Trusting SIP messages from external domains
The general approach for providing secure communications between two independent domains or communities (each maintaining distinct directories) relies on identity assertion, where a trust relationship is established between two distinct domains using a certificate exchange during the setup of the physical SSL connection between the two domains.
Authentication of Session Initiation Protocol (SIP) messages sent by end users needs to occur only in the local domain for the user. All user messages pass through the SIP container local domain before being sent on to the external domain. If a message is received from an external domain over a secured connection that is mutually authenticated as described in the following steps, the message is assumed to have been authenticated by the external domain because of the trust relationship. An administrator can enable support for external domains in the SIP proxy as follows:
- Enable client authentication within the SSL repertoire assigned to all the inbound channel chains (or endpoints) that are to receive inbound connections from external domains.
- Ensure that all trusted certificate authorities are set up in the trust store assigned to the SSL repertoires mentioned in the previous step. Set up the asymmetric key pair (public and private keys) for the local domain, with the proper chain of certificates that is associated with the local domain.
- Configure the distinguished names (DNs) associated with the external domains to support. The DN is part of the X.509 certificate that is sent by the external domain server when the SSL connection is set up. Within the configuration model, each SIP external domain entry includes a field for the external DN.
- Assuming that the SIP infrastructure is deployed within each domain, provide the DN that is included in the local domain's public certificate to the external domain administrator. With this action, the external domain administrator can configure the proper external DN.
With this approach, the Java Secure Socket Extension (JSSE) is responsible for authorizing the certificate that is received over a new inbound connection from an external domain. This authorization is based on the agreed-upon certificate authorities whose certificates are set up in the local trust store. If the external domain certificate is authorized, it is then the responsibility of the SIP proxy to filter the connections, based on the DN that is associated with the external domain certificate. The proxy also validates outbound connections by ensuring that the DN that is received in the remote server certificate matches the DN configured for the external domain.
The SIP proxy must recognize when identity assertion is in use so that it can inform the SIP container that no message authentication is required over this mutually authenticated connection. This communication is done by adding the P-Preferred-Identity SIP header, which is described in RFC 3325, in all SIP messages sent from the proxy to the SIP container that arrive over the authenticated connection. The SIP container only recognizes this header when it is received from a device that resides in the trusted domain, specifically the SIP proxy. It is up to the SIP proxy to remove this header from any inbound messages that are received over any connections to remote devices that are not considered part of the trusted domain. We can also use this header to support the addition of proxy authentication.
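The two proxy duties described above, DN filtering after JSSE has validated the chain and control of the P-Preferred-Identity header, are sketched below as an added example; it is not the product's code. The class name, method names, DNs and SIP URIs are hypothetical, and the header value is passed in by the caller because this page does not say how it is derived.

```java
import java.util.*;
import javax.security.auth.x500.X500Principal;

// Added illustration: hypothetical class, not the SIP proxy's own API.
public class ExternalDomainFilter {
    static final String IDENTITY_HEADER = "P-Preferred-Identity"; // header named on this page

    private final Set<X500Principal> trustedDns = new HashSet<>();

    ExternalDomainFilter(Collection<String> configuredDns) {
        for (String dn : configuredDns) trustedDns.add(new X500Principal(dn));
    }

    // peer is the value SSLSession.getPeerPrincipal() yields once JSSE has
    // accepted the certificate chain; null models a connection without one.
    boolean isTrustedPeer(X500Principal peer) {
        // X500Principal.equals() compares the canonical DN form, so case and
        // spacing differences in the configured string do not cause a mismatch.
        return peer != null && trustedDns.contains(peer);
    }

    // Returns the headers to forward to the SIP container.
    List<String> filter(X500Principal peer, List<String> headers, String identity) {
        List<String> out = new ArrayList<>();
        for (String h : headers) {
            int colon = h.indexOf(':');
            String name = (colon < 0 ? h : h.substring(0, colon)).trim();
            // SIP header names are case-insensitive. Any copy supplied by the
            // sender is dropped so that only the proxy can assert identity.
            if (!name.equalsIgnoreCase(IDENTITY_HEADER)) out.add(h);
        }
        if (isTrustedPeer(peer)) out.add(IDENTITY_HEADER + ": " + identity);
        return out;
    }

    public static void main(String[] args) {
        ExternalDomainFilter f = new ExternalDomainFilter(
            List.of("CN=sip.partner.example, O=Partner, C=US")); // constructed DN
        List<String> msg = List.of(                              // constructed message headers
            "From: <sip:alice@partner.example>",
            "p-preferred-identity: <sip:admin@local.example>"); // supplied by the sender
        X500Principal known = new X500Principal("CN=SIP.Partner.Example,O=partner,C=us");
        X500Principal other = new X500Principal("CN=sip.other.example, O=Other, C=US");
        System.out.println(f.filter(known, msg, "<sip:alice@partner.example>"));
        System.out.println(f.filter(other, msg, "<sip:alice@partner.example>"));
    }
}
```

Comparing parsed principals rather than raw DN strings avoids rejecting a legitimate peer over formatting, and stripping the header before deciding whether to add it means a certificate that chains to a trusted CA but carries an unconfigured DN never reaches the container with an identity assertion.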