I’m currently swimming through the deep waters of SIP RFCs in order to get an overview of TLS implementation requirements. Reading RFC 3428 – The SIP Message Extension – I found something I did not know. In section 11, Security Considerations, the RFC states:

In normal usage, most SIP requests are used to setup and modify communication sessions. The actual communication between participants happens in the media sessions, not in the SIP requests themselves. The MESSAGE method changes this assumption; MESSAGE requests normally carry the actual communication between participants as payload. This implies that MESSAGE requests have a greater need for security than most other SIP requests. In particular, UAs that support the MESSAGE request MUST implement end-to-end authentication, body integrity, and body confidentiality mechanisms.

I have seen quite a few implementations of MESSAGE, but none has been compliant with RFC 3428.
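One way to check a captured request against that requirement is to look at what the MESSAGE body actually is: a `text/plain` body sent over a TLS hop is protected only on that hop, while end-to-end protection in SIP is signalled by the S/MIME body types of RFC 3261 section 23 (`multipart/signed` with `protocol=application/pkcs7-signature`, or `application/pkcs7-mime` with `smime-type=enveloped-data` or `signed-data`). The checker below is an added example written for this post, not code from the original article or from any SIP stack. It parses an RFC 3261 request (compact header names and folded headers included), reads the hop transport from the top Via, classifies the body, and flags a MESSAGE whose body is cleartext. The two sample requests are constructed (the text body follows the RFC's own example; the `<CMS bytes>` body is a placeholder, not real CMS data), and the function names are mine.

```python
# Compact header names (RFC 3261 section 7.3.3) mapped to their long form.
COMPACT_HEADERS = {"c": "content-type", "l": "content-length", "e": "content-encoding",
                   "f": "from", "t": "to", "i": "call-id", "v": "via", "m": "contact"}


def parse_sip_request(raw: bytes) -> dict:
    """Split a SIP request into method, Request-URI, headers and body.
    Headers map lower-case long names to lists of values (Via may repeat).
    The body is cut to Content-Length when that header is present."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("utf-8").split("\r\n")
    method, request_uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError(f"unsupported SIP version: {version}")
    unfolded = []  # a line starting with SP/HTAB continues the previous header
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and unfolded:
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    headers = {}
    for line in unfolded:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        name = COMPACT_HEADERS.get(name.strip().lower(), name.strip().lower())
        headers.setdefault(name, []).append(value.strip())
    if "content-length" in headers:
        length = int(headers["content-length"][0])
        if length > len(body):
            raise ValueError("Content-Length exceeds available body")
        body = body[:length]
    return {"method": method, "request_uri": request_uri, "headers": headers, "body": body}


def _media_type(content_type: str):
    """Split 'type/subtype; p=v; q="w"' into ('type/subtype', {'p': 'v', 'q': 'w'})."""
    parts = [p.strip() for p in content_type.split(";")]
    params = {}
    for p in parts[1:]:
        key, sep, val = p.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip('"').lower()
    return parts[0].lower(), params


def classify_body_protection(headers: dict, body: bytes) -> str:
    """Return 'empty', 'cleartext', 'signed' or 'encrypted' from the S/MIME
    body types RFC 3261 section 23 defines. Header inspection only: the
    signature or envelope itself is not verified here."""
    if not body:
        return "empty"
    media, params = _media_type(headers.get("content-type", [""])[0])
    if media == "multipart/signed" and params.get("protocol") == "application/pkcs7-signature":
        return "signed"
    if media == "application/pkcs7-mime":
        if params.get("smime-type") == "enveloped-data":
            return "encrypted"
        if params.get("smime-type") == "signed-data":
            return "signed"
    return "cleartext"


def audit_request(raw: bytes) -> dict:
    """Report hop transport and body protection; flag a MESSAGE that relies on
    hop-by-hop transport security alone (RFC 3428 section 11)."""
    req = parse_sip_request(raw)
    top_via = req["headers"].get("via", [""])[0]          # "SIP/2.0/TLS host;branch=..."
    sent_protocol = top_via.split(" ", 1)[0]
    transport = sent_protocol.split("/")[-1].upper() if sent_protocol else "UNKNOWN"
    protection = classify_body_protection(req["headers"], req["body"])
    findings = []
    if req["method"] == "MESSAGE" and protection == "cleartext":
        findings.append("RFC 3428 section 11: MESSAGE body has no end-to-end integrity or "
                        f"confidentiality ({transport} protects only this hop)")
    return {"method": req["method"], "hop_transport": transport,
            "body_protection": protection, "findings": findings}


# Constructed samples. Compact 'c:'/'l:' headers and a folded Content-Type are deliberate.
CLEARTEXT_MESSAGE = (
    b"MESSAGE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/TLS alice-pc.example.com;branch=z9hG4bK776sgdkse\r\n"
    b"Max-Forwards: 70\r\nFrom: sip:alice@example.com;tag=49583\r\nTo: sip:bob@example.com\r\n"
    b"Call-ID: asd88asd77a@1.2.3.4\r\nCSeq: 1 MESSAGE\r\n"
    b"c: text/plain\r\nl: 18\r\n\r\nWatson, come here."
)
ENCRYPTED_MESSAGE = (
    b"MESSAGE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP alice-pc.example.com;branch=z9hG4bK776sgdkse\r\n"
    b"Max-Forwards: 70\r\nFrom: sip:alice@example.com;tag=49584\r\nTo: sip:bob@example.com\r\n"
    b"Call-ID: asd88asd77b@1.2.3.4\r\nCSeq: 2 MESSAGE\r\n"
    b"Content-Type: application/pkcs7-mime; smime-type=enveloped-data;\r\n  name=smime.p7m\r\n"
    b"Content-Transfer-Encoding: binary\r\nContent-Length: 11\r\n\r\n<CMS bytes>"  # placeholder body
)

if __name__ == "__main__":
    for sample in (CLEARTEXT_MESSAGE, ENCRYPTED_MESSAGE):
        print(audit_request(sample))
```

The first sample is the case the RFC warns about: the Via line says TLS, yet the conversation text is readable by every proxy on the path, so the checker reports a finding. The second carries an S/MIME envelope over plain UDP and passes, because the confidentiality the RFC asks for lives in the body, not in the transport. A full implementation would go on to verify the signature or decrypt the envelope; this checker only tells you whether there is anything there to verify.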

The SIP MESSAGE method provides a way to send short messages over SIP, either within a dialog or outside of one. MESSAGE requests do not create a dialog, so there is no “session”. For chat sessions, MSRP – the Message Session Relay Protocol (RFC 4975) – was developed. I’ll try to write more about that protocol in another blog post.