Re: [secdir] secdir review of draft-ietf-sipcore-info-events

Christer Holmberg <> Tue, 20 April 2010 13:19 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 0245428C155 for <>; Tue, 20 Apr 2010 06:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.226
X-Spam-Status: No, score=-5.226 tagged_above=-999 required=5 tests=[AWL=1.373, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id gHIpw5+1DphF for <>; Tue, 20 Apr 2010 06:19:51 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id F402C3A69E2 for <>; Tue, 20 Apr 2010 06:19:24 -0700 (PDT)
X-AuditID: c1b4fb3d-b7bf6ae000005bec-d7-4bcda9d259fe
Received: from (Unknown_Domain []) by (Symantec Brightmail Gateway) with SMTP id 0C.DE.23532.2D9ADCB4; Tue, 20 Apr 2010 15:19:14 +0200 (CEST)
Received: from ([]) by ([]) with mapi; Tue, 20 Apr 2010 15:19:14 +0200
From: Christer Holmberg <>
To: Stephen Farrell <>, "" <>, "" <>, "" <>
Date: Tue, 20 Apr 2010 15:19:07 +0200
Thread-Topic: secdir review of draft-ietf-sipcore-info-events
Thread-Index: Acrgan2adtTaRafGR3CloxG6hYVqjgAHTm7g
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAA==
Subject: Re: [secdir] secdir review of draft-ietf-sipcore-info-events
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Apr 2010 13:19:54 -0000

Hi Stephen, 

Thanks for your review! Comments inline.


>This specification sort-of provides a SIP-based tunnel for 
>application protocols.
>1: What prevents (or allows detection of) insertion of bogus 
>Info Package specifications? (e.g. by a proxy). If nothing, 
>then why is this ok?

Unless you somehow secure your SIP signalling, evil proxies can insert/modify/remove more or less whatever information elements in the messages. It's not specific to INFO.


>2: I don't know how prevalent implementations of this are, or 
>will be, but since this calls for the user agents to include 
>a MIME parser plus parsers for whatever MIME types the user 
>agent claims to support, I'd say some guideance about 
>defensive programming (e.g. avoiding buffer overruns
>etc.) should be given somewhere (maybe that's a more generic 
>SIP thing though).

It is not necessarily the SIP stack of the user agent itself that needs to include the parser, but the application using the Info Package.

Also, I belive you would have the same issue for event packages.

Having said that, the trend today seem to be using XML, so probably there will not be a need for too many parsers.

>3. 4.2.2. says that a UA MUST indicate which Info packages it 
>supports.  That seems a bit open-kimono - why MUST all UAs 
>tell everyone everything they support all the time? Won't 
>that expose more attack surface than is wise? Wouldn't it be 
>better to first know who the other UA is, before telling them 
>everything every time? For example, imagine a UA supported 
>the "US Govt SECRET foobar application Info Package," I'm 
>guessing that it wouldn't be ok to just say that to every UA 
>one meets on the Internet.

The intention is to say that a UA MUST indicate which Info Packages it is willing to support for a specific session.

So, maybe something like:

"A UA which supports the Info Package mechanism MUST indicate, using
the Recv-Info header field, the set of Info Packages for which it is
willing to receive INFO requests for a specific session."


>4. 10.10 says that if TLS is not good enough, then use S/MIME.
>My understanding is that no UAs implement S/MIME (or CMS 
>really) and no networks support its use. So shouldn't that 
>really say "if TLS is not good enough, then just don't do it 
>or require the application to do its own security"? Same 
>point applies to section 13. I would think that securing 
>specific applications would be easier and more likely than 
>getting S/MIME used in UAs, so why not recommend that?

I don't think 10.10 says "then use S/MIME". It only says that one way to achieve end-to-end application security is to use S/MIME. Section 13 doesn't mention S/MIME.

And, the text DOES say that the Info Package specification needs to specify what kind of security is required.


>5. 1st para of section 13 says that this will be an 
>improvement over RFC2976. I would think a reference to the 
>problems with that RFC or to something detailing the expected 
>improvement is warranted.

I guess a reference to section 9.2 could be added:

"By eliminating multiple usages of INFO messages without adequate
community review and by eliminating the possibility for rogue SIP UAs
from confusing another UA by purposely sending unrelated INFO
requests, as described in section 9.2, we expect this document's 
clarification of the use of INFO to improve the security of the Internet."


>6. How and why would one "filter for approved Info Packages" 
>as stated in section 13? It seems like that single sentence 
>is either too much or too little, so maybe delete it or 
>expand upon it, so that an implementer might know what's 
>reasonable filtering.

Maybe the text could be modified to:

"Whilst rogue UAs can still send unrelated INFO requests, this mechanism provides mechanisms for
which the UAS and other security devices can associate INFO requests with Info Packages that have
been negotiated for a session."


>Non security notes:
>s1, 2nd para: how can you prevent INFO being used to update 
>the state of a "SIP dialog or session"? Seems like it'd be 
>more accurate to say that that's the intent but that there 
>really are no guarantees. The example given in the abstract 
>of RFC2976 seems in fact to be directly related to signalling 
>so that's confusing.

The purpose of the expert review is to ensure that an Info Package does not update the state.

Of course, an application that receives an Info Package may trigger actions that updates the session state.


>10.10: s/certain level/a certain level/

Fixed it will be.

Thank You!