IETF Logo Mail Archive

Re: [dispatch] Identity Adhoc - Nov 9th: Notes available

Hadriel Kaplan <HKaplan@acmepacket.com> Thu, 19 November 2009 14:51 UTC

Return-Path: <HKaplan@acmepacket.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2635A3A6801 for <dispatch@core3.amsl.com>; Thu, 19 Nov 2009 06:51:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MmmTQ5XznwQ3 for <dispatch@core3.amsl.com>; Thu, 19 Nov 2009 06:51:41 -0800 (PST)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id E816B3A6935 for <dispatch@ietf.org>; Thu, 19 Nov 2009 06:51:40 -0800 (PST)
Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.1.375.2; Thu, 19 Nov 2009 09:51:36 -0500
Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Thu, 19 Nov 2009 09:51:36 -0500
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: Cullen Jennings <fluffy@cisco.com>
Date: Thu, 19 Nov 2009 09:51:35 -0500
Thread-Topic: [dispatch] Identity Adhoc - Nov 9th: Notes available
Thread-Index: Acpo4oDxbYpW51pVQMauzQYlxyvfhAAQ/RRg
Message-ID: <E6C2E8958BA59A4FB960963D475F7AC31A12BEE473@mail>
References: <F592E36A5C943E4E91F25880D05AD1140CC8E1F3@zrc2hxm0.corp.nortel.com> <4B01A877.4010306@iptel.org> <4B01B9E8.7050507@neustar.biz> <E6C2E8958BA59A4FB960963D475F7AC31A12B5F01F@mail> <812A0021-6334-49E4-8B91-BBC053B2132B@cisco.com>
In-Reply-To: <812A0021-6334-49E4-8B91-BBC053B2132B@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "dispatch@ietf.org" <dispatch@ietf.org>
Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2009 14:51:42 -0000

Sure, but I'm taking it one bite-size issue at a time, starting with the biggest bite. :) 

Some of the things SBC's change *should* fail a 4474-type signature I think.  And some of them are either not that commonly done, or are done in the originating or terminating domain anyway where changing them doesn't matter for the mechanism (e.g., transcoding).

-hadriel

> -----Original Message-----
> From: Cullen Jennings [mailto:fluffy@cisco.com]
> Sent: Thursday, November 19, 2009 12:31 AM
> To: Hadriel Kaplan
> Cc: Jon Peterson; Jiri Kuthan; dispatch@ietf.org
> Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
> 
> 
> If we all believe the only thing SBC rewrite is the IP and port of the
> media, I'm sure we can solve this in no time flat. Unfortunately, when
> a solution to solve that problem have been presented, it has become
> clear that SBC change much more than that.
> 
> Cullen <in my individual contributor role>
> 
> On Nov 18, 2009, at 12:11 PM, Hadriel Kaplan wrote:
> 
> >
> > Forget the NAT traversal piece, or even media steering, and just
> > tell me what signing the IP Address/port in the SDP buys you.  Not
> > the whole SDP, just the IP/ports.  Imagine if the media IP/ports
> > were in a SIP header, and tell me why we MUST sign that header to
> > get "SIP Identity".
> >
> > My claim is signing those IP/ports is neither necessary nor
> > sufficient for the purposes of SIP Identity nor media identity.
> > It's an emperor with no clothes, except we end up getting the bill
> > for the clothing.
> >
> > It is not sufficient because it does not prove the authenticity and
> > identity of the media.  And I don't just mean in an academic sense
> > of "prove".  Not only can the media IP/ports still be spoofed and
> > even intercepted - but nothing prevents me from just sending media
> > from another address/port to get you to listen to my advertisement,
> > instructions to call my number to "verify your credit card", or
> > whatever.
> >
> > Only a media-plane mechanism will be sufficient for media identity,
> > such as DTLS-SRTP.
> >
> > It is not necessary because, given a mechanism such as DTLS-SRTP
> > (which *is* necessary for the property of media identity), signing
> > the IP/ports is superfluous.  It's making the mistake of confusing
> > IP with an identity, vs. a routing identifier. (ie, the argument HIP
> > makes)
> >
> > -hadriel
> >
> >> -----Original Message-----
> >> From: dispatch-bounces@ietf.org [mailto:dispatch-bounces@ietf.org] On
> >> Behalf Of Jon Peterson
> >> Sent: Monday, November 16, 2009 3:45 PM
> >>
> >> To rehash arguments that have circulated in this discussion many
> >> times,
> >> one must distinguish the NAT traversal case from the "media steering"
> >> requirement that has motivated much of the re-examination of
> >> identity.
> >> RFC4474 signatures are applied not by the user agent (at least not in
> >> the typical case), but rather by a server operated by the user
> >> agent's
> >> administrative domain. The administrative domain can more or less
> >> modify
> >> signaling arbitrarily before adding an Identity header per RFC4474.
> >> Thus, some sort of intermediary that modifies SIP signaling for the
> >> sake
> >> of NAT traversal can work with RFC4474, provided that the
> >> intermediary
> >> acts before the Identity header is added.
> >>
> >> While it can therefore be argued that RFC4474 does not rule out
> >> intermediary-based NAT traversal entirely, it does protect against
> >> any
> >> intermediary altering SDP once a request has left the originating
> >> administrative domain with an Identity header. The "media steering"
> >> use
> >> cases that challenge this design are predicated on an intermediary
> >> with
> >> no necessary relationship to the originating or terminating
> >> administrative domain unilaterally modifying SDP in transit,
> >> usually in
> >> order to force layer 3 routing of media to pass through one or more
> >> anchor points in a network - perhaps for the sake of drawing the
> >> traffic
> >> across a managed circuit with carefully-managed quality, or to
> >> facilitate lawful intercept, or what have you. It is that requirement
> >> which I have consistently argued is equivalent to exposing this
> >> mechanism to a man-in-the-middle attack. If we removed enough
> >> protections in the design of RFC4474 to enable media steering by
> >> "good"
> >> intermediaries, we are effectively also enabling any malicious
> >> entities
> >> to change those aspects of SIP requests as well.
> > _______________________________________________
> > dispatch mailing list
> > dispatch@ietf.org
> > https://www.ietf.org/mailman/listinfo/dispatch

v2.23.0 | Report a Bug | By Email