[Rum] RUM security model

Paul Kyzivat <pkyzivat@alum.mit.edu> Sat, 26 September 2020 17:21 UTC

To: rum@ietf.org
References: <159838856681.32208.2945571627178413540@ietfa.amsl.com> <E4141C48-64A1-4A34-81CD-2AFB098E411C@brianrosen.net> <eee4a662-9ccd-0ded-4639-76f5be34924b@alum.mit.edu>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <a4a62f53-1571-56ec-35b9-7faecd4fa480@alum.mit.edu>
Date: Sat, 26 Sep 2020 13:20:57 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:78.0) Gecko/20100101 Thunderbird/78.2.2
MIME-Version: 1.0
In-Reply-To: <eee4a662-9ccd-0ded-4639-76f5be34924b@alum.mit.edu>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/QzMRrfvZuEV6aIBh-ABlHm1xo9k>
Subject: [Rum] RUM security model
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Sep 2020 17:21:13 -0000

On 9/18/20 11:52 AM, Paul Kyzivat wrote:
> Brian,
> 
> Thanks for reviving this and resolving some of the open issues. I hope 
> we can soon identify and resolve remaining issues.
> 
> I do think the password issue is going to be tricky to sort out. We 
> should get a discussion going on it. I'm thinking that we may need a 
> whole section discussing the security model.

Some brainstorming on this - half-baked thoughts:

1) In many cases a RUM device is an always-on device. It must possess 
credentials that allow it to remain authenticated to a registrar even 
when no user is present. (Not different from many SIP devices, but worth 
calling out.)

2) It is the user (owner?) of the RUM device that must first 
authenticate to a provider. This authentication then needs to be 
delegated to the RUM device to satisfy the requirements of (1).

3) There will be a need for the *user* to periodically reauthenticate. 
This may sometimes be time based, but may also be required when the 
device or server has been compromised, etc. This can be a problem if it 
occurs when the user isn't immediately available. In most cases the RUM 
device should still be allowed to remain registered for receipt of 
incoming calls until such time as a user is present to participate in 
reauthentication.

4) Credentials held by the RUM device in support of (1) and (2) must be 
secured. It should be impossible for an attacker to extract these 
credentials and reuse them in another device. (This is hard. We may not 
be able to fully achieve it in the spec. But we need to consider it.)

5) The security system for RUM devices must be compatible with RUM 
devices that support simultaneous registration to multiple VRS 
providers. However, there is no requirement for a RUM device to support 
this feature. (It isn't clear to me if this requirement imposes any 
particular burden on the spec. I only bring it up to cover all the bases.)

Note:

In the above I keep using the term "RUM device". I did this because I 
*think* RUE is a more generic term that encompasses both RUM compliant 
devices and non-compliant ones like existing proprietary VRS provider 
supplied user devices.

I think it is too late to restrict the definition of RUE to being 
compliant to RUM, since it is used in the more generic sense in the 
provider profile. I'm content to keep using "RUM device" but I'm open to 
other suggestions. In any case, whatever we decide should go into the 
definitions.
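As an added illustration of the five points above (this is not part of the message, the RUM drafts, or any VRS provider's implementation), the following toy model walks a RUM device through the credential lifecycle being sketched: the user authenticates to the provider and the provider delegates a device-bound credential (point 2); the device registers unattended with that credential (point 1); when the user's reauthentication is overdue, or the provider forces reauthentication after a suspected compromise, the device drops to an incoming-calls-only state rather than being deregistered (point 3); a credential copied to another device that lacks the device key is rejected (point 4); and the same device holds independent credentials for two providers (point 5). The HMAC-based token, the challenge-style possession proof, the `Provider` and `DeviceCredential` names and the sample users and passwords are all constructed for this example and stand in for whatever mechanisms the spec would eventually mandate; the key-binding check in point 4 only helps if the device key itself is non-extractable, which the model assumes rather than shows.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from enum import Enum


class DeviceState(Enum):
    UNREGISTERED = "unregistered"    # credential rejected
    REGISTERED = "registered"        # full service, user authentication current
    INCOMING_ONLY = "incoming_only"  # point 3: reauth overdue, keep registration for incoming calls


@dataclass(frozen=True)
class DeviceCredential:
    provider: str
    user: str
    device_id: str
    expires_at: int   # seconds; deadline by which the *user* must reauthenticate
    token: bytes      # provider MAC over all fields above (hypothetical format)


def possession_proof(device_key, cred):
    """Device proves it holds its key without sending the key itself (constructed scheme)."""
    return hmac.new(device_key, cred.token, hashlib.sha256).digest()


class Provider:
    """Hypothetical VRS provider; stands in for whatever the RUM spec would mandate."""

    def __init__(self, name, users):
        self.name = name
        # Toy password store (unsalted SHA-256 only to keep the example short).
        self._users = {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}
        self._secret = secrets.token_bytes(32)
        self._device_keys = {}          # device_id -> enrolled device key
        self._reauth_required = set()   # devices flagged after suspected compromise

    def _mac(self, user, device_id, expires_at):
        msg = f"{self.name}|{user}|{device_id}|{expires_at}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def delegate(self, user, password, device_id, device_key, now, lifetime):
        """Point 2: the user authenticates; the provider hands the device a bound credential."""
        expected = self._users.get(user, "")
        presented = hashlib.sha256(password.encode()).hexdigest()
        if not hmac.compare_digest(expected, presented):
            return None
        self._device_keys[device_id] = device_key
        self._reauth_required.discard(device_id)
        expires_at = now + lifetime
        return DeviceCredential(self.name, user, device_id, expires_at,
                                self._mac(user, device_id, expires_at))

    def register(self, cred, proof, now):
        """Point 1: unattended registration using the delegated credential."""
        if cred.provider != self.name:
            return DeviceState.UNREGISTERED
        if not hmac.compare_digest(cred.token, self._mac(cred.user, cred.device_id, cred.expires_at)):
            return DeviceState.UNREGISTERED   # forged or tampered credential
        key = self._device_keys.get(cred.device_id)
        if key is None or not hmac.compare_digest(proof, possession_proof(key, cred)):
            return DeviceState.UNREGISTERED   # point 4: credential copied to a device without the key
        if now >= cred.expires_at or cred.device_id in self._reauth_required:
            return DeviceState.INCOMING_ONLY  # point 3: stay reachable until the user reauthenticates
        return DeviceState.REGISTERED

    def require_reauth(self, device_id):
        """Point 3: out-of-band trigger, e.g. suspected compromise of device or server."""
        self._reauth_required.add(device_id)


def scenario():
    """Walk one device through the situations in points 1-5; returns the outcomes."""
    now = 1_000_000
    day = 86_400
    vrs_a = Provider("vrs-a.example", {"alice": "correct horse"})   # constructed sample users
    vrs_b = Provider("vrs-b.example", {"alice": "battery staple"})
    device_key = secrets.token_bytes(32)   # would live in non-extractable storage on a real device
    cred_a = vrs_a.delegate("alice", "correct horse", "rum-1", device_key, now, day)
    cred_b = vrs_b.delegate("alice", "battery staple", "rum-1", device_key, now, day)
    results = {}
    results["bad_password"] = vrs_a.delegate("alice", "wrong", "rum-1", device_key, now, day) is None
    results["unattended"] = vrs_a.register(cred_a, possession_proof(device_key, cred_a), now + 3600)
    results["second_provider"] = vrs_b.register(cred_b, possession_proof(device_key, cred_b), now + 3600)
    cloned_key = secrets.token_bytes(32)   # cred_a copied to another device that lacks the device key
    results["cloned_device"] = vrs_a.register(cred_a, possession_proof(cloned_key, cred_a), now + 3600)
    tampered = DeviceCredential(cred_a.provider, cred_a.user, cred_a.device_id, cred_a.expires_at + day, cred_a.token)
    results["tampered_expiry"] = vrs_a.register(tampered, possession_proof(device_key, tampered), now + 3600)
    results["reauth_overdue"] = vrs_a.register(cred_a, possession_proof(device_key, cred_a), now + day + 1)
    vrs_a.require_reauth("rum-1")
    results["forced_reauth"] = vrs_a.register(cred_a, possession_proof(device_key, cred_a), now + 3600)
    cred_a2 = vrs_a.delegate("alice", "correct horse", "rum-1", device_key, now + day, day)
    results["after_reauth"] = vrs_a.register(cred_a2, possession_proof(device_key, cred_a2), now + day + 1)
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:16} {outcome}")
```

The design choice worth noting is that reauthentication deadlines and compromise flags degrade the device to `INCOMING_ONLY` instead of rejecting the registration outright, which is the behaviour point 3 asks for; rejection is reserved for credentials that fail the binding checks in point 4. Running the script prints one line per situation so the two outcomes can be compared side by side.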