[saag] Request for guidance regarding E2E security over Diameter

<lionel.morand@orange.com> Thu, 26 March 2015 16:24 UTC

From: lionel.morand@orange.com
To: "saag@ietf.org" <saag@ietf.org>
Date: Thu, 26 Mar 2015 16:24:25 +0000
Message-ID: <26716_1427387066_551432BA_26716_9790_2_6B7134B31289DC4FAF731D844122B36EEAF5B8@PEXCVZYM13.corporate.adroot.infra.ftgroup>
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/uZVj-0XfLB9x7s79LQ8-G-Xums0>
Cc: "dime-chairs@tools.ietf.org" <dime-chairs@tools.ietf.org>
Subject: [saag] Request for guidance regarding E2E security over Diameter

Hi,

As currently specified, the Diameter Base protocol (RFC 6733) only offers transport-level protection between neighboring Diameter peers, using either TLS/TCP, DTLS/SCTP, or IPsec as a last resort. However, no mechanism has been defined to ensure E2E security for data conveyed (in the form of Attribute-Value Pairs (AVPs)) in Diameter messages between two endpoints. In the early 2000s, at the beginning of the work on Diameter, CMS (Cryptographic Message Syntax) was identified as a solution to provide AVP-level E2E security, but this work was not completed due to lack of deployment interest (at least at that time) and the foreseen complexity of the developed solution for Diameter.

Due to the renewed interest in E2E security over Diameter, mainly for inter-domain signaling in the mobile network environment, the DIME WG has decided to reactivate the work on E2E security for Diameter. The first step is almost completed, with a document (draft-ietf-dime-e2e-sec-req-02) defining the requirements for an AVP-level E2E security solution. The second step will be to work on the specification of such a mechanism. An early proposal was to derive a solution from JOSE, encapsulating JOSE objects for integrity protection and AVP encryption. It is however expected that other mechanisms could be proposed as candidate solutions, and we already know that there are existing discussions on alternatives to JOSE (e.g. COSE).

Whatever the proposed solution(s), the DIME WG does not have (and will not have) the expertise required to evaluate and select the most appropriate security mechanism for E2E security over Diameter. We are therefore interested in any guidance and support from SAAG regarding the development of a solution for E2E security over Diameter, based on the requirements collected in draft-ietf-dime-e2e-sec-req-02.

Regards,

Lionel

_________________________________________________________________________________________________________________________

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
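As an added illustration (not part of this message, the DIME WG drafts or any Diameter implementation), the sketch below shows the AVP-level approach the message mentions: an endpoint wraps an RFC 6733-encoded AVP in a JWS compact serialization and carries it inside an opaque AVP, so a relay that terminates the hop-by-hop TLS session cannot alter the protected AVP without the far endpoint noticing. It assumes an HS256 key already shared by the two endpoints and uses a placeholder carrier AVP code (9999); key management and the encryption side are left out.

```python
import base64, hashlib, hmac, json, struct

# User-Name is AVP code 1 in RFC 6733; the carrier code 9999 is a constructed
# placeholder for this example, not a registered Diameter AVP.
USER_NAME_AVP = 1
E2E_CARRIER_AVP = 9999
AVP_FLAG_MANDATORY = 0x40

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_avp(code, flags, data):
    # RFC 6733 AVP (no vendor id): code 32 bits, flags 8 bits, length 24 bits
    # covering header plus data, then data padded to a 4-octet boundary.
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)

def decode_avp(buf):
    code, flags = struct.unpack("!IB", buf[:5])
    length = int.from_bytes(buf[5:8], "big")
    return code, flags, buf[8:length]

def jws_hs256_sign(payload, key):
    # JWS compact serialization: b64url(header).b64url(payload).b64url(tag)
    header = b64url(json.dumps({"alg": "HS256"}, separators=(",", ":")).encode())
    signing_input = header + "." + b64url(payload)
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)

def jws_hs256_verify(token, key):
    # Returns the protected payload, or None when the tag does not match.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        return None
    return b64url_decode(parts[1])

def protect_avp(avp_bytes, key):
    # Origin endpoint: sign the whole inner AVP and ship the JWS in a carrier AVP.
    return encode_avp(E2E_CARRIER_AVP, AVP_FLAG_MANDATORY, jws_hs256_sign(avp_bytes, key).encode())

def unprotect_avp(carrier_bytes, key):
    # Destination endpoint: verify the JWS, then decode the inner AVP; None on tampering.
    _, _, token = decode_avp(carrier_bytes)
    inner = jws_hs256_verify(token.decode(), key)
    return decode_avp(inner) if inner is not None else None
```

A relay that only re-encodes the carrier AVP (or rewrites the inner User-Name) produces a carrier that `unprotect_avp` rejects, which is exactly the property the hop-by-hop TLS/DTLS/IPsec protection of RFC 6733 cannot give on its own.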