IETF Logo Mail Archive

Re: [dispatch] Identity Adhoc - Nov 9th: Notes available

Jon Peterson <jon.peterson@neustar.biz> Mon, 16 November 2009 20:45 UTC

Return-Path: <jon.peterson@neustar.biz>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5B3043A6ADF for <dispatch@core3.amsl.com>; Mon, 16 Nov 2009 12:45:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6302rAjVQHZZ for <dispatch@core3.amsl.com>; Mon, 16 Nov 2009 12:45:34 -0800 (PST)
Received: from neustar.com (ns6.neustar.com [156.154.16.88]) by core3.amsl.com (Postfix) with ESMTP id 47EE93A690E for <dispatch@ietf.org>; Mon, 16 Nov 2009 12:45:34 -0800 (PST)
Received: from ([192.168.128.225]) by stihiron1.va.neustar.com with ESMTP id G6K7MJ1.2440599; Mon, 16 Nov 2009 15:45:28 -0500
Message-ID: <4B01B9E8.7050507@neustar.biz>
Date: Mon, 16 Nov 2009 12:45:28 -0800
From: Jon Peterson <jon.peterson@neustar.biz>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Jiri Kuthan <jiri@iptel.org>
References: <F592E36A5C943E4E91F25880D05AD1140CC8E1F3@zrc2hxm0.corp.nortel.com> <4B01A877.4010306@iptel.org>
In-Reply-To: <4B01A877.4010306@iptel.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: dispatch@ietf.org
Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2009 20:45:35 -0000

I was not arguing against NAT traversal, actually. From the start of the 
SIP identity work, we considered support for NAT traversal as a 
requirement. Of course, the authors of RFC4474 assumed that something 
roughly like ICE would take over this role, and obviously the deployment 
situation is bit more complicated (we similarly hoped that GRUU would 
make it unnecessary for intermediaries to modify Contact headers, and so 
on). Regardless, I still believe we need to have a reasonable story for 
how an identity mechanism will accommodate NAT traversal.

To rehash arguments that have circulated in this discussion many times, 
one must distinguish the NAT traversal case from the "media steering" 
requirement that has motivated much of the re-examination of identity. 
RFC4474 signatures are applied not by the user agent (at least not in 
the typical case), but rather by a server operated by the user agent's 
administrative domain. The administrative domain can more or less modify 
signaling arbitrarily before adding an Identity header per RFC4474. 
Thus, some sort of intermediary that modifies SIP signaling for the sake 
of NAT traversal can work with RFC4474, provided that the intermediary 
acts before the Identity header is added.

While it can therefore be argued that RFC4474 does not rule out 
intermediary-based NAT traversal entirely, it does protect against any 
intermediary altering SDP once a request has left the originating 
administrative domain with an Identity header. The "media steering" use 
cases that challenge this design are predicated on an intermediary with 
no necessary relationship to the originating or terminating 
administrative domain unilaterally modifying SDP in transit, usually in 
order to force layer 3 routing of media to pass through one or more 
anchor points in a network - perhaps for the sake of drawing the traffic 
across a managed circuit with carefully-managed quality, or to 
facilitate lawful intercept, or what have you. It is that requirement 
which I have consistently argued is equivalent to exposing this 
mechanism to a man-in-the-middle attack. If we removed enough 
protections in the design of RFC4474 to enable media steering by "good" 
intermediaries, we are effectively also enabling any malicious entities 
to change those aspects of SIP requests as well.

I do not find the requirement for NAT traversal unacceptable, but I do 
consider the requirement for media steering highly dubious at best.

Jon Peterson
NeuStar, Inc

Jiri Kuthan wrote:
> I think it is worth mentioning and doublechecking a problem we touched
> in this conversation, which is SIP servers modifying SDP to facilitate
> NAT traversal. I think Jon P. has said this was unacceptable use-case not
> good enough as motivation for work related to it, because it exposes
> such calls to MiTM attacks. Is that right, Jon?
>
> -jiri
>
> Mary Barnes wrote:
>>
>> Hi all,
>>
>> I have uploaded Jim McEachern's notes from the Identity Adhoc yesterday:
>> http://www.softarmor.com/dispatch/IETF76/Meeting%20notes/Identity-AdHoc-Notes-jmce.doc 
>>
>>
>> Regards,
>> Mary.
>>
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> dispatch mailing list
>> dispatch@ietf.org
>> https://www.ietf.org/mailman/listinfo/dispatch

v2.23.0 | Report a Bug | By Email