IETF Logo Mail Archive

Re: [dispatch] draft-lawrence-sip-3rd-party-authorization-00

"Scott Lawrence" <scott.lawrence@nortel.com> Tue, 26 May 2009 14:43 UTC

Return-Path: <scott.lawrence@nortel.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9327828C31A for <dispatch@core3.amsl.com>; Tue, 26 May 2009 07:43:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.064
X-Spam-Level:
X-Spam-Status: No, score=-6.064 tagged_above=-999 required=5 tests=[AWL=0.535, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vEFIBlfbBXsg for <dispatch@core3.amsl.com>; Tue, 26 May 2009 07:43:07 -0700 (PDT)
Received: from zrtps0kp.nortel.com (zrtps0kp.nortel.com [47.140.192.56]) by core3.amsl.com (Postfix) with ESMTP id 24C943A710B for <dispatch@ietf.org>; Tue, 26 May 2009 07:41:35 -0700 (PDT)
Received: from zrtphxs1.corp.nortel.com (casmtp.ca.nortel.com [47.140.202.46]) by zrtps0kp.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id n4QEgwa12676; Tue, 26 May 2009 14:42:59 GMT
Received: from [127.0.0.1] ([47.17.25.99]) by zrtphxs1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 May 2009 10:42:57 -0400
From: Scott Lawrence <scott.lawrence@nortel.com>
To: fanyanping <fanyanping@huawei.com>
In-Reply-To: <003c01c9dd99$6de66400$271d550a@china.huawei.com>
References: <003c01c9dd99$6de66400$271d550a@china.huawei.com>
Content-Type: text/plain; charset="UTF-8"
Organization: Nortel Networks
Date: Tue, 26 May 2009 14:42:56 +0000
Message-Id: <1243348976.3432.4114.camel@host.home.skrb.org>
Mime-Version: 1.0
X-Mailer: Evolution 2.24.5 (2.24.5-1.fc10)
Content-Transfer-Encoding: quoted-printable
X-OriginalArrivalTime: 26 May 2009 14:42:57.0770 (UTC) FILETIME=[42C32CA0:01C9DE10]
Cc: dispatch@ietf.org
Subject: Re: [dispatch] draft-lawrence-sip-3rd-party-authorization-00
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2009 14:43:08 -0000

On Tue, 2009-05-26 at 08:32 +0800, fanyanping wrote:
> Hi Scott,
> 
> I spend some time reading your draft,there is one place i don’t
> understand clearly, could you please explain more detail, thanks.
> 
> “The requirement for adjacency interferes with a property of SIP that
> is otherwise one of its great strengths: that a proxy (or other
> well-behaved Intermediate) need not understand every aspect of the
> requests and responses it forwards. 。。。。。。。。“
> 
> I’m understanding that you imply a new feature needs the Intermediate
> entites which make the authorization decision to be upgraded.
> However,Is there something associated with adjacency?
> 
Clearly this point needs elaboration... I don't know if you saw my reply
last week to Alan on this same point [1] - the example I gave was:
        
        Suppose I have a wiz-bang new feature.  I figure out how to negotiate
        sessions that use it in SIP, and implement it in some spiffy new UAs.
        Given a good SIP fabric, the feature works.  But this feature has some
        characteristics that mean that I want it to be subject to an
        organizational security policy (using it has privacy implications, or it
        costs lots of money).  If I don't want to trust the endpoints to
        evaluate the policy (for reasons described elsewhere), then I need to
        have something else do so.  But the next-hop device those spiffy new UAs
        are attached to is my old-reliable edge intermediate; it's hard to get
        changes made to that, and it doesn't know anything about my new wiz-bang
        feature, so there's no way to get it to do any security policy
        evaluation for me on that feature.   If delivery implies authorization,
        then all an attacker needs to do is find a way to get the request to the
        next-hop old-reliable edge intermediate (probably not hard).
        
Authorization-by-delivery is weakened by each hop (including the last
one) by which the authorizing entity is separated from the protected
resource.  If the authorizing entity and the protected resource are
separated by only one hop, and if that hop is always TLS used so that
the protected resource can authenticate the authorizing entity, then
there is little opportunity for an attacker to exploit the separation;
but if there is more than one hop, then TLS cannot be used to
authenticate the authorizing entity and the authorization-by-delivery
model breaks down.  

> In addition, i agree that the issues described in your draft are
> really very important. But I don’t understand clearly how the
> requirement of “Authorizing Third Party” can solve them. I can’t get
> the requirements you proposed from these problems.

I guess I'd have to ask you what problem you think is not addressed.

> PS: 
> 
> there is one suggestion about the section 2.2, I think the following
> paragraphs could be in the section 2.2.1 and have a new title “User
> Agent Based Authorization”. Because all of them are describing the
> problems of “User Agent Based Authorization”.

That's a thought... 


[1] http://www.ietf.org/mail-archive/web/dispatch/current/msg00070.html

v2.23.0 | Report a Bug | By Email