Re: [secdir] secdir review of draft-ietf-simple-msrp-sessmatch

"Richard L. Barnes" <rbarnes@bbn.com> Tue, 29 June 2010 16:42 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F0BE03A6860; Tue, 29 Jun 2010 09:42:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.676
X-Spam-Level:
X-Spam-Status: No, score=-1.676 tagged_above=-999 required=5 tests=[AWL=0.923, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MchnrXpTIPXL; Tue, 29 Jun 2010 09:42:40 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id 2EC9F3A6868; Tue, 29 Jun 2010 09:42:40 -0700 (PDT)
Received: from ros-dhcp192-1-51-71.bbn.com ([192.1.51.71]:54895) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1OTdta-000Jwk-FR; Tue, 29 Jun 2010 12:42:50 -0400
Message-Id: <AAAA95F1-9DD8-43DB-A88A-832E5A68CC96@bbn.com>
From: "Richard L. Barnes" <rbarnes@bbn.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
In-Reply-To: <FF84A09F50A6DC48ACB6714F4666CC7468A54B9BC4@ESESSCMS0354.eemea.ericsson.se>
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Tue, 29 Jun 2010 12:42:48 -0400
References: <5A638DC0-41CF-4C0C-B00D-6793C43FB708@bbn.com> <AANLkTikyh2zkQgfnPNgW5orxXvP5fOw7KnpW03V_XFJJ@mail.gmail.com> <FF84A09F50A6DC48ACB6714F4666CC7468A54B9BC4@ESESSCMS0354.eemea.ericsson.se>
X-Mailer: Apple Mail (2.936)
Cc: "draft-ietf-simple-msrp-sessmatch@tools.ietf.org" <draft-ietf-simple-msrp-sessmatch@tools.ietf.org>, Ted Hardie <ted.ietf@gmail.com>, The IETF <ietf@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-simple-msrp-sessmatch
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jun 2010 16:42:41 -0000

>> I also note that the security considerations, in addition to
>> having some fairly disingenuous language about the impact of
>> this change, seems to fail to mention MSRPS URIs and what, if
>> any, impact this would have on them.
>
> There are no impacts to MSRPS URIs. I assumed it would be implicitly  
> understood since MSRPS URIs are not mentioned in the draft.
>
> However, we could explicitly make it clear by modifying the first  
> sentences of section 5:
> 	
>      "The change of session matching procedure does not impact the  
> format of MSRP URIs,
> 	disregarding if the "msrp" scheme or the "msrps" scheme is used.
> 	However, MSRP endpoints can only check that the session-id part of  
> the MSRP URI..."

The conflict here is that with MRSPS authentication, the name in the  
certificate is checked against the domain name in the URI, which was  
OK when the URI in the message was required to be the same.  By  
allowing the domain name in the message to change, this draft removes  
man-in-the-middle protection from MSRPS.

The document notes that a SIP MitM can already direct the user to  
another destination.  However, if the peers use MSRPS with the current  
authentication scheme, the MitM will not be able to be a part of the  
resulting MSRPS session, since he can't authenticate as one of the  
endpoints.  If only the session ID is used in comparisons, the MitM  
can patch himself in by changing the domain in the MSRPS URI.  (Which  
actually seems to be the intended use case for this draft.)

So the current document does introduce a new MitM vulnerability to  
MSRPS.

--Richard