Revision as of 19:48, May 11, 2018 by Valentip

Secure SIP Signaling

[FDS: https://intranet.genesys.com/pages/viewpage.action?pageId=68330919]


Starting with version 8.1.103.08, SIP Server supports the secure SIP signaling schema or SIPS, in accordance with RFC 5630.

When enabled, SIP Server forms the Request-URI and the From, To, and Contact headers with the sips schema when sending a SIP message to a device that requires it. The Via header of the message contains the transport TLS. A Request-URI with the sips schema may carry the transport parameter transport=tcp or transport=tls, or no transport parameter at all. In every case, communication is established in TLS over TCP.

When generating a response to an incoming message that contains the sips schema, SIP Server forms the Contact header to include sips.

SIP Server applies the sips schema rules selectively, on a per-leg basis. In other words, if one SIP peer requires secure SIP signaling while another SIP peer does not support it, SIP Server is able to interconnect these peers, using the protocol each one supports.

SIP Headers affected by feature

The following headers are affected by this feature:

Request line. A Request-URI with the "sips" schema may have the transport parameter "transport=tcp" or "transport=tls", or no transport parameter. In any case communication will be established in TLS over TCP.
Header Via. There is no change to the Via header compared with the existing transport=tls case.
Header From. The URI of the From header has the same schema as the Request-URI ("sips") and the same transport parameter as the Request-URI.
Header To. The URI of the To header has the same schema as the Request-URI ("sips") and the same transport parameter as the Request-URI.
Header Contact. In an initial request, it has the same schema ("sips") and transport parameter as the Request-URI. In a response, its schema and transport parameter match those of the Contact header of the incoming request.

Devices communicating with SIP Server using the "sips" schema should have a corresponding configuration that enforces (or allows) the "sips" schema.


Example of an INVITE message with the "sips" schema arriving at SIP Server

INVITE sips:5000@172.21.83.50:5314;transport=TCP SIP/2.0
From: "7789"<sips:7789@172.21.83.24>;tag=74cc50-185315ac-13c4-55013-38-2147ec74-38
To: <sips:5000@172.21.83.50:5314>
Call-ID: 75b148-185315ac-13c4-55013-38-4004bd76-38
CSeq: 1 INVITE
Via: SIP/2.0/TLS 172.21.83.24:5061;branch=z9hG4bK-38-dd24-c4644b6
Max-Forwards: 70
Supported: replaces,100rel,eventlist,timer
Allow: REGISTER, INVITE, ACK, BYE, REFER, NOTIFY, CANCEL, INFO, OPTIONS, PRACK, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: AUDC-IPPhone/2.2.12.172 (420HD-Rev1; 00908F567540)
Contact: <sips:7789@172.21.83.24:5061;transport=TCP>
Session-Expires: 1800
Min-SE: 90
Content-Type: application/sdp
Content-Length: 299
...

Example of 200 OK SIP Server response with "sips" schema

SIP/2.0 200 OK
From: "7789"<sips:7789@172.21.83.24>;tag=74cc50-185315ac-13c4-55013-38-2147ec74-38
To: <sips:5000@172.21.83.50:5314>;tag=EBDFD947-8988-4831-9FFF-051C3B626FFA-2
Call-ID: 75b148-185315ac-13c4-55013-38-4004bd76-38
CSeq: 1 INVITE
Via: SIP/2.0/TLS 172.21.83.24:5061;branch=z9hG4bK-38-dd24-c4644b6;received=172.21.83.24
Contact: <sips:5000@172.21.83.50:5314;transport=TCP>
X-Genesys-CallUUID: 8AH5H0H7054R93EBKC9ICTN8A8000001
Allow: INVITE, ACK, PRACK, CANCEL, BYE, REFER, INFO, MESSAGE, NOTIFY, OPTIONS
User-Agent: PolycomVVX-VVX_300-UA/5.2.0.8330
Allow-Events: conference,talk,hold
Accept-Language: en
Session-Expires: 1800;refresher=uas
Supported: uui,timer
Content-Type: application/sdp
Content-Length: 193
 ... 
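The header rules above can be checked mechanically on captured signaling. The following is an added example, not Genesys code: the function names are hypothetical, only full header names are handled (no compact forms), and only the topmost Via is inspected. It flags a leg where some URIs use sips while another header or the Via transport was left on plain sip.

```python
import re

def uri_scheme(uri):
    return uri.partition(":")[0].lower()

def effective_transport(uri):
    """Transport actually used for a URI: sips is always TLS over TCP."""
    params = dict(p.lower().partition("=")[::2] for p in uri.split(";")[1:])
    if uri_scheme(uri) == "sips":
        return "TLS"                                # transport=tcp, =tls or absent
    return params.get("transport", "udp").upper()   # plain sip: absent means UDP

def audit_sips_leg(raw):
    """Return findings for one SIP message; an empty list means consistent."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                                   # blank line: body follows
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    uris = {}
    start = lines[0].split()
    if not start[0].startswith("SIP/"):             # requests carry a Request-URI
        uris["Request-URI"] = start[1]
    for name in ("from", "to", "contact"):
        if name in headers:
            m = re.search(r"<([^>]+)>", headers[name])
            uris[name.title()] = m.group(1) if m else headers[name].split(";")[0]
    if not any(uri_scheme(u) == "sips" for u in uris.values()):
        return []                                   # not a sips leg, nothing to check
    findings = [f"{n} uses '{uri_scheme(u)}', expected 'sips'"
                for n, u in uris.items() if uri_scheme(u) != "sips"]
    via = headers.get("via", "")
    via_transport = via.split()[0].split("/")[-1].upper() if via else "MISSING"
    if via_transport != "TLS":
        findings.append(f"Via transport is {via_transport}, expected TLS")
    return findings

# INVITE from this page, abbreviated to the headers the rules cover.
PAGE_INVITE = """INVITE sips:5000@172.21.83.50:5314;transport=TCP SIP/2.0
From: "7789"<sips:7789@172.21.83.24>;tag=74cc50-185315ac-13c4-55013-38-2147ec74-38
To: <sips:5000@172.21.83.50:5314>
Via: SIP/2.0/TLS 172.21.83.24:5061;branch=z9hG4bK-38-dd24-c4644b6
Contact: <sips:7789@172.21.83.24:5061;transport=TCP>
"""
# Constructed counter-example: sips Request-URI, but From and Via were not upgraded.
MIXED_INVITE = PAGE_INVITE.replace("<sips:7789@172.21.83.24>", "<sip:7789@172.21.83.24>") \
                          .replace("SIP/2.0/TLS", "SIP/2.0/TCP")
```

`audit_sips_leg(PAGE_INVITE)` returns an empty list, while `audit_sips_leg(MIXED_INVITE)` reports the From header and the Via transport.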

Feature Configuration

Device Configuration Options

Explicit configuration of schema

Schema "sips" can be configured on the following CME DN objects:

Trunk DN
Extension
ACD Position
VoIP DN with service-type "softswitch"

Schema "sips" is set inside option contact, preceding the IP address or hostname of the DN.

The transport parameter may be configured inside option contact, following the hostport of the contact.

If schema "sips" is configured, any of these transport parameters may be set:

transport=tls
transport=tcp
transport absent

Note. Absence of transport means TLS over TCP. This differs from schema "sip", where it means UDP. Regardless of the presence of a transport parameter inside option contact, communication for schema "sips" is always conducted by TLS over TCP.

Examples of contact values with "sips" schema.

sips:192.168.8.57;transport=tcp
sips:fly.genesyslab.com;transport=tls
sips:ant.genesyslab.com

Enforcing "sips:" schema by SIP registration

Self-registered DNs are configured in Genesys CME with option contact="*". When an incoming SIP REGISTER request from the corresponding endpoint has schema "sips", SIP Server uses schema "sips" for all future communication with that endpoint. The transport parameter used during communication is taken from the SIP REGISTER request.

Feature Limitations

Because SIP Proxy does not yet support schema "sips", this feature does not cover deployments with SIP Proxy.

SIP Server guarantees consistent use of the sips schema only if the configuration and the incoming traffic match. In other words, a trunk through which an INVITE with sips arrives should have the sips schema configured, and a self-registered DN must have option contact="*" configured.

This development does not include testing of communication with media server over sips.
