The Security Considerations Section of RFC 3261 begins with the following:
“SIP is not an easy protocol to secure. Its use of intermediaries, its multifaceted
trust relationships, its expected usage between elements with no trust at all, and
its user-to-user operation make security far from trivial.” [1]
SIP security is tricky, and there are many pitfalls for implementers and service
providers. This chapter will summarize some of the risks and threats and
point to the various mechanisms that can be used to protect against them. For
more detailed coverage of these points, including an introduction to cryptography
and security concepts, see Johnston and Piscitello [2].
Threats
This section will summarize the basic threats to SIP, by looking at two common
applications of SIP: session setup, and presence and IM. The following sections
will discuss security mechanisms to protect against problems involving them.