[secdir] secdir review of draft-lawrence-sipforum-user-agent-config-01
Jeffrey Hutzelman <jhutz@cmu.edu> Mon, 03 May 2010 21:26 UTC
Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 932793A6A9A; Mon, 3 May 2010 14:26:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.714
X-Spam-Level:
X-Spam-Status: No, score=-4.714 tagged_above=-999 required=5 tests=[AWL=-0.715, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c+GiOkNDAMeK; Mon, 3 May 2010 14:26:21 -0700 (PDT)
Received: from smtp02.srv.cs.cmu.edu (SMTP02.SRV.CS.CMU.EDU [128.2.217.197]) by core3.amsl.com (Postfix) with ESMTP id 7182C3A68BB; Mon, 3 May 2010 14:26:21 -0700 (PDT)
Received: from MINBAR.FAC.CS.CMU.EDU (MINBAR.FAC.CS.CMU.EDU [128.2.216.42]) (authenticated bits=0) by smtp02.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id o43LQ5c6015591 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 3 May 2010 17:26:05 -0400 (EDT)
Date: Mon, 03 May 2010 17:26:05 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: ietf@ietf.org, secdir@ietf.org, draft-lawrence-sipforum-user-agent-config.all@tools.ietf.org
Message-ID: <7DABD47951EF7DFC7760C11C@minbar.fac.cs.cmu.edu>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on 128.2.217.197
Subject: [secdir] secdir review of draft-lawrence-sipforum-user-agent-config-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 May 2010 21:26:22 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes a process by which a SIP User Agent can obtain configuration from a Configuration Service (CS) with a minimum of user interaction. This is particularly important since SIP UA's may be included in devices such as telephone adapters which are installed by end users and have little or no provision for user interface. The process described is relatively straightforward: - use LDDP-MED to get layer 2 up - use DHCP to get layer 3 up, and discover a local domain name - use U-NAPTR to turn the "configuration service name" (either the local domain name or a manually-entered name) into a set of one or more base configuration URL's - add some query parameters identifying the client, and use HTTPS GET Section 2.4.1 discusses authentication. The client is required to use the TLS server_name extension; however, the server name it is required to request is the name taken from the host part of the URL(s) obtained from U-NAPTR, rather than the Configuration Service Name (i.e. the local domain name or a manually-configured name). The latter should be used, so that the DNS-based indirection facilities are not required to be secure for the system to work. While DHCP is almost universally not secured, eliminating the need for pre-secured DNS still provides a substantial improvement. First, it is relatively easy for a deployment to require a user to enter a configuration service name rather than relying on one obtained from DNS. In fact, it may even be necessary to do so; for example, a telephone service provider offering SIP phone service to users via their existing home network cannot rely on being able to provide a particular domain name in the DHCP responses provided by an ISP or by the user's consumer-grade router/NAT box. Second, the resolution of the CS name to a base URL may require DNS queries to the internet at large, outside the user's network. Again, consider the case of a telephone service provider offering service via the user's existing network. This section says the UA SHOULD validate server certificates if possible, and otherwise MAY use SSH-style leap-of-faith. This seems reasonable for this application, where the use is provisioning a new device which, by definition, usually cannot have previously-provisioned trust anchors. Clients are REQUIRED to send a certificate if they have one, but are not required to have one. A CS SHOULD validate the client's certificate, and otherwise MAY do leap-of-faith caching, provided that HTTP authentication succeeds on this connection. However, it is unclear what, if anything, the client certificate identity is used for. If this identity is not used, then use of client certificates is pointless. Further, since HTTP authentication is not cryptographically bound to the TLS layer, successful HTTP auth does not demonstrate anything about the validity of the client certificate.
- [secdir] secdir review of draft-lawrence-sipforum… Jeffrey Hutzelman