[Gen-art] Re: Gen ART Early Review of draft-ietf-sip-e2m-sec-03.txt
Cullen Jennings <fluffy@cisco.com> Fri, 15 September 2006 19:57 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GOJp0-0007wE-Dt; Fri, 15 Sep 2006 15:57:58 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GOJoz-0007vw-DL for gen-art@ietf.org; Fri, 15 Sep 2006 15:57:57 -0400
Received: from sj-iport-5.cisco.com ([171.68.10.87]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GOJog-0002Mq-47 for gen-art@ietf.org; Fri, 15 Sep 2006 15:57:57 -0400
Received: from sj-dkim-8.cisco.com ([171.68.10.93]) by sj-iport-5.cisco.com with ESMTP; 15 Sep 2006 12:57:37 -0700
X-IronPort-AV: i="4.09,171,1157353200"; d="scan'208"; a="321789750:sNHT45722210"
Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-8.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k8FJvbFj024819; Fri, 15 Sep 2006 12:57:37 -0700
Received: from [192.168.1.3] (sjc-vpn4-129.cisco.com [10.21.80.129]) by sj-core-4.cisco.com (8.12.10/8.12.6) with ESMTP id k8FJva6W029557; Fri, 15 Sep 2006 12:57:36 -0700 (PDT)
In-Reply-To: <F222151D3323874393F83102D614E05502B6737E@CORPUSMX20A.corp.emc.com>
References: <F222151D3323874393F83102D614E05502B6737E@CORPUSMX20A.corp.emc.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <9F1D59A9-6287-4170-870A-870B8D837169@cisco.com>
Content-Transfer-Encoding: 7bit
From: Cullen Jennings <fluffy@cisco.com>
Date: Fri, 15 Sep 2006 12:57:36 -0700
To: Black_David@emc.com
X-Mailer: Apple Mail (2.752.2)
DKIM-Signature: a=rsa-sha1; q=dns; l=10176; t=1158350257; x=1159214257; c=relaxed/relaxed; s=sjdkim8002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fluffy@cisco.com; z=From:Cullen=20Jennings=20<fluffy@cisco.com> |Subject:Re=3A=20Gen=20ART=20Early=20Review=20of=20draft-ietf-sip-e2m-sec-03.txt; X=v=3Dcisco.com=3B=20h=3Dfz1uo7lh70CTsd61PgxzH9FpaKA=3D; b=PAhSwfamAQo2sWJSLdtxzuCPDyIbh/muId5e14Dj/9gaA3upOnBwXCE8IKKOOn2bRX2QpQ5x PgjY2QSHCuN792PfnZxff6x2lqpPGgarJY8yMEtZZgmEfg2gGhcZ/hj9;
Authentication-Results: sj-dkim-8.cisco.com; header.From=fluffy@cisco.com; dkim=pass ( 54 extraneous bytes; sig from cisco.com verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 17bdfcaea25d1444baef0e24abc38874
Cc: sip-chairs@tools.ietf.org, General Area Review Team <gen-art@ietf.org>, Rohan Mahy <rohan.mahy@plantronics.com>, Kumiko Ono <kumiko@cs.columbia.edu>, tachimoto.shinya@lab.ntt.co.jp
Subject: [Gen-art] Re: Gen ART Early Review of draft-ietf-sip-e2m-sec-03.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
Errors-To: gen-art-bounces@ietf.org
Hi David, Thank for doing this review - I have not got to go thorught the comments yet but I will. And thank you to the Gen ART team for experimenting doing an early review for this draft - I think this will help the draft be clearer to people during IETF LC and thus result in a better IETF LC. Cullen On Sep 14, 2006, at 5:16 PM, Black_David@emc.com wrote: > Ono-san and Tachimoto-san, > > I am the assigned Gen-ART reviewer for an Early Review of > draft-ietf-sip-e2m-sec-03.txt . > > For background on Gen-ART, please see the FAQ at > <http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html>. > > Please resolve these comments along with any other comments from your > AD. > > This draft is on the right track but has open issues, described > in the review. > > I should first caution everyone that this is my first serious > encounter > with both SIP and S/MIME, so I've probably tripped over some things > that > are obvious to those more familiar with these technologies. > > Overall, I think the structure of using multiple explicit S/MIME > recipients to obtain control over selective disclosure of sensitive > information to proxies between the SIP UAs is the right design, > along with the related use of S/MIME integrity, as SIP already uses > S/MIME. > > I consider the following three issues to be significant problems: > 1) The missing structural explanation that has me confused about > whether > a proxy can see that an SDP type was encrypted. > 2) Section 4.1's failure to authenticate sources of certificates > in error messages. > 3) Section 5's mixing of example discussion with protocol > requirements. > I've marked these three issues with *** below. > > Here are the details ... > > The Abstract says: > > This specification is approved at the proposed standards level > due to > the IANA registration requirements. Is is of sufficient quality > for > that level, however, the use of this mechanism in this > specification > are considered experimental. > > Ouch. I suspect Cullen is well aware of this issue, and a scan of the > IANA registration procedures for SIP don't indicate any other > obviously > appropriate way to go about this (e.g., a "P-" header does not appear > to be appropriate, as there are significant behavioral changes > involved). > > This draft needs to be looked at by an S/MIME expert, which is not me. > The I-D tracker indicates that Eric Rescorla has looked at the draft, > which may suffice - Eric is definitely a security expert, I just don't > know off the top of my head whether he's an S/MIME expert. > > Section 2.1: > > A discussion is needed in Section 2.1 about how to provide integrity > for data destined for a proxy. The answer (to be found much later > in the draft) is that one puts SignedData inside the envelope. In > addition to explaining that, the operational order of > sign-before-encrypt > ought to be a MUST, not a SHOULD for simplicity. Would putting > Digested-data inside the envelope also be acceptable? If not, it > should be prohibited with text here. > > Section 2.2: > > A UA MAY generate a signature in the SIP Identity [9] > header, only if the UA has its own public and private key. > > I think this is combining two statements that should be separated for > clarity: > - SIP identity and the signature it contains are optional (MAY) > - Generating that signature requires that the UA have a public/private > key pair that the UA is not required to have. > > Section 3: > > This sentence about the "Proxy-Required-Body" header is problematic: > > This indication is not mandatory implementation, since the proxy > server that has it own security policy attempts to view the message > body due to their own services, regardless of the indication by > UAs. > > I think "mandatory implementation" needs to be separated into UA and > proxy requirements. The "be conservative in what you send, be liberal > in what you accept" design philosophy suggests that use of > Proxy-Required-Body > ought to be a "MUST" for UAs when using the encryption functionality > in this draft, and a "MAY" for proxies under the same conditions (the > sentence quoted above is in support of the "MAY"), accompanied by the > discussion already in the draft about why a proxy might want to use > this > header to optimize message handling. The current language implies > that > a proxy implementer cannot rely on presence of this header - to change > that without adding the "MUST", add a discussion of what a proxy > implementer MAY do if this header that SHOULD have been present is > actually missing. > > Name of "Proxy-Required-Body": This sort of naming is a "SIP Police" > issue, and I'm not a member of the "SIP Police" in any sense. > Nonetheless, > the SIP "Proxy-Require" header appears to tell a proxy that it MUST > deal > with certain things that it could otherwise choose to ignore. In > contrast, > the "Proxy-Required-Body" header in this draft tells a proxy where to > find things that it will be able to decrypt. The use of "Require" for > this purpose could be interpreted to require a proxy to process > anything > it can decrypt. If that was not intended, a different name should be > chosen, perhaps Proxy-Recipient-Body. > > Section 4: > > *** I think I'm missing something. If I apply the technique in > Section > 4.1 of this draft to the example in section 23.4 of RFC 3261, then I > think the error that comes back from a proxy that wants to view > encrypted > content will contain the content type application/pkcs7-mime . If > that's what happens in general, then there are two types of proxies > wrt > encryption - those that allow encrypted content and those that don't > (and that really should be explained). This is similar to the digital > signature policy (either the proxy requires it or the proxy doesn't). > OTOH, I'm not clear on where in the structure of a SIP message the > S/MIME > message bodies discussed in Section 2 are allowed to occur, so I may > not be correct about what content type comes back for an encrypted > body > that a proxy wants to read - this suggests that Section 2 ought to be > expanded with a structural discussion that starts from a complete > SIP message and includes enough discussion of an SDP request in an > INVITE to set up the examples later. This concern also turns up in > the example in Section 5.1. > > Section 4.1 also needs to discuss proxy behavior with respect to > the SIP security tunneling techniques in Sections 23.4.2 and 23.4.3 > of RFC 3161. For the latter section, the draft needs to be explicit > about whether it is ok for a proxy to require that it be able to > decrypt a tunneled encrypted SIP body. > > *** Section 4.1 passes the proxy certificate back in the error > messages > without doing anything that would demonstrate that the certificate > came > from the holder of the corresponding private key. This allows for > some > interesting mischief that could be denial-of-service - the attacker > collects all the potentially valid proxy certificates and feeds them > back to the poor victim one at a time in these new SIP error messages > resulting in a lot of crypto calculation at the victim, and possibly > exposing message content to proxies or other entities that don't > actually > need to see the data. The requirements in Section 8.1 do not prevent > this attack as long as the attacker uses certificates that validate > appropriately (readily obtainable, as certificates are not secrets). > The proxy really should use its certificate to actually sign > something in the error message, and that should be something that > the UA > will know is fresh (i.e., that the proxy could not have seen > previously) > to prevent replay of the signed chunk - the call ID looks like it may > be sufficiently fresh for this purpose, and hence signing the SIP > headers > (or some subset thereof) in the error message should suffice. > > Figure 3's ASCII graphics need some tweaking to make it clear that > both firewall traversal and IM logging are on Proxy #1 and not > Proxy #2. > > Section 5: > > *** This whole section has structural problems as it describes a > specific example, making the use of "MUST" and "SHOULD" questionable. > The general specification of protocol requirements ought to be > separated out from this very useful discussion of a specific example. > > Section 5.1 - if the only encryption is end-to-end, why is there > no Content-Type in the error that comes back from the proxy? The > answer is in Section 5.3, and needs to be explained here. > > The discussion about enveloping SignedData in Section 5.1 needs to > be repeated in Section 2 - see above comment on Section 2.1. Also > the SHOULD for signing before encrypting ought to be a MUST for > simplicity if that's possible. > > Section 8.1 > > The discussion of certificate verification here needs to explicitly > invoke the requirements in RFC 3280, otherwise all sorts of security > sloppiness is possible. For example, there's no requirement in > this text to check for certificate revocation and the text on chaining > doesn't say that one needs to check that all certificates aside > from the leaf are allowed to sign other certificates. Just invoke > RFC 3280 to avoid "death by a thousand cuts" - there are lots of > details that matter, and they're all in RFC 3280 (Section 6). > > Section 8.2 > > In order to prevent such tampering, the UA SHOULD protect the data > integrity before encryption, when the encrypted data is meant to be > shared with multiple proxy servers, or to be shared with the UAS > and > selected proxy servers. > > That "SHOULD" ought to be a "MUST", and similarly for the rest of this > section. > > Thanks, > --David > ---------------------------------------------------- > David L. Black, Senior Technologist > EMC Corporation, 176 South St., Hopkinton, MA 01748 > +1 (508) 293-7953 FAX: +1 (508) 293-7786 > black_david@emc.com Mobile: +1 (978) 394-7754 > ---------------------------------------------------- _______________________________________________ Gen-art mailing list Gen-art@ietf.org https://www1.ietf.org/mailman/listinfo/gen-art
- [Gen-art] Gen ART Early Review of draft-ietf-sip-… Black_David
- [Gen-art] Re: Gen ART Early Review of draft-ietf-… Ono, Kumiko
- [Gen-art] Re: Gen ART Early Review of draft-ietf-… Cullen Jennings
- [Gen-art] Re: Gen ART Early Review of draft-ietf-… Ono, Kumiko
- [Gen-art] RE: Gen ART Early Review of draft-ietf-… Black_David