SIP Transports (UDP / TCP / TLS / WSS)
SIP can run over four transports: UDP, TCP, TLS, and WebSocket Secure (WSS). They differ in reliability, encryption, NAT behavior, and latency. Picking the wrong transport is one of the most common reasons VoIP deployments break in production.
Transport comparison
| Transport | Encrypted | Connection-oriented | Default port | Best for |
|---|---|---|---|---|
| UDP | No | No | 5060 | Carrier interconnects on private networks |
| TCP | No | Yes | 5060 | SIP messages >1300 bytes (avoids UDP fragmentation) |
| TLS | Yes (TLS 1.2/1.3) | Yes | 5061 | Public internet, encrypted SIP signaling |
| WSS | Yes | Yes | 443 / 7443 | Browser-based SIP (WebRTC softphones) |
UDP: the historic default (and its problems)
SIP was designed assuming UDP. It is fast, stateless, and the SIP layer handles its own retransmissions (T1=500ms, T2=4s). For carrier interconnects on trusted private networks, UDP is fine.
Problems on the public internet:
- Fragmentation: a SIP INVITE with SDP often exceeds the 1500-byte MTU. UDP fragments are dropped by many firewalls. RFC 3261 says any message >1300 bytes must use TCP.
- NAT mapping timeout: NAT routers expire UDP mappings in 30-60 seconds. SIP keepalives (CRLF or OPTIONS pings every 30s) are required.
- No encryption: SIP credentials are visible to anyone on the path.
TCP: solves fragmentation
Same default port (5060), connection-oriented. Used automatically by most SIP stacks when the SIP message body exceeds 1300 bytes. Solves UDP fragmentation but adds connection overhead.
Still unencrypted. Don't run plain TCP on the public internet. Either use TLS or restrict TCP to private networks.
TLS: the modern public-internet default
SIP-over-TLS uses TCP port 5061 by default. It encrypts the entire SIP signaling channel including auth credentials.
What TLS protects: SIP headers, From/To/Contact, auth digests, SDP body. Note: TLS does not encrypt RTP media — you need SRTP (keyed via DTLS-SRTP or SDES) for that.
# Asterisk pjsip TLS transport [transport-tls] type=transport protocol=tls bind=0.0.0.0:5061 cert_file=/etc/asterisk/keys/asterisk.crt priv_key_file=/etc/asterisk/keys/asterisk.key ca_list_file=/etc/asterisk/keys/ca-bundle.crt method=tlsv1_2 # or tlsv1_3
WSS: SIP for browsers
WebSocket Secure runs over HTTPS port 443 (or carrier-defined like 7443). Browsers cannot open raw UDP/TCP/TLS sockets, so WSS is the only way to do SIP from a browser. See SIP WSS glossary.
Picking the right transport
- Carrier-to-PBX over private network: UDP is fine, lowest latency.
- PBX-to-carrier over public internet: always TLS. Use port 5061. Verify cert.
- Browser softphone: WSS only.
- Carrier-to-carrier interconnect: TLS + mTLS (mutual cert auth).
- SIP phones in a corporate office: TLS internally; UDP only if all traffic stays on a managed VLAN.
DNS NAPTR / SRV for transport discovery
SIP clients can discover the right transport via DNS. NAPTR records advertise supported transports; SRV records give the host/port. Modern stacks query _sips._tcp.<domain> for TLS, fall back to _sip._tcp.<domain> for TCP, then _sip._udp.<domain>.
$ dig +short SRV _sips._tcp.didhub.io 10 5 5061 sip.didhub.io. $ dig +short SRV _sip._udp.didhub.io 10 5 5060 sip.didhub.io.
Related terms
SIP over WebSocket (WSS)
SIP Authentication (Digest vs IP-ACL vs mTLS)
SIP INVITE
DTLS-SRTP (Encrypted Media Keying)
SRTP (Secure RTP)
IPv4 vs IPv6 in SIP / VoIP
Ready to get a number?
Pick a DID in 130+ countries from $1.99/month. Activates instantly on most numbers.