RE: [MMUSIC] Review of draft-saito-mmusic-sdp-ike-00
"Dan Wing" <dwing@cisco.com> Sun, 11 March 2007 21:27 UTC
Return-path: <mmusic-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1HQVZP-00080b-Pu; Sun, 11 Mar 2007 17:27:11 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1HQVZO-00080W-Gc for mmusic@ietf.org; Sun, 11 Mar 2007 17:27:10 -0400
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1HQVZM-0005RG-0K for mmusic@ietf.org; Sun, 11 Mar 2007 17:27:10 -0400
Received: from sj-dkim-7.cisco.com ([171.68.10.88]) by sj-iport-2.cisco.com with ESMTP; 11 Mar 2007 14:27:07 -0700
X-IronPort-AV: i="4.14,271,1170662400"; d="scan'208"; a="365042428:sNHT51607204"
Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-7.cisco.com (8.12.11/8.12.11) with ESMTP id l2BLR779022830; Sun, 11 Mar 2007 14:27:07 -0700
Received: from dwingwxp ([10.32.240.195]) by sj-core-4.cisco.com (8.12.10/8.12.6) with ESMTP id l2BLR1xR000198; Sun, 11 Mar 2007 21:27:06 GMT
From: Dan Wing <dwing@cisco.com>
To: 'EKR' <ekr@networkresonance.com>, mmusic@ietf.org
Subject: RE: [MMUSIC] Review of draft-saito-mmusic-sdp-ike-00
Date: Sun, 11 Mar 2007 14:27:01 -0700
Message-ID: <004b01c76424$05307310$c3f0200a@amer.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <20070310214614.256461CC77@delta.rtfm.com>
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.3028
Thread-Index: AcdjXfb5nMG7Pg8pQvmQWucYx7XewwAxFQcA
DKIM-Signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4577; t=1173648427; x=1174512427; c=relaxed/simple; s=sjdkim7002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[MMUSIC]=20Review=20of=20draft-saito-mmusic-sdp-ike-0 0 |Sender:=20; bh=YubKmP30DAjAn04n7RBL+dPmGEdbYTJAeAP9LWjzlNM=; b=H4ChQu9EZ9Uavl8vp9WcLbfpJJNFDBEthOaQ9VLVswlS1SP8oCHMxVtQA40PX33E6baot4EB 4KBw3WGVxrF6LuE/dXC8mIciUxz4/T3yPjRe79zqEmOA4UO1ZMdW9hSh;
Authentication-Results: sj-dkim-7; header.From=dwing@cisco.com; dkim=pass (s ig from cisco.com/sjdkim7002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 1676547e4f33b5e63227e9c02bd359e3
Cc:
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Errors-To: mmusic-bounces@ietf.org
> -----Original Message----- > From: EKR [mailto:ekr@networkresonance.com] > Sent: Saturday, March 10, 2007 1:46 PM > To: mmusic@ietf.org > Subject: [MMUSIC] Review of draft-saito-mmusic-sdp-ike-00 > > $Id: draft-saito-mmusic-sdp-ike-00-rev.txt,v 1.1 2007/03/10 > 21:57:28 ekr Exp $ You may recall a presentation by Makoto Saito an IETF or two back, which did something similar (it did the IPsec key exchange in SIP, similar to sdescriptions). At the microphone, you said the approach wasn't reasonable. This document provides a new approach that is similar to comedia-tls and dtls-srtp. > This document describes a mechanism whereby a SIP/SDP exchange can > be used to kick off an IPsec association. The idea seems to be > that I have the AOR for some machine behind a NAT or a firewall > and I want to set up an IPsec tunnel. So, I use SIP address > resolution and then SIP to signal to it and then set up an > IPsec SA as if it were a media connection. > > There's no ladder diagram, but I think it looks something like > this: > > > Alice Proxy Bob > ----------------------------------------------- > INVITE (IP=A.B.C.D) -> > Fingerprint=XXXX > INVITE (IP=A.B.C.D) -> > Fingerprint=XXXX > > <- 200 OK (IP=W.X.Y.X) > Fingerprint=XXXX > > <- 200 OK (IP=W.X.Y.X) > Fingerprint=XXXX > > > <------------- IKE exchange -----------------> > > <=============== IPsec tunnel ================> > > > My first question here is what the use case for this technique > is. When would I want to set up a VPN to a machine behind a > NAT? It's not necessarily to a machine behind the NAT, but could also be to the NAT itself (if the NAT itself implements draft-saito-mmusic-sdp-ike). The idea being you could be on the road with your fancy wireless device, could "call home" (using draft-saito-mmusic-sdp-ike), and after the IPsec tunnel is established with your NAT (or, if you prefer, with a device that is behind your NAT), you can then interact with every device within your home as if you were at home ---- those devices don't need to understand SIP or IPsec tunnels or any of that; they just need an IP stack. > That said, this draft seems to solve two problems: > > 1. Discovery of the current IP address of a given machine. > 2. Using SIP to authenticate the certificates of the client > and server as per comedia. > > So, given that there is a use case for this, (1) seems legitimate. > (2) strikes me as not quite right, though. Under what circumstances > are you going to set up a VPN tunnel to a machine that you've never > talked to before? > Surely you already have its public key or some > way of authenticating it. I would think this would go double for > the receiver. I'm not about to let someone set up a VPN tunnel > to me (especially since the claimed purpose here is NAT traversal!) > without knowing who they are. So, I'm not sure what the fingerprint > exchange buys you. For the use-case described in the draft, it's probably not necessary. However, it's reasonable to expect there are other use cases we haven't yet envisioned, and exchanging the fingerprint seems valuable. > Finally, my impression was that NATs weren't that great about > passing IKE and IPsec in general. They aren't, but that's what IPsec-over-UDP solves. And if draft-saito-mmusic-sdp-ike is implemented in the NAT device itself (rather than in a device behind the NAT), this concern is diminished. Of course, the concern comes back if the ISP is NATting their subscribers. > Aren't you going to want to > use ICE to establish that you have a clear channel. Probably, but that's orthogonal. The main goal of this specification is setting up IPsec using SIP. > Actually, > while we're on the topic, wouldn't ICE need to establish not > only that UDP traffic can pass through (for IKE) but also > whether plain IPsec can pass or whether it needs UDP wrapping > I'm not actually sure that ICE can do that now... No, ICE can't do that now, but a connectivity check would be pretty useful to determine if you could do native IPsec or if you needed to do IPsec-over-UDP or IPsec-over-TCP. -d > -Ekr > > > > > _______________________________________________ > mmusic mailing list > mmusic@ietf.org > https://www1.ietf.org/mailman/listinfo/mmusic _______________________________________________ mmusic mailing list mmusic@ietf.org https://www1.ietf.org/mailman/listinfo/mmusic