RFC3261: SIP:26.2.1 传输和网络层安全

26.2.1 Transport and Network Layer Security
26.2.1 传输和网络层安全

   Transport or network layer security encrypts signaling traffic, guaranteeing message confidentiality and integrity.

传输或网络层安全性对信令流量进行加密，保证消息的机密性和完整性。

   Oftentimes, certificates are used in the establishment of lower-layer security, and these certificates can also be used to provide a means of authentication in many architectures.

通常，证书用于建立较低层的安全性，并且这些证书也可以用于在许多体系结构中提供身份验证手段。

   Two popular alternatives for providing security at the transport and network layer are, respectively, TLS [25] and IPSec [26].

​在传输层和网络层提供安全性的两种流行替代方案分别是TLS[25]和IPSec[26]。

   IPSec is a set of network-layer protocol tools that collectively can be used as a secure replacement for traditional IP (Internet Protocol).  IPSec is most commonly used in architectures in which a set of hosts or administrative domains have an existing trust relationship with one another.  IPSec is usually implemented at the operating system level in a host, or on a security gateway that provides confidentiality and integrity for all traffic it receives from a particular interface (as in a VPN architecture).  IPSec can also be used on a hop-by-hop basis.

IPSec是一组网络层协议工具，可以共同用作传统IP（互联网协议）的安全替代品。IPSec最常用于一组主机或管理域彼此之间具有现有信任关系的体系结构中。IPSec通常在主机的操作系统级别实现，或者在安全网关上实现，该安全网关为其从特定接口接收的所有流量提供机密性和完整性（如在VPN体系结构中）。IPSec也可以在逐跳的基础上使用。

   In many architectures IPSec does not require integration with SIP applications; IPSec is perhaps best suited to deployments in which adding security directly to SIP hosts would be arduous.  UAs that have a pre-shared keying relationship with their first-hop proxy server are also good candidates to use IPSec.  Any deployment of IPSec for SIP would require an IPSec profile describing the protocol tools that would be required to secure SIP.  No such profile is given in this document.

在许多体系结构中，IPSec不需要与SIP应用程序集成；IPSec可能最适合直接向SIP主机添加安全性的部署。与第一跳代理服务器具有预共享密钥关系的UA也是使用IPSec的好候选者。任何针对SIP的IPSec部署都需要描述保护SIP所需的协议工具的IPSec配置文件。本文件中未提供此类简介。

  TLS provides transport-layer security over connection-oriented protocols (for the purposes of this document, TCP); "tls" (signifying TLS over TCP) can be specified as the desired transport protocol within a Via header field value or a SIP-URI.  TLS is most suited to architectures in which hop-by-hop security is required between hosts with no pre-existing trust association.  For example, Alice trusts her local proxy server, which after a certificate exchange decides to trust Bob's local proxy server, which Bob trusts, hence Bob and Alice can communicate securely.

TLS通过面向连接的协议（就本文档而言，为TCP）提供传输层安全性；“tls”（表示TCP上的tls）可以在Via报头字段值或SIP-URI中指定为所需的传输协议。tls最适用于在没有预先存在的信任关联的主机之间需要逐跳安全的体系结构。例如，Alice信任她的本地代理服务器，在证书交换后，该服务器决定信任Bob信任的本地代理服务器。因此Bob和Alice可以安全地通信。

   TLS must be tightly coupled with a SIP application.  Note that transport mechanisms are specified on a hop-by-hop basis in SIP, thus a UA that sends requests over TLS to a proxy server has no assurance that TLS will be used end-to-end.

TLS必须与SIP应用程序紧密耦合。请注意，传输机制是在SIP中逐跳指定的，因此通过TLS向代理服务器发送请求的UA无法保证端到端使用TLS。

   The TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite [6] MUST be supported at a minimum by implementers when TLS is used in a SIP application.  For purposes of backwards compatibility, proxy servers, redirect servers, and registrars SHOULD support TLS_RSA_WITH_3DES_EDE_CBC_SHA. Implementers MAY also support any other ciphersuite.

​在SIP应用程序中使用TLS时，实现者必须至少支持TLS_RSA_WITH_AES_128_CBC_SHA密码套件[6]。出于向后兼容性的目的，代理服务器、重定向服务器和注册器应支持TLS_RSA_WITH_3DES_EDE_CBC_SHA。实现者还可以支持任何其他密码套件。