Re: [secdir] SecDir review of draft-ietf-sipcore-sip-websocket-08
Iñaki Baz Castillo <ibc@aliax.net> Thu, 11 April 2013 16:52 UTC
Return-Path: <ibc@aliax.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CCDB21F8771 for <secdir@ietfa.amsl.com>; Thu, 11 Apr 2013 09:52:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.677
X-Spam-Level:
X-Spam-Status: No, score=-2.677 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dcrHHb+8Emfh for <secdir@ietfa.amsl.com>; Thu, 11 Apr 2013 09:52:06 -0700 (PDT)
Received: from mail-qe0-f49.google.com (mail-qe0-f49.google.com [209.85.128.49]) by ietfa.amsl.com (Postfix) with ESMTP id 23D7921F8FAC for <secdir@ietf.org>; Thu, 11 Apr 2013 09:51:52 -0700 (PDT)
Received: by mail-qe0-f49.google.com with SMTP id 6so1006827qeb.8 for <secdir@ietf.org>; Thu, 11 Apr 2013 09:51:46 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-received:mime-version:in-reply-to:references:from:date:message-id :subject:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=oDx5pNovdftQVuzpQ2xvCXyX0m5am7j7rpdCmDb9x+g=; b=PEzWztWQQPH3Y6caGbkYqm41g/ZM5EmkNickSxV4nFv3XKbSgJw9i5BHNDnz8S9q+c OT4Uw9LGkKXUsYQCp4ZQKPeA0XjTtDj+Ulct5lr5pJ3PJtc8faLp4ccyapCHz/MELGKl Xsqk6C5Pp6uH/NvWhfAKdC+A825dOvWKgAvtcSCik4GFIPqKEmoCRYit/xKjYk1/G2lA 3BAOxkcPpBI0i4kGQ+WZ0TuCEP2oeKNnpW8c0mz3xAJAOt5CyOa3xdH9nTaRgy+BkGBN 88fcoqtDnQ/CvPSJBcIOZJs5iEVor79fsfOSwej9NdyWWI84GwjEyKeqly4F+4V7s0rh vuFw==
X-Received: by 10.49.104.196 with SMTP id gg4mr8998636qeb.53.1365699106545; Thu, 11 Apr 2013 09:51:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.49.81.175 with HTTP; Thu, 11 Apr 2013 09:51:25 -0700 (PDT)
In-Reply-To: <5165D736.9010903@gmail.com>
References: <5165D736.9010903@gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
Date: Thu, 11 Apr 2013 18:51:25 +0200
Message-ID: <CALiegfn55tepAXP2DJye6doFcd+ocY9a1oEchLLFhVo5BZf1VA@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQltcC6/qoQTPdlK6B5pHpm8k6zkTdYolfDDOSHg4M9bwKYSVj94Z+TUWVW7vI4DKk2U7xx/
Cc: draft-ietf-sipcore-sip-websocket.all@tools.ietf.org, The IESG <iesg@ietf.org>, IETF Security Directorate <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-sipcore-sip-websocket-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Apr 2013 16:52:08 -0000
2013/4/10 Yaron Sheffer <yaronf.ietf@gmail.com>: > Details > > RFC 3261 has 20 pages of security considerations, and defines several > security mechanisms. The current document "only" defines a transport for > SIP, but such transport needs to preserve the security of any SIP mechanisms > being used. In particular, it should be clear how endpoint identities are > determined at each layer and how identities at different layers relate to > one another. In other words, what's known as "channel binding". IMHO there is no a "channel binding". It may be or not, that's up to the implementor. For example an implementor could use the same WS connection and carry SIP registrations and calls from different SIP accounts over the same WS connection. Another implementor may associate (at server side) each WS connection with a SIP identity (for example the SIP identity could be provided in a URL parameter in the WS HTTP GET request, or retrieved from a Cookie in the same HTTP request). Honestly I don't think we should force a specific behavior here. When SIP is transported over TCP there is no rules in RFC 3261 stating that the endpoint is associated to the TCP connection, same here IMHO. > The only security-related section (other than the Security Considerations) > is Authentication (Sec. 7), and this section is marked non-normative. So the > reader is left to wonder: how is the SIP client authenticated? How does this > authentication relate to the WebSocket-level client authentication? And > similarly for the server. IMHO we should leave this as flexible as possible. For example, as author of OverSIP (the first SIP proxy with WebSocket support) I leave the user to program it custom logic for authenticating/authorizing WebSocket connections and the SIP "layer" on top of them. From section "WebSocket authentication/authorization" at http://oversip.net/documentation/misc/sip_websocket/: ------------------------------------------------------------------ WebSocket authentication/authorization When a WebSocket client attempts to establish a WebSocket connection, OverSIP invokes user programmable callbacks. The user can there inspect parameters from the connection (including the HTTP GET request of the WebSocket handshake) in order to decide, based on any custom policy, whether to allow or deny the connection. The user can also assign custom parameters to the authorized WebSocket connection and retrieve such parameters when processing SIP requests coming through that WebSocket connection. By playing with these features several architectural solutions can be built for implementing any kind of authentication/authorization system. ------------------------------------------------------------------ > Sec. 9.1 mentions (again, non-normatively) that SIP-level certificate checks > are omitted, and replaced by transport-level checks only. I believe this > significantly reduces the security properties of SIP. Moreover, it begs for > a policy tying WebSocket certificates to identities of the endpoints of the > SIP protocol. I agree that this subject should be improved. In fact, web browsers allow setting user certificates for authentication in some web sites requiring them. Most probably the same is valid for WSS connections and then, a client certificate would be sent when connecting to a specific WSS server. I should investigate it a bit more. Does it sound fine? Thanks a lot. -- Iñaki Baz Castillo <ibc@aliax.net>
- [secdir] SecDir review of draft-ietf-sipcore-sip-… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Iñaki Baz Castillo
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Iñaki Baz Castillo
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Iñaki Baz Castillo
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Iñaki Baz Castillo
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Iñaki Baz Castillo
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Iñaki Baz Castillo
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-sipcore-… Paul Kyzivat