Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
Hadriel Kaplan <HKaplan@acmepacket.com> Thu, 19 November 2009 14:51 UTC
Return-Path: <HKaplan@acmepacket.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2635A3A6801 for <dispatch@core3.amsl.com>; Thu, 19 Nov 2009 06:51:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmmTQ5XznwQ3 for <dispatch@core3.amsl.com>; Thu, 19 Nov 2009 06:51:41 -0800 (PST)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id E816B3A6935 for <dispatch@ietf.org>; Thu, 19 Nov 2009 06:51:40 -0800 (PST)
Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.1.375.2; Thu, 19 Nov 2009 09:51:36 -0500
Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Thu, 19 Nov 2009 09:51:36 -0500
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: Cullen Jennings <fluffy@cisco.com>
Date: Thu, 19 Nov 2009 09:51:35 -0500
Thread-Topic: [dispatch] Identity Adhoc - Nov 9th: Notes available
Thread-Index: Acpo4oDxbYpW51pVQMauzQYlxyvfhAAQ/RRg
Message-ID: <E6C2E8958BA59A4FB960963D475F7AC31A12BEE473@mail>
References: <F592E36A5C943E4E91F25880D05AD1140CC8E1F3@zrc2hxm0.corp.nortel.com> <4B01A877.4010306@iptel.org> <4B01B9E8.7050507@neustar.biz> <E6C2E8958BA59A4FB960963D475F7AC31A12B5F01F@mail> <812A0021-6334-49E4-8B91-BBC053B2132B@cisco.com>
In-Reply-To: <812A0021-6334-49E4-8B91-BBC053B2132B@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "dispatch@ietf.org" <dispatch@ietf.org>
Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2009 14:51:42 -0000
Sure, but I'm taking it one bite-size issue at a time, starting with the biggest bite. :) Some of the things SBC's change *should* fail a 4474-type signature I think. And some of them are either not that commonly done, or are done in the originating or terminating domain anyway where changing them doesn't matter for the mechanism (e.g., transcoding). -hadriel > -----Original Message----- > From: Cullen Jennings [mailto:fluffy@cisco.com] > Sent: Thursday, November 19, 2009 12:31 AM > To: Hadriel Kaplan > Cc: Jon Peterson; Jiri Kuthan; dispatch@ietf.org > Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available > > > If we all believe the only thing SBC rewrite is the IP and port of the > media, I'm sure we can solve this in no time flat. Unfortunately, when > a solution to solve that problem have been presented, it has become > clear that SBC change much more than that. > > Cullen <in my individual contributor role> > > On Nov 18, 2009, at 12:11 PM, Hadriel Kaplan wrote: > > > > > Forget the NAT traversal piece, or even media steering, and just > > tell me what signing the IP Address/port in the SDP buys you. Not > > the whole SDP, just the IP/ports. Imagine if the media IP/ports > > were in a SIP header, and tell me why we MUST sign that header to > > get "SIP Identity". > > > > My claim is signing those IP/ports is neither necessary nor > > sufficient for the purposes of SIP Identity nor media identity. > > It's an emperor with no clothes, except we end up getting the bill > > for the clothing. > > > > It is not sufficient because it does not prove the authenticity and > > identity of the media. And I don't just mean in an academic sense > > of "prove". Not only can the media IP/ports still be spoofed and > > even intercepted - but nothing prevents me from just sending media > > from another address/port to get you to listen to my advertisement, > > instructions to call my number to "verify your credit card", or > > whatever. > > > > Only a media-plane mechanism will be sufficient for media identity, > > such as DTLS-SRTP. > > > > It is not necessary because, given a mechanism such as DTLS-SRTP > > (which *is* necessary for the property of media identity), signing > > the IP/ports is superfluous. It's making the mistake of confusing > > IP with an identity, vs. a routing identifier. (ie, the argument HIP > > makes) > > > > -hadriel > > > >> -----Original Message----- > >> From: dispatch-bounces@ietf.org [mailto:dispatch-bounces@ietf.org] On > >> Behalf Of Jon Peterson > >> Sent: Monday, November 16, 2009 3:45 PM > >> > >> To rehash arguments that have circulated in this discussion many > >> times, > >> one must distinguish the NAT traversal case from the "media steering" > >> requirement that has motivated much of the re-examination of > >> identity. > >> RFC4474 signatures are applied not by the user agent (at least not in > >> the typical case), but rather by a server operated by the user > >> agent's > >> administrative domain. The administrative domain can more or less > >> modify > >> signaling arbitrarily before adding an Identity header per RFC4474. > >> Thus, some sort of intermediary that modifies SIP signaling for the > >> sake > >> of NAT traversal can work with RFC4474, provided that the > >> intermediary > >> acts before the Identity header is added. > >> > >> While it can therefore be argued that RFC4474 does not rule out > >> intermediary-based NAT traversal entirely, it does protect against > >> any > >> intermediary altering SDP once a request has left the originating > >> administrative domain with an Identity header. The "media steering" > >> use > >> cases that challenge this design are predicated on an intermediary > >> with > >> no necessary relationship to the originating or terminating > >> administrative domain unilaterally modifying SDP in transit, > >> usually in > >> order to force layer 3 routing of media to pass through one or more > >> anchor points in a network - perhaps for the sake of drawing the > >> traffic > >> across a managed circuit with carefully-managed quality, or to > >> facilitate lawful intercept, or what have you. It is that requirement > >> which I have consistently argued is equivalent to exposing this > >> mechanism to a man-in-the-middle attack. If we removed enough > >> protections in the design of RFC4474 to enable media steering by > >> "good" > >> intermediaries, we are effectively also enabling any malicious > >> entities > >> to change those aspects of SIP requests as well. > > _______________________________________________ > > dispatch mailing list > > dispatch@ietf.org > > https://www.ietf.org/mailman/listinfo/dispatch
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- [dispatch] Identity Adhoc - Nov 9th: Notes availa… Mary Barnes
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Henry Sinnreich
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Francois Audet
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dean Willis
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Paul Kyzivat
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Bernard Aboba
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Cullen Jennings
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Elwell, John