[secdir] secdir review of draft-ietf-cuss-sip-uui-10
"Scott G. Kelly" <scott@hyperthought.com> Fri, 31 May 2013 00:48 UTC
Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDD1C21F9921 for <secdir@ietfa.amsl.com>; Thu, 30 May 2013 17:48:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wh7z5E7INDw2 for <secdir@ietfa.amsl.com>; Thu, 30 May 2013 17:48:00 -0700 (PDT)
Received: from smtp182.iad.emailsrvr.com (smtp182.iad.emailsrvr.com [207.97.245.182]) by ietfa.amsl.com (Postfix) with ESMTP id 7D75921F9193 for <secdir@ietf.org>; Thu, 30 May 2013 17:48:00 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp28.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id DEEBAE0559; Thu, 30 May 2013 20:47:59 -0400 (EDT)
X-Virus-Scanned: OK
Received: from legacy18.wa-web.iad1a (legacy18.wa-web.iad1a.rsapps.net [192.168.4.108]) by smtp28.relay.iad1a.emailsrvr.com (SMTP Server) with ESMTP id C25B5E0544; Thu, 30 May 2013 20:47:59 -0400 (EDT)
Received: from hyperthought.com (localhost.localdomain [127.0.0.1]) by legacy18.wa-web.iad1a (Postfix) with ESMTP id ACBD536002E; Thu, 30 May 2013 20:47:59 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Thu, 30 May 2013 17:47:59 -0700 (PDT)
Date: Thu, 30 May 2013 17:47:59 -0700
From: "Scott G. Kelly" <scott@hyperthought.com>
To: draft-ietf-cuss-sip-uui.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
Message-ID: <1369961279.70598635@apps.rackspace.com>
X-Mailer: webmail7.0
Subject: [secdir] secdir review of draft-ietf-cuss-sip-uui-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2013 00:48:06 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. I have no expertise in SIP, and am providing this review as a first-level filter for our over-worked security ADs. So, please take my comments accordingly. Also, this review is a day late -- I hope it is still useful. This document defines a method for exchanging a blob of information between user agents during SIP session establishment (User to User Information, or UUI data) by adding a new SIP header. The data is intended to be opaque to SIP. There is a related problem statement RFC (6567) that briefly describes 3 different approaches to security, but neither document describes likely threats. They are implicit in the 3 models described in 6567 (e.g. treat the sip layer as "untrusted", treat the sip layer as "trusted", treat the transport domain as "trusted"), but I found myself wishing I had more info about real-world threats and countermeasures. Given that I am not a SIP expert (and don't have time to become one as part of this review), I don't know if this is an issue or not, but this is an impression I think worth mentioning. A second question relates to the binding of the UUI to its originator. The security considerations section suggests that the UUI might carry sensitive info requiring privacy or integrity protection, but does not mention origin authentication. There is a hint in the next paragraph (it says "History-Info can be used to determine the identity of the inserter"), but the relative security of this mechanism is not clear to me. Could an attacker forge History-Info? I don't know. What are the consequences of such behavior? I don't know. Seems like a well-written security considerations section would lay these questions to rest. Again, I have almost zero knowledge of SIP, so maybe answers are obvious to someone steeped in SIP lore, and I apologize if this is the case. But, these are my impressions. --Scott
- [secdir] secdir review of draft-ietf-cuss-sip-uui… Scott G. Kelly
- Re: [secdir] secdir review of draft-ietf-cuss-sip… Alan Johnston
- Re: [secdir] secdir review of draft-ietf-cuss-sip… Scott G. Kelly
- Re: [secdir] secdir review of draft-ietf-cuss-sip… Alan Johnston