IETF Logo Mail Archive

Re: [dispatch] Identity Adhoc - Nov 9th: Notes available

Hadriel Kaplan <HKaplan@acmepacket.com> Wed, 18 November 2009 19:12 UTC

Return-Path: <HKaplan@acmepacket.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 99D053A67C2 for <dispatch@core3.amsl.com>; Wed, 18 Nov 2009 11:12:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uaPKln9SEiRm for <dispatch@core3.amsl.com>; Wed, 18 Nov 2009 11:12:36 -0800 (PST)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id 787C828C122 for <dispatch@ietf.org>; Wed, 18 Nov 2009 11:12:29 -0800 (PST)
Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.1.375.2; Wed, 18 Nov 2009 14:12:23 -0500
Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Wed, 18 Nov 2009 14:12:20 -0500
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: Jon Peterson <jon.peterson@neustar.biz>, Jiri Kuthan <jiri@iptel.org>
Date: Wed, 18 Nov 2009 14:11:49 -0500
Thread-Topic: [dispatch] Identity Adhoc - Nov 9th: Notes available
Thread-Index: Acpm/cz2ifgzC7UdSOKGWYUpvT4R7ABgzUnw
Message-ID: <E6C2E8958BA59A4FB960963D475F7AC31A12B5F01F@mail>
References: <F592E36A5C943E4E91F25880D05AD1140CC8E1F3@zrc2hxm0.corp.nortel.com> <4B01A877.4010306@iptel.org> <4B01B9E8.7050507@neustar.biz>
In-Reply-To: <4B01B9E8.7050507@neustar.biz>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "dispatch@ietf.org" <dispatch@ietf.org>
Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2009 19:12:42 -0000

Forget the NAT traversal piece, or even media steering, and just tell me what signing the IP Address/port in the SDP buys you.  Not the whole SDP, just the IP/ports.  Imagine if the media IP/ports were in a SIP header, and tell me why we MUST sign that header to get "SIP Identity".

My claim is signing those IP/ports is neither necessary nor sufficient for the purposes of SIP Identity nor media identity.  It's an emperor with no clothes, except we end up getting the bill for the clothing.

It is not sufficient because it does not prove the authenticity and identity of the media.  And I don't just mean in an academic sense of "prove".  Not only can the media IP/ports still be spoofed and even intercepted - but nothing prevents me from just sending media from another address/port to get you to listen to my advertisement, instructions to call my number to "verify your credit card", or whatever.

Only a media-plane mechanism will be sufficient for media identity, such as DTLS-SRTP.

It is not necessary because, given a mechanism such as DTLS-SRTP (which *is* necessary for the property of media identity), signing the IP/ports is superfluous.  It's making the mistake of confusing IP with an identity, vs. a routing identifier. (ie, the argument HIP makes)

-hadriel

> -----Original Message-----
> From: dispatch-bounces@ietf.org [mailto:dispatch-bounces@ietf.org] On
> Behalf Of Jon Peterson
> Sent: Monday, November 16, 2009 3:45 PM
> 
> To rehash arguments that have circulated in this discussion many times,
> one must distinguish the NAT traversal case from the "media steering"
> requirement that has motivated much of the re-examination of identity.
> RFC4474 signatures are applied not by the user agent (at least not in
> the typical case), but rather by a server operated by the user agent's
> administrative domain. The administrative domain can more or less modify
> signaling arbitrarily before adding an Identity header per RFC4474.
> Thus, some sort of intermediary that modifies SIP signaling for the sake
> of NAT traversal can work with RFC4474, provided that the intermediary
> acts before the Identity header is added.
> 
> While it can therefore be argued that RFC4474 does not rule out
> intermediary-based NAT traversal entirely, it does protect against any
> intermediary altering SDP once a request has left the originating
> administrative domain with an Identity header. The "media steering" use
> cases that challenge this design are predicated on an intermediary with
> no necessary relationship to the originating or terminating
> administrative domain unilaterally modifying SDP in transit, usually in
> order to force layer 3 routing of media to pass through one or more
> anchor points in a network - perhaps for the sake of drawing the traffic
> across a managed circuit with carefully-managed quality, or to
> facilitate lawful intercept, or what have you. It is that requirement
> which I have consistently argued is equivalent to exposing this
> mechanism to a man-in-the-middle attack. If we removed enough
> protections in the design of RFC4474 to enable media steering by "good"
> intermediaries, we are effectively also enabling any malicious entities
> to change those aspects of SIP requests as well.

v2.23.0 | Report a Bug | By Email