[secdir] secdir review of draft-ietf-simple-msrp-sessmatch
"Richard L. Barnes" <rbarnes@bbn.com> Mon, 14 June 2010 17:21 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6515D3A68DC; Mon, 14 Jun 2010 10:21:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.929
X-Spam-Level:
X-Spam-Status: No, score=-0.929 tagged_above=-999 required=5 tests=[AWL=-0.930, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fp4KJmQO211r; Mon, 14 Jun 2010 10:21:53 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 60E833A68CC; Mon, 14 Jun 2010 10:21:53 -0700 (PDT)
Received: from ros-dhcp192-1-51-71.bbn.com ([192.1.51.71]:51891) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1OODMC-000H28-Gt; Mon, 14 Jun 2010 13:21:56 -0400
Message-Id: <5A638DC0-41CF-4C0C-B00D-6793C43FB708@bbn.com>
From: "Richard L. Barnes" <rbarnes@bbn.com>
To: secdir@ietf.org, iesg@ietf.org, The IETF <ietf@ietf.org>, draft-ietf-simple-msrp-sessmatch@tools.ietf.org
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Mon, 14 Jun 2010 13:21:55 -0400
X-Mailer: Apple Mail (2.936)
Subject: [secdir] secdir review of draft-ietf-simple-msrp-sessmatch
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jun 2010 17:21:54 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document changes the URI matching algorithm used in MSRP. MSRP sessions are typically initiated using SDP bodies in SIP. These SDP bodies contain MSRP URIs that the peers use to contact each other. When one peer receives a request to initiate a session, he verifies that the URI being requested is one that he initiated in SDP, thereby using the URI as a shared secret to authenticate that the originator of the session actually received the SDP body in question. According to the current SDP specification, this comparison is performed over the whole URI; this document restricts the comparison to the "session-id" component, omitting the host, port, and transport components. The goal of the document is to facilitate a certain class of man-in-the-middle attack, namely to allow a signaling intermediary to insert a media intermediary. The restriction on the URI comparison is needed in order for the media intermediary not to have to modify URIs in MSRP packets to reflect the modifications to URIs in SDP bodies performed to redirect traffic through the media intermediary. I have a few significant reservations about this document: This extension makes it more difficult for MSRP entities to secure their communications against attackers in the signaling path. The current model provides a basic integrity protection, in that signaling intermediaries cannot redirect traffic to an arbitrary third party; they must at least advise the third party about how to modify MSRP packets. The proposed modification would remove even this cost. Moreover, it raises the cost of providing integrity protection to messages, since Alice must now employ both integrity and confidentiality protections on an end-to-end basis; if her messages are only integrity-protected, then a proxy can remove the integrity protection and redirect traffic without it being observable to Alice. The document needs to clarify what the impacts are for authentication in secure modes of MSRP. In particular: -- The distinction between "self-signed" and "public" certificates is inappropriate. The proper distinction is between the name-based authentication in Section 14.2 of RFC 4975 and the fingerprint-based authentication in Section 14.4. -- In either case, changing the host name need not result in an authentication failure, since the media intermediary can simply authenticate as itself to both endpoints, having changed the respective MSRP URIs appropriately. -- There is currently no requirement that a endpoint identity in the To-Path URI matches the endpoint identity authenticated at the TLS layer, because these two are required to be the same. This document changes that assumption, and should note that these two identities can differ. The document also precludes any name-based multiplexing, where a single MSRP process (single IP address and port) directs requests to different virtual recipients based on the domain name in the To-Path header. (In analogy to Host-based multiplexing in HTTP, which is very widely deployed.) Since with this extension, the domain in the To- Path is completely unpredictable from the recipient's perspective, it is useless to the recipient. The document has no backward-compatibility. MSRP implementations that do not support this extension will not be able to receive MSRP sessions from implementations that do. In that regard, this document seems more like an new version of MSRP rather than an update.
- [secdir] secdir review of draft-ietf-simple-msrp-… Richard L. Barnes
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Richard L. Barnes
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Cullen Jennings
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Gonzalo Camarillo
- Re: [secdir] secdir review of draft-ietf-simple-m… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Ben Campbell
- Re: [secdir] secdir review of draft-ietf-simple-m… Ben Campbell
- [secdir] Draft new version: draft-ietf-simple-msr… Christer Holmberg
- Re: [secdir] secdir review of draft-ietf-simple-m… Gonzalo Camarillo
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Ted Hardie
- Re: [secdir] secdir review of draft-ietf-simple-m… Cullen Jennings
- Re: [secdir] secdir review of draft-ietf-simple-m… Ben Campbell
- Re: [secdir] [Simple] secdir review of draft-ietf… Adrian Georgescu
- Re: [secdir] [Simple] secdir review of draft-ietf… Ben Campbell
- Re: [secdir] [Simple] secdir review of draft-ietf… Adrian Georgescu
- Re: [secdir] secdir review of draft-ietf-simple-m… Gonzalo Camarillo
- Re: [secdir] [Simple] secdir review of draft-ietf… Ben Campbell