Re: [dane] DANE SRV draft and SIP
Viktor Dukhovni <viktor1dane@dukhovni.org> Tue, 23 April 2013 22:38 UTC
Return-Path: <viktor1dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35BC921F935D for <dane@ietfa.amsl.com>; Tue, 23 Apr 2013 15:38:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.431
X-Spam-Level:
X-Spam-Status: No, score=-2.431 tagged_above=-999 required=5 tests=[AWL=0.168, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZAjBCp7ZUOxf for <dane@ietfa.amsl.com>; Tue, 23 Apr 2013 15:38:39 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [208.77.212.107]) by ietfa.amsl.com (Postfix) with ESMTP id 54CDB21F937D for <dane@ietf.org>; Tue, 23 Apr 2013 15:38:39 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id A86182AAA84; Tue, 23 Apr 2013 22:38:38 +0000 (UTC)
Date: Tue, 23 Apr 2013 22:38:38 +0000
From: Viktor Dukhovni <viktor1dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20130423223838.GX23664@mournblade.imrryr.org>
References: <A4E7BF8C-AF95-4669-8855-497C46067C1A@edvina.net> <CAL02cgQSYF_1Ywwa1nEWYPDapR265BZ+yMQ7Xg+uf1AWxhCWDw@mail.gmail.com> <41F21ED5-04F6-4088-BEDD-664E6041A263@edvina.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <41F21ED5-04F6-4088-BEDD-664E6041A263@edvina.net>
User-Agent: Mutt/1.5.21 (2010-09-15)
Subject: Re: [dane] DANE SRV draft and SIP
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2013 22:38:40 -0000
On Tue, Apr 23, 2013 at 10:34:02PM +0200, Olle E. Johansson wrote: > RFC 5922 will still apply for non-DANE clients - but my biggest > worry is the certificates. > > RFC 5922 hasn't really been used, I've seen no commercial vendors that > sign certs with SIP URI's in subj alt names. If a server needs to support > both (and doesn't support TLS SNI) the certificate requirements will lead > to a messy cert indeed. We will have to have server names for all the > servers in the SRV DNS alt names, all the supported SIP domains in URI > subj alt names. That's quite a lot of information in one certificate for > a service, and something that will be hard to get people to create and > install. Perhaps the lack of deployment of the public CA PKI with SIP is not unrelated to similar lack of deployment with SMTP. If the legacy PKI is neither used nor usable, then the specification defining it is practically irrelevant. So unlike the browser case you could perhaps assume that DANE is starting with a clean slate. > If we're not going down this route, which name do we use in DNS to find data > related to the SIP certificate for a domain? Presumably the goal with SIP is to build a hop-by-hop secure channel to a given destination. With protocols like SMTP that obtain peer gateway information from DNS, this leads to two questions: - How do you securely determine the peer gateway endpoint. - How do you establish a secure connection to that endpoint. Before DNSSEC the first question had no adequate answer, so all the security effort went into overloading a single certificate to answer both questions by authenticating the gateway's association with the destination domain. This scales poorly and deployments are isolated islands. With DNSSEC and DANE the two questions become independent. - Use DNSSEC to securely obtain a binding from the destination domaint to the gateway. - Use certificates to authenticate the gateway connection. This means that the gateway certificate with DANE encodes the name of the gateway ideally in a subjectAltName that also specifies the protocol or service. So I would go with: sip:gateway.example.com as the name in a DANE-compatible SIP server certificate. I would also strongly recommend that any server publish exclusively "IN TLSA 3 1 1 ?" associations, which make the name in the certificate moot, since these certificates are matched by public-key alone. They can carry the legacy altnames for the old PKI if desired. If an organization wishes to deploy a multi-level PKI, and publish "IN TLSA 2 1 1" associations, then the name comes into play, and the server may need to support SNI when virtual hosting 3rd-party domains with TLS security. In practice this may be sufficiently inconvenient that almost nobody does it. This brings us back to my upthread point about "discovery" of TLS support. With SMTP we have a fortuitous accident, nothing in either the email address or the MX record gives us any information about TLS. This means that we can overload DANE TLSA RRs to securely infer TLS support *with* DANE verification (falling back to just mandatory TLS when all the TLSA RRs are unusable). With SIP, if I understood correctly, TLS transport is encoded in NAPTR records, which are not DANE-specific. This creates a problem, because NAPTR might mean TLS with legacy PKI and perhaps DANE, if appropriate TLSA records are found. So a SIP domain can't signal TLS support to DANE-enabled clients without also signalling TLS support to legacy PKI clients. My proposal would be to find a way to use DANE TLSA RRs to *upgrade* what look to legacy clients like non-TLS NAPTR records to TLS. Then, one can deploy servers that only support TLS with DANE, and non-DANE clients get legacy (in)security. (This would mimmic closely the SMTP situation where sans TLSA RRs, there is no explicit security except by prior bilateral arrangement). If you're stuck with bolting DANE into a TLS channel implied by NAPTR records that apply to both legacy and DANE PKIs, then indeed the certificate requirements are rather messy, but in that case using exclusively "IN TLSA 3 1 1" gets the server out of any DANE-specific naming mess. It need only support SANs for the legacy PKI, with "3 1 1" only the server public key is relevant with DANE (there is a bug to fix in draft-ietf-dane-srv in this respect, as it incorrectly requires name checks for all certificate usages). For SIP neophites like me, can you sketch out the channel discovery in a bit more detail, by posting a complete example of all the relevant DNS records for some hypothetical SIP service @example.com? What does the phone do? What does its local gateway do? Is DANE intended to be pertinent for both, or are we primarily interested in the gateway-to-gateway traffic? -- Viktor.
- [dane] DANE SRV draft and SIP Olle E. Johansson
- Re: [dane] DANE SRV draft and SIP Warren Kumari
- Re: [dane] DANE SRV draft and SIP Viktor Dukhovni
- Re: [dane] DANE SRV draft and SIP Olle E. Johansson
- Re: [dane] DANE SRV draft and SIP Olle E. Johansson
- Re: [dane] DANE SRV draft and SIP Richard Barnes
- Re: [dane] DANE SRV draft and SIP Olle E. Johansson
- Re: [dane] DANE SRV draft and SIP James Cloos
- Re: [dane] DANE SRV draft and SIP Viktor Dukhovni