2376
2377
2378
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392
2393
2394
2395
2396
2397
2398
2399
2400
2401
2402
2403
2404
2405
2406
2407
2408
2409
2410
2411
2412
2413
2414
2415
2416
2417
2418
2419
2420
2421
2422
2423
2424
2425
2426
2427
2428
2429
2430
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442
2443
2444
2445
2446
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456
2457
2458
2459
2460
2461
2462
2463
2464
2465
2466
2467
2468
2469
2470
2471
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484
2485
2486
2487
2488
2489
2490
2491
2492
2493
2494
2495
2496
2497
2498
2499
2500
2501
2502
2503
2504
2505
2506
2507
2508
2509
2510
2511
2512
2513
2514
2515
2516
2517
2518
2519
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529
2530
2531
2532
2533
2534
2535
2536
2537
2538
2539
2540
2541
2542
2543
2544
2545
2546
2547
2548
2549
2550
2551
2552
2553
2554
2555
2556
2557
2558
2559
2560
2561
2562
2563
2564
2565
2566
2567
2568
2569
2570
2571
2572
2573
2574
2575
2576
2577
2578
2579
2580
2581
2582
2583
2584
2585
2586
2587
2588
2589
2590
2591
2592
2593
2594
2595
2596
2597
2598
2599
2600
2601
2602
2603
2604
2605
2606
2607
2608
2609
2610
2611
2612
2613
2614
2615
2616
2617
2618
2619
2620
2621
2622
2623
2624
2625
2626
2627
2628
2629
2630
2631
2632
2633
2634
2635
2636
2637
2638
2639
2640
2641
2642
2643
2644
2645
2646
2647
2648
2649
2650
2651
2652
2653
2654
2655
2656
2657
2658
2659
2660
2661
2662
2663
2664
2665
2666
2667
2668
2669
2670
2671
2672
2673
2674
2675
2676
2677
2678
2679
2680
2681
2682
2683
2684
2685
2686
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700
2701
2702
2703
2704
2705
2706
2707
2708
2709
2710
2711
2712
2713
2714
2715
2716
2717
2718
2719
2720
2721
2722
2723
2724
2725
2726
2727
2728
2729
2730
2731
2732
2733
2734
2735
2736
2737
2738
2739
2740
2741
2742
2743
2744
2745
2746
2747
2748
2749
2750
2751
2752
2753
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767
2768
2769
2770
2771
2772
2773
2774
2775
2776
2777
2778
2779
2780
2781
2782
2783
2784
2785
2786
2787
2788
2789
2790
2791
2792
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803
2804
2805
2806
2807
2808
2809
2810
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822
2823
2824
2825
2826
2827
2828
2829
2830
2831
2832
2833
2834
2835
2836
2837
2838
2839
2840
2841
2842
2843
2844
2845
2846
2847
2848
2849
2850
2851
2852
2853
2854
2855
2856
2857
2858
2859
2860
2861
2862
2863
2864
2865
2866
2867
2868
2869
2870
2871
2872
2873
2874
2875
2876
2877
2878
2879
2880
2881
2882
2883
2884
2885
2886
2887
2888
2889
2890
2891
2892
2893
2894
2895
2896
2897
2898
2899
2900
2901
2902
2903
2904
2905
2906
2907
2908
2909
2910
2911
2912
2913
2914
2915
2916
2917
2918
2919
2920
2921
2922
2923
2924
2925
2926
2927
2928
2929
2930
2931
2932
2933
2934
2935
2936
2937
2938
2939
2940
2941
2942
2943
2944
2945
2946
2947
2948
2949
2950
2951
2952
2953
2954
2955
2956
2957
2958
2959
2960
2961
2962
2963
2964
2965
2966
2967
2968
2969
2970
2971
2972
2973
2974
2975
2976
2977
2978
2979
2980
2981
2982
2983
2984
2985
2986
2987
2988
2989
2990
2991
2992
2993
2994
2995
2996
2997
2998
2999
3000
3001
3002
3003
3004
3005
3006
3007
3008
3009
3010
3011
3012
3013
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023
3024
3025
3026
3027
3028
3029
3030
3031
3032
3033
3034
3035
3036
3037
3038
3039
3040
3041
3042
3043
3044
3045
3046
3047
3048
3049
3050
3051
3052
3053
3054
3055
3056
3057
3058
3059
3060
3061
3062
3063
3064
3065
3066
3067
3068
3069
3070
3071
3072
3073
3074
3075
3076
3077
3078
3079
3080
3081
3082
3083
3084
3085
3086
3087
3088
3089
3090
3091
3092
3093
3094
3095
3096
3097
3098
3099
3100
3101
3102
3103
3104
3105
3106
3107
3108
3109
3110
3111
3112
3113
3114
3115
3116
3117
3118
3119
3120
3121
3122
3123
3124
3125
3126
3127
3128
3129
3130
3131
3132
3133
3134
3135
3136
3137
3138
3139
|
Network Working Group F. Audet
Request for Comments: 5630 Skype Labs
Updates: 3261, 3608 October 2009
Category: Standards Track
The Use of the SIPS URI Scheme in the Session Initiation Protocol (SIP)
Abstract
This document provides clarifications and guidelines concerning the
use of the SIPS URI scheme in the Session Initiation Protocol (SIP).
It also makes normative changes to SIP.
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright and License Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the BSD License.
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Audet Standards Track [Page 1]
^L
RFC 5630 SIPS October 2009
Table of Contents
1. Introduction ....................................................3
2. Terminology .....................................................3
3. Background ......................................................3
3.1. Models for Using TLS in SIP ................................3
3.1.1. Server-Provided Certificate .........................3
3.1.2. Mutual Authentication ...............................4
3.1.3. Using TLS with SIP Instead of SIPS ..................4
3.1.4. Usage of the transport=tls URI Parameter and
the TLS Via Parameter ...............................5
3.2. Detection of Hop-by-Hop Security ...........................6
3.3. The Problems with the Meaning of SIPS in RFC 3261 ..........7
4. Overview of Operations ..........................................9
4.1. Routing ...................................................11
5. Normative Requirements .........................................13
5.1. General User Agent Behavior ...............................13
5.1.1. UAC Behavior .......................................13
5.1.1.1. Registration ..............................14
5.1.1.2. SIPS in a Dialog ..........................15
5.1.1.3. Derived Dialogs and Transactions ..........15
5.1.1.4. GRUU ......................................16
5.1.2. UAS Behavior .......................................17
5.2. Registrar Behavior ........................................18
5.2.1. GRUU ...............................................18
5.3. Proxy Behavior ............................................18
5.4. Redirect Server Behavior ..................................20
6. Call Flows .....................................................21
6.1. Bob Registers His Contacts ................................22
6.2. Alice Calls Bob's SIPS AOR ................................27
6.3. Alice Calls Bob's SIP AOR Using TCP .......................36
6.4. Alice Calls Bob's SIP AOR Using TLS .......................50
7. Further Considerations .........................................51
8. Security Considerations ........................................52
9. IANA Considerations ............................................52
10. Acknowledgments ...............................................52
11. References ....................................................53
11.1. Normative References .....................................53
11.2. Informative References ...................................53
Appendix A. Bug Fixes for RFC 3261 ..............................55
Audet Standards Track [Page 2]
^L
RFC 5630 SIPS October 2009
1. Introduction
The meaning and usage of the SIPS URI scheme and of Transport Layer
Security (TLS) [RFC5246] are underspecified in SIP [RFC3261] and have
been a source of confusion for implementers.
This document provides clarifications and guidelines concerning the
use of the SIPS URI scheme in the Session Initiation Protocol (SIP).
It also makes normative changes to SIP (including both [RFC3261] and
[RFC3608].
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Background
3.1. Models for Using TLS in SIP
This section describes briefly the usage of TLS in SIP.
3.1.1. Server-Provided Certificate
In this model, only the TLS server provides a certificate during the
TLS handshake. This is applicable only between a user agent (UA) and
a proxy, where the UA is the TLS client and the proxy is the TLS
server, and hence the UA uses TLS to authenticate the proxy but the
proxy does not use TLS to authenticate the UA. If the proxy needs to
authenticate the UA, this can be achieved by SIP HTTP digest
authentication. This directionality implies that the TLS connection
always needs to be set up by the UA (e.g., during the registration
phase). Since SIP allows for requests in both directions (e.g., an
incoming call), the UA is expected to keep the TLS connection alive,
and that connection is expected to be reused for both incoming and
outgoing requests.
This solution of having the UA always initiate and keep alive the
connection also solves the Network Address Translation (NAT) and
firewall problem as it ensures that responses and further requests
will always be deliverable on the existing connection.
[RFC5626] provides the mechanism for initiating and maintaining
outbound connections in a standard interoperable way.
Audet Standards Track [Page 3]
^L
RFC 5630 SIPS October 2009
3.1.2. Mutual Authentication
In this model, both the TLS client and the TLS server provide a
certificate in the TLS handshake phase. When used between a UA and a
proxy (or between two UAs), this implies that a UA is in possession
of a certificate. When sending a SIP request when there is not
already a suitable TLS connection in place, a user agent client (UAC)
takes on the role of TLS client in establishing a new TLS connection.
When establishing a TLS connection for receipt of a SIP request, a
user agent server (UAS) takes on the role of TLS server. Because in
SIP a UA or a proxy acts both as UAC and UAS depending on if it is
sending or receiving requests, the symmetrical nature of mutual TLS
is very convenient. This allows for TLS connections to be set up or
torn down at will and does not rely on keeping the TLS connection
alive for further requests.
However, there are some significant limitations.
The first obvious limitation is not with mutual authentication per
se, but with the model where the underlying TCP connection can be
established by either side, interchangeably, which is not possible in
many environments. For examples, NATs and firewalls will often allow
TCP connections to be established in one direction only. This
includes most residential SIP deployments, for example. Mutual
authentication can be used in those environments, but only if the
connection is always started by the same side, for example, by using
[RFC5626] as described in Section 3.1.1. Having to rely on [RFC5626]
in this case negates many of the advantages of mutual authentication.
The second significant limitation is that mutual authentication
requires both sides to exchange a certificate. This has proven to be
impractical in many environments, in particular for SIP UAs, because
of the difficulties of setting up a certificate infrastructure for a
wide population of users.
For these reasons, mutual authentication is mostly used in server-to-
server communications (e.g., between SIP proxies, or between proxies
and gateways or media servers), and in environments where using
certificates on both sides is possible (e.g., high-security devices
used within an enterprise).
3.1.3. Using TLS with SIP Instead of SIPS
Because a SIPS URI implies that requests sent to the resource
identified by it be sent over each SIP hop over TLS, SIPS URIs are
not suitable for "best-effort TLS": they are only suitable for "TLS-
only" requests. This is recognized in Section 26.2.2 of [RFC3261].
Audet Standards Track [Page 4]
^L
RFC 5630 SIPS October 2009
Users that distribute a SIPS URI as an address-of-record may elect
to operate devices that refuse requests over insecure transports.
If one wants to use "best-effort TLS" for SIP, one just needs to use
a SIP URI, and send the request over TLS.
Using SIP over TLS is very simple. A UA opens a TLS connection and
uses SIP URIs instead of SIPS URIs for all the header fields in a SIP
message (From, To, Request-URI, Contact header field, Route, etc.).
When TLS is used, the Via header field indicates TLS.
[RFC3261], Section 26.3.2.1, states:
When a UA comes online and registers with its local administrative
domain, it SHOULD establish a TLS connection with its registrar
(...). Once the registration has been accepted by the registrar,
the UA SHOULD leave this TLS connection open provided that the
registrar also acts as the proxy server to which requests are sent
for users in this administrative domain. The existing TLS
connection will be reused to deliver incoming requests to the UA
that had just completed registration.
[RFC5626] describes how to establish and maintain a TLS connection in
environments where it can only be initiated by the UA.
Similarly, proxies can forward requests using TLS if they can open a
TLS connection, even if the route set used SIP URIs instead of SIPS
URIs. The proxies can insert Record-Route header fields using SIP
URIs even if it uses TLS transport. [RFC3261], Section 26.3.2.2,
explains how interdomain requests can use TLS.
Some user agents, redirect servers, and proxies might have local
policies that enforce TLS on all connections, independently of
whether or not SIPS is used.
3.1.4. Usage of the transport=tls URI Parameter and the TLS Via
Parameter
[RFC3261], Section 26.2.2 deprecated the "transport=tls" URI
transport parameter in SIPS or SIP URIs:
Note that in the SIPS URI scheme, transport is independent of TLS,
and thus "sips:alice@atlanta.com;transport=TCP" and
"sips:alice@atlanta.com;transport=sctp" are both valid (although
note that UDP is not a valid transport for SIPS). The use of
"transport=tls" has consequently been deprecated, partly because
it was specific to a single hop of the request. This is a change
since RFC 2543.
Audet Standards Track [Page 5]
^L
RFC 5630 SIPS October 2009
The "tls" parameter has not been eliminated from the ABNF in
[RFC3261], Section 25, since the parameter needs to remain in the
ABNF for backward compatibility in order for parsers to be able to
process the parameter correctly. The transport=tls parameter has
never been defined in an RFC, but only in some of the Internet drafts
between [RFC2543] and [RFC3261].
This specification does not make use of the transport=tls parameter.
The reinstatement of the transport=tls parameter, or an alternative
mechanism for indicating the use of the TLS on a single hop in a URI,
is outside the scope of this specification.
For Via header fields, the following transport protocols are defined
in [RFC3261]: "UDP", "TCP", "TLS", "SCTP", and in [RFC4168]: "TLS-
SCTP".
3.2. Detection of Hop-by-Hop Security
The presence of a SIPS Request-URI does not necessarily indicate that
the request was sent securely on each hop. So how does a UAS know if
SIPS was used for the entire request path to secure the request end-
to-end? Effectively, the UAS cannot know for sure. However,
[RFC3261], Section 26.4.4, recommends how a UAS can make some checks
to validate the security. Additionally, the History-Info header
field [RFC4244] could be inspected for detecting retargeting from SIP
and SIPS. Retargeting from SIP to SIPS by a proxy is an issue
because it can leave the receiver of the request with the impression
that the request was delivered securely on each hop, while in fact,
it was not.
To emphasize, all the checking can be circumvented by any proxies or
back-to-back user agents (B2BUAs) on the path that do not follow the
rules and recommendations of this specification and of [RFC3261].
Proxies can have their own policies regarding routing of requests to
SIP or SIPS URIs. For example, some proxies in some environments can
be configured to only route SIPS URIs. Some proxies can be
configured to detect non-compliances and reject unsecure requests.
For example, proxies could inspect Request-URIs, Path, Record-Route,
To, From, Contact header fields, and Via header fields to enforce
SIPS.
[RFC3261], Section 26.4.4, explains that S/MIME can also be used by
the originating UAC to ensure that the original form of the To header
field is carried end-to-end. While not specifically mentioned in
[RFC3261], Section 26.4.4, this is meant to imply that [RFC3893]
would be used to "tunnel" important header fields (such as To and
Audet Standards Track [Page 6]
^L
RFC 5630 SIPS October 2009
From) in an encrypted and signed S/MIME body, replicating the
information in the SIP message, and allowing the UAS to validate the
content of those important header fields. While this approach is
certainly legal, a preferable approach is to use the SIP Identity
mechanism defined in [RFC4474]. SIP Identity creates a signed
identity digest, which includes, among other things, the Address of
Record (AOR) of the sender (from the From header field) and the AOR
of the original target (from the To header field).
3.3. The Problems with the Meaning of SIPS in RFC 3261
[RFC3261], Section 19.1, describes a SIPS URI as follows:
A SIPS URI specifies that the resource be contacted securely.
This means, in particular, that TLS is to be used between the UAC
and the domain that owns the URI. From there, secure
communications are used to reach the user, where the specific
security mechanism depends on the policy of the domain.
Section 26.2.2 re-iterates it, with regards to Request-URIs:
When used as the Request-URI of a request, the SIPS scheme
signifies that each hop over which the request is forwarded, until
the request reaches the SIP entity responsible for the domain
portion of the Request-URI, must be secured with TLS; once it
reaches the domain in question it is handled in accordance with
local security and routing policy, quite possibly using TLS for
any last hop to a UAS. When used by the originator of a request
(as would be the case if they employed a SIPS URI as the address-
of-record of the target), SIPS dictates that the entire request
path to the target domain be so secured.
Let's take the classic SIP trapezoid to explain the meaning of a
sips:b@B URI. Instead of using real domain names like example.com
and example.net, logical names like "A" and "B" are used, for
clarity.
Audet Standards Track [Page 7]
^L
RFC 5630 SIPS October 2009
.......................... ...........................
. . . .
. +-------+ . . +-------+ .
. | | . . | | .
. | Proxy |-----TLS---- | Proxy | .
. | A | . . | B | .
. | | . . | | .
. / +-------+ . . +-------+ \ .
. / . . \ .
. / . . \ .
. TLS . . Policy-based .
. / . . \ .
. / . . \ .
. / . . \ .
. +-------+ . . +-------+ .
. | | . . | | .
. | UAC a | . . | UAS b | .
. | | . . | | .
. +-------+ . . +-------+ .
. Domain A . . Domain B .
.......................... ...........................
SIP trapezoid with last-hop exception
According to [RFC3261], if a@A is sending a request to sips:b@B, the
following applies:
o TLS is required between UA a@A and Proxy A
o TLS is required between Proxy A and Proxy B
o TLS is required between Proxy B and UA b@B, depending on local
policy.
One can then wonder why TLS is mandatory between UA a@A and Proxy A
but not between Proxy B and UA b@B. The main reason is that
[RFC3261] was written before [RFC5626]. At that time, it was
recognized that in many practical deployments, Proxy B might not be
able to establish a TLS connection with UA b because only Proxy B
would have a certificate to provide and UA b would not. Since UA b
would be the TLS server, it would then not be able to accept the
incoming TLS connection. The consequence is that an [RFC3261]-
compliant UAS b, while it might not need to support TLS for incoming
requests, will nevertheless have to support TLS for outgoing requests
as it takes the UAC role. Contrary to what many believed
erroneously, the last-hop exception was not created to allow for
using a SIPS URI to address a UAS that does not support TLS: the
last-hop exception was an attempt to allow for incoming requests to
Audet Standards Track [Page 8]
^L
RFC 5630 SIPS October 2009
not be transported over TLS when a SIPS URI is used, and it does not
apply to outgoing requests. The rationale for this was somewhat
flawed, and since then, [RFC5626] has provided a more satisfactory
solution to this problem. [RFC5626] also solves the problem that if
UA b is behind a NAT or firewall, Proxy B would not even be able to
establish a TCP session in the first place.
Furthermore, consider the problem of using SIPS inside a dialog. If
a@A sends a request to b@B using a SIPS Request-URI, then, according
to [RFC3261], Section 8.1.1.8, "the Contact header field MUST contain
a SIPS URI as well". This means that b@B, upon sending a new Request
within the dialog (e.g., a BYE or re-INVITE), will have to use a SIPS
URI. If there is no Record-Route entry, or if the last Record-Route
entry consists of a SIPS URI, this implies that b@B is expected to
understand SIPS in the first place, and is required to also support
TLS. If the last Record-Route entry however is a sip URI, then b
would be able to send requests without using TLS (but b would still
have to be able to handle SIPS schemes when parsing the message). In
either case, the Request-URI in the request from b@B to B would be a
SIPS URI.
4. Overview of Operations
Because of all the problems described in Section 3.3, this
specification deprecates the last-hop exception when forwarding a
request to the last hop (see Section 5.3). This will ensure that TLS
is used on all hops all the way up to the remote target.
Audet Standards Track [Page 9]
^L
RFC 5630 SIPS October 2009
.......................... ...........................
. . . .
. +-------+ . . +-------+ .
. | | . . | | .
. | Proxy |-----TLS---- | Proxy | .
. | A | . . | B | .
. | | . . | | .
. / +-------+ . . +-------+ \ .
. / . . \ .
. / . . \ .
. TLS . . TLS .
. / . . \ .
. / . . \ .
. / . . \ .
. +-------+ . . +-------+ .
. | | . . | | .
. | UAC a | . . | UAS b | .
. | | . . | | .
. +-------+ . . +-------+ .
. Domain A . . Domain B .
.......................... ...........................
SIP trapezoid without last-hop exception
The SIPS scheme implies transitive trust. Obviously, there is
nothing that prevents proxies from cheating (see [RFC3261], Section
26.4.4). While SIPS is useful to request that a resource be
contacted securely, it is not useful as an indication that a resource
was in fact contacted securely. Therefore, it is not appropriate to
infer that because an incoming request had a Request-URI (or even a
To header field) containing a SIPS URI, that it necessarily
guarantees that the request was in fact transmitted securely on each
hop. Some have been tempted to believe that the SIPS scheme was
equivalent to an HTTPS scheme in the sense that one could provide a
visual indication to a user (e.g., a padlock icon) to the effect that
the session is secured. This is obviously not the case, and
therefore the meaning of a SIPS URI is not to be oversold. There is
currently no mechanism to provide an indication of end-to-end
security for SIP. Other mechanisms can provide a more concrete
indication of some level of security. For example, SIP Identity
[RFC4474] provides an authenticated identity mechanism and a domain-
to-domain integrity protection mechanism.
Some have asked why is SIPS useful in a global open environment such
as the Internet, if (when used in a Request-URI) it is not an
absolute guarantee that the request will in fact be delivered over
TLS on each hop? Why is SIPS any different from just using TLS
transport with SIP? The difference is that using a SIPS URI in a
Audet Standards Track [Page 10]
^L
RFC 5630 SIPS October 2009
Request-URI means that if you are instructing the network to use TLS
over each hop and if it is not possible to reject the request, you
would rather have the request fail than have the request delivered
without TLS. Just using TLS with a SIP Request-URI instead of a SIPS
Request-URI implies a "best-effort" service: the request can but need
not be delivered over TLS on each hop.
Another common question is why not have a Proxy-Require and Require
option tag forcing the use of TLS instead? The answer is that it
would only be functionally equivalent to using SIPS in a Request-URI.
SIPS URIs however can be used in many other header fields: in Contact
for registration, Contact in dialog-creating requests, Route, Record-
Route, Path, From, To, Refer-To, Referred-By, etc. SIPS URIs can
also be used in human-usable format (e.g., business cards, user
interface). SIPS URIs can even be used in other protocols or
document formats that allow for including SIPS URIs (e.g., HTML).
This document specifies that SIPS means that the SIP resource
designated by the target SIPS URI is to be contacted securely, using
TLS on each hop between the UAC and the remote UAS (as opposed to
only to the proxy responsible for the target domain of the Request-
URI). It is outside of the scope of this document to specify what
happens when a SIPS URI identifies a UAS resource that "maps" outside
the SIP network, for example, to other networks such as the Public
Switched Telephone Network (PSTN).
4.1. Routing
SIP and SIPS URIs that are identical except for the scheme itself
(e.g., sip:alice@example.com and sips:alice@example.com) refer to the
same resource. This requirement is implicit in [RFC3261], Section
19.1, which states that "any resource described by a SIP URI can be
'upgraded' to a SIPS URI by just changing the scheme, if it is
desired to communicate with that resource securely". This does not
mean that the SIPS URI will necessarily be reachable, in particular,
if the proxy cannot establish a secure connection to a client or
another proxy. This does not suggest either that proxies would
arbitrarily "upgrade" SIP URIs to SIPS URIs when forwarding a request
(see Section 5.3). Rather, it means that when a resource is
addressable with SIP, it will also be addressable with SIPS.
For example, consider the case of a UA that has registered with a
SIPS Contact header field. If a UAC later addresses a request using
a SIP Request-URI, the proxy will forward the request addressed to a
SIP Request-URI to the UAS, as illustrated by message F13 in Sections
6.3 and in 6.4. The proxy forwards the request to the UA using a SIP
Request-URI and not the SIPS Request-URI used in registration. The
proxy does this by replacing the SIPS scheme that was used in the
Audet Standards Track [Page 11]
^L
RFC 5630 SIPS October 2009
registered Contact header field binding with a SIP scheme while
leaving the rest of the URI as is, and then by using this new URI as
the Request-URI. If the proxy did not do this, and instead used a
SIPS Request-URI, then the response (e.g., a 200 to an INVITE) would
have to include a SIPS Contact header field. That SIPS Contact
header field would then force the other UA to use a SIPS Contact
header field in any mid-dialog request, including the ACK (which
would not be possible if that UA did not support SIPS).
This specification mandates that when a proxy is forwarding a
request, a resource described by a SIPS Request-URI cannot be
"downgraded" to a SIP URI by changing the scheme, or by sending the
associated request over a nonsecure link. If a request needs to be
rejected because otherwise it would be a "downgrade", the request
would be rejected with a 480 (Temporarily Unavailable) response
(potentially with a Warning header with warn-code 380 "SIPS Not
Allowed"). Similarly, this specification mandates that when a proxy
is forwarding a request, a resource described by a SIP Request-URI
cannot be "upgraded" to a SIPS URI by changing the scheme (otherwise
it would be an "upgrade" only for that hop onwards rather than on all
hops, and would therefore mislead the UAS). If a request needs to be
rejected because otherwise it would be a misleading "upgrade", the
request would be rejected with a 480 (Temporarily Unavailable)
response (potentially with a Warning header field with warn-code 381
"SIPS Required"). See Section 5.3 for more details.
For example, the sip:bob@example.com and sips:bob@example.com AORs
refer to the same user "Bob" in the domain "example.com": the first
URI is the SIP version, and the second one is the SIPS version. From
the point of view of routing, requests to either sip:bob@example.com
or sips:bob@example.com are treated the same way. When Bob
registers, it therefore does not really matter if he is using a SIP
or a SIPS AOR, since they both refer to the same user. At first
glance, Section 19.1.4 of [RFC3261] seems to contradict this idea by
stating that a SIP and a SIPS URI are never equivalent.
Specifically, it says that they are never equivalent for the purpose
of comparing bindings in Contact header field URIs in REGISTER
requests. The key point is that this statement applies to the
Contact header field bindings in a registration: it is the
association of the Contact header field with the AOR that will
determine whether or not the user is reachable with a SIPS URI.
Consider this example: if Bob (AOR bob@example.com) registers with a
SIPS Contact header field (e.g., sips:bob@bobphone.example.com), the
registrar and the location service then know that Bob is reachable at
sips:bob@bobphone.example.com and at sip:bob@bobphone.example.com.
Audet Standards Track [Page 12]
^L
RFC 5630 SIPS October 2009
If a request is sent to AOR sips:bob@example.com, Bob's proxy will
route it to Bob at Request-URI sips:bob@bobphone.example.com. If a
request is sent to AOR sip:bob@example.com, Bob's proxy will route it
to Bob at Request-URI sip:bob@bobphone.example.com.
If Bob wants to ensure that every request delivered to him always be
transported over TLS, Bob can use [RFC5626] when registering.
However, if Bob had registered with a SIP Contact header field
instead of a SIPS Contact header field (e.g.,
sip:bob@bobphone.example.com), then a request to AOR
sips:bob@example.com would not be routed to Bob, since there is no
SIPS Contact header field for Bob, and "downgrades" from SIPS to SIP
are not allowed.
See Section 6 for illustrative call flows.
5. Normative Requirements
This section describes all the normative requirements defined by this
specification.
5.1. General User Agent Behavior
5.1.1. UAC Behavior
When presented with a SIPS URI, a UAC MUST NOT change it to a SIP
URI. For example, if a directory entry includes a SIPS AOR, the UAC
is not expected to send requests to that AOR using a SIP Request-URI.
Similarly, if a user reads a business card with a SIPS URI, it is not
possible to infer a SIP URI. If a 3XX response includes a SIPS
Contact header field, the UAC does not replace it with a SIP Request-
URI (e.g., by replacing the SIPS scheme with a SIP scheme) when
sending a request as a result of the redirection.
As mandated by [RFC3261], Section 8.1.1.8, in a request, "if the
Request-URI or top Route header field value contains a SIPS URI, the
Contact header field MUST contain a SIPS URI as well".
Upon receiving a 416 response or a 480 (Temporarily Unavailable)
response with a Warning header with warn-code 380 "SIPS Not Allowed",
a UAC MUST NOT re-attempt the request by automatically replacing the
SIPS scheme with a SIP scheme as described in [RFC3261], Section
8.1.3.5, as it would be a security vulnerability. If the UAC does
re-attempt the call with a SIP URI, the UAC SHOULD get a confirmation
from the user to authorize re-initiating the session with a SIP
Request-URI instead of a SIPS Request-URI.
Audet Standards Track [Page 13]
^L
RFC 5630 SIPS October 2009
When the route set is not empty (e.g., when a service route [RFC3608]
is returned by the registrar), it is the responsibility of the UAC to
use a Route header field consisting of all SIPS URIs when using a
SIPS Request-URI. Specifically, if the route set included any SIP
URI, the UAC MUST change the SIP URIs to SIPS URIs simply by changing
the scheme from "sip" to "sips" before sending the request. This
allows for configuring or discovering one service route with all SIP
URIs and allowing sending requests to both SIP and SIPS URIs.
When the UAC is using a SIP Request-URI, if the route set is not
empty and the topmost Route header field entry is a SIPS URI with the
lr parameter, the UAC MUST send the request over TLS (using a SIP
Request-URI). If the route is not empty and the Route header field
entry is a SIPS URI without the lr parameter, the UAC MUST send the
request over TLS using a SIPS Request-URI corresponding to the
topmost entry in the route set.
To emphasize what is already defined in [RFC3261], UAs MUST NOT use
the "transport=tls" parameter.
5.1.1.1. Registration
The UAC registers Contacts header fields to either a SIPS or a SIP
AOR.
If a UA wishes to be reachable with a SIPS URI, the UA MUST register
with a SIPS Contact header field. Requests addressed to that UA's
AOR using either a SIP or SIPS Request-URI will be routed to that UA.
This includes UAs that support both SIP and SIPS. This specification
does not provide any SIP-based mechanism for a UA to provision its
proxy to only forward requests using a SIPS Request-URI. A non-SIP
mechanism such as a web interface could be used to provision such a
preference. A SIP mechanism for provisioning such a preference is
outside the scope of this specification.
If a UA does not wish to be reached with a SIPS URI, it MUST register
with a SIP Contact header field.
Because registering with a SIPS Contact header field implies a
binding of both a SIPS Contact and a corresponding SIP Contact to the
AOR, a UA MUST NOT include both the SIPS and the SIP versions of the
same Contact header field in a REGISTER request; the UA MUST only use
the SIPS version in this case. Similarly, a UA SHOULD NOT register
both a SIP Contact header field and a SIPS Contact header field in
separate registrations as the SIP Contact header field would be
superfluous. If it does, the second registration replaces the first
one (e.g., a UA could register first with a SIP Contact header field,
meaning it does not support SIPS, and later register with a SIPS
Audet Standards Track [Page 14]
^L
RFC 5630 SIPS October 2009
Contact header field, meaning it now supports SIPS). Similarly, if a
UA registers first with a SIPS Contact header field and later
registers with a SIP Contact header field, that SIP Contact header
field replaces the SIPS Contact header field.
[RFC5626] can be used by a UA if it wants to ensure that no requests
are delivered to it without using the TLS connection it used when
registering.
If all the Contact header fields in a REGISTER request are SIPS, the
UAC MUST use SIPS AORs in the From and To header fields in the
REGISTER request. If at least one of the Contact header fields is
not SIPS (e.g., sip, mailto, tel, http, https), the UAC MUST use SIP
AORs in the From and To header fields in the REGISTER request.
To emphasize what is already defined in [RFC3261], UACs MUST NOT use
the "transport=tls" parameter.
5.1.1.2. SIPS in a Dialog
If the Request-URI in a request that initiates a dialog is a SIP URI,
then the UAC needs to be careful about what to use in the Contact
header field (in case Record-Route is not used for this hop). If the
Contact header field was a SIPS URI, it would mean that the UAS would
only accept mid-dialog requests that are sent over secure transport
on each hop. Since the Request-URI in this case is a SIP URI, it is
quite possible that the UA sending a request to that URI might not be
able to send requests to SIPS URIs. If the top Route header field
does not contain a SIPS URI, the UAC MUST use a SIP URI in the
Contact header field, even if the request is sent over a secure
transport (e.g., the first hop could be re-using a TLS connection to
the proxy as would be the case with [RFC5626]).
When a target refresh occurs within a dialog (e.g., re-INVITE
request, UPDATE request), the UAC MUST include a Contact header field
with a SIPS URI if the original request used a SIPS Request-URI.
5.1.1.3. Derived Dialogs and Transactions
Sessions, dialogs, and transactions can be "derived" from existing
ones. A good example of a derived dialog is one that was established
as a result of using the REFER method [RFC3515].
As a general principle, derived dialogs and transactions cannot
result in an effective downgrading of SIPS to SIP, without the
explicit authorization of the entities involved.
Audet Standards Track [Page 15]
^L
RFC 5630 SIPS October 2009
For example, when a REFER request is used to perform a call transfer,
it results in an existing dialog being terminated and another one
being created based on the Refer-To URI. If that initial dialog was
established using SIPS, then the UAC MUST NOT establish a new one
using SIP, unless there is an explicit authorization given by the
recipient of the REFER request. This could be a warning provided to
the user. Having such a warning could be useful, for example, for a
secure directory service application, to warn a user that a request
may be routed to a UA that does not support SIPS.
A REFER request can also be used for referring to resources that do
not result in dialogs being created. In fact, a REFER request can be
used to point to resources that are of a different type than the
original one (i.e., not SIP or SIPS). Please see [RFC3515], Section
5.2, for security considerations related to this.
Other examples of derived dialogs and transactions include the use of
Third-Party Call Control [RFC3725], the Replaces header field
[RFC3891], and the Join header field [RFC3911]. Again, the general
principle is that these mechanisms SHOULD NOT result in an effective
downgrading of SIPS to SIP, without the proper authorization.
5.1.1.4. GRUU
When a Globally Routable User Agent URI (GRUU) [RFC5627] is assigned
to an instance ID/AOR pair, both SIP and SIPS GRUUs will be assigned.
When a GRUU is obtained through registration, if the Contact header
field in the REGISTER request contains a SIP URI, the SIP version of
the GRUU is returned. If the Contact header field in the REGISTER
request contains a SIPS URI, the SIPS version of the GRUU is
returned.
If the wrong scheme is received in the GRUU (which would be an error
in the registrar), the UAC SHOULD treat it as if the proper scheme
was used (i.e., it SHOULD replace the scheme with the proper scheme
before using the GRUU).
Audet Standards Track [Page 16]
^L
RFC 5630 SIPS October 2009
5.1.2. UAS Behavior
When presented with a SIPS URI, a UAS MUST NOT change it to a SIP
URI.
As mandated by [RFC3261], Section 12.1.1:
If the request that initiated the dialog contained a SIPS URI in
the Request-URI or in the top Record-Route header field value, if
there was any, or the Contact header field if there was no Record-
Route header field, the Contact header field in the response MUST
be a SIPS URI.
If a UAS does not wish to be reached with a SIPS URI but only with a
SIP URI, the UAS MUST respond with a 480 (Temporarily Unavailable)
response. The UAS SHOULD include a Warning header with warn-code 380
"SIPS Not Allowed". [RFC3261], Section 8.2.2.1, states that UASs
that do not support the SIPS URI scheme at all "SHOULD reject the
request with a 416 (Unsupported URI scheme) response".
If a UAS does not wish to be contacted with a SIP URI but instead by
a SIPS URI, it MUST reject a request to a SIP Request-URI with a 480
(Temporarily Unavailable) response. The UAS SHOULD include a Warning
header with warn-code 381 "SIPS Required".
It is a matter of local policy for a UAS to accept incoming requests
addressed to a URI scheme that does not correspond to what it used
for registration. For example, a UA with a policy of "always SIPS"
would address the registrar using a SIPS Request-URI over TLS, would
register with a SIPS Contact header field, and the UAS would reject
requests using the SIP scheme with a 480 (Temporarily Unavailable)
response with a Warning header with warn-code 381 "SIPS Required". A
UA with a policy of "best-effort SIPS" would address the registrar
using a SIPS Request-URI over TLS, would register with a SIPS Contact
header field, and the UAS would accept requests addressed to either
SIP or SIPS Request-URIs. A UA with a policy of "No SIPS" would
address the registrar using a SIP Request-URI, could use TLS or not,
would register with a SIP AOR and a SIP Contact header field, and the
UAS would accept requests addressed to a SIP Request-URI.
If a UAS needs to reject a request because the URIs are used
inconsistently (e.g., the Request-URI is a SIPS URI, but the Contact
header field is a SIP URI), the UAS MUST reject the request with a
400 (Bad Request) response.
When a target refresh occurs within a dialog (e.g., re-INVITE
request, UPDATE request), the UAS MUST include a Contact header field
with a SIPS URI if the original request used a SIPS Request-URI.
Audet Standards Track [Page 17]
^L
RFC 5630 SIPS October 2009
To emphasize what is already defined in [RFC3261], UASs MUST NOT use
the "transport=tls" parameter.
5.2. Registrar Behavior
The UAC registers Contacts header fields to either a SIPS or a SIP
AOR. From a routing perspective, it does not matter which one is
used for registration as they identify the same resource. The
registrar MUST consider AORs that are identical except for one having
the SIP scheme and the other having the SIPS scheme to be equivalent.
A registrar MUST accept a binding to a SIPS Contact header field only
if all the appropriate URIs are of the SIPS scheme; otherwise, there
could be an inadvertent binding of a secure resource (SIPS) to an
unsecured one (SIP). This includes the Request-URI and the Contacts
and all the Path header fields, but does not include the From and To
header fields. If the URIs are not of the proper SIPS scheme, the
registrar MUST reject the REGISTER with a 400 (Bad Request).
A registrar can return a service route [RFC3608] and impose some
constraints on whether or not TLS will be mandatory on specific hops.
For example, if the topmost entry in the Path header field returned
by the registrar is a SIPS URI, the registrar is telling the UAC that
TLS is to be used for the first hop, even if the Request-URI is SIP.
If a UA registered with a SIPS Contact header field, the registrar
returning a service route [RFC3608] MUST return a service route
consisting of SIP URIs if the intent of the registrar is to allow
both SIP and SIPS to be used in requests sent by that client. If a
UA registers with a SIPS Contact header field, the registrar
returning a service route MUST return a service route consisting of
SIPS URIs if the intent of the registrar is to allow only SIPS URIs
to be used in requests sent by that UA.
5.2.1. GRUU
When a GRUU [RFC5627] is assigned to an instance ID/AOR pair through
registration, the registrar MUST assign both a SIP GRUU and a SIPS
GRUU. If the Contact header field in the REGISTER request contains a
SIP URI, the registrar MUST return the SIP version of the GRUU. If
the Contact header field in the REGISTER request contains a SIPS URI,
the registrar MUST return the SIPS version of the GRUU.
5.3. Proxy Behavior
Proxies MUST NOT use the last-hop exception of [RFC3261] when
forwarding or retargeting a request to the last hop. Specifically,
when a proxy receives a request with a SIPS Request-URI, the proxy
Audet Standards Track [Page 18]
^L
RFC 5630 SIPS October 2009
MUST only forward or retarget the request to a SIPS Request-URI. If
the target UAS had registered previously using a SIP Contact header
field instead of a SIPS Contact header field, the proxy MUST NOT
forward the request to the URI indicated in the Contact header field.
If the proxy needs to reject the request for that reason, the proxy
MUST reject it with a 480 (Temporarily Unavailable) response. In
this case, the proxy SHOULD include a Warning header with warn-code
380 "SIPS Not Allowed".
Proxies SHOULD transport requests using a SIP URI over TLS when it is
possible to set up a TLS connection, or reuse an existing one.
[RFC5626], for example, allows for re-using an existing TLS
connection. Some proxies could have policies that prohibit sending
any request over anything but TLS.
When a proxy receives a request with a SIP Request-URI, the proxy
MUST NOT forward the request to a SIPS Request-URI. If the target
UAS had registered previously using a SIPS Contact header field, and
the proxy decides to forward the request, the proxy MUST replace that
SIPS scheme with a SIP scheme while leaving the rest of the URI as
is, and use the resulting URI as the Request-URI of the forwarded
request. The proxy MUST use TLS to forward the request to the UAS.
Some proxies could have a policy of not forwarding at all requests
using a non-SIPS Request-URI if the UAS had registered using a SIPS
Contact header field. If the proxy elects to reject the request
because it has such a policy or because it is not capable of
establishing a TLS connection, the proxy MAY reject it with a 480
(Temporarily Unavailable) response with a Warning header with warn-
code 381 "SIPS Required".
If a proxy needs to reject a request because the URIs are used
inconsistently (e.g., the Request-URI is a SIPS URI, but the Contact
header field is a SIP URI), the proxy SHOULD use response code 400
(Bad Request).
It is RECOMMENDED that the proxy use the outbound proxy procedures
defined in [RFC5626] for supporting UACs that cannot provide a
certificate for establishing a TLS connection (i.e., when server-side
authentication is used).
When a proxy sends a request using a SIPS Request-URI and receives a
3XX response with a SIP Contact header field, or a 416 response, or a
480 (Temporarily Unavailable) response with a Warning header with
warn-code 380 "SIPS Not Allowed" response, the proxy MUST NOT recurse
on the response. In this case, the proxy SHOULD forward the best
response instead of recursing, in order to allow for the UAC to take
the appropriate action.
Audet Standards Track [Page 19]
^L
RFC 5630 SIPS October 2009
When a proxy sends a request using a SIP Request-URI and receives a
3XX response with a SIPS Contact header field, or a 480 (Temporarily
Unavailable) response with a Warning header with warn-code 381 "SIPS
Required", the proxy MUST NOT recurse on the response. In this case,
the proxy SHOULD forward the best response instead of recursing, in
order to allow for the UAC to take the appropriate action.
To emphasize what is already defined in [RFC3261], proxies MUST NOT
use the "transport=tls" parameter.
5.4. Redirect Server Behavior
Using a redirect server with TLS instead of using a proxy has some
limitations that have to be taken into account. Since there is no
pre-established connection between the proxy and the UAS (such as
with [RFC5626]), it is only appropriate for scenarios where inbound
connections are allowed. For example, it could be used in a server-
to-server environment (redirect server or proxy server) where TLS
mutual authentication is used, and where there are no NAT traversal
issues. A redirect server would not be able to redirect to an entity
that does not have a certificate. A redirect server might not be
usable if there is a NAT between the server and the UAS.
When a redirect server receives a request with a SIP Request-URI, the
redirect server MAY redirect with a 3XX response to either a SIP or a
SIPS Contact header field. If the target UAS had registered
previously using a SIPS Contact header field, the redirect server
SHOULD return a SIPS Contact header field if it is in an environment
where TLS is usable (as described in the previous paragraph). If the
target UAS had registered previously using a SIP Contact header
field, the redirect server MUST return a SIP Contact header field in
a 3XX response if it redirects the request.
When a redirect server receives a request with a SIPS Request-URI,
the redirect server MAY redirect with a 3XX response to a SIP or a
SIPS Contact header field. If the target UAS had registered
previously using a SIPS Contact header field, the redirect server
SHOULD return a SIPS Contact header field if it is in an environment
where TLS is usable. If the target UAS had registered previously
using a SIP Contact header field, the redirect server MUST return a
SIP Contact header field in a 3XX response if it chooses to redirect;
otherwise, the UAS MAY reject the request with a 480 (Temporarily
Unavailable) response with a Warning header with warn-code 380 "SIPS
Not Allowed". If a redirect server redirects to a UAS that it has no
knowledge of (e.g., an AOR in a different domain), the Contact header
field could be of any scheme.
Audet Standards Track [Page 20]
^L
RFC 5630 SIPS October 2009
If a redirect server needs to reject a request because the URIs are
used inconsistently (e.g., the Request-URI is a SIPS URI, but the
Contact header field is a SIP URI), the redirect server SHOULD use
response code 400 (Bad Request).
To emphasize what is already defined in [RFC3261], redirect servers
MUST NOT use the "transport=tls" parameter.
6. Call Flows
The following diagram illustrates the topology used for the examples
in this section:
example.com . example.net
.
|-------------| . |------------|
| Registrar/ |__________| Proxy A |
| Auth. Proxy | . | (proxya) |
| (pb) | . |------------|
|-------------| . |
| . |
| . |
|-----------| . |
| Edge | . |
| Proxy B | . |
| (eb) | . |
|-----------| . |
/ | . |
/ | . |
/ | . |
______ | . |
| | _____ . _____
|______| O / \ O . O / \ O
/_______/ /___\ . /___\
.
bob@bobpc bob@bobphone . alice
Topology
In the following examples, Bob has two clients; one is a SIP PC
client running on his computer, and the other one is a SIP phone.
The PC client does not support SIPS, and consequently only registers
with a SIP Contact header field. The SIP phone however does support
SIPS and TLS, and consequently registers with a SIPS Contact header
field. Both of Bob's devices are going through Edge Proxy B, and
consequently, they include a Route header field indicating
Audet Standards Track [Page 21]
^L
RFC 5630 SIPS October 2009
eb.example.com. Edge Proxy B removes the Route header field
corresponding to itself, and adds itself in a Path header field. The
registration process call flow is illustrated in Section 6.1.
After registration, there are two Contact bindings associated with
Bob's AOR of bob@example.com: sips:bob@bobphone.example.com and
sip:bob@bobpc.example.com.
Alice then calls Bob through her own Proxy A. Proxy A locates Bob's
domain example.com. In this example, that domain is owned by Bob's
Registrar/Authoritative Proxy B. Proxy A removes the Route header
field corresponding to itself, and inserts itself in the Record-Route
and forwards the request to Registrar/Authoritative Proxy B.
The following subsections illustrate registration and three examples.
In the first example (Section 6.2), Alice calls Bob's SIPS AOR. In
the second example (Section 6.3), Alice calls Bob's SIP AOR using TCP
transport. In the third example (Section 6.4), Alice calls Bob's SIP
AOR using TLS transport.
6.1. Bob Registers His Contacts
This flow illustrates the registration process by which Bob's device
registers. His PC client (Bob@bobpc) registers with a SIP scheme,
and his SIP phone (Bob@phone) registers with a SIPS scheme.
Audet Standards Track [Page 22]
^L
RFC 5630 SIPS October 2009
(eb) (pb)
Edge Registrar/
Bob@bobpc Proxy B Auth. Proxy B
| | |
| REGISTER F1 | |
|------------------>| REGISTER F2 |
| |-------------->|
| | 200 F3 |
| 200 F4 |<--------------|
|<------------------| |
| | |
| Bob@bobphone | |
| | | |
| |REGISTER F5 | |
| |----------->| REGISTER F6 |
| | |-------------->|
| | | 200 F7 |
| | 200 F8 |<--------------|
| |<-----------| |
| | | |
Bob Registers His Contacts
Message details
F1 REGISTER Bob's PC Client -> Edge Proxy B
REGISTER sip:pb.example.com SIP/2.0
Via: SIP/2.0/TCP bobpc.example.com:5060;branch=z9hG4bKnashds
Max-Forwards: 70
To: Bob <sip:bob@example.com>
From: Bob <sip:bob@example.com>;tag=456248
Call-ID: 843817637684230@998sdasdh09
CSeq: 1826 REGISTER
Supported: path, outbound
Route: <sip:eb.example.com;lr>
Contact: <sip:bob@bobpc.example.com>
;+sip.instance="<urn:uuid:0C67446E-F1A1-11D9-94D3-000A95A0E128>"
;reg-id=1
Content-Length: 0
Audet Standards Track [Page 23]
^L
RFC 5630 SIPS October 2009
F2 REGISTER Edge Proxy B -> Registrar/Authoritative Proxy B
REGISTER sip:pb.example.com SIP/2.0
Via: SIP/2.0/TCP eb.example.com:5060;branch=z9hG4bK87asdks7
Via: SIP/2.0/TCP bobpc.example.com:5060;branch=z9hG4bKnashds
Max-Forwards: 69
To: Bob <sip:bob@example.com>
From: Bob <sip:bob@example.com>;tag=456248
Call-ID: 843817637684230@998sdasdh09
CSeq: 1826 REGISTER
Supported: path, outbound
Path: <sip:laksdyjanseg237+fsdf+uy623hytIJ8@eb.example.com;lr;ob>
Contact: <sip:bob@bobpc.example.com>
;+sip.instance="<urn:uuid:0C67446E-F1A1-11D9-94D3-000A95A0E128>"
;reg-id=1
Content-Length: 0
F3 200 (REGISTER) Registrar/Authoritative Proxy B -> Edge Proxy B
SIP/2.0 200 OK
Via: SIP/2.0/TCP eb.example.com:5060;branch=z9hG4bK87asdks7
Via: SIP/2.0/TCP bobpc.example.com:5060;branch=z9hG4bKnashds
To: Bob <sip:bob@example.com>;tag=2493K59K9
From: Bob <sip:bob@example.com>;tag=456248
Call-ID: 843817637684230@998sdasdh09
CSeq: 1826 REGISTER
Require: outbound
Supported: path, outbound
Path: <sip:laksdyjanseg237+fsdf+uy623hytIJ8@eb.example.com;lr;ob>
Contact: <sip:bob@bobphone.example.com>
;+sip.instance="<urn:uuid:0C67446E-F1A1-11D9-94D3-000A95A0E128>"
;reg-id=1
;expires=3600
Date: Mon, 12 Jun 2006 16:43:12 GMT
Content-Length: 0
Audet Standards Track [Page 24]
^L
RFC 5630 SIPS October 2009
F4 200 (REGISTER) Edge Proxy B -> Bob's PC Client
SIP/2.0 200 OK
Via: SIP/2.0/TCP bobpc.example.com:5060;branch=z9hG4bKnashds
To: Bob <sip:bob@example.com>;tag=2493K59K9
From: Bob <sip:bob@example.com>;tag=456248
Call-ID: 843817637684230@998sdasdh09
CSeq: 1826 REGISTER
Require: outbound
Supported: path, outbound
Path: <sip:laksdyjanseg237+fsdf+uy623hytIJ8@eb.example.com;lr;ob>
Contact: <sip:bob@bobphone.example.com>
;+sip.instance="<urn:uuid:0C67446E-F1A1-11D9-94D3-000A95A0E128>"
;reg-id=1
;expires=3600
Date: Thu, 09 Aug 2007 16:43:12 GMT
Content-Length: 0
F5 REGISTER Bob's Phone -> Edge Proxy B
REGISTER sips:pb.example.com SIP/2.0
Via: SIP/2.0/TLS bobphone.example.com:5061;branch=z9hG4bK9555
Max-Forwards: 70
To: Bob <sips:bob@example.com>
From: Bob <sips:bob@example.com>;tag=90210
Call-ID: faif9a@qwefnwdclk
CSeq: 12 REGISTER
Supported: path, outbound
Route: <sips:eb.example.com;lr>
Contact: <sips:bob@bobphone.example.com>
;+sip.instance="<urn:uuid:6F85D4E3-E8AA-46AA-B768-BF39D5912143>"
;reg-id=1
Content-Length: 0
Audet Standards Track [Page 25]
^L
RFC 5630 SIPS October 2009
F6 REGISTER Edge Proxy B -> Registrar/Authoritative Proxy B
REGISTER sips:pb.example.com SIP/2.0
Via: SIP/2.0/TLS eb.example.com:5061;branch=z9hG4bK876354
Via: SIP/2.0/TLS bobphone.example.com:5061;branch=z9hG4bK9555
Max-Forwards: 69
To: Bob <sips:bob@example.com>
From: Bob <sips:bob@example.com>;tag=90210
Call-ID: faif9a@qwefnwdclk
CSeq: 12 REGISTER
Supported: path, outbound
Path: <sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>
Contact: <sips:bob@bobphone.example.com>
;+sip.instance="<urn:uuid:6F85D4E3-E8AA-46AA-B768-BF39D5912143>"
;reg-id=1
Content-Length: 0
F7 200 (REGISTER) Registrar/Authoritative Proxy B -> Edge Proxy B
SIP/2.0 200 OK
Via: SIP/2.0/TLS eb.example.com:5061;branch=z9hG4bK876354
Via: SIP/2.0/TLS bobphone.example.com:5061;branch=z9hG4bK9555
To: Bob <sips:bob@example.com>;tag=5150
From: Bob <sips:bob@example.com>;tag=90210
Call-ID: faif9a@qwefnwdclk
CSeq: 12 REGISTER
Require: outbound
Supported: path, outbound
Path: <sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>
Contact: <sips:bob@bobphone.example.com>
;+sip.instance="<urn:uuid:6F85D4E3-E8AA-46AA-B768-BF39D5912143>"
;reg-id=1
;expires=3600
Date: Thu, 09 Aug 2007 16:43:50 GMT
Content-Length: 0
Audet Standards Track [Page 26]
^L
RFC 5630 SIPS October 2009
F8 200 (REGISTER) Edge Proxy B -> Bob's Phone
SIP/2.0 200 OK
Via: SIP/2.0/TLS bobphone.example.com:5061;branch=z9hG4bK9555
To: Bob <sips:bob@example.com>;tag=5150
From: Bob <sips:bob@example.com>;tag=90210
Call-ID: faif9a@qwefnwdclk
CSeq: 12 REGISTER
Require: outbound
Supported: path, outbound
Path: <sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>
Contact: <sips:bob@bobphone.example.com>
;+sip.instance="<urn:uuid:6F85D4E3-E8AA-46AA-B768-BF39D5912143>"
;reg-id=1
;expires=3600
Date: Thu, 09 Aug 2007 16:43:50 GMT
Content-Length: 0
6.2. Alice Calls Bob's SIPS AOR
Bob's registration has already occurred as per Section 6.1.
In this first example, Alice calls Bob's SIPS AOR
(sips:bob@example.com). Registrar/Authoritative Proxy B consults the
binding in the registration database, and finds the two Contact
header field bindings. Alice had addressed Bob with a SIPS Request-
URI (sips:bob@example.com), so Registrar/Authoritative Proxy B
determines that the call needs to be routed only to bobphone (which
registered using a SIPS Contact header field), and therefore the
request is only sent to sips:bob@bobphone.example.com, through Edge
Proxy B. Both Registrar/Authoritative Proxy B and Edge Proxy B
insert themselves in the Record-Route. Bob answers at
sips:bob@bobphone.example.com.
Audet Standards Track [Page 27]
^L
RFC 5630 SIPS October 2009
(eb) (pb)
Edge Registrar/
Bob@bobpc Proxy B Auth. Proxy B Proxy A Alice
| | | | |
| | | | INVITE F9 |
| Bob@bobphone | | INVITE F11 |<-----------|
| | | INVITE F13 |<-----------| 100 F10 |
| | INVITE F15 |<-----------| 100 F12 |----------->|
| |<-----------| 100 F14 |----------->| |
| | 180 F16 |----------->| | |
| |----------->| 180 F17 | | |
| | 200 F20 |----------->| 180 F18 | |
| |----------->| 200 F21 |----------->| 180 F19 |
| | |----------->| 200 F22 |----------->|
| | | |----------->| 200 F23 |
| | | | |----------->|
| | | | | ACK F24 |
| | | | ACK F25 |<-----------|
| | | ACK F26 |<-----------| |
| | ACK F27 |<-----------| | |
| |<-----------| | | |
| | | | | |
Alice Calls Bob's SIPS AOR
Message details
F9 INVITE Alice -> Proxy A
INVITE sips:bob@example.com SIP/2.0
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
Max-Forwards: 70
To: Bob <sips:bob@example.com>
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Route: <sips:proxya.example.net;lr>
Contact: <sips:alice@alice-1.example.net>
Content-Type: application/sdp
Content-Length: {as per SDP}
{SDP not shown}
Audet Standards Track [Page 28]
^L
RFC 5630 SIPS October 2009
F10 100 (INVITE) Proxy A -> Alice
SIP/2.0 100 Trying
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Content-Length: 0
F11 INVITE Proxy A -> Registrar/Authoritative Proxy B
INVITE sips:bob@example.com SIP/2.0
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
Max-Forwards: 69
To: Bob <sips:bob@example.com>
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route: <sips:proxya.example.net;lr>
Contact: <sips:alice@alice-1.example.net>
Content-Type: application/sdp
Content-Length: {as per SDP}
{SDP not shown}
F12 100 (INVITE) Registrar/Authoritative Proxy B -> Proxy A
SIP/2.0 100 Trying
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Content-Length: 0
Audet Standards Track [Page 29]
^L
RFC 5630 SIPS October 2009
F13 INVITE Registrar/Authoritative Proxy B -> Edge Proxy B
INVITE sips:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TLS pb.example.com:5061;branch=z9hG4bKbalouba
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
Max-Forwards: 68
To: Bob <sips:bob@example.com>
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Route:
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@edge.example.com;lr;ob>
Record-Route: <sips:pb.example.com;lr>, <sips:proxya.example.net;lr>
Contact: <sips:alice@alice-1.example.net>
Content-Type: application/sdp
Content-Length: {as per SDP}
{SDP not shown}
F14 100 (INVITE) Edge Proxy B -> Registrar/Authoritative Proxy B
SIP/2.0 100 Trying
Via: SIP/2.0/TLS pb.example.com:5061;branch=z9hG4bKbalouba
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Content-Length: 0
Audet Standards Track [Page 30]
^L
RFC 5630 SIPS October 2009
F15 INVITE Edge Proxy B -> Bob's phone
INVITE sips:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TLS eb.example.com:5061;branch=z9hG4bKbiba
Via: SIP/2.0/TLS pb.example.com:5061;branch=z9hG4bKbalouba
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
Max-Forwards: 67
To: Bob <sips:bob@example.com>
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sips:pb.example.com;lr>, <sips:proxya.example.net;lr>
Contact: <sips:alice@alice-1.example.net>
Content-Type: application/sdp
Content-Length: {as per SDP}
{SDP not shown}
F16 180 (INVITE) Bob's Phone -> Edge Proxy B
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS eb.example.com:5061;branch=z9hG4bKbiba
Via: SIP/2.0/TLS pb.example.com:5061;branch=z9hG4bKbalouba
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sips:pb.example.com;lr>, <sips:proxya.example.net;lr>
Contact: <sips:bob@bobphone.example.com>
Content-Length: 0
Audet Standards Track [Page 31]
^L
RFC 5630 SIPS October 2009
F17 180 (INVITE) Edge Proxy B -> Registrar/Authoritative Proxy B
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS pb.example.com:5061;branch=z9hG4bKbalouba
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sips:pb.example.com;lr>, <sips:proxya.example.net;lr>
Contact: <sips:bob@bobphone.example.com>
Content-Length: 0
F18 180 Registrar/Authoritative Proxy B -> Proxy A
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sips:pb.example.com;lr>, <sips:proxya.example.net;lr>
Contact: <sips:bob@bobphone.example.com>
Content-Length: 0
F19 180 (INVITE) Proxy A -> Alice
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sips:pb.example.com;lr>, <sips:proxya.example.net;lr>
Contact: <sips:bob@bobphone.example.com>
Content-Length: 0
Audet Standards Track [Page 32]
^L
RFC 5630 SIPS October 2009
F20 200 (INVITE) Bob's Phone -> Edge Proxy B
SIP/2.0 200 OK
Via: SIP/2.0/TLS eb.example.com:5061;branch=z9hG4bKbiba
Via: SIP/2.0/TLS pb.example.com:5061;branch=z9hG4bKbalouba
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sips:pb.example.com;lr>, <sips:proxya.example.net;lr>
Contact: <sips:bob@bobphone.example.com>
Content-Length: 0
F21 200 (INVITE) Edge Proxy B -> Registrar/Authoritative Proxy B
SIP/2.0 200 OK
Via: SIP/2.0/TLS pb.example.com:5061;branch=z9hG4bKbalouba
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sips:pb.example.com;lr>, <sips:proxya.example.net;lr>
Contact: <sips:bob@bobphone.example.com>
Content-Length: 0
Audet Standards Track [Page 33]
^L
RFC 5630 SIPS October 2009
F22 200 Registrar/Authoritative Proxy B -> Proxy A
SIP/2.0 200 OK
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKpouet
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sips:pb.example.com;lr>, <sips:proxya.example.net;lr>
Contact: <sips:bob@bobphone.example.com>
Content-Length: 0
F23 200 (INVITE) Proxy A -> Alice
SIP/2.0 200 OK
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKprout
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sips:pb.example.com;lr>, <sips:proxya.example.net;lr>
Contact: <sips:bob@bobphone.example.com>
Content-Length: 0
F24 ACK Alice -> Proxy A
ACK sips:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKksdjf
Max-Forwards: 70
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 ACK
Route: <sips:proxya.example.net;lr>, <sips:pb.example.com;lr>,
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@pb.example.com;lr;ob>
Content-Length: 0
Audet Standards Track [Page 34]
^L
RFC 5630 SIPS October 2009
F25 ACK Proxy A -> Registrar/Authoritative Proxy B
ACK sips:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKplo7hy
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKksdjf
Max-Forwards: 69
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 ACK
Route: <sips:pb.example.com;lr>,
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@pb.example.com;lr;ob>
Content-Length: 0
F26 ACK Registrar/Authoritative Proxy B -> Edge Proxy B
ACK sips:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TLS pb.example.com:5061;branch=z9hG4bK8msdu2
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKplo7hy
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKksdjf
Max-Forwards: 69
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 ACK
Route: <sips:pb.example.com;lr>,
<sips:psodkfsj+34+kklsL+uJH-Xm816k09Kk@pb.example.com;lr;ob>
Content-Length: 0
F27 ACK Proxy B -> Bob's Phone
ACK sips:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TLS eb.example.com:5061;branch=z9hG4bKkmfdgk
Via: SIP/2.0/TLS pb.example.com:5061;branch=z9hG4bK8msdu2
Via: SIP/2.0/TLS proxya.example.net:5061;branch=z9hG4bKplo7hy
Via: SIP/2.0/TLS alice-1.example.net:5061;branch=z9hG4bKksdjf
Max-Forwards: 68
To: Bob <sips:bob@example.com>;tag=5551212
From: Alice <sips:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 ACK
Content-Length: 0
Audet Standards Track [Page 35]
^L
RFC 5630 SIPS October 2009
6.3. Alice Calls Bob's SIP AOR Using TCP
Bob's registration has already occurred as per Section 6.1.
In the second example, Alice calls Bob's SIP AOR instead
(sip:bob@example.com), and she uses TCP as a transport. Registrar/
Authoritative Proxy B consults the binding in the registration
database, and finds the two Contact header field bindings. Alice had
addressed Bob with a SIP Request-URI (sip:bob@example.com), so
Registrar/Authoritative Proxy B determines that the call needs to be
routed both to bobpc (which registered with a SIP Contact header
field) and bobphone (which registered with a SIPS Contact header
field), and therefore the request is forked to
sip:bob@bobpc.example.com and sip:bob@bobphone.example.com, through
Edge Proxy B. Note that Registrar/Authoritative Proxy B preserved
the SIP scheme of the Request-URI instead of replacing it with the
SIPS scheme of the Contact header field that was used for
registration. Both Registrar/Authoritative Proxy B and Edge Proxy B
insert themselves in the Record-Route. Bob's phone's policy is to
accept calls to SIP and SIPS (i.e., "best effort"), so both his PC
client and his SIP phone ring simultaneously. Bob answers on his SIP
phone, and the forked call leg to the PC client is canceled.
Audet Standards Track [Page 36]
^L
RFC 5630 SIPS October 2009
(eb) (pb)
Edge Registrar/
Bob@bobpc Proxy B Auth. Proxy B Proxy A Alice
| | | | |
| | | | INVITE F9 |
| | | INVITE F11 |<-----------|
| | INVITE F13'|<-----------| 100 F10 |
| INVITE F15' |<-----------| 100 F12 |----------->|
|<------------------| 100 F14' |----------->| |
| 180 F16' |----------->| | |
|------------------>| 180 F17' | | |
| |----------->| 180 F18' | |
| Bob@bobphone | |----------->| 180 F19' |
| | | INVITE F13 | |----------->|
| | INVITE F15 |<-----------| | |
| |<-----------| 100 F14 | | |
| | 180 F16 |----------->| | |
| |----------->| 180 F17 | | |
| | 200 F20 |----------->| 180 F18 | |
| |----------->| 200 F21 |----------->| 180 F19 |
| | |----------->| 200 F22 |----------->|
| | | |----------->| 200 F23 |
| | | | |----------->|
| | | | | ACK F24 |
| | | | ACK F25 |<-----------|
| | | ACK F26 |<-----------| |
| | ACK F27 |<-----------| | |
| |<-----------| | | |
| | CANCEL F26'| | |
| CANCEL F27' |<-----------| | |
|<------------------| | | |
| 200 F28' | | | |
|------------------>| 200 F29' | | |
| 487 F30' |----------->| | |
|------------------>| 487 F31' | | |
| |----------->| | |
Alice Calls Bob's SIP AOR
Audet Standards Track [Page 37]
^L
RFC 5630 SIPS October 2009
Message details
F9 INVITE Alice -> Proxy A
INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
Max-Forwards: 70
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Route: <sip:proxya.example.net;lr>
Contact: <sip:alice@alice-1.example.net>
Content-Type: application/sdp
Content-Length: {as per SDP}
{SDP not shown}
F10 100 (INVITE) Proxy A -> Alice
SIP/2.0 100 Trying
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Content-Length: 0
F11 INVITE Proxy A -> Registrar/Authoritative Proxy B
INVITE sip:bob@example.com SIP/2.0
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
Max-Forwards: 69
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route: <sip:proxya.example.net;lr>
Contact: <sip:alice@alice-1.example.net>
Content-Type: application/sdp
Content-Length: {as per SDP}
{SDP not shown}
Audet Standards Track [Page 38]
^L
RFC 5630 SIPS October 2009
F12 100 (INVITE) Registrar/Authoritative Proxy B -> Proxy A
SIP/2.0 100 Trying
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Content-Length: 0
F13' INVITE Registrar/Authoritative Proxy B -> Edge Proxy B
INVITE sip:bob@bobpc.example.com SIP/2.0
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
Max-Forwards: 68
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Route: <sip:laksdyjanseg237+fsdf+uy623hytIJ8@eb.example.com;lr;ob>
Record-Route: <sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:alice@alice-1.example.net>
Content-Type: application/sdp
Content-Length: {as per SDP}
{SDP not shown}
F14' 100 (INVITE) Edge Proxy B -> Registrar/Authoritative Proxy B
SIP/2.0 100 Trying
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Content-Length: 0
Audet Standards Track [Page 39]
^L
RFC 5630 SIPS October 2009
F15' INVITE Edge Proxy B -> Bob's PC Client
INVITE sip:bob@bobpc.example.com SIP/2.0
Via: SIP/2.0/TCP eb.example.com:5060;branch=z9hG4bKbiba
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
Max-Forwards: 67
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:laksdyjanseg237+fsdf+uy623hytIJ8@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:alice@alice-1.example.net>
Content-Type: application/sdp
Content-Length: {as per SDP}
{SDP not shown}
F16' 180 (INVITE) Bob's PC Client -> Edge Proxy B
SIP/2.0 180 Ringing
Via: SIP/2.0/TCP eb.example.com:5060;branch=z9hG4bKbiba
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=963258
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:laksdyjanseg237+fsdf+uy623hytIJ8@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobpc.example.com>
Content-Length: 0
Audet Standards Track [Page 40]
^L
RFC 5630 SIPS October 2009
F17' 180 (INVITE) Edge Proxy B -> Registrar/Authoritative Proxy B
SIP/2.0 180 Ringing
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=963258
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:laksdyjanseg237+fsdf+uy623hytIJ8@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobpc.example.com>
Content-Length: 0
F18' 180 (INVITE) Registrar/Authoritative Proxy B -> Proxy A
SIP/2.0 180 Ringing
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=963258
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:laksdyjanseg237+fsdf+uy623hytIJ8@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobpc.example.com>
Content-Length: 0
Audet Standards Track [Page 41]
^L
RFC 5630 SIPS October 2009
F19' 180 (INVITE) Proxy A -> Alice
SIP/2.0 180 Ringing
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=963258
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:laksdyjanseg237+fsdf+uy623hytIJ8@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobpc.example.com>
Content-Length: 0
F13 INVITE Registrar/Authoritative Proxy B -> Edge Proxy B
INVITE sip:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.1
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
Max-Forwards: 68
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Route: <sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>
Record-Route: <sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:alice@alice-1.example.net>
Content-Type: application/sdp
Content-Length: {as per SDP}
{SDP not shown}
F14 100 (INVITE) Edge Proxy B -> Registrar/Authoritative Proxy B
SIP/2.0 100 Trying
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.1
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Content-Length: 0
Audet Standards Track [Page 42]
^L
RFC 5630 SIPS October 2009
F15 INVITE Edge Proxy B -> Bob's Phone
INVITE sip:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TLS eb.example.com:5061;branch=z9hG4bKtroubaba
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.1
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
Max-Forwards: 68
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:alice@alice-1.example.net>
Content-Type: application/sdp
Content-Length: {as per SDP}
{SDP not shown}
F16 180 (INVITE) Bob's Phone -> Edge Proxy B
SIP/2.0 180 Ringing
Via: SIP/2.0/TLS eb.example.com:5061;branch=z9hG4bKtroubaba
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.1
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobphone.example.com>
Content-Length: 0
Audet Standards Track [Page 43]
^L
RFC 5630 SIPS October 2009
F17 180 (INVITE) Edge Proxy B -> Registrar/Authoritative Proxy B
SIP/2.0 180 Ringing
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.1
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobphone.example.com>
Content-Length: 0
F18 180 (INVITE) Registrar/Authoritative Proxy B -> Proxy A
SIP/2.0 180 Ringing
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobphone.example.com>
Content-Length: 0
Audet Standards Track [Page 44]
^L
RFC 5630 SIPS October 2009
F19 180 (INVITE) Proxy A -> Alice
SIP/2.0 180 Ringing
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobphone.example.com>
Content-Length: 0
F20 200 (INVITE) Bob's Phone -> Edge Proxy B
SIP/2.0 200 OK
Via: SIP/2.0/TLS eb.example.com:5061;branch=z9hG4bKtroubaba
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.1
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobphone.example.com>
Content-Length: 0
Audet Standards Track [Page 45]
^L
RFC 5630 SIPS October 2009
F21 200 (INVITE) Edge Proxy B -> Registrar/Authoritative Proxy B
SIP/2.0 200 OK
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.1
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobphone.example.com>
Content-Length: 0
F22 200 (INVITE) Registrar/Authoritative Proxy B -> Proxy A
SIP/2.0 200 OK
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobphone.example.com>
Content-Length: 0
Audet Standards Track [Page 46]
^L
RFC 5630 SIPS October 2009
F23 200 (INVITE) Proxy A -> Alice
SIP/2.0 200 OK
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Record-Route:
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>,
<sip:pb.example.com;lr>, <sip:proxya.example.net;lr>
Contact: <sip:bob@bobphone.example.com>
Content-Length: 0
F24 ACK Alice -> Proxy A
ACK sip:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
Max-Forwards: 70
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 ACK
Route: <sip:proxya.example.net;lr>, <sip:pb.example.com;lr>,
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@edge.example.com;lr;ob>
Content-Length: 0
F25 ACK Proxy A -> Registrar/Authoritative Proxy B
ACK sip:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
Max-Forwards: 69
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 ACK
Route: <sip:pb.example.com;lr>,
<sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>
Content-Length: 0
Audet Standards Track [Page 47]
^L
RFC 5630 SIPS October 2009
F26 ACK Registrar/Authoritative Proxy B -> Edge Proxy B
ACK sip:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.1
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
Max-Forwards: 69
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 ACK
Route: <sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>
Content-Length: 0
F27 ACK Proxy B -> Bob's Phone
ACK sip:bob@bobphone.example.com SIP/2.0
Via: SIP/2.0/TLS eb.example.com:5061;branch=z9hG4bKtroubaba
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.1
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
Max-Forwards: 68
To: Bob <sip:bob@example.com>;tag=5551212
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 ACK
Content-Length: 0
F26' CANCEL Registrar/Authoritative Proxy B -> Edge Proxy B
CANCEL sip:bob@bobpc.example.com SIP/2.0
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
Max-Forwards: 70
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 CANCEL
Route: <sip:psodkfsj+34+kklsL+uJH-Xm816k09Kk@eb.example.com;lr;ob>
Content-Length: 0
Audet Standards Track [Page 48]
^L
RFC 5630 SIPS October 2009
F27' CANCEL Edge Proxy B -> Bob's PC Client
CANCEL sip:bob@bobpc.example.com SIP/2.0
Via: SIP/2.0/TCP eb.example.com:5060;branch=z9hG4bKtroubaba
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
Max-Forwards: 69
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 CANCEL
Content-Length: 0
F28' 200 (CANCEL) Bob's PC Client -> Edge Proxy B
SIP/2.0 200 OK
Via: SIP/2.0/TCP eb.example.com:5060;branch=z9hG4bKtroubaba
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 CANCEL
Content-Length: 0
F29' 200 (CANCEL) Edge Proxy B -> Registrar/Authoritative Proxy B
SIP/2.0 200 OK
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 CANCEL
Content-Length: 0
Audet Standards Track [Page 49]
^L
RFC 5630 SIPS October 2009
F30' 487 (INVITE) Bob's PC Client -> Edge Proxy B
SIP/2.0 487 Request Terminated
Via: SIP/2.0/TCP eb.example.com:5060;branch=z9hG4bKtroubaba
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Content-Length: 0
F31' 487 (INVITE) Edge Proxy B -> Registrar/Authoritative Proxy B
SIP/2.0 487 Request Terminated
Via: SIP/2.0/TCP pb.example.com:5060;branch=z9hG4bKbalouba.2
Via: SIP/2.0/TCP proxya.example.net:5060;branch=z9hG4bKpouet
Via: SIP/2.0/TCP alice-1.example.net:5060;branch=z9hG4bKprout
To: Bob <sip:bob@example.com>
From: Alice <sip:alice@example.net>;tag=8675309
Call-ID: lzksjf8723k@sodk6587
CSeq: 1 INVITE
Content-Length: 0
6.4. Alice Calls Bob's SIP AOR Using TLS
Bob's registration has already occurred as per Section 6.1.
The third example is identical to the second one, except that Alice
uses TLS as the transport for her connection to her proxy. Such an
arrangement would be common if Alice's UA supported TLS and wanted to
use a single connection to the proxy (as would be the case when using
[RFC5626]). In the example below, Proxy A is also using TLS as a
transport to communicate with Outbound Proxy B, but it is not
necessarily the case.
When using a SIP URI in the Request-URI but TLS as a transport for
sending the request, the Via field indicates TLS. The Route header
field (if present) typically would use a SIP URI (but it could also
be a SIPS URI). The Contact header fields and To and From, however
would also normally indicate a SIP URI.
The call flow would be exactly as per the second example
(Section 6.3). The only difference would be that all the Via header
fields would use TLS Via parameters. The URIs would remain SIP URIs
and not SIPS URIs.
Audet Standards Track [Page 50]
^L
RFC 5630 SIPS October 2009
7. Further Considerations
SIP [RFC3261] itself introduces some complications with using SIPS,
for example, when Record-Route is not used. When a SIPS URI is used
in a Contact header field in a dialog-initiating request and Record-
Route is not used, that SIPS URI might not be usable by the other
end. If the other end does not support SIPS and/or TLS, it will not
be able to use it. The last-hop exception is an example of when this
can occur. In this case, using Record-Route so that the requests are
sent through proxies can help in making it work. Another example is
that even in a case where the Contact header field is a SIPS URI, no
Record-Route is used, and the far end supports SIPS and TLS, it might
still not be possible for the far end to establish a TLS connection
with the SIP originating end if the certificate cannot be validated
by the far end. This could typically be the case if the originating
end was using server-side authentication as described below, or if
the originating end is not using a certificate that can be validated.
TLS itself has a significant impact on how SIPS can be used. Server-
side authentication (where the server side provides its certificate
but the client side does not) is typically used between a SIP end-
user device acting as the TLS client side (e.g., a phone or a
personal computer) and its SIP server (proxy or registrar) acting as
the TLS server side. TLS mutual authentication (where both the
client side and the server side provide their respective
certificates) is typically used between SIP servers (proxies,
registrars), or statically configured devices such as PSTN gateways
or media servers. In the mutual authentication model, for two
entities to be able to establish a TLS connection, it is required
that both sides be able to validate each other's certificates, either
by static configuration or by being able to recurse to a valid root
certificate. With server-side authentication, only the client side
is capable of validating the server side's certificate, as the client
side does not provide a certificate. The consequences of all this
are that whenever a SIPS URI is used to establish a TLS connection,
it is expected to be possible for the entity establishing the
connection (the client) to validate the certificate from the server
side. For server-side authentication, [RFC5626] is the recommended
approach. For mutual authentication, one needs to ensure that the
architecture of the network is such that connections are made between
entities that have access to each other's certificates. Record-Route
[RFC3261] and Path [RFC3327] are very useful in ensuring that
previously established TLS connections can be reused. Other
mechanisms might also be used in certain circumstances: for example,
using root certificates that are widely recognized allows for more
easily created TLS connections.
Audet Standards Track [Page 51]
^L
RFC 5630 SIPS October 2009
8. Security Considerations
Most of this document can be considered to be security considerations
since it applies to the usage of the SIPS URI.
The "last-hop exception" of [RFC3261] introduced significant
potential vulnerabilities in SIP, and it has therefore been
deprecated by this specification.
Section 26.4.4 of [RFC3261] describes the security considerations for
the SIPS URI scheme. These security considerations also applies
here, as modified by Appendix A.
9. IANA Considerations
This specification registers two new warning codes, namely, 380 "SIPS
Not Allowed" and 381 "SIPS Required". The warning codes are defined
as follows, and have been included in the Warning Codes (warn-codes)
sub-registry of the SIP Parameters registry available from
http://www.iana.org.
380 SIPS Not Allowed: The UAS or proxy cannot process the request
because the SIPS scheme is not allowed (e.g., because there are
currently no registered SIPS contacts).
381 SIPS Required: The UAS or proxy cannot process the request
because the SIPS scheme is required.
Reference: RFC 5630
The note in the Warning Codes sub-registry is as follows:
Warning codes provide information supplemental to the status code
in SIP response messages.
10. Acknowledgments
The author would like to thank Jon Peterson, Cullen Jennings,
Jonathan Rosenberg, John Elwell, Paul Kyzivat, Eric Rescorla, Robert
Sparks, Rifaat Shekh-Yusef, Peter Reissner, Tina Tsou, Keith Drage,
Brian Stucker, Patrick Ma, Lavis Zhou, Joel Halpern, Hisham
Karthabil, Dean Willis, Eric Tremblay, Hans Persson, and Ben Campbell
for their careful review and input. Many thanks to Rohan Mahy for
helping me with the subtleties of [RFC5626].
Audet Standards Track [Page 52]
^L
RFC 5630 SIPS October 2009
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5626] Jennings, C., "Managing Client-Initiated Connections in
the Session Initiation Protocol (SIP)", RFC 5626, October
2009.
11.2. Informative References
[RFC2543] Handley, M., Schulzrinne, H., Schooler, E., and J.
Rosenberg, "SIP: Session Initiation Protocol", RFC 2543,
March 1999.
[RFC3327] Willis, D. and B. Hoeneisen, "Session Initiation Protocol
(SIP) Extension Header Field for Registering Non-Adjacent
Contacts", RFC 3327, December 2002.
[RFC3515] Sparks, R., "The Session Initiation Protocol (SIP) Refer
Method", RFC 3515, April 2003.
[RFC3608] Willis, D. and B. Hoeneisen, "Session Initiation Protocol
(SIP) Extension Header Field for Service Route Discovery
During Registration", RFC 3608, October 2003.
[RFC3725] Rosenberg, J., Peterson, J., Schulzrinne, H., and G.
Camarillo, "Best Current Practices for Third Party Call
Control (3pcc) in the Session Initiation Protocol (SIP)",
BCP 85, RFC 3725, April 2004.
[RFC3891] Mahy, R., Biggs, B., and R. Dean, "The Session Initiation
Protocol (SIP) "Replaces" Header", RFC 3891,
September 2004.
[RFC3893] Peterson, J., "Session Initiation Protocol (SIP)
Authenticated Identity Body (AIB) Format", RFC 3893,
September 2004.
Audet Standards Track [Page 53]
^L
RFC 5630 SIPS October 2009
[RFC3911] Mahy, R. and D. Petrie, "The Session Initiation Protocol
(SIP) "Join" Header", RFC 3911, October 2004.
[RFC4168] Rosenberg, J., Schulzrinne, H., and G. Camarillo, "The
Stream Control Transmission Protocol (SCTP) as a Transport
for the Session Initiation Protocol (SIP)", RFC 4168,
October 2005.
[RFC4244] Barnes, M., "An Extension to the Session Initiation
Protocol (SIP) for Request History Information", RFC 4244,
November 2005.
[RFC4474] Peterson, J. and C. Jennings, "Enhancements for
Authenticated Identity Management in the Session
Initiation Protocol (SIP)", RFC 4474, August 2006.
[RFC5627] Rosenberg, J., "Obtaining and Using Globally Routable User
Agent URIs (GRUU) in the Session Initiation Protocol
(SIP)", RFC 5627, October 2009.
Audet Standards Track [Page 54]
^L
RFC 5630 SIPS October 2009
Appendix A. Bug Fixes for RFC 3261
In order to support the material in this document, this section makes
corrections to RFC 3261.
The last sentence of the fifth paragraph of Section 8.1.3.5 is
replaced by:
The client SHOULD retry the request, this time, using a SIP URI
unless the original Request-URI used a SIPS scheme, in which case
the client MUST NOT retry the request automatically.
The fifth paragraph of Section 10.2.1 is replaced by:
If the Address of Record in the To header field of a REGISTER
request is a SIPS URI, then the UAC MUST also include only SIPS
URIs in any Contact header field value in the requests.
In Section 16.7 on p. 112 describing Record-Route, the second
paragraph is deleted.
The last paragraph of Section 19.1 is reworded as follows:
A SIPS URI specifies that the resource be contacted securely.
This means, in particular, that TLS is to be used on each hop
between the UAC and the resource identified by the target SIPS
URI. Any resources described by a SIP URI (...)
In the third paragraph of Section 20.43, the words "the session
description" in the first sentence are replaced with "SIP". Later in
the paragraph, "390" is replaced with "380", and "miscellaneous
warnings" is replaced with "miscellaneous SIP-related warnings".
The second paragraph of Section 26.2.2 is reworded as follows:
(...) When used as the Request-URI of a request, the SIPS scheme
signifies that each hop over which the request is forwarded, until
the request reaches the resource identified by the Request-URI, is
secured with TLS. When used by the originator of a request (as
would be the case if they employed a SIPS URI as the address-of-
record of the target), SIPS dictates that the entire request path
to the target domain be so secured.
The first paragraph of Section 26.4.4 is replaced by the following:
Actually using TLS on every segment of a request path entails that
the terminating UAS is reachable over TLS (by registering with a
SIPS URI as a contact address). The SIPS scheme implies
Audet Standards Track [Page 55]
^L
RFC 5630 SIPS October 2009
transitive trust. Obviously, there is nothing that prevents
proxies from cheating. Thus, SIPS cannot guarantee that TLS usage
will be truly respected end-to-end on each segment of a request
path. Note that since many UAs will not accept incoming TLS
connections, even those UAs that do support TLS will be required
to maintain persistent TLS connections as described in the TLS
limitations section above in order to receive requests over TLS as
a UAS.
The first sentence of the third paragraph of Section 26.4.4 is
replaced by the following:
Ensuring that TLS will be used for all of the request segments up
to the target UAS is somewhat complex.
The fourth paragraph of Section 26.4.4 is deleted.
The last sentence of the fifth paragraph of Section 26.4.4 is
reworded as follows:
S/MIME or, preferably, [RFC4474] may also be used by the
originating UAC to help ensure that the original form of the To
header field is carried end-to-end.
In the third paragraph of Section 27.2, the phrase "when the failure
of the transaction results from a Session Description Protocol (SDP)
(RFC 2327 [1]) problem" is deleted.
In the fifth paragraph of Section 27.2, "390" is replaced with "380",
and "miscellaneous warnings" is replaced with "miscellaneous SIP-
related warnings".
Author's Address
Francois Audet
Skype Labs
EMail: francois.audet@skypelabs.com
Audet Standards Track [Page 56]
^L
|
