I'm developing a SIP mobile softphone. The customer needs complete hiding of SIP messages from softphones to SIP servers, as VoIP calls are regionally prohibited; however, using a TLS connection was not sufficient since the message headers are easily recognized as a SIP message. What are the best common alternatives? What about OpenVPN or IPSec tunneling?
1 Answer
Transmitting SIP over TLS means the SIP headers will only be viewable if someone is able to compromise your TLS keys, i.e. it's highly unlikely unless some national security agency is on your case.
What you might be encountering is port 5061 being blocked, since it's the default and therefore well-known SIP TLS port. To get around that, simply use a different port for your SIP TLS connection. As far as anyone viewing the traffic goes, if it's not using port 5061 they won't have any idea that SIP is being used in your TLS stream.
Of course you also need to consider the RTP traffic, which is what will carry the audio part of the call once SIP has set it up. There are no standardised ports for RTP, but some popular VoIP softswitches do use certain ranges by default. For example, Asterisk uses UDP 10,000 to 20,000. To work around that you'd really need to use SRTP, but that's going to be harder to set up since not that many SIP user agents and servers support it. It will also be easier to detect for someone watching your traffic, since even without knowing the contents the profile of RTP packets would be detectable. Still, it's likely to need a sophisticated entity monitoring your traffic to detect a VoIP call using SIP over TLS on a non-standard port and an SRTP call amongst the general noise of internet traffic.
- I had a simple experiment: a SIP dialer on an Android emulator, connected to a SIP server using a TLS connection. Then, using Wireshark, I filtered the packets sent to my SIP server IP and found that the message header info contained "SIP". That is what I'm talking about! What do you think? For SRTP and non-default ports, they are already in mind. – Montaro Jan 29 '12 at 00:04
- I think the TLS problem is that the first packets used for negotiation between client and server happen plainly before switching to TLS. – Montaro Jan 29 '12 at 10:51
- The client is faulty if you've told it to use TLS and it still sends some SIP packets over UDP; you should log that with the developer. One other thing to be aware of is that if you use a hostname in your SIP server address then the client should go and look up the SIP NAPTR and SRV records in DNS, which could be another point for someone monitoring to catch you. If you use the IP address instead then no DNS lookups occur. – sipsorcery Jan 29 '12 at 11:28
- WRT the TLS switching, I think it is standard that the handshaking is made first unencrypted, check this [link](http://www.proceedings2006.imcsit.org/pliks/89.pdf), and I'm checking with the developers now. If so, the only way to have hidden messages from the 1st packet would be the VPN solutions? WRT the SRV records, I'm trying to maintain it myself in the client, but I kindly need your advice here: [link](http://stackoverflow.com/questions/8957145/srv-records-order-retrieved-from-a-dns-server/) – Montaro Jan 29 '12 at 14:11
- @Montaro: I can unequivocally guarantee you that for a correctly functioning SIP over TLS connection there should be NO SIP packets transmitted over an unencrypted connection. If it happens, the client is faulty. – sipsorcery Jan 29 '12 at 21:57
- Yes, the first TCP handshaking did not contain any SIP messages unless this header I got from Wireshark: `92 23.799094 192.168.10.126 173.234.233.178 TCP 58 60633 > sip-tls [SYN] Seq=0 Win=14600 Len=0 MSS=1460`. As you can see the packet info contains "sip-tls"; I do not know if this "sip-tls" is a part of the message or it is just Wireshark added info! – Montaro Jan 31 '12 at 11:39
- Wireshark will display the protocol as sip-tls if you're using TCP port 5061. That's the only way it's got to identify SIP over TLS, and even then it's not so much a recognition of the contents, rather it's just recognising the well-known port. And yes, the sip-tls is a Wireshark display field rather than something embedded in a TCP packet. – sipsorcery Jan 31 '12 at 11:48