Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
Jiri Kuthan <jiri@iptel.org> Tue, 17 November 2009 08:27 UTC
Return-Path: <jiri@iptel.org>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 725DD3A69FD for <dispatch@core3.amsl.com>; Tue, 17 Nov 2009 00:27:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.392
X-Spam-Level:
X-Spam-Status: No, score=-1.392 tagged_above=-999 required=5 tests=[AWL=1.207, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 71DhkD58+bS9 for <dispatch@core3.amsl.com>; Tue, 17 Nov 2009 00:27:25 -0800 (PST)
Received: from mail.iptel.org (smtp.iptel.org [213.192.59.67]) by core3.amsl.com (Postfix) with ESMTP id E0E6F3A67F2 for <dispatch@ietf.org>; Tue, 17 Nov 2009 00:27:24 -0800 (PST)
Received: from jirimac-2.local (shell.iptel.org [213.192.59.74]) by mail.iptel.org (Postfix) with ESMTP id DC72A37080E; Tue, 17 Nov 2009 09:27:22 +0100 (CET)
Message-ID: <4B025E6A.60900@iptel.org>
Date: Tue, 17 Nov 2009 09:27:22 +0100
From: Jiri Kuthan <jiri@iptel.org>
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Jon Peterson <jon.peterson@neustar.biz>
References: <F592E36A5C943E4E91F25880D05AD1140CC8E1F3@zrc2hxm0.corp.nortel.com> <4B01A877.4010306@iptel.org> <4B01B9E8.7050507@neustar.biz>
In-Reply-To: <4B01B9E8.7050507@neustar.biz>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: dispatch@ietf.org
Subject: Re: [dispatch] Identity Adhoc - Nov 9th: Notes available
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2009 08:27:26 -0000
Jon Peterson wrote: > > I was not arguing against NAT traversal, actually. From the start of the > SIP identity work, we considered support for NAT traversal as a > requirement. Of course, the authors of RFC4474 assumed that something > roughly like ICE would take over this role, and obviously the deployment > situation is bit more complicated (we similarly hoped that GRUU would > make it unnecessary for intermediaries to modify Contact headers, and so > on). Regardless, I still believe we need to have a reasonable story for > how an identity mechanism will accommodate NAT traversal. > > To rehash arguments that have circulated in this discussion many times, > one must distinguish the NAT traversal case from the "media steering" > requirement that has motivated much of the re-examination of identity. > RFC4474 signatures are applied not by the user agent (at least not in > the typical case), but rather by a server operated by the user agent's > administrative domain. The administrative domain can more or less modify > signaling arbitrarily before adding an Identity header per RFC4474. > Thus, some sort of intermediary that modifies SIP signaling for the sake > of NAT traversal can work with RFC4474, provided that the intermediary > acts before the Identity header is added. > > While it can therefore be argued that RFC4474 does not rule out > intermediary-based NAT traversal entirely, it does protect against any > intermediary altering SDP once a request has left the originating > administrative domain with an Identity header. > The "media steering" use > cases that challenge this design are predicated on an intermediary with > no necessary relationship to the originating or terminating > administrative domain unilaterally modifying SDP in transit, usually in > order to force layer 3 routing of media to pass through one or more > anchor points in a network - perhaps for the sake of drawing the traffic > across a managed circuit with carefully-managed quality, or to > facilitate lawful intercept, or what have you. It is that requirement > which I have consistently argued is equivalent to exposing this > mechanism to a man-in-the-middle attack. how is that different from a MiTM attacking SDP on the path from UA to a 4474-enable proxy? > If we removed enough > protections in the design of RFC4474 to enable media steering by "good" > intermediaries, we are effectively also enabling any malicious entities > to change those aspects of SIP requests as well. I'm wondering if RFC4474 can prevent MiTM as it is not guaranteed to provide end-to-end protection in the typical case. > > I do not find the requirement for NAT traversal unacceptable, but I do > consider the requirement for media steering highly dubious at best. Some while ago I would have thought that in this typical case there are two administrative zones under respective control with a pipe in between. Then it shall be manageable to put a SDP-manipulating closer to UA than 4474 processing. In the meantime I think it became hard to find a SIP path which in between two 4474 entities has nothing that rewrites SDP. -jiri > > Jon Peterson > NeuStar, Inc > > Jiri Kuthan wrote: >> I think it is worth mentioning and doublechecking a problem we touched >> in this conversation, which is SIP servers modifying SDP to facilitate >> NAT traversal. I think Jon P. has said this was unacceptable use-case not >> good enough as motivation for work related to it, because it exposes >> such calls to MiTM attacks. Is that right, Jon? >> >> -jiri >> >> Mary Barnes wrote: >>> >>> Hi all, >>> >>> I have uploaded Jim McEachern's notes from the Identity Adhoc yesterday: >>> http://www.softarmor.com/dispatch/IETF76/Meeting%20notes/Identity-AdHoc-Notes-jmce.doc >>> >>> >>> Regards, >>> Mary. >>> >>> >>> ------------------------------------------------------------------------ >>> >>> _______________________________________________ >>> dispatch mailing list >>> dispatch@ietf.org >>> https://www.ietf.org/mailman/listinfo/dispatch >
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- [dispatch] Identity Adhoc - Nov 9th: Notes availa… Mary Barnes
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Henry Sinnreich
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Francois Audet
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jon Peterson
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Victor Pascual Avila
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dean Willis
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Paul Kyzivat
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Dan Wing
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Bernard Aboba
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Cullen Jennings
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Hadriel Kaplan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Jiri Kuthan
- Re: [dispatch] Identity Adhoc - Nov 9th: Notes av… Elwell, John