[dispatch] SIP, TLS and oppurtunistic encryption
"Olle E. Johansson" <oej@edvina.net> Mon, 03 February 2014 14:01 UTC
Return-Path: <oej@edvina.net>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F28E1A01D4 for <dispatch@ietfa.amsl.com>; Mon, 3 Feb 2014 06:01:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.551
X-Spam-Level:
X-Spam-Status: No, score=-1.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZmGtIzDy-rzy for <dispatch@ietfa.amsl.com>; Mon, 3 Feb 2014 06:01:19 -0800 (PST)
Received: from smtp7.webway.se (smtp7.webway.se [IPv6:2a02:920:212e::205]) by ietfa.amsl.com (Postfix) with ESMTP id 334801A01D7 for <dispatch@ietf.org>; Mon, 3 Feb 2014 02:01:57 -0800 (PST)
Received: from [192.168.40.68] (h87-96-134-129.dynamic.se.alltele.net [87.96.134.129]) by smtp7.webway.se (Postfix) with ESMTPA id 7FEF493C2A2; Mon, 3 Feb 2014 10:01:56 +0000 (UTC)
From: "Olle E. Johansson" <oej@edvina.net>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 03 Feb 2014 11:01:55 +0100
Message-Id: <6033D22C-8EB7-405C-AD6A-56C64D44261A@edvina.net>
To: DISPATCH <dispatch@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\))
X-Mailer: Apple Mail (2.1827)
Subject: [dispatch] SIP, TLS and oppurtunistic encryption
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2014 14:01:21 -0000
Hi! Paul Hoffman has written a document that defines "Oppurtunistic Encryption" in regards to TLS and separates this from unauthenticated sessions. It's a good read. (and discussed in the UTA wg) http://tools.ietf.org/html/draft-hoffman-uta-opportunistic-tls-00 This got my head busy with applying this to SIP. In SIP we already have a kind of oppurtunistic encryption where the user has not required a confidential session. If a service sets up NAPTR records and SRV ONLY indicating and supporting TLS and _sips there's no choice for a SIP implementation than to set up a TLS connection. The user is not involved and a phone should propably not indicate a lock. The first hop may or may not be TLS, if there is a proxy in the middle. If we follow the thinking in Paul's document and configure a SIP client to always look for and try to use TLS by using DNS or simply trying a connection to port 5061 before anything else, then we have oppurtunistic encryption again. Regardless of SIP uri scheme and ;transport headers. Should the via headers signal TLS or TCP in this case? We use TLS for authenticated and in some cases encrypted SIP signalling. The use of "TLS" in the via adds requirements on authentication on the response path back. Can a proxy add something to the Record-route header to indicate that it supports TLS if the other end wants to use it - in order to speed up the process? If we assume we should use "TCP" in the via - should we somehow record that we actually used TLS? Like every other area in the IETF we need to focus on responding to the attack on the Internet. Adding oppurtunistic encryption in our applications seems like a good thing, but it should not cause unexpected behaviour. /O
- [dispatch] SIP, TLS and oppurtunistic encryption Olle E. Johansson