Re: [secdir] secdir review of draft-ietf-simple-msrp-sessmatch
Gonzalo Camarillo <gcamaril@gmail.com> Tue, 05 October 2010 07:32 UTC
Return-Path: <gcamaril@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1CA533A6EC8; Tue, 5 Oct 2010 00:32:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.574
X-Spam-Level:
X-Spam-Status: No, score=-5.574 tagged_above=-999 required=5 tests=[AWL=0.425, BAYES_00=-2.599, J_CHICKENPOX_14=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m0y-LnHRqZmQ; Tue, 5 Oct 2010 00:32:10 -0700 (PDT)
Received: from mailgw10.se.ericsson.net (mailgw10.se.ericsson.net [193.180.251.61]) by core3.amsl.com (Postfix) with ESMTP id 09E7F3A6E2C; Tue, 5 Oct 2010 00:32:08 -0700 (PDT)
X-AuditID: c1b4fb3d-b7cbfae00000264e-17-4caad4b12de7
Received: from esealmw127.eemea.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw10.se.ericsson.net (Symantec Mail Security) with SMTP id 45.2A.09806.1B4DAAC4; Tue, 5 Oct 2010 09:33:05 +0200 (CEST)
Received: from esealmw127.eemea.ericsson.se ([153.88.254.175]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959); Tue, 5 Oct 2010 09:33:05 +0200
Received: from [131.160.126.165] ([131.160.126.165]) by esealmw127.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.3959); Tue, 5 Oct 2010 09:33:05 +0200
Message-ID: <4CAAD4B0.2080807@gmail.com>
Date: Tue, 05 Oct 2010 10:33:04 +0300
From: Gonzalo Camarillo <gcamaril@gmail.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.8) Gecko/20100802 Thunderbird/3.1.2
MIME-Version: 1.0
To: Christer Holmberg <christer.holmberg@ericsson.com>
References: <7F2072F1E0DE894DA4B517B93C6A0585015BCA1D@ESESSCMS0356.eemea.ericsson.se>
In-Reply-To: <7F2072F1E0DE894DA4B517B93C6A0585015BCA1D@ESESSCMS0356.eemea.ericsson.se>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
X-OriginalArrivalTime: 05 Oct 2010 07:33:05.0168 (UTC) FILETIME=[8C7A3100:01CB645F]
X-Brightmail-Tracker: AAAAAA==
X-Mailman-Approved-At: Wed, 06 Oct 2010 06:26:37 -0700
Cc: Cullen Jennings <fluffy@cisco.com>, Ted Hardie <ted.ietf@gmail.com>, The IETF <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "ben@estacado.net" <ben@estacado.net>, "draft-ietf-simple-msrp-sessmatch@tools.ietf.org" <draft-ietf-simple-msrp-sessmatch@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-simple-msrp-sessmatch
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Oct 2010 07:32:12 -0000
Hi, Christer has submitted a new revision of this draft: https://datatracker.ietf.org/doc/draft-ietf-simple-msrp-sessmatch/ Those of you who sent IETF LC comments on this draft, could you please have a look at the new version and let Christer know if he has addressed your concerns? Thanks, Gonzalo On 31/08/2010 8:39 PM, Christer Holmberg wrote: > Hi, > > The purpose of this e-mail is to address the secdir comments given by Richard > Barnes and Ted Hardie. Due to summer vacations, standardization meetings > etc it took a while to put the e-mail together, and we appologise for that. > > GENERAL > ======= > > First, the draft does NOT propose any changes to the TLS authentication > procedures – that will be clarified. The changes are only related to the > procedure for matching an incoming MSRP message to an MSRP session that > has been negotiated using SDP – once any TLS authentication procedure has > already taken place. > > So, in case of TLS and name based authentication, if an SBC/ALG modifies > the a=path MSRP URI, the TLS authentication WILL fail. That is the current > behavior, and sessmatch doesn’t change that. > > We understand that this fact needs to be clearly indicated in the draft. > > Basically sessmatch allows so that, when using peer to peer MSRP, SIP SBCs > and SIP aware firewalls can be in the SIP signaling path without acting as > MSRP B2BUAs. But, for an SBC or ALG to interwork correctly with MSRP relays > the SBC/ALG needs to act as MSRP B2BUA, as today. > > Sessmatch aims to extend the usability of MSRP peer to peer communication to > scenarios where simple ALGs/SBCs are used, and at least in our experience > customer interest for standard MSRP has grown (from more or less zero) > dramatically due to sessmatch. And, OMA, which previously used a *non-standard* > version of MSRP (with no interoperability with standard MSRP), has also agreed > to switch to sessmatch (even if it required a number of changes in their > specifications). > > Second, the intention of sessmatch is not to modify the MSRP URI matching rules, > but rather to not use MSRP URI matching for session matching. > > Please also note that when we talk about SBCs/ALGs, we refer to entities that > normally do NOT have the capability to act as MSRP B2BUAs. > > We will comment the individual comments based on the assumptions above. > > > Comments from Richard > ===================== > >> I have reviewed this document as part of the security directorate's ongoing >> effort to review all IETF documents being processed by the IESG. These >> comments were written primarily for the benefit of the security area directors. >> Document editors and WG chairs should treat these comments just like any other >> last call comments. >> >> This document changes the URI matching algorithm used in MSRP. MSRP sessions >> are typically initiated using SDP bodies in SIP. These SDP >> bodies contain MSRP URIs that the peers use to contact each other. >> When one peer receives a request to initiate a session, he verifies that the >> URI being requested is one that he initiated in SDP, thereby using the URI as a >> shared secret to authenticate that the originator of the session actually >> received the SDP body in question. >> >> According to the current SDP specification, this comparison is performed over >> the whole URI; this document restricts the comparison to the "session-id" >> component, omitting the host, port, and transport components. The goal of the >> document is to facilitate a certain class of man-in-the-middle attack, namely >> to allow a signaling intermediary to insert a media intermediary. The >> restriction on the URI comparison is needed in order for the media intermediary >> not to have to modify URIs in MSRP packets to reflect the modifications to URIs >> in SDP bodies performed to redirect traffic through the media intermediary. > > When an MSRP UA receives an MSRP packet it performs msrp session matching in order > to verify that the msrp packet belongs to an existing SDP negotiated msrp session > at the UA. RFC4975 prescribes that URI matching should be used for session matching. > We argue that the namespace scoping of the session-id values that use of URI matching > brings is unnecessary. The 80-bit randomness of the session-id and the fact that it > was the UA itself that decided on the session-id value and can ensure that it is > unique within the UA makes the session-id sufficiently unique for session matching. > Sessmatch is not changing the MSRP URI matching algorithm, it is changing the session > matching algorithm not to use MSRP URI matching. > >> I have a few significant reservations about this document: >> >> 1) This extension makes it more difficult for MSRP entities to secure their >> communications against attackers in the signaling path. The current model >> provides a basic integrity protection, in that signaling intermediaries cannot >> redirect traffic to an arbitrary third party; they must at least advise the >> third party about how to modify MSRP packets. The proposed modification would >> remove even this cost. > > If we do not introduce the sessmatch change then the only alternative for MSRP > connections to be able to be set up when SBCs or SIP aware firewalls are in the > SIP signaling path is for these to introduce MSRP B2BUA support. This is probably > not feasible for most SBCs and SIP aware firewalls, and if it actually were > feasible then it would mean as big a security problem, or even bigger, than > sessmatch. The choice is thus to not use MSRP at all in presence of such devices > or to introduce sessmatch. Not to fix this probably would mean that use of MSRP > will be marginalized. > >> 2) Moreover, it raises the cost of providing integrity protection to messages, >> since Alice must now employ both integrity and confidentiality protections on >> an end-to-end basis; if her messages are only integrity-protected, then a proxy >> can remove the integrity protection and redirect traffic without it being >> observable to Alice. >> >> The document needs to clarify what the impacts are for authentication in secure >> modes of MSRP. In particular: >> -- The distinction between "self-signed" and "public" certificates is >> inappropriate. The proper distinction is between the name-based authentication >> in Section 14.2 of RFC 4975 and the fingerprint-based authentication in Section >> 14.4. > > We cannot find the terminology “name-based” authentication in RFC 4975. The RFC talks > about TLS authentication using either certificates from well-known certificate > authorities, or using self-signed certificates together with certificate fingerprints. > > Having said that, however, we DO agree that the terminology you suggest is more > appropriate than what we have used and we will introduce this terminology and explain > it in the Convention section of the sessmatch draft. > >> -- In either case, changing the host name need not result in an authentication >> failure, since the media intermediary can simply authenticate as itself to both >> endpoints, having changed the respective MSRP URIs appropriately. > > A media intermediary can only do this if it is an MSRP B2BUA, and sessmatch was > introduced just to avoid most SBCs and ALGs having to implement an MSRP B2BUA in order > to allow standard MSRP deployment. > >> -- There is currently no requirement that an endpoint identity in the To-Path >> URI matches the endpoint identity authenticated at the TLS layer, because these >> two are required to be the same. This document changes that assumption, and >> should note that these two identities can differ. > > We will explicitly mention this. > >> The document also precludes any name-based multiplexing, where a single MSRP >> process (single IP address and port) directs requests to different virtual >> recipients based on the domain name in the To-Path header. (In analogy to >> Host-based multiplexing in HTTP, which is very widely deployed.) Since with >> this extension, the domain in the To- Path is completely unpredictable from the >> recipient's perspective, it is useless to the recipient. > > That is correct, but there should be no problem for a single MSRP process (single > IP address and port) to direct requests to different virtual recipients - based > on the session-id instead. It is only needed for the different virtual recipients > to inform the receiver process on which session-ids that are currently negotiated > instead of informing it on which domain name the virtual recipient shall be > associated with. > >> The document has no backward-compatibility. MSRP implementations that do not >> support this extension will not be able to receive MSRP sessions from >> implementations that do. In that regard, this document seems more like a new >> version of MSRP rather than an update. > > It is not true that there is no backwards compatibility. If there are no > SIP ALGs/SBCs in the SIP/SDP signalling path then there is no problem for MSRP > implementations that do not support the sessmatch extension to receive MSRP > sessions from implementations that do. > > MSRP implementations that do not support the sessmatch extension are however not > able to establish MSRP end to end conversations if there are ALGs/SBCs in the > session path (unless these implement MSRP B2BUA) and sessmatch does not change this > fact – it will not work disregarding if the other endpoint supports sessmatch or not. > >>>> I also note that the security considerations, in addition to having >>>> some fairly disingenuous language about the impact of this change, >>>> seems to fail to mention MSRPS URIs and what, if any, impact this >>>> would have on them. >>> >>> There are no impacts to MSRPS URIs. I assumed it would be implicitly >>> understood since MSRPS URIs are not mentioned in the draft. >>> >>> However, we could explicitly make it clear by modifying the first >>> sentences of section 5: >>> >>> "The change of session matching procedure does not impact the >>> format of MSRP URIs, disregarding if the "msrp" scheme or the "msrps" scheme >>> is used. However, MSRP endpoints can only check that the session-id part of >>> the MSRP URI..." >> >> The conflict here is that with MRSPS authentication, the name in the >> certificate is checked against the domain name in the URI, which was OK when >> the URI in the message was required to be the same. By allowing the domain >> name in the message to change, this draft removes man-in-the-middle protection >>from MSRPS. >> >> The document notes that a SIP MitM can already direct the user to another >> destination. However, if the peers use MSRPS with the current authentication >> scheme, the MitM will not be able to be a part of the resulting MSRPS session, >> since he can't authenticate as one of the endpoints. If only the session ID is >> used in comparisons, the MitM can patch himself in by changing the domain in >> the MSRPS URI. (Which actually seems to be the intended use case for this >draft.) >> >> So the current document does introduce a new MitM vulnerability to MSRPS. > > Sessmatch does not change the fact that name based TLS authentication for MSRPS > will fail if an SBC or ALG has modified the hostname value in the MSRP URI in the > SDP a=path attribute without also acting as MSRP B2BUA. > > > Comments from Ted > ================= > >> I join Richard in believing that this document makes changes beyond that which >> could be understood as "updating" the MSRP URI scheme processing. >> >> ... >> >> I also note that the security considerations, in addition to having some fairly >> disingenuous language about the impact of this change, seems to fail to mention >> MSRPS URIs and what, if any, impact this would have on them. > > We will clarify what impacts there are. > > ------- > >>>> To highlight one particular aspect, RFC 4975 does not require >>>> session-ids to be present, a fact noted both in the ABNF and in this >>>> text: >>>> >>>> 4. The session-id part is compared as case sensitive. A URI without >>>> a session-id part is never equivalent to one that includes one. >>>> >>>> A matching scheme which relies on a URI section which is not >>>> guaranteed to be present has some interesting problems ahead of it. If >>>> this effectively makes their use mandatory, that requires a change to >>>> the fundamental ABNF and text. >>> >>> An MSRP URI in an SDP offer or answer for an MSRP session MUST include a >>> session-id part, so I believe the comment is >>> based on incorrect assumptions. >> >> This is not indicated in the URI matching section > > We will clarify that sessmatch conformant UAs do not use MSRP URI matching in > order to perform MSRP session matching. > >>> Section 6 of RFC 4975 says: >>> >>> "The session-id part identifies a particular session of the >>> participant. The absence of the session-id >>> part indicates a reference to an MSRP host device, but does not refer to a >>> particular session at that device." >>> >> >> The full section from which that quote is taken is: >> >> The MSRP URI authority field identifies a participant in a particular >> MSRP session. If the authority field contains a numeric IP address, >> it MUST also contain a port. The session-id part identifies a >> particular session of the participant. The absence of the session-id >> part indicates a reference to an MSRP host device, but does not refer >> to a particular session at that device. A particular value of >> session-id is only meaningful in the context of the associated >> authority; thus, the authority component can be thought of as >> identifying the "authority" governing a namespace for the session-id. >> >> This proposal changes the concept of a namespace authority present in the URI >> matching section of RFC 4975. I am sorry if my wry reference to this in my >> previous message was hard to follow; I should have known better. >> >> To be more plain, this proposal fundamentally changes the matching semantics of >> the URI set out in RFC 4975, by requiring a match on only a portion of the URI. >> At a bare minimum, this would require noting a normative update to section 6 >> and 6.1 of RFC 4975, which this draft does not do. In reality, this is >> unlikely to be sufficient, as URI matching semantics do not generally have the >> concept of ignoring the authority in providing a match (at least in my reading >> of the RFC 3986 "ladder of comparison" text). That means you'd have to special >> case the MSRP matching semantics, rather than have the URI be parsed and >> compared using a standard library. > > Sessmatch removes the URI matching as a means to do MSRP session matching, and > replaces it with a pure session-id matching. There is no need to create a new > URI scheme that does not re-use the authority component. We believe the minimum > 80-bit randomness of the session-id, together with the fact that the UA itself > generates the session-id it matches on, to be enough for the session-id to be > unique in the scope of the sessions that are active at the UA. > > Also, the security of the matching is not particularly decreased, since it is > relatively easy to find out the authority name anyway. > >>>> I also note that the security considerations, in addition to having >>>> some fairly disingenuous language about the impact of this change, >>>> seems to fail to mention MSRPS URIs and what, if any, impact this >>>> would have on them. >>> >>> There are no impacts to MSRPS URIs. I assumed it would be implicitly understood >>> since MSRPS URIs are not mentioned in the draft. >>> >>> However, we could explicitly make it clear by modifying the first sentences of >>> section 5: >>> >>> "The change of session matching procedure does not impact the format of MSRP >>> URIs, disregarding if the "msrp" scheme or the "msrps" scheme is used. >>> However, MSRP endpoints can only check that the session-id part of the MSRP >>> URI..." >>> >> This doesn't seem to me to actually work, based on Richard's comments, unless >> what you mean to say is "if MSRPS is in use, nothing in this draft can be >> used". That gives you different matching semantics for MSRPS (authority must >> be present and must be matched using TLS semantics) vs MSRP (only session-id is >> checked) which is at the very least a violation of the principle of least >> surprise (no other foo over TLS protocol works that way that I know of ). > > Session matching is done when receiving MSRP packets on an already established TCP > or TCP/TLS connection, and there will not be any different session matching procedure > depending on if the connection uses TLS or plain TCP. > > Regards, > > Christer >
- [secdir] secdir review of draft-ietf-simple-msrp-… Richard L. Barnes
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Richard L. Barnes
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Cullen Jennings
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Gonzalo Camarillo
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Ben Campbell
- Re: [secdir] secdir review of draft-ietf-simple-m… Ben Campbell
- [secdir] Draft new version: draft-ietf-simple-msr… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Gonzalo Camarillo
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Cullen Jennings
- Re: [secdir] secdir review of draft-ietf-simple-m… Ben Campbell
- Re: [secdir] [Simple] secdir review of draft-ietf… Adrian Georgescu
- Re: [secdir] [Simple] secdir review of draft-ietf… Ben Campbell
- Re: [secdir] [Simple] secdir review of draft-ietf… Adrian Georgescu
- Re: [secdir] secdir review of draft-ietf-simple-m… Gonzalo Camarillo
- Re: [secdir] [Simple] secdir review of draft-ietf… Ben Campbell