| Revision as of 16:17, 23 October 2013 editK7L (talk | contribs)Extended confirmed users9,362 editsm K7L moved page Sips URI scheme to SIP address: include sip: and sips: together as they are part of the same RFC← Previous edit | Latest revision as of 07:29, 17 September 2022 edit undoLapsus Linguae (talk | contribs)Extended confirmed users1,228 editsm →Spam and security issues: Update wikilink. | ||
| (29 intermediate revisions by 10 users not shown) | |||
| Line 1: | Line 1: | ||
| {{Short description|Addressing format}} | |||
| The '''SIP URI scheme''' is a ] (URI) scheme for the ] (SIP) multimedia communications protocol. A '''SIP address''' is a URI that addresses a specific ] on a ] system. Such a number could be a ] or an ] telephone number dialled through a specific gateway. The scheme was defined in {{IETF RFC|3261}}. | |||
| The SIP and SIPS URI schemes are described in , which defines the ]. The default Internet port address is :5060 for sip: and :5061 for sips: unless explicitly specified in the URI. | |||
| ==Operation== | ==Operation== | ||
| A SIP address is written in user@domain.tld format in a similar fashion to an ]. An address like: | |||
| An address like: | |||
| : sip:1-999-123-4567@voip-provider.example.net | : '''<nowiki>sip:1-999-123-4567@voip-provider.example.net</nowiki>''' | ||
| instructs a SIP client to |
instructs a SIP client to use the ] and ] schemes to look up the SIP server associated with the ] name voip-provider.example.net and connect to that server. If those records are not found, but the name is associated with an IP address, the client will directly contact the SIP server at that IP address on port 5060, by default using the ] transport protocol.<ref>{{cite IETF |rfc=3263 |title=Session Initiation Protocol (SIP): Locating SIP Servers}}</ref> It will ask the server (which may be a gateway) to be connected to the destination user at 1-999-123-4567. The gateway may require the user REGISTER using SIP before placing this call. If a destination port is provided as part of the SIP URI, the NAPTR/SRV lookups are not used; rather, the client directly connects to the specified host and port. | ||
| As a SIP address is text, much like an e-mail address, it may contain non-numeric characters. As the client may be a ] or other device with just a numeric, telephone-like keypad, various schemes exist to associate an entirely |
As a SIP address is text, much like an e-mail address, it may contain non-numeric characters. As the client may be a ] or other device with just a numeric, telephone-like keypad, various schemes exist to associate an entirely numeric identifier to a publicly reachable SIP address. These include the ] (which issues E.164-formatted numbers, where the corresponding SIP address is the number '@sip.inum.net'), SIP Broker-style services (which associate a numeric *prefix to the SIP domain name) and the ] and ] domain name servers (which convert numbers to addresses one-by-one as DNS reverse-lookups). | ||
| SIP addresses may be used directly in configuration files (for instance, in ] installations) or specified through the web interface of a voice-over-IP gateway provider (usually as a ] destination or an address book entry). Systems which allow ] from a user's address book using a ] may allow a short numeric code (like *75xx) to be translated to a pre-stored alphanumeric SIP address. | |||
| ==Spam and security issues== | ==Spam and security issues== | ||
| In theory, the owner of a SIP-capable telephone handset could publish a SIP address from which they could be freely and directly reached worldwide, in much the same way that ] e-mail recipients may be contacted from anywhere at almost no cost to the message sender. Anyone with a broadband connection could install a ] (such as ]) and call any of these SIP addresses for free. | In theory, the owner of a SIP-capable telephone handset could publish a SIP address from which they could be freely and directly reached worldwide, in much the same way that ] e-mail recipients may be contacted from anywhere at almost no cost to the message sender. Anyone with a broadband connection could install a ] (such as ]) and call any of these SIP addresses for free. | ||
| In practice, various forms of ] are discouraging creation and publication of openly |
In practice, various forms of ] are discouraging creation and publication of openly reachable SIP addresses: | ||
| * The ] which has rendered SMTP the "spam mail transport protocol" could potentially make published sip: numbers unusable as the numbers are flooded with automatic announcement devices delivering pre-recorded advertisements. Unlike mailto:, sip: establishes a voice call which interrupts the human recipient in real time with a ringing telephone. | * The ] which has rendered SMTP the "spam mail transport protocol" could potentially make published sip: numbers unusable as the numbers are flooded with ], usually automatic announcement devices delivering pre-recorded advertisements. Unlike <nowiki>mailto:</nowiki>, sip: establishes a voice call which interrupts the human recipient in real time with a ringing telephone. | ||
| * SIP is vulnerable to ] as the displayed name and number, much like the return address on e-mail, is supplied by the sender and not authenticated. | * SIP is vulnerable to ] as the displayed name and number, much like the return address on e-mail, is supplied by the sender and not authenticated. | ||
| * Servers supporting inbound sip: connections are routinely targeted with unauthorised REGISTER attempts with random numeric usernames and passwords, a ] intended to impersonate individual ]s on the local PBX | * Servers supporting inbound sip: connections are routinely targeted with unauthorised REGISTER attempts with random numeric usernames and passwords, a ] intended to impersonate individual ]s on the local PBX | ||
| * Servers supporting inbound sip: connections are also targeted with unsolicited attempts to reach outside numbers, usually premium-rate destinations such as caller-pays-airtime mobile exchanges in foreign countries. | * Servers supporting inbound sip: connections are also targeted with unsolicited attempts to reach outside numbers, usually premium-rate destinations such as caller-pays-airtime mobile exchanges in foreign countries. | ||
| In the server logs, this looks like: | In the server logs, this looks like: | ||
| : NOTICE: chan_sip.c:21614 handle_request_invite: Call from '' to extension '011972599950423' rejected because extension not found in context 'default'. | : NOTICE: chan_sip.c:21614 handle_request_invite: Call from '<nowiki/>' to extension '011972599950423' rejected because extension not found in context 'default'. | ||
| : NOTICE: chan_sip.c:21614 handle_request_invite: Call from '' to extension '9011972599950423' rejected because extension not found in context 'default'. | : NOTICE: chan_sip.c:21614 handle_request_invite: Call from '<nowiki/>' to extension '9011972599950423' rejected because extension not found in context 'default'. | ||
| : NOTICE: chan_sip.c:21614 handle_request_invite: Call from '' to extension '7011972599950423' rejected because extension not found in context 'default'. | : NOTICE: chan_sip.c:21614 handle_request_invite: Call from '<nowiki/>' to extension '7011972599950423' rejected because extension not found in context 'default'. | ||
| : NOTICE: chan_sip.c:21614 handle_request_invite: Call from '' to extension '972599950423' rejected because extension not found in context 'default'. | : NOTICE: chan_sip.c:21614 handle_request_invite: Call from '<nowiki/>' to extension '972599950423' rejected because extension not found in context 'default'. | ||
| an attempt to call a Palestinian mobile telephone (Israel, country code +972) by randomly trying 9- (a common code for an outside line from an office PBX), 011- (the overseas call prefix in the ] and 7- (on the off-chance a PBX is using it instead of 9- for an outside line). Security tools such as ]s or ] must therefore be deployed to prevent unauthorised outside call attempts; many VoIP providers also disable overseas calls to all but countries specifically requested as enabled by the subscriber. | an attempt to call a Palestinian mobile telephone (Israel, country code +972) by randomly trying 9- (a common code for an outside line from an office PBX), 011- (the overseas call prefix in the ]) and 7- (on the off-chance a PBX is using it instead of 9- for an outside line). Security tools such as ]s or ] must therefore be deployed to prevent unauthorised outside call attempts; many VoIP providers also disable overseas calls to all but countries specifically requested as enabled by the subscriber. | ||
| == |
==SIPS URI scheme== | ||
| The SIPS |
The SIPS URI scheme adheres to the syntax of the ] ], differing only in that the scheme is <code>sips</code> rather than <code>sip</code>. The default Internet port address for SIPS is 5061 unless explicitly specified in the URI. | ||
| SIPS allows resources to specify that they should be reached securely. It mandates that each hop over which the request is forwarded up to the target domain must be secured with ]. The last hop from the proxy of the target domain to the user agent has to be secured according to local policies. | SIPS allows resources to specify that they should be reached securely. It mandates that each hop over which the request is forwarded up to the target domain must be secured with ]. The last hop from the proxy of the target domain to the user agent has to be secured according to local policies. | ||
| Line 35: | Line 36: | ||
| ==See also== | ==See also== | ||
| * ] and ] | |||
| * ] | |||
| * ] | |||
| * ] | * ] | ||
| * ] key exchange method | * ] key exchange method | ||
| * ] end-to-end key exchange proposal | * ] end-to-end key exchange proposal | ||
| ==References== | |||
| {{Internet-stub}} | |||
| {{Reflist}} | |||
| {{URI scheme}} | {{URI scheme}} | ||
| ] | ] | ||
Latest revision as of 07:29, 17 September 2022
Addressing formatThe SIP URI scheme is a Uniform Resource Identifier (URI) scheme for the Session Initiation Protocol (SIP) multimedia communications protocol. A SIP address is a URI that addresses a specific telephone extension on a voice over IP system. Such a number could be a private branch exchange or an E.164 telephone number dialled through a specific gateway. The scheme was defined in RFC 3261.
Operation
A SIP address is written in user@domain.tld format in a similar fashion to an email address. An address like:
- sip:1-999-123-4567@voip-provider.example.net
instructs a SIP client to use the NAPTR and SRV schemes to look up the SIP server associated with the DNS name voip-provider.example.net and connect to that server. If those records are not found, but the name is associated with an IP address, the client will directly contact the SIP server at that IP address on port 5060, by default using the UDP transport protocol. It will ask the server (which may be a gateway) to be connected to the destination user at 1-999-123-4567. The gateway may require the user REGISTER using SIP before placing this call. If a destination port is provided as part of the SIP URI, the NAPTR/SRV lookups are not used; rather, the client directly connects to the specified host and port.
As a SIP address is text, much like an e-mail address, it may contain non-numeric characters. As the client may be a SIP phone or other device with just a numeric, telephone-like keypad, various schemes exist to associate an entirely numeric identifier to a publicly reachable SIP address. These include the iNum Initiative (which issues E.164-formatted numbers, where the corresponding SIP address is the number '@sip.inum.net'), SIP Broker-style services (which associate a numeric *prefix to the SIP domain name) and the e164.org and e164.arpa domain name servers (which convert numbers to addresses one-by-one as DNS reverse-lookups).
SIP addresses may be used directly in configuration files (for instance, in Asterisk (PBX) installations) or specified through the web interface of a voice-over-IP gateway provider (usually as a call forwarding destination or an address book entry). Systems which allow speed dial from a user's address book using a vertical service code may allow a short numeric code (like *75xx) to be translated to a pre-stored alphanumeric SIP address.
Spam and security issues
In theory, the owner of a SIP-capable telephone handset could publish a SIP address from which they could be freely and directly reached worldwide, in much the same way that SMTP e-mail recipients may be contacted from anywhere at almost no cost to the message sender. Anyone with a broadband connection could install a softphone (such as Ekiga) and call any of these SIP addresses for free.
In practice, various forms of network abuse are discouraging creation and publication of openly reachable SIP addresses:
- The spam which has rendered SMTP the "spam mail transport protocol" could potentially make published sip: numbers unusable as the numbers are flooded with VoIP spam, usually automatic announcement devices delivering pre-recorded advertisements. Unlike mailto:, sip: establishes a voice call which interrupts the human recipient in real time with a ringing telephone.
- SIP is vulnerable to Caller ID spoofing as the displayed name and number, much like the return address on e-mail, is supplied by the sender and not authenticated.
- Servers supporting inbound sip: connections are routinely targeted with unauthorised REGISTER attempts with random numeric usernames and passwords, a brute force attack intended to impersonate individual off-premises extensions on the local PBX
- Servers supporting inbound sip: connections are also targeted with unsolicited attempts to reach outside numbers, usually premium-rate destinations such as caller-pays-airtime mobile exchanges in foreign countries.
In the server logs, this looks like:
- NOTICE: chan_sip.c:21614 handle_request_invite: Call from '' to extension '011972599950423' rejected because extension not found in context 'default'.
- NOTICE: chan_sip.c:21614 handle_request_invite: Call from '' to extension '9011972599950423' rejected because extension not found in context 'default'.
- NOTICE: chan_sip.c:21614 handle_request_invite: Call from '' to extension '7011972599950423' rejected because extension not found in context 'default'.
- NOTICE: chan_sip.c:21614 handle_request_invite: Call from '' to extension '972599950423' rejected because extension not found in context 'default'.
an attempt to call a Palestinian mobile telephone (Israel, country code +972) by randomly trying 9- (a common code for an outside line from an office PBX), 011- (the overseas call prefix in the North American Numbering Plan) and 7- (on the off-chance a PBX is using it instead of 9- for an outside line). Security tools such as firewalls or fail2ban must therefore be deployed to prevent unauthorised outside call attempts; many VoIP providers also disable overseas calls to all but countries specifically requested as enabled by the subscriber.
SIPS URI scheme
The SIPS URI scheme adheres to the syntax of the SIP URI, differing only in that the scheme is sips rather than sip. The default Internet port address for SIPS is 5061 unless explicitly specified in the URI.
SIPS allows resources to specify that they should be reached securely. It mandates that each hop over which the request is forwarded up to the target domain must be secured with TLS. The last hop from the proxy of the target domain to the user agent has to be secured according to local policies.
SIPS protects against attackers which try to listen on the signaling link. It does not provide real end-to-end security, since encryption is only hop-by-hop and every single intermediate proxy has to be trusted.
See also
- Federated VoIP and telephone number mapping
- e164.arpa
- Security Descriptions for SDP
- Mikey key exchange method
- ZRTP end-to-end key exchange proposal
References
| Uniform Resource Identifier (URI) schemes | |
|---|---|
| Official | |
| Unofficial | |
| Protocol list | |