[asterisk-dev] Registration state for SIP over TCP or TLS

Olle E. Johansson oej at edvina.net
Mon Jan 9 13:08:45 CST 2017


> On 09 Jan 2017, at 19:52, Joshua Colp <jcolp at digium.com> wrote:
> 
> On Mon, Jan 9, 2017, at 02:10 PM, Steve Davies wrote:
>> Hi,
>> 
>> I believe that the current state of affairs with Asterisk's SIP over TCP or
>> TLS registration is that if a connection is dropped or closed, then the
>> registration is allowed to persist.
>> 
>> Given that a re-connect will almost certainly not be from the same IP/port
>> pair, should a TCP or TLS disconnect result in an under-the-hood
>> de-register?
>> 
>> I believe the issue does currently exist because I have seen dropped TCP or
>> TLS connections result in an "xmit_error" when the next OPTIONS ping is
>> attempted.
>> 
>> Thoughts? Am I missing something, or would this be useful for me to look
>> into patching?
> 
> It... depends.
> 
> In a world with connection reuse you can assume that when the connection
> is dropped that you can't reach the other side anymore. However, if you
> are expected to establish an outgoing connection to the remote side then
> the logic that the connection has dropped and you can't reach them is
> not true. The Contact in that case should be valid.

There are basically two situations to consider:

1. NAT: If there’s a connection from behind a NAT, Asterisk can’t reconnect
    and deleting the registration is probably for the best. Asterisk can only
    reuse the inbound TLS connection if the client is using SIP Outbound.

2. Public IP: The TLS connection can ONLY be reused if the client uses SIP outbound.
   Asterisk needs to set up a separate connection to the client as soon as we have a
   request going in that direction, unless there’s a TLS client cert used and verified
   to match the contact URI.

I am trying to get some traction in the IETF for developing a solution for case #1
when there’s a TLS connection - a solution that doesn’t require that there is a
client cert or any use of SIP outbound. Right now, such a solution does not exist,
so Asterisk formally can’t reuse the inbound TLS connection for outbound requests.
Please support this work :-)

For more info, please visit
- http://www.slideshare.net/oej/sip-half-outbound-random-notes
- http://www.slideshare.net/oej/sip-tls-security-in-a-peer-to-peer-world

Kamailio actually reuses the inbound connection for outbound
requests, which is a working solution - but this requires a disregard of the Contact
URI provided by the client and a blind eye when reading the RFCs.

Removing registrations for clients behind NAT when 
a TCP or TCP/TLS or WSS connection dies saves a lot of resources.

/O
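
The two cases above, written out as a registrar-side policy. This is an added example, not part of the original message and not Asterisk code. The Binding model, the NAT test (Contact address differs from the observed source address) and the host-only certificate match are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Binding:
    """One registered contact (constructed model, not an Asterisk structure)."""
    contact_host: str            # host part of the Contact URI
    source_ip: str               # address the TCP/TLS connection came from
    sip_outbound: bool = False   # client registered using SIP Outbound
    verified_cert_names: frozenset = frozenset()  # names from a verified TLS client cert

def behind_nat(b):
    # Assumption: the client is NATed when its Contact address differs from
    # the address the connection was observed to come from.
    try:
        contact = ipaddress.ip_address(b.contact_host)
    except ValueError:
        return False  # hostname Contact: addresses alone cannot tell
    return contact != ipaddress.ip_address(b.source_ip)

def may_reuse_inbound(b):
    # The inbound connection may carry requests toward the client only with
    # SIP Outbound, or a verified client cert that matches the Contact
    # (simplified here to a host comparison).
    return b.sip_outbound or b.contact_host in b.verified_cert_names

def on_connection_lost(b):
    # Case 1 (NAT): the server cannot connect back, so drop the binding.
    if behind_nat(b):
        return "remove-registration"
    # Case 2 (public IP): the Contact is still valid; open a new connection
    # to it when the next request goes in that direction.
    return "keep-and-connect-to-contact"

# Constructed sample bindings (documentation and private address ranges).
SAMPLES = {
    "nat-phone": Binding("10.0.0.5", "192.0.2.10"),
    "public-phone": Binding("198.51.100.7", "198.51.100.7"),
    "outbound-phone": Binding("10.0.0.9", "192.0.2.11", sip_outbound=True),
    "cert-peer": Binding("pbx.example.org", "198.51.100.20",
                         verified_cert_names=frozenset({"pbx.example.org"})),
}

if __name__ == "__main__":
    for name, b in SAMPLES.items():
        reuse = "reuse-inbound" if may_reuse_inbound(b) else "no-reuse"
        print(f"{name:15} lost -> {on_connection_lost(b):28} alive -> {reuse}")
```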





