SIP/RTP compatibility and security issues

Hello, reporting a few issues with the SIP APIs.

  1. Looks like the OpenAI SIP servers require some level of TLS signalling but reject RTP encryption, leaving us with unencrypted audio over the open internet. And to top it off, the OpenAI server is sending a Contact header without transport=tls, and further optionally could use a sips: URI as per the SIP RFC (especially when the endpoint only supports TLS). Here is what OpenAI sends in Contact now:

Contact: <sip:OAI@sip.api.openai.com:5061>

This breaks some SIP implementations that would send unencrypted signals to port 5061 when the socket dies for some reason. I suggest you either encrypt everything or don’t encrypt anything, ideally letting the users choose in the admin panels plus allowing configurable transport. I understand that the transport param is deprecated, but it was used in the document here https://platform.openai.com/docs/guides/realtime-sip and is still widely used as a hint to the stack. Both sips and transport can cause compatibility issues, so it is advised to support any permutation.

  2. The bigger issue I have is that OpenAI doesn’t send useful error messages, either in SIP or TLS. It just sends error codes 400, 408 interchangeably and occasionally just hangs up with no Reason header. A helpful error header would help a lot. And ideally there should be debug logs available in the admin panels.
  3. Last but not least, we need IP ranges to configure firewalls properly. IPs change often, media is one subnet, signalling is another; we need both ranges.

Thank you.

  1. All media exchange should be SRTP using TLS signaling. This is a bug if not.
  2. Yes, this should be transport=tls. We’ll look into why this isn’t the case.
  3. This is a new API and there may be some bugs. Please post specific examples of incorrect behavior.
  4. We’ll post some info on this shortly.

Many different clients change the transport when sending ACK to UDP by default due to the lack of transport=tls in Contact:

Example

17:34:37.857225 IP 10.20.0.240.41979 > 172.65.182.150.5061: Flags [S], seq 3650208468, win 62727, options [mss 8961,sackOK,TS val 3493165477 ecr 0,nop,wscale 7], length 0
17:34:37.858095 IP 172.65.182.150.5061 > 10.20.0.240.41979: Flags [S.], seq 1618891692, ack 3650208469, win 65535, options [mss 1400,sackOK,TS val 23125452 ecr 3493165477,nop,wscale 13], length 0
17:34:37.858253 IP 10.20.0.240.41979 > 172.65.182.150.5061: Flags [P.], seq 1:518, ack 1, win 491, options [nop,nop,TS val 3493165478 ecr 23125452], length 517
17:34:37.859088 IP 172.65.182.150.5061 > 10.20.0.240.41979: Flags [.], ack 518, win 16, options [nop,nop,TS val 23125453 ecr 3493165478], length 0
17:34:37.865506 IP 172.65.182.150.5061 > 10.20.0.240.41979: Flags [P.], seq 1:2880, ack 518, win 16, options [nop,nop,TS val 23125459 ecr 3493165478], length 2879
17:34:37.865770 IP 10.20.0.240.41979 > 172.65.182.150.5061: Flags [.], ack 2880, win 469, options [nop,nop,TS val 3493165486 ecr 23125459], length 0
17:34:37.873322 IP 10.20.0.240.41979 > 172.65.182.150.5061: Flags [.], seq 518:1906, ack 2880, win 469, options [nop,nop,TS val 3493165493 ecr 23125459], length 1388
17:34:37.873347 IP 10.20.0.240.41979 > 172.65.182.150.5061: Flags [P.], seq 1906:2862, ack 2880, win 469, options [nop,nop,TS val 3493165493 ecr 23125459], length 956
17:34:37.874262 IP 172.65.182.150.5061 > 10.20.0.240.41979: Flags [.], ack 2862, win 16, options [nop,nop,TS val 23125468 ecr 3493165493], length 0
17:34:38.150371 IP 172.65.182.150.5061 > 10.20.0.240.41979: Flags [P.], seq 2880:3320, ack 2862, win 16, options [nop,nop,TS val 23125744 ecr 3493165493], length 440
17:34:38.192464 IP 10.20.0.240.41979 > 172.65.182.150.5061: Flags [.], ack 3320, win 466, options [nop,nop,TS val 3493165813 ecr 23125744], length 0
17:34:38.661052 IP 172.65.182.150.5061 > 10.20.0.240.41979: Flags [P.], seq 3320:3761, ack 2862, win 16, options [nop,nop,TS val 23126255 ecr 3493165813], length 441
17:34:38.661118 IP 10.20.0.240.41979 > 172.65.182.150.5061: Flags [.], ack 3761, win 463, options [nop,nop,TS val 3493166281 ecr 23126255], length 0
17:34:41.661148 IP 172.65.182.150.5061 > 10.20.0.240.41979: Flags [P.], seq 3761:4523, ack 2862, win 16, options [nop,nop,TS val 23129255 ecr 3493166281], length 762
17:34:41.661200 IP 10.20.0.240.41979 > 172.65.182.150.5061: Flags [.], ack 4523, win 458, options [nop,nop,TS val 3493169281 ecr 23129255], length 0
17:34:41.674616 IP 10.20.0.240.5060 > 172.65.182.150.5061: SIP: ACK sip:[my email]:5061 SIP/2.0
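
The transport fallback discussed above, as an added example that is not part of any post in this thread: a check that applies the RFC 3263 section 4.1 defaults to a Contact header and reports whether in-dialog requests such as ACK would leave TLS. It also covers the `sips:` and `transport=` permutations beyond the one header quoted in the thread; the function names are hypothetical and two of the sample headers are constructed.

```python
import re

# name-addr form only: URI parameters live inside the angle brackets.
_NAME_ADDR = re.compile(r"<(sips?):([^>;]+)((?:;[^>]*)?)>", re.I)

def parse_contact(header):
    """Return (scheme, hostport, uri_params) from a Contact header line."""
    m = _NAME_ADDR.search(header)
    if not m:
        raise ValueError("no <sip:...> URI in %r" % header)
    params = {}
    for item in m.group(3).split(";"):
        if item:
            key, _, value = item.partition("=")
            params[key.strip().lower()] = value.strip().lower()
    return m.group(1).lower(), m.group(2).strip(), params

def next_hop_transport(scheme, hostport, params):
    """Transport a client would pick for this URI (RFC 3263 section 4.1)."""
    host = hostport.rsplit("@", 1)[-1]
    hint = params.get("transport")
    if scheme == "sips" and hint in (None, "tcp", "tls"):
        return "tls"   # sips: always means TLS
    if hint:
        return hint    # explicit hint, including the deprecated transport=tls
    numeric = host.startswith("[") or re.fullmatch(r"[\d.]+(:\d+)?", host)
    if numeric or re.search(r":\d+$", host):
        return "udp"   # sip: URI with numeric host or explicit port defaults to UDP
    return "dns"       # left to NAPTR/SRV lookup, not decidable offline

def audit_contact(header, dialog_transport="tls"):
    """Return (transport, ok); ok is False when the dialog would leave TLS."""
    transport = next_hop_transport(*parse_contact(header))
    return transport, not (dialog_transport == "tls" and transport != "tls")

if __name__ == "__main__":
    samples = [
        "Contact: <sip:OAI@sip.api.openai.com:5061>",                # from the thread
        "Contact: <sip:OAI@sip.api.openai.com:5061;transport=tls>",  # constructed
        "Contact: <sips:OAI@sip.api.openai.com:5061>",               # constructed
    ]
    for line in samples:
        print(line, "->", audit_contact(line))
```
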

Thanks for the details. A fix for the Contact header issue has been deployed. We have also improved error responses with additional details.
