Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
Jiri Kuthan <jiri@iptel.org> Mon, 23 November 2009 08:23 UTC
Return-Path: <jiri@iptel.org>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9118B3A693F for <dispatch@core3.amsl.com>; Mon, 23 Nov 2009 00:23:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.553
X-Spam-Level:
X-Spam-Status: No, score=-1.553 tagged_above=-999 required=5 tests=[AWL=-0.443, BAYES_05=-1.11]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vqYtAYwkJnIv for <dispatch@core3.amsl.com>; Mon, 23 Nov 2009 00:23:10 -0800 (PST)
Received: from mail.iptel.org (smtp.iptel.org [213.192.59.67]) by core3.amsl.com (Postfix) with ESMTP id 456793A67F3 for <dispatch@ietf.org>; Mon, 23 Nov 2009 00:23:10 -0800 (PST)
Received: from [127.0.0.1] (shell.iptel.org [213.192.59.74]) by mail.iptel.org (Postfix) with ESMTP id 2360A37093A; Mon, 23 Nov 2009 09:23:05 +0100 (CET)
Message-ID: <4B0A4668.2090700@iptel.org>
Date: Mon, 23 Nov 2009 09:23:04 +0100
From: Jiri Kuthan <jiri@iptel.org>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Cullen Jennings <fluffy@cisco.com>
References: <F592E36A5C943E4E91F25880D05AD1140CC8E1F3@zrc2hxm0.corp.nortel.com> <4B01A877.4010306@iptel.org> <4B01B9E8.7050507@neustar.biz> <E6C2E8958BA59A4FB960963D475F7AC31A12B5F01F@mail> <812A0021-6334-49E4-8B91-BBC053B2132B@cisco.com>
In-Reply-To: <812A0021-6334-49E4-8B91-BBC053B2132B@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "dispatch@ietf.org" <dispatch@ietf.org>, Hadriel Kaplan <HKaplan@acmepacket.com>
Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2009 08:23:11 -0000
Cullen Jennings wrote: > > If we all believe the only thing SBC rewrite is the IP and port of the > media, I'm sure we can solve this in no time flat. I think there are certainly many who believe this is a reasonable thing to do .... > Unfortunately, when a > solution to solve that problem have been presented, it has become clear > that SBC change much more than that. ... and it would be probably more efficient than trying to overload the work with other interesting features. what are the next steps then? -jiri > > Cullen <in my individual contributor role> > > On Nov 18, 2009, at 12:11 PM, Hadriel Kaplan wrote: > >> >> Forget the NAT traversal piece, or even media steering, and just tell >> me what signing the IP Address/port in the SDP buys you. Not the >> whole SDP, just the IP/ports. Imagine if the media IP/ports were in a >> SIP header, and tell me why we MUST sign that header to get "SIP >> Identity". >> >> My claim is signing those IP/ports is neither necessary nor sufficient >> for the purposes of SIP Identity nor media identity. It's an emperor >> with no clothes, except we end up getting the bill for the clothing. >> >> It is not sufficient because it does not prove the authenticity and >> identity of the media. And I don't just mean in an academic sense of >> "prove". Not only can the media IP/ports still be spoofed and even >> intercepted - but nothing prevents me from just sending media from >> another address/port to get you to listen to my advertisement, >> instructions to call my number to "verify your credit card", or whatever. >> >> Only a media-plane mechanism will be sufficient for media identity, >> such as DTLS-SRTP. >> >> It is not necessary because, given a mechanism such as DTLS-SRTP >> (which *is* necessary for the property of media identity), signing the >> IP/ports is superfluous. It's making the mistake of confusing IP with >> an identity, vs. a routing identifier. (ie, the argument HIP makes) >> >> -hadriel >> >>> -----Original Message----- >>> From: dispatch-bounces@ietf.org [mailto:dispatch-bounces@ietf.org] On >>> Behalf Of Jon Peterson >>> Sent: Monday, November 16, 2009 3:45 PM >>> >>> To rehash arguments that have circulated in this discussion many times, >>> one must distinguish the NAT traversal case from the "media steering" >>> requirement that has motivated much of the re-examination of identity. >>> RFC4474 signatures are applied not by the user agent (at least not in >>> the typical case), but rather by a server operated by the user agent's >>> administrative domain. The administrative domain can more or less modify >>> signaling arbitrarily before adding an Identity header per RFC4474. >>> Thus, some sort of intermediary that modifies SIP signaling for the sake >>> of NAT traversal can work with RFC4474, provided that the intermediary >>> acts before the Identity header is added. >>> >>> While it can therefore be argued that RFC4474 does not rule out >>> intermediary-based NAT traversal entirely, it does protect against any >>> intermediary altering SDP once a request has left the originating >>> administrative domain with an Identity header. The "media steering" use >>> cases that challenge this design are predicated on an intermediary with >>> no necessary relationship to the originating or terminating >>> administrative domain unilaterally modifying SDP in transit, usually in >>> order to force layer 3 routing of media to pass through one or more >>> anchor points in a network - perhaps for the sake of drawing the traffic >>> across a managed circuit with carefully-managed quality, or to >>> facilitate lawful intercept, or what have you. It is that requirement >>> which I have consistently argued is equivalent to exposing this >>> mechanism to a man-in-the-middle attack. If we removed enough >>> protections in the design of RFC4474 to enable media steering by "good" >>> intermediaries, we are effectively also enabling any malicious entities >>> to change those aspects of SIP requests as well. >> _______________________________________________ >> dispatch mailing list >> dispatch@ietf.org >> https://www.ietf.org/mailman/listinfo/dispatch >
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- [dispatch] Identity Adhoc - Nov 9th: Notes availa… Mary Barnes
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Henry Sinnreich
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Francois Audet
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dean Willis
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Paul Kyzivat
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Bernard Aboba
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Cullen Jennings
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Elwell, John