Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
Jon Peterson <jon.peterson@neustar.biz> Tue, 17 November 2009 12:20 UTC
Return-Path: <jon.peterson@neustar.biz>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 642953A6A88 for <dispatch@core3.amsl.com>; Tue, 17 Nov 2009 04:20:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uHHgy2BFewKP for <dispatch@core3.amsl.com>; Tue, 17 Nov 2009 04:20:35 -0800 (PST)
Received: from neustar.com (ns6.neustar.com [156.154.16.88]) by core3.amsl.com (Postfix) with ESMTP id F2C243A6A75 for <dispatch@ietf.org>; Tue, 17 Nov 2009 04:20:34 -0800 (PST)
Received: from ([192.168.128.225]) by stihiron1.va.neustar.com with ESMTP id G6K7MJ1.2463587; Tue, 17 Nov 2009 07:20:26 -0500
Message-ID: <4B02950A.9060902@neustar.biz>
Date: Tue, 17 Nov 2009 04:20:26 -0800
From: Jon Peterson <jon.peterson@neustar.biz>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Jiri Kuthan <jiri@iptel.org>
References: <F592E36A5C943E4E91F25880D05AD1140CC8E1F3@zrc2hxm0.corp.nortel.com> <4B01A877.4010306@iptel.org> <4B01B9E8.7050507@neustar.biz> <4B025E6A.60900@iptel.org>
In-Reply-To: <4B025E6A.60900@iptel.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: dispatch@ietf.org
Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2009 12:20:36 -0000
>> The "media steering" use cases that challenge this design are >> predicated on an intermediary with no necessary relationship to the >> originating or terminating administrative domain unilaterally >> modifying SDP in transit, usually in order to force layer 3 routing >> of media to pass through one or more anchor points in a network - >> perhaps for the sake of drawing the traffic across a managed circuit >> with carefully-managed quality, or to facilitate lawful intercept, or >> what have you. It is that requirement which I have consistently >> argued is equivalent to exposing this mechanism to a >> man-in-the-middle attack. > how is that different from a MiTM attacking SDP on the path from UA > to a 4474-enable proxy? I'm not sure how to answer your question except to say that it is a fundamental difference in the protection scope of the mechanism. The path between the user agent and the RFC4474-enabled proxy must be secured in some fashion, it's true, and there are a number of ways that security might be provided that can either allow for the presence of other intermediaries in the administrative domain or not, depending on the SIP deployment of the domain (RFC4474 does talk about this a bit). If those protections aren't in place, then of course any adversary can alter the signaling arbitrarily with fear of detection. Once an Identity header is in place, however, any subsequent modifications to the signaling that could lead to impersonation (in so far as the threat of impersonation is defined in the draft) are supposed to show up as violations. That's the protection that the Identity mechanism affords. So the difference is that in one case, there's supposed to be security, and in the other case there isn't. >> If we removed enough >> protections in the design of RFC4474 to enable media steering by >> "good" intermediaries, we are effectively also enabling any malicious >> entities to change those aspects of SIP requests as well. > I'm wondering if RFC4474 can prevent MiTM as it is not guaranteed to > provide > end-to-end protection in the typical case. No mechanism can "prevent" a man-in-the-middle, it can merely detect it. RFC4474 provides its protections within its defined scope, which is from an authentication service in the administrative domain to the terminating user agent. If the path between the originating user agent and the authentication service is insecure and vulnerable, as discussed above, then yes, RFC4474 doesn't provide end-to-end protection. >> >> I do not find the requirement for NAT traversal unacceptable, but I >> do consider the requirement for media steering highly dubious at best. > Some while ago I would have thought that in this typical case there > are two administrative zones under respective control with a pipe in > between. Then it shall be manageable to put a SDP-manipulating closer > to UA than 4474 processing. In the meantime I think it became hard to > find a SIP path which in between two 4474 entities has nothing that > rewrites SDP. You are not the first one to make this observation, but I don't think this information is very useful in drafting the sorts of requirements in Mr. Elwell's document. The stated requirement for "media steering" assumes something much more specific than simply wanting to rewrite SDP. An intermediary that wants to rewrite SDP may have one of several relationships with the originating and terminating user agents or administrative domains. The "media steering" use cases invariably assume an entity acting unilaterally, without necessarily the knowledge or consent of either side of the transaction - it acts by virtue of being in the path of signaling, even if only as an ALG. If we design a security mechanism that allows an entity to act with that sort of impunity, it may facilitate some few beneficial services but it will also facilitate a variety of attacks. I believe we can do better - we can find ways to allow intermediaries to perform the services they'd like to perform without acting unilaterally. Certainly at the time RFC4474 was under development, we believed that mechanisms like session-policy would eventually provide a way for intermediaries to force user agents to conform with intermediary policy, including session dependent policy cases for SDP. If we're going to dedicate design energy to solving problems in this neighborhood, one could argue that solving for these building blocks first (allowing intermediaries to modify signaling in a collaborative manner rather than unilaterally) will make the path to an identity solution much, much easier. From a requirements perspective, this is much closer to what I'd like to see expressed than something like "media steering," which basically equates to reducing the protection space. Jon Peterson NeuStar, Inc. > -jiri > >
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- [dispatch] Identity Adhoc - Nov 9th: Notes availa… Mary Barnes
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Henry Sinnreich
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Francois Audet
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dean Willis
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Paul Kyzivat
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Bernard Aboba
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Cullen Jennings
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Elwell, John