proxy server
... Bob on his SIP phone over the Internet. Also shown are two SIP proxy
servers that act on behalf of Alice and Bob to facilitate the session
establishment. This typical arrangement is often referred to as the
"SIP ...
... The atlanta.com SIP server is a type of SIP server known as a proxy
server. A proxy server receives SIP requests and forwards them on
...
... SIP server is a type of SIP server known as a proxy
server. A proxy server receives SIP requests and forwards them on
behalf of the requestor. In this example, the proxy server ...
... proxy server receives SIP requests and forwards them on
behalf of the requestor. In this example, the proxy server receives
the INVITE request and sends a 100 (Trying) response back to Alice's
...
... INVITE, which allows Alice's softphone to correlate this response to
the sent INVITE. The atlanta.com proxy server locates the proxy
server at biloxi.com, possibly by performing a particular type of DNS
...
... the sent INVITE. The atlanta.com proxy server locates the proxy
server at biloxi.com, possibly by performing a particular type of DNS
(Domain Name Service ...
... 4]. As a result, it
obtains the IP address of the biloxi.com proxy server and forwards,
or proxies, the INVITE ...
... proxies, the INVITE request there. Before forwarding the request,
the atlanta.com proxy server adds an additional Via header field
value that contains its own address ...
... INVITE already contains
Alice's address in the first Via). The biloxi.com proxy server
receives the INVITE and responds with a 100 (Trying) response back to
...
... receives the INVITE and responds with a 100 (Trying) response back to
the atlanta.com proxy server to indicate that it has received the
INVITE and is processing the request. The proxy server ...
... proxy server to indicate that it has received the
INVITE and is processing the request. The proxy server consults a
database, generically called a location service ...
... IP address of Bob. (We shall see in the next section how
this database can be populated.) The biloxi.com proxy server adds
another Via header field value with its own address ...
... service lookups shown in this
example, proxy servers can make flexible "routing decisions" to
decide where to send a request. For example, if Bob's SIP ...
... decide where to send a request. For example, if Bob's SIP phone
returned a 486 (Busy Here) response, the biloxi.com proxy server
could proxy the INVITE ...
... proxy the INVITE to Bob's voicemail server. A proxy server can
also send an INVITE to a number of locations at the same time. This
...
... endpoints for the duration of
the session. For example, if the biloxi.com proxy server wished to
remain in the SIP messaging path beyond the initial INVITE ...
... Record-Route header field being passed back in
the 200 (OK)) Alice's softphone and stored for the duration of the
dialog. The biloxi.com proxy server would then receive and proxy the
ACK ...
... user agent client (UAC) and
generates requests. Unlike a proxy server, it maintains dialog
state and must participate in all requests sent on the dialogs
...
... service is used by a SIP redirect or
proxy server to obtain information about a callee's possible
location(s). It contains a list of bindings of address ...
... client for the purpose of making requests on
behalf of other clients. A proxy server primarily plays the
role of routing ...
... Sequential Search: In a sequential search, a proxy server attempts
each contact address in sequence, proceeding to the next one
...
... UAS when receiving a BYE request from the callee.
Similarly, the same software can act as a proxy server for one
request and as a redirect server for the next request.
...
... When a UAC sends a request, the request passes through some number of
proxy servers, which forward the request towards the UAS. When the
UAS ...
... In some architectures it may be desirable to reduce the processing
load on proxy servers that are responsible for routing requests, and
improve signaling ...
... frequently accomplished by SIP network elements such as proxy servers
and redirect servers which are responsible for receiving ...
... REGISTER requests. This location service is then
typically consulted by a proxy server that is responsible for routing
requests for that domain ...
... An illustration of the overall registration process is given in
Figure 2. Note that the registrar and proxy server are logical roles
that can be played by a single device in a network ...
... clarity the two are separated in this illustration. Also note that
UAs may send requests through a proxy server in order to reach a
registrar if the two are separate elements.
...
... reading that same data. A registrar MAY be co-located with a
particular SIP proxy server for the same domain.
...
... domain chicago.com. Her
registrations would then be used by a proxy server in the chicago.com
domain to route ...
... bindings for this address-of-record. Section 16.6 describes
how a proxy server uses this preference indication.
...
... REGISTER requests and maintains
a list of bindings that are accessible to proxy servers and redirect
servers within its administrative domain. A registrar handles
...
... domain identified in the
Request-URI. If not, and if the server also acts as a proxy
server, the server SHOULD forward the request to the addressed
domain, following the general behavior for proxying messages
...
... UA to query another UA or a proxy
server as to its capabilities. This allows a client to discover
information about the supported methods ...
... UA or a SIP server. If the OPTIONS is
addressed to a proxy server, the Request-URI is set without a user
part, similar to the way a Request-URI ...
... for the normative details.
If the response to an OPTIONS is generated by a proxy server, the
proxy returns a 200 (OK), listing the capabilities of the server.
...
... elements. Specifically, they exist within user agents and stateful
proxy servers. Consider the example in Section 4. In this example,
the UAC executes the client ...
... reason for the call failure.
This status is also returned by a redirect or proxy server that
recognizes the user identified by the Request-URI, but does not
...
... authentication in HTTP. Any time
that a proxy server or UA receives a request (with the exceptions
given in Section 22.1), it MAY challenge the initiator ...
...
Operators of user agents or proxy servers that will authenticate
received requests MUST adhere to the following guidelines for
...
...
Similarly, when a UAC sends a request to a proxy server, the proxy
server MAY authenticate the originator before the request is
...
... Similarly, when a UAC sends a request to a proxy server, the proxy
server MAY authenticate the originator before the request is
processed. If no credentials ...
... Any UA that wishes to authenticate itself to a proxy server --
usually, but not necessarily, after receiving a 407 (Proxy ...
... Proxy-Authorization header field, a proxy server MUST
attempt to parse all Proxy-Authorization ...
... Authorization header field values to
determine whether one of them has what the proxy server considers to
be valid credentials ...
... credentials. Because this is potentially very time-
consuming in large networks, proxy servers SHOULD use an
authentication scheme that supports realms in the Proxy ...
... header field.
If a request is forked (as described in Section 16.7), various proxy
servers and/or UAs may wish to challenge the UAC. In this case, the
...
... UAs may wish to challenge the UAC. In this case, the
forking proxy server is responsible for aggregating these challenges
into a single response. Each WWW-Authenticate and Proxy ...
... header field values is not significant.
When a proxy server issues a challenge in response to a request,
it will not proxy the request until the UAC ...
... credentials. A forking proxy may forward a
request simultaneously to multiple proxy servers that require
authentication, each of which in turn will not forward the request
until the originating UAC ...
... credentials for
each challenge, the proxy servers that issued the challenges will
not forward requests to the UA where the destination ...
... Implementers should note, however, that there
may be rare network intermediaries (not typical proxy servers) that
rely on viewing or modifying the bodies of SIP messages (especially
...
...
Header fields that can be legitimately modified by proxy servers are:
Request-URI, Via, Record-Route ...
... Authenticate. This category also includes those header fields that
can be changed by proxy servers (described in the preceding section).
UAs SHOULD never include these in an "inner" message if they are not
...
... SIP UAs route requests through trusted proxy
servers. Regardless of how that trust is established (authentication
...
... UA may trust a
proxy server to route a request, but not to inspect or possibly
modify the bodies contained in that request.
...
... encryption keys for a media session. Although it trusts the proxy
server of the domain it is contacting to deliver signaling properly,
...
... domain to be capable of
decrypting any subsequent media session. Worse yet, if the proxy
server were actively malicious, it could modify the session key,
either acting as a man-in-the-middle ...
... example). However, since many header fields are legitimately
inspected or altered by proxy servers as a request is routed, not all
header fields should be secured end-to-end ...
... services should be independent of
the means used to secure interactions with intermediaries such as
proxy servers.
...
... confidentiality, it would not be possible to forge the BYE. However,
some intermediaries (like proxy servers) will need to inspect those
parameters as the session is established.
...
...
In many architectures, SIP proxy servers face the public Internet in
order to accept requests from worldwide IP ...
... host for a given address-of-record in order to
use the registrar and any associated proxy servers as amplifiers in a
denial-of-service attack. Attackers ...
... architectures
so that SIP requests are routed correctly. Note that proxy servers
need to modify some features of messages as well (such as adding Via
header field ...
... header field values) in order for SIP to function. Proxy servers
must therefore be trusted, to some degree, by SIP UAs ...
... identity of its user to a
peer UA or to a proxy server, that identity should in some way be
verifiable. A cryptographic authentication mechanism ...
... hosts would be arduous. UAs that
have a pre-shared keying relationship with their first-hop proxy
server are also good candidates to use IPSec. Any deployment ...
... trust association. For example, Alice trusts
her local proxy server, which after a certificate exchange decides to
trust ...
... certificate exchange decides to
trust Bob's local proxy server, which Bob trusts, hence Bob and Alice
can communicate securely.
...
... a UA that sends requests over TLS to a proxy server has no assurance
that TLS will be used end-to-end ...
... SIP application. For
purposes of backwards compatibility, proxy servers, redirect servers,
and registrars SHOULD support TLS ...
... confidentiality is not appropriate because network
intermediaries (like proxy servers) need to view certain header
fields in order to route messages correctly, and if these
...
... UAs MAY also
be capable of acting as a TLS server. Proxy servers, redirect
servers, and registrars SHOULD possess a site certificate whose
...
... TLS connections as well.
Proxy servers, redirect servers, registrars, and UAs MUST implement
...
... Digest Authorization, encompassing all of the aspects required in 22.
Proxy servers, redirect servers, and registrars SHOULD be configured
with at least one Digest realm, and at least one "realm" string
...
... high
level, UAs authenticate themselves to servers (proxy servers,
redirect servers, and registrars) with a Digest username ...
... SHOULD leave this TLS connection open provided that the registrar
also acts as the proxy server to which requests are sent for users in
this administrative domain. The existing TLS connection ...
... TLS connection, all requests that come over this
connection are known to have passed through the proxy server -
attackers cannot create ...
... attackers cannot create spoofed requests that appear to have been
sent through that proxy server.
...
... outbound proxy.
The proxy server that handles inbound requests for an administrative
domain MAY also act as a local outbound proxy; for simplicity's sake
...
... client has completed the registration
process described in the preceding section, it SHOULD reuse the TLS
connection to the local proxy server when it sends an INVITE request
to another user. The UA ...
... Request-URI had corresponded to the local
domain (atlanta.com) rather than biloxi.com, then the proxy server
would have consulted its location service to determine how best to
...
... authenticated channel, he would be assured that
Alice's request had been authorized by the proxy server of the
local administrative domain.
...
... outbound proxy server at atlanta.com SHOULD therefore
establish a TLS connection with the remote proxy server at
biloxi.com. Since both of the participants in this TLS connection
...
... comparison with the header fields of SIP
messages. The atlanta.com proxy server, for example, SHOULD verify
at this stage that the certificate received from the remote side
...
... biloxi.com.
The proxy server at biloxi.com SHOULD inspect the certificate of the
proxy server ...
... proxy server at biloxi.com SHOULD inspect the certificate of the
proxy server at atlanta.com in turn and compare the domain asserted
by the certificate ...
... Once the INVITE has been approved by the biloxi proxy, the proxy
server SHOULD identify the existing TLS channel, if any, associated
...
... identity.
Before they forward the request, both proxy servers SHOULD add a
Record-Route header field ...
... Route header field to the request so that all future requests
in this dialog will pass through the proxy servers. The proxy
servers can thereby continue to provide security services for the
...
... header field to the request so that all future requests
in this dialog will pass through the proxy servers. The proxy
servers can thereby continue to provide security services for the
lifetime ...
... security services for the
lifetime of this dialog. If the proxy servers do not add themselves
to the Record-Route, future messages will pass directly end-to-end ...
... TCP connection to a UA. In
these cases, proxy servers could also potentially relay requests
to UAs in a way that has no trust ...
...
When the host on which a SIP proxy server is operating is routable
from the public Internet, it SHOULD be deployed in an administrative
domain ...
... No matter what security solutions are deployed, floods of messages
directed at proxy servers can lock up proxy server resources and
prevent desirable traffic ...
... security solutions are deployed, floods of messages
directed at proxy servers can lock up proxy server resources and
prevent desirable traffic from reaching its destination ...
... SIP transaction at
a proxy server, and that expense is greater for stateful proxy
servers than it is for stateless proxy servers ...
... transaction at
a proxy server, and that expense is greater for stateful proxy
servers than it is for stateless proxy servers. Therefore, stateful
...
... proxy server, and that expense is greater for stateful proxy
servers than it is for stateless proxy servers. Therefore, stateful
proxies are more susceptible to flooding ...
...
UAs and proxy servers SHOULD challenge questionable requests with
only a single 401 (Unauthorized) or 407 (Proxy Authentication
Required ...
...
In summary, the mutual authentication of proxy servers through
mechanisms such as TLS significantly reduces the potential for rogue
...
... domain is somewhat complex. It is possible that
cryptographically authenticated proxy servers along the way that are
non-compliant or compromised may choose to disregard the forwarding
rules associated with SIPS (and the general forwarding rules in
...
... record set that
effectively removes all SIPS records for a proxy server, then any
SIPS requests that traverse this proxy server may fail. When a user,
...
... removes all SIPS records for a proxy server, then any
SIPS requests that traverse this proxy server may fail. When a user,
however, sees that repeated calls to a SIPS AOR are failing, they
...
