Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
Jiri Kuthan <jiri@iptel.org> Tue, 17 November 2009 08:27 UTC
Return-Path: <jiri@iptel.org>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0DBE93A67F2 for <dispatch@core3.amsl.com>; Tue, 17 Nov 2009 00:27:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.996
X-Spam-Level:
X-Spam-Status: No, score=-1.996 tagged_above=-999 required=5 tests=[AWL=0.604, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EnrY0ExQ4Z4N for <dispatch@core3.amsl.com>; Tue, 17 Nov 2009 00:27:37 -0800 (PST)
Received: from mail.iptel.org (smtp.iptel.org [213.192.59.67]) by core3.amsl.com (Postfix) with ESMTP id ABA9028C0EC for <dispatch@ietf.org>; Tue, 17 Nov 2009 00:27:36 -0800 (PST)
Received: from jirimac-2.local (shell.iptel.org [213.192.59.74]) by mail.iptel.org (Postfix) with ESMTP id 0F27837080E; Tue, 17 Nov 2009 09:27:35 +0100 (CET)
Message-ID: <4B025E76.2060301@iptel.org>
Date: Tue, 17 Nov 2009 09:27:34 +0100
From: Jiri Kuthan <jiri@iptel.org>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Francois Audet <audet.francois@gmail.com>
References: <F592E36A5C943E4E91F25880D05AD1140CC8E1F3@zrc2hxm0.corp.nortel.com> <4B01A877.4010306@iptel.org> <4B01B9E8.7050507@neustar.biz> <9D78C8C9-96FB-49D7-8B9E-ED6FAA6F8CA3@gmail.com>
In-Reply-To: <9D78C8C9-96FB-49D7-8B9E-ED6FAA6F8CA3@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: dispatch@ietf.org
Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2009 08:27:38 -0000
Francois Audet wrote: > So, in summary: SDP (and other) modification should only be done on a UA's behalf by its administrative domain, otherwise, it's unsafe. Hi Francois, I'm not quite yet sure what administrative domain means? The picture I'm having in my mind is using say iptel.org service (located in Central Europe in a facility administered by iptel.org's administrator) from an IETF meeting (administered by the IETF team) to my family (located within what a German ISP administers). -jiri > > Seems reasonable to me. > > We seem to recycle the same arguments over and over again.... > > On Nov 16, 2009, at 22:45 , Jon Peterson wrote: > >> I was not arguing against NAT traversal, actually. From the start of the SIP identity work, we considered support for NAT traversal as a requirement. Of course, the authors of RFC4474 assumed that something roughly like ICE would take over this role, and obviously the deployment situation is bit more complicated (we similarly hoped that GRUU would make it unnecessary for intermediaries to modify Contact headers, and so on). Regardless, I still believe we need to have a reasonable story for how an identity mechanism will accommodate NAT traversal. >> >> To rehash arguments that have circulated in this discussion many times, one must distinguish the NAT traversal case from the "media steering" requirement that has motivated much of the re-examination of identity. RFC4474 signatures are applied not by the user agent (at least not in the typical case), but rather by a server operated by the user agent's administrative domain. The administrative domain can more or less modify signaling arbitrarily before adding an Identity header per RFC4474. Thus, some sort of intermediary that modifies SIP signaling for the sake of NAT traversal can work with RFC4474, provided that the intermediary acts before the Identity header is added. >> >> While it can therefore be argued that RFC4474 does not rule out intermediary-based NAT traversal entirely, it does protect against any intermediary altering SDP once a request has left the originating administrative domain with an Identity header. The "media steering" use cases that challenge this design are predicated on an intermediary with no necessary relationship to the originating or terminating administrative domain unilaterally modifying SDP in transit, usually in order to force layer 3 routing of media to pass through one or more anchor points in a network - perhaps for the sake of drawing the traffic across a managed circuit with carefully-managed quality, or to facilitate lawful intercept, or what have you. It is that requirement which I have consistently argued is equivalent to exposing this mechanism to a man-in-the-middle attack. If we removed enough protections in the design of RFC4474 to enable media steering by "good" intermediaries, we are effectively als o enabling any malicious entities to change those aspects of SIP requests as well. >> >> I do not find the requirement for NAT traversal unacceptable, but I do consider the requirement for media steering highly dubious at best. >> >> Jon Peterson >> NeuStar, Inc >> >> Jiri Kuthan wrote: >>> I think it is worth mentioning and doublechecking a problem we touched >>> in this conversation, which is SIP servers modifying SDP to facilitate >>> NAT traversal. I think Jon P. has said this was unacceptable use-case not >>> good enough as motivation for work related to it, because it exposes >>> such calls to MiTM attacks. Is that right, Jon? >>> >>> -jiri >>> >>> Mary Barnes wrote: >>>> Hi all, >>>> >>>> I have uploaded Jim McEachern's notes from the Identity Adhoc yesterday: >>>> http://www.softarmor.com/dispatch/IETF76/Meeting%20notes/Identity-AdHoc-Notes-jmce.doc >>>> >>>> Regards, >>>> Mary. >>>> >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> _______________________________________________ >>>> dispatch mailing list >>>> dispatch@ietf.org >>>> https://www.ietf.org/mailman/listinfo/dispatch >> _______________________________________________ >> dispatch mailing list >> dispatch@ietf.org >> https://www.ietf.org/mailman/listinfo/dispatch >
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- [dispatch] Identity Adhoc - Nov 9th: Notes availa… Mary Barnes
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Henry Sinnreich
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Francois Audet
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dean Willis
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Paul Kyzivat
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Bernard Aboba
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Cullen Jennings
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Elwell, John