Re: [secdir] secdir review of draft-ietf-sipcore-sip-push-21

Christer Holmberg <christer.holmberg@ericsson.com> Sun, 06 January 2019 21:00 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Ben Campbell <ben@nostrum.com>, "Scott G. Kelly" <scott@hyperthought.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sipcore-sip-push.all@ietf.org" <draft-ietf-sipcore-sip-push.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Sun, 6 Jan 2019 20:59:57 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/NHSYjDL4eI8QCvd6cCM8zs1kvA8>

Hi,


Based on the sec-dir comments, I have updated the pull request:


https://github.com/cdh4u/draft-sip-push/pull/31/files


I modified my suggested changes to the security considerations, in order to make everything fit with the existing text.


Ben, I think it would be useful to submit a new version of the draft before the IESG review.


Regards,


Christer


________________________________
From: Benjamin Kaduk <kaduk@mit.edu>
Sent: Sunday, January 6, 2019 8:05 PM
To: Christer Holmberg
Cc: Ben Campbell; Scott G. Kelly; secdir@ietf.org; draft-ietf-sipcore-sip-push.all@ietf.org; iesg@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-sipcore-sip-push-21

On Sun, Jan 06, 2019 at 04:10:11PM +0000, Christer Holmberg wrote:
> Hi,
>
>
> For some reason all replies were not delivered to me yesterday, but I hope I am now replying to the latest one.
>
>
> …
>
>
>
> >>>>> That all being said, I would be happy to see something to the effect of the following
> >>>>> in this draft: “The security considerations for the use and operation of any particular
> >>>>> PNS is out of scope for this document. [RFC8030] documents the security considerations
> >>>>> for HTTP Push. Security considerations for other PNSs are left to their respective specifications.”
> >>>>
> >>>> That seems like a pretty nice way to say it.
>
> As indicated yesterday, I would be happy to add such text.
>
> >>>>> Would that be sufficient to resolve your concern above?
> >>>>
> >>>> I think I would still like to see some indication of the potential
> >>>> consequences for the mechanism defined in this document, if a PNS does not
> >>>> (properly) perform authentication and authorization between UA/proxy and
> >>>> PNS.
> >>>
> >>> (Having not yet read the whole spec I don't have a great picture of
> >>> exactly what those consequences are.)
> >>
> >> That’s reasonable, and I think fits into the category of consequences to the SIP network
> >> due to the interface.
> >>
> >> Thinking out loud: One thing that comes to mind would be the insertion of false push
> >> notifications by an unauthorized 3rd party. It seems like the 3rd party would have to
> >> learn the necessary parameters, which might be difficult. How guessable these parameters
> >> might be would have an impact.
> >>
> >> If someone succeeded in this, I imagine it mostly as a DoS attack on handset battery life. It
> >> could possibly be a DoS on the registrar.
> >>
> >> From a privacy perspective, an eavesdropper might be able to infer something about the number
> >> of incoming calls to a handset. Hopefully there’s not much in the way of PSI in the push request
> >> or notification themselves.
>
> What about something like the following:

The general trend is looking good.  I'll probably have some wordsmithing
suggestions for "TLS MUST be used, unless [...]" in my ballot but don't
have a great suggestion right now.

-Benjamin

> OLD:
>
>    "Operators MUST ensure that the SIP signalling is properly secured,
>    e.g., using encryption, from malicious middlemen.  TLS MUST be used,
>    unless the operators know that the signalling is secured using some
>    other mechanism.
>
>    [RFC8292] defines a mechanism which allows a proxy to identify itself
>    to a PNS, by signing a JWT sent to the PNS using a key pair.  The
>    public key serves as an identifier of the proxy, and can be used by
>    devices to restrict push notifications to the proxy associated with
>    the key."
>
> NEW:
>
>   "The security considerations for the use and operation of any particular
>     PNS is out of scope for this document. [RFC8030] documents the security
>     considerations for the PNS defined in that specification. Security considerations
>     for other PNSs are left to their respective specifications.
>
>    Operators MUST ensure that the SIP signalling is properly secured,
>    e.g., using encryption, from malicious middlemen.  TLS MUST be used,
>    unless the operators know that the signalling is secured using some
>    other mechanism that provides strong crypto properties.
>
>    Unless the PNS authenticates and authorizes the PNS, malicious users that managed
>    to get access to the parameters transported in the SIP signalling might be able to
>    request push notifications towards a UA. While such push notifications will not
>    have any security related impacts, they will impact the battery life of the UA and trigger
>    unnecessary SIP traffic.
>
>    [RFC8292] defines a mechanism which allows a proxy to identify itself
>    to a PNS, by signing a JWT sent to the PNS using a key pair.  The
>    public key serves as an identifier of the proxy, and can be used by
>    devices to restrict push notifications to the proxy associated with
>    the key."
>
> Regards,
>
> Christer
>
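
Added example (not part of the original thread, and not code from the draft, RFC 8292 or any PNS): a sketch of the check the final quoted paragraph relies on, where the proxy signs an ES256 JWT and the PNS accepts a push request only if it verifies under the public key bound to the UA's subscription. The function names, the origin https://pns.example and the key handling are assumptions for illustration.

```javascript
// Added example, not code from the draft, RFC 8292 or any PNS.
const crypto = require('crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Buffer.from(s, 'base64'); // Node also accepts the URL-safe alphabet

// Proxy side: sign "header.claims" with the proxy's P-256 private key (ES256).
function signVapidJwt(privateKey, claims) {
  const input = b64u(JSON.stringify({ typ: 'JWT', alg: 'ES256' })) + '.' +
    b64u(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(input),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return input + '.' + b64u(sig);
}

// PNS side: accept a push request only if the JWT verifies under the public key
// the UA bound to its subscription, names this PNS, and is still fresh.
function pnsAccepts(jwt, boundPublicKey, pnsOrigin, nowSec) {
  const parts = jwt.split('.');
  if (parts.length !== 3) return false;
  let header, claims;
  try {
    header = JSON.parse(unb64u(parts[0]).toString('utf8'));
    claims = JSON.parse(unb64u(parts[1]).toString('utf8'));
  } catch (e) { return false; }
  if (!header || header.alg !== 'ES256') return false; // pin the algorithm
  if (!claims || claims.aud !== pnsOrigin) return false;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSec) return false;
  if (claims.exp > nowSec + 86400) return false; // exp at most 24 hours ahead
  try {
    return crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
      { key: boundPublicKey, dsaEncoding: 'ieee-p1363' }, unb64u(parts[2]));
  } catch (e) { return false; }
}

// Constructed demo: one legitimate proxy, and one third party that learned the
// push parameters from SIP signalling but holds a different key pair.
function demo(now = 1546808400) {
  const gen = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const proxy = gen(), other = gen();
  const pns = 'https://pns.example';
  const claims = { aud: pns, exp: now + 3600, sub: 'mailto:ops@proxy.example' };
  return {
    proxy: pnsAccepts(signVapidJwt(proxy.privateKey, claims), proxy.publicKey, pns, now),
    thirdParty: pnsAccepts(signVapidJwt(other.privateKey, claims), proxy.publicKey, pns, now),
    expired: pnsAccepts(signVapidJwt(proxy.privateKey, claims), proxy.publicKey, pns, now + 7200),
  };
}
```

With the key binding in place, knowing the push parameters alone is not enough to get a request accepted; without it, the PNS has nothing to distinguish the proxy from the third party.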