Re: [secdir] secdir review of draft-ietf-sipcore-sip-push-21

Christer Holmberg <christer.holmberg@ericsson.com> Sun, 06 January 2019 16:10 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Ben Campbell <ben@nostrum.com>, Benjamin Kaduk <kaduk@MIT.EDU>
CC: "Scott G. Kelly" <scott@hyperthought.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sipcore-sip-push.all@ietf.org" <draft-ietf-sipcore-sip-push.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Sun, 6 Jan 2019 16:10:11 +0000
Message-ID: <VI1PR07MB31674B4B0085EC2B6F4B385B93880@VI1PR07MB3167.eurprd07.prod.outlook.com>
References: <1546285539.44113084@apps.rackspace.com> <DB7PR07MB56286B4A2702A5FF1915D1D6938D0@DB7PR07MB5628.eurprd07.prod.outlook.com> <1546631184.64914945@apps.rackspace.com> <215DF6BE-69A3-4394-9BE2-EE7751957E07@nostrum.com> <20190105182119.GA28515@kduck.kaduk.org> <B02C0483-E53F-4C3E-8541-6FC3F2AB9DCC@nostrum.com> <20190105193346.GC28515@kduck.kaduk.org>, <8D02428A-AC2F-4D80-A108-CE55833CFAFE@nostrum.com>
In-Reply-To: <8D02428A-AC2F-4D80-A108-CE55833CFAFE@nostrum.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/KM4V2ikwFF9nUaFOdMDpc7CUJAE>

Hi,


For some reason all replies were not delivered to me yesterday, but I hope I am now replying to the latest one.


…



>>>>> That all being said, I would be happy to see something to the effect of the following
>>>>> in this draft: “The security considerations for the use and operation of any particular
>>>>> PNS is out of scope for this document. [RFC8030] documents the security considerations
>>>>> for HTTP Push. Security considerations for other PNSs are left to their respective specifications.”
>>>>
>>>> That seems like a pretty nice way to say it.

As indicated yesterday, I would be happy to add such text.

>>>>> Would that be sufficient to resolve your concern above?
>>>>
>>>> I think I would still like to see some indication of the potential
>>>> consequences for the mechanism defined in this document, if a PNS does not
>>>> (properly) perform authentication and authorization between UA/proxy and
>>>> PNS.
>>>
>>> (Having not yet read the whole spec I don't have a great picture of
>>> exactly what those consequences are.)
>>
>> That’s reasonable, and I think fits into the category of consequences to the SIP network
>> due to the interface.
>>
>> Thinking out loud: One thing that comes to mind would be the insertion of false push
>> notifications by an unauthorized 3rd party. It seems like the 3rd party would have to
>> learn the necessary parameters, which might be difficult. How guessable these parameters
>> might be would have an impact.
>>
>> If someone succeeded in this, I imagine it mostly as a DoS attack on handset battery life. It
>> could possibly be a DoS on the registrar.
>>
>> From a privacy perspective, an eavesdropper might be able to infer something about the number
>> of incoming calls to a handset. Hopefully there’s not much in the way of PSI in the push request
>> or notification themselves.

What about something like the following:

OLD:

   "Operators MUST ensure that the SIP signalling is properly secured,
   e.g., using encryption, from malicious middlemen.  TLS MUST be used,
   unless the operators know that the signalling is secured using some
   other mechanism.

   [RFC8292] defines a mechanism which allows a proxy to identity itself
   to a PNS, by signing a JWT sent to the PNS using a key pair.  The
   public key serves as an identifier of the proxy, and can be used by
   devices to restrict push notifications to the proxy associated with
   the key."

NEW:

   "The security considerations for the use and operation of any particular
   PNS is out of scope for this document. [RFC8030] documents the security
   considerations for the PNS defined in that specification. Security considerations
   for other PNSs are left to their respective specifications.

   Operators MUST ensure that the SIP signalling is properly secured,
   e.g., using encryption, from malicious middlemen.  TLS MUST be used,
   unless the operators know that the signalling is secured using some
   other mechanism that provides strong crypto properties.

   Unless the PNS authenticates and authorizes the PNS, malicious users that managed
   to get access to the parameters transported in the SIP signalling might be able to
   request push notifications towards a UA. While such push notifications will not
   have any security related impacts, they will impact the battery life of the UA and trigger
   unnecessary SIP traffic.

   [RFC8292] defines a mechanism which allows a proxy to identity itself
   to a PNS, by signing a JWT sent to the PNS using a key pair.  The
   public key serves as an identifier of the proxy, and can be used by
   devices to restrict push notifications to the proxy associated with
   the key."

Regards,

Christer
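
The RFC 8292 mechanism referred to in the proposed text, sketched as an added example (not part of the original message, the draft or RFC 8292): a PNS-side check that accepts a push request only when its JWT verifies under the public key the subscription is restricted to. The function names, the origin `https://pns.example` and the contact address are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');
const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Proxy side: ES256 JWT with the aud and exp claims RFC 8292 requires (sub is optional).
function signVapidJwt(privateKey, aud, exp) {
  const header = b64u(JSON.stringify({ typ: 'JWT', alg: 'ES256' }));
  const claims = b64u(JSON.stringify({ aud, exp, sub: 'mailto:ops@proxy.example' }));
  // JWS ES256 carries the raw r||s signature, not DER.
  const sig = crypto.sign('sha256', Buffer.from(`${header}.${claims}`),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${header}.${claims}.${b64u(sig)}`;
}

// Uncompressed P-256 point (0x04 || X || Y), the form in which the key is published.
function rawPublicKey(publicKey) {
  const { x, y } = publicKey.export({ format: 'jwk' });
  return Buffer.concat([Buffer.from([4]), Buffer.from(x, 'base64url'), Buffer.from(y, 'base64url')]);
}

// PNS side: verify the token, then enforce the subscription's key restriction.
function authorizePush(jwt, keyRaw, subscriptionKeyRaw, pnsOrigin, now) {
  const parts = jwt.split('.');
  if (parts.length !== 3 || keyRaw.length !== 65 || keyRaw[0] !== 4) return 'reject: malformed';
  let header, claims, key;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url'));
    claims = JSON.parse(Buffer.from(parts[1], 'base64url'));
    key = crypto.createPublicKey({ format: 'jwk', key: { kty: 'EC', crv: 'P-256',
      x: b64u(keyRaw.subarray(1, 33)), y: b64u(keyRaw.subarray(33)) } });
  } catch { return 'reject: malformed'; }
  if (header?.alg !== 'ES256') return 'reject: unexpected alg';
  const ok = crypto.verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!ok) return 'reject: bad signature';
  if (claims?.aud !== pnsOrigin) return 'reject: wrong audience';
  // RFC 8292: exp must not be more than 24 hours after the request.
  if (!(claims.exp > now && claims.exp <= now + 86400)) return 'reject: bad exp';
  if (!keyRaw.equals(subscriptionKeyRaw)) return 'reject: key not bound to subscription';
  return 'accept';
}

// Constructed demo: two freshly generated key pairs, no real deployment data.
function demo(now = 1546791011) {
  const proxy = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const bound = rawPublicKey(proxy.publicKey), pns = 'https://pns.example';
  return [authorizePush(signVapidJwt(proxy.privateKey, pns, now + 3600), bound, bound, pns, now),
    authorizePush(signVapidJwt(other.privateKey, pns, now + 3600), rawPublicKey(other.publicKey), bound, pns, now)];
}
console.log(demo());
```

The second demo request is validly signed, but by a key other than the one bound to the subscription, so it is refused even though the signature verifies.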