Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
Cullen Jennings <fluffy@cisco.com> Thu, 19 November 2009 05:31 UTC
Return-Path: <fluffy@cisco.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B87F428C108 for <dispatch@core3.amsl.com>; Wed, 18 Nov 2009 21:31:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.54
X-Spam-Level:
X-Spam-Status: No, score=-106.54 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vTnqaZpMSZPa for <dispatch@core3.amsl.com>; Wed, 18 Nov 2009 21:31:16 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id C3D2E28C102 for <dispatch@ietf.org>; Wed, 18 Nov 2009 21:31:16 -0800 (PST)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEAO1mBEurR7H+/2dsb2JhbAC/V4gUj2KCNg6BdwSNBg
X-IronPort-AV: E=Sophos;i="4.44,769,1249257600"; d="scan'208";a="435695715"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-6.cisco.com with ESMTP; 19 Nov 2009 05:31:14 +0000
Received: from [192.168.4.177] (rcdn-fluffy-8711.cisco.com [10.99.9.18]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id nAJ5VDrt001255; Thu, 19 Nov 2009 05:31:14 GMT
From: Cullen Jennings <fluffy@cisco.com>
To: Hadriel Kaplan <HKaplan@acmepacket.com>
In-Reply-To: <E6C2E8958BA59A4FB960963D475F7AC31A12B5F01F@mail>
Impp: xmpp:cullenfluffyjennings@jabber.org
References: <F592E36A5C943E4E91F25880D05AD1140CC8E1F3@zrc2hxm0.corp.nortel.com> <4B01A877.4010306@iptel.org> <4B01B9E8.7050507@neustar.biz> <E6C2E8958BA59A4FB960963D475F7AC31A12B5F01F@mail>
Message-Id: <812A0021-6334-49E4-8B91-BBC053B2132B@cisco.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Wed, 18 Nov 2009 22:31:12 -0700
X-Mailer: Apple Mail (2.936)
Cc: "dispatch@ietf.org" <dispatch@ietf.org>
Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2009 05:31:17 -0000
If we all believe the only thing SBC rewrite is the IP and port of the media, I'm sure we can solve this in no time flat. Unfortunately, when a solution to solve that problem have been presented, it has become clear that SBC change much more than that. Cullen <in my individual contributor role> On Nov 18, 2009, at 12:11 PM, Hadriel Kaplan wrote: > > Forget the NAT traversal piece, or even media steering, and just > tell me what signing the IP Address/port in the SDP buys you. Not > the whole SDP, just the IP/ports. Imagine if the media IP/ports > were in a SIP header, and tell me why we MUST sign that header to > get "SIP Identity". > > My claim is signing those IP/ports is neither necessary nor > sufficient for the purposes of SIP Identity nor media identity. > It's an emperor with no clothes, except we end up getting the bill > for the clothing. > > It is not sufficient because it does not prove the authenticity and > identity of the media. And I don't just mean in an academic sense > of "prove". Not only can the media IP/ports still be spoofed and > even intercepted - but nothing prevents me from just sending media > from another address/port to get you to listen to my advertisement, > instructions to call my number to "verify your credit card", or > whatever. > > Only a media-plane mechanism will be sufficient for media identity, > such as DTLS-SRTP. > > It is not necessary because, given a mechanism such as DTLS-SRTP > (which *is* necessary for the property of media identity), signing > the IP/ports is superfluous. It's making the mistake of confusing > IP with an identity, vs. a routing identifier. (ie, the argument HIP > makes) > > -hadriel > >> -----Original Message----- >> From: dispatch-bounces@ietf.org [mailto:dispatch-bounces@ietf.org] On >> Behalf Of Jon Peterson >> Sent: Monday, November 16, 2009 3:45 PM >> >> To rehash arguments that have circulated in this discussion many >> times, >> one must distinguish the NAT traversal case from the "media steering" >> requirement that has motivated much of the re-examination of >> identity. >> RFC4474 signatures are applied not by the user agent (at least not in >> the typical case), but rather by a server operated by the user >> agent's >> administrative domain. The administrative domain can more or less >> modify >> signaling arbitrarily before adding an Identity header per RFC4474. >> Thus, some sort of intermediary that modifies SIP signaling for the >> sake >> of NAT traversal can work with RFC4474, provided that the >> intermediary >> acts before the Identity header is added. >> >> While it can therefore be argued that RFC4474 does not rule out >> intermediary-based NAT traversal entirely, it does protect against >> any >> intermediary altering SDP once a request has left the originating >> administrative domain with an Identity header. The "media steering" >> use >> cases that challenge this design are predicated on an intermediary >> with >> no necessary relationship to the originating or terminating >> administrative domain unilaterally modifying SDP in transit, >> usually in >> order to force layer 3 routing of media to pass through one or more >> anchor points in a network - perhaps for the sake of drawing the >> traffic >> across a managed circuit with carefully-managed quality, or to >> facilitate lawful intercept, or what have you. It is that requirement >> which I have consistently argued is equivalent to exposing this >> mechanism to a man-in-the-middle attack. If we removed enough >> protections in the design of RFC4474 to enable media steering by >> "good" >> intermediaries, we are effectively also enabling any malicious >> entities >> to change those aspects of SIP requests as well. > _______________________________________________ > dispatch mailing list > dispatch@ietf.org > https://www.ietf.org/mailman/listinfo/dispatch
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- [dispatch] Identity Adhoc - Nov 9th: Notes availa… Mary Barnes
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Henry Sinnreich
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Francois Audet
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dean Willis
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Paul Kyzivat
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Bernard Aboba
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Cullen Jennings
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Elwell, John