IETF Logo Mail Archive

Re: [Rum] [EXT] RUM security model

Brian Rosen <br@brianrosen.net> Tue, 03 November 2020 20:34 UTC

Return-Path: <br@brianrosen.net>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D46E73A1139 for <rum@ietfa.amsl.com>; Tue, 3 Nov 2020 12:34:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brianrosen-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PFXazeRFDl5y for <rum@ietfa.amsl.com>; Tue, 3 Nov 2020 12:34:14 -0800 (PST)
Received: from mail-qv1-xf32.google.com (mail-qv1-xf32.google.com [IPv6:2607:f8b0:4864:20::f32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F35093A1138 for <rum@ietf.org>; Tue, 3 Nov 2020 12:34:13 -0800 (PST)
Received: by mail-qv1-xf32.google.com with SMTP id g13so8580484qvu.1 for <rum@ietf.org>; Tue, 03 Nov 2020 12:34:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brianrosen-net.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=8j7JqFFa0+hhNT1Vgudtxuxo6RS69N5rvBUT1Ox9OzM=; b=zl5RAEA1UKrw7Delnmifflg+P58nIQ0zYPmBivCwiblpPSuWpq0e63vq1VVzn2wfMD X2XKKchjWVMh8Kt+SneG+VeBCxuMnkG03FWUOQvFM9S7+IChUFaU9uFGl2XiDOW+hn3z kCtjXQ66vGiuCJQ1k+fraGoqC8ntEWkoLC9JGp90wD5dG92IO534S/dnWLjaH68h6rbW gvLoXFqR1JWjIC75kuHtu+wa9xgX4vp9JXLRgnm4L1E4yY1sP3Oq/2D8Skf8IVHAKEBr aGRSGEXA/bHNgoteyr5xWEZxZNSozkbUgktRrLeA3ahlMQo9BKXjv+229b36yjogpzlj bNnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=8j7JqFFa0+hhNT1Vgudtxuxo6RS69N5rvBUT1Ox9OzM=; b=XTiu10Y+vFxVgU82zSbqeuB7p7mRFeAoBYulT6qh/xZ5z+s3GoLazN/Tm75Leg4J7u u6J4nMGWvWIe41bzqNvqPYMJVEUfmCsgWFNqzy1SJ02j9K2Gbux1Jg8z1dCD7E7FLG+/ YO/A1KkvL4WFIRD9JxSP+9dDORld+lY+4PUfiZ5rMIQfd+qWmuAANbipXD9mS64tuVd2 85uf3bGRqw9PbSEBRgabSN1JJrbJSkxHJI6fwsgsVhDNXawYzTQWfPycUi0RpDyvCroO b3OWtLM++9yH0bGmZ2ZQPur33HOjCnXWu7qq1S8D08j31Sz+5ljNucfyc5NQ6aJji2+c JGvg==
X-Gm-Message-State: AOAM531ZZwUa2fJxjvywxV0qE4FZyKTbs7LC1kylbTKzC/gxM+Pe7DBE 8Vv1IgZW1qwzA/PalkHG2bnt0w==
X-Google-Smtp-Source: ABdhPJyzeCNH03jacm5HLiCNkl6UruVceJYWW7iCji89U/AK4fEwmAxzb9SmUHUaFIZ/wwWk+CPpYg==
X-Received: by 2002:a0c:a2a6:: with SMTP id g35mr28470277qva.4.1604435652848; Tue, 03 Nov 2020 12:34:12 -0800 (PST)
Received: from brians-mbp-2871.lan (dynamic-acs-24-154-119-158.zoominternet.net. [24.154.119.158]) by smtp.gmail.com with ESMTPSA id m26sm11565118qka.118.2020.11.03.12.34.11 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 03 Nov 2020 12:34:12 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
From: Brian Rosen <br@brianrosen.net>
In-Reply-To: <90279636-259e-8ff6-7e28-406a84ddeccc@alum.mit.edu>
Date: Tue, 03 Nov 2020 15:34:09 -0500
Cc: Eugene Christensen <echristensen@sorenson.com>, "Olle E. Johansson" <oej@edvina.net>, "rum@ietf.org" <rum@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <1EE964DF-3F07-4F36-83C2-7B27068B434F@brianrosen.net>
References: <4d6ba97f-a83d-3d36-14a9-c6e84dd5b874@alum.mit.edu> <7A11F680-9EA6-4477-9BD8-6A7755AD0054@brianrosen.net> <7fdb95e6-e954-7275-60f7-462cf07eff0e@alum.mit.edu> <CAOPrzE1ONDUcGwvcfRhpyu9YM5JJJD92AsLKaeXvXqH4fmNbBw@mail.gmail.com> <92b5d34b-2fbf-0e2b-8562-8f7d11c5123b@alum.mit.edu> <F03944C6-0C19-4964-94A8-658B338526D4@brianrosen.net> <5e6d8446-c267-5113-aff1-fc87576b1317@alum.mit.edu> <BYAPR04MB49835526E9F63A38A5C56B86A31C0@BYAPR04MB4983.namprd04.prod.outlook.com> <38090A50-6572-4A8E-97D4-C260323365AE@brianrosen.net> <EC92824F-0175-407A-8175-A95DFE197B22@edvina.net> <f5c85256-45fe-2c0b-2b93-3fe4fd24e557@alum.mit.edu> <BYAPR04MB4983A00EF9CA72582AC270FAA3150@BYAPR04MB4983.namprd04.prod.outlook.com> <90279636-259e-8ff6-7e28-406a84ddeccc@alum.mit.edu>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/Ua9AOYRAI7JVCYXzfG5Sjv0vnrY>
Subject: Re: [Rum] [EXT] RUM security model
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Nov 2020 20:34:16 -0000

Classic API Keys don’t depend on user sign in: it’s built into the code.  In terms of our spec, all we would need is the mechanism to send the code, and we wouldn’t deal with how the code developer got the key.  Classically, it’s sent in some initial transaction after TLS is established, so the key can’t be observed.

If API Key’s are a satisfactory (to providers) way of controlling what implementations are allowed access, we can discuss mechanism and I’ll write text.

I think the fundamental question is do we want a SIP mechanism (which means TCP/TLS signaling) or an HTTP mechanism?  We could tie it to the retrieval of the config file if that is per-provider, which would be an HTTP mechanism, or we could include it in, say, a Call-Info header on a SIP REGISTER if that was TLS protected.

Brian


> On Nov 3, 2020, at 3:25 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
> 
> Eugene,
> 
> On 10/30/20 5:40 PM, Eugene Christensen wrote:
>> There has to be some amount of trust between the providers so I think we should consider the use of an API key for access to the provider's configuration service.  If an API key is given and another provider abuses that, it obviously could result in something bad but it could quickly be revoked by the provider; right?  And the company that has abused it will likely not be trusted in the future (motivation for maintaining trust).
> 
> It depends on how key management works. Does each device/app need to test with each provider and receive a separate key from each provider?
> Or does the testing happen with some testing organization who then provides a key that all providers accept?
> 
> The logistics of testing and revocation differ in these cases.
> 
>> Would it also be wise to use a client certificate for SIP communications once the RUE has the necessary info from the configuration service?  The client certificate could be embedded into the application.
> 
> From a practical perspective I think we need to authenticate using a password at some point. (Just due to logistics of bootstrapping and identifying the human user. Perhaps only for the config service.) Or perhaps could use OAuth to authenticate using Facebook/Google/...
> 
> From there it might make sense to provide certs for subsequent use.
> 
>> Is there any reason we cannot use language that makes the use of the API key and client certificate optional, at the discretion of the provider?  (e.g. The providers MAY require an API key for their configuration service and/or a client certificate for SIP communications).
> 
> Possibly. The devil is in the details here.
> 
> 	Thanks,
> 	Paul
> 
>> Thanks,
>> Eugene.
>> CONFIDENTIALITY NOTICE. This e-mail transmission, and any documents, files or previous e-mail messages attached to it, may contain confidential and proprietary information. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this message is STRICTLY PROHIBITED. If you have received this transmission in error, please immediately notify me by reply e-mail at echristensen@sorenson.com or by telephone at +1 (801) 287-9419, and destroy the original transmission and its attachments without reading them or saving them to disk.
>> -----Original Message-----
>> From: Paul Kyzivat <pkyzivat@alum.mit.edu>
>> Sent: Thursday, October 22, 2020 9:34 AM
>> To: Olle E. Johansson <oej@edvina.net>; Brian Rosen <br@brianrosen.net>
>> Cc: Eugene Christensen <echristensen@sorenson.com>; rum@ietf.org
>> Subject: Re: [Rum] [EXT] RUM security model
>> [EXTERNAL]
>> On 10/22/20 2:29 AM, Olle E. Johansson wrote:
>> [snip]
>>>> Brute force and DDoS attacks can’t be addressed by this document except in the Security Consideration section.  They are implementation issues.
>>> If there are specific attack vectors to RUM that doesn’t apply to SIP implementations in general, yes.
>> AFAIK there should be nothing special about VRS that makes it any more vulnerable to attack than any other sip service accessed over the public internet.
>> I'd like to hear from the providers if I am wrong about this.
>> 	Thanks,
>> 	Paul
>

v2.23.0 | Report a Bug | By Email