[secdir] secdir review of draft-lawrence-sipforum-user-agent-config-01

Jeffrey Hutzelman <jhutz@cmu.edu> Mon, 03 May 2010 21:26 UTC

Return-Path: <jhutz@cmu.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 932793A6A9A; Mon, 3 May 2010 14:26:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.714
X-Spam-Level:
X-Spam-Status: No, score=-4.714 tagged_above=-999 required=5 tests=[AWL=-0.715, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c+GiOkNDAMeK; Mon, 3 May 2010 14:26:21 -0700 (PDT)
Received: from smtp02.srv.cs.cmu.edu (SMTP02.SRV.CS.CMU.EDU [128.2.217.197]) by core3.amsl.com (Postfix) with ESMTP id 7182C3A68BB; Mon, 3 May 2010 14:26:21 -0700 (PDT)
Received: from MINBAR.FAC.CS.CMU.EDU (MINBAR.FAC.CS.CMU.EDU [128.2.216.42]) (authenticated bits=0) by smtp02.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id o43LQ5c6015591 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 3 May 2010 17:26:05 -0400 (EDT)
Date: Mon, 03 May 2010 17:26:05 -0400
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: ietf@ietf.org, secdir@ietf.org, draft-lawrence-sipforum-user-agent-config.all@tools.ietf.org
Message-ID: <7DABD47951EF7DFC7760C11C@minbar.fac.cs.cmu.edu>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on 128.2.217.197
Subject: [secdir] secdir review of draft-lawrence-sipforum-user-agent-config-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 May 2010 21:26:22 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes a process by which a SIP User Agent can obtain
configuration from a Configuration Service (CS) with a minimum of user
interaction.  This is particularly important since SIP UA's may be
included in devices such as telephone adapters which are installed by
end users and have little or no provision for user interface.

The process described is relatively straightforward:
- use LDDP-MED to get layer 2 up
- use DHCP to get layer 3 up, and discover a local domain name
- use U-NAPTR to turn the "configuration service name" (either the local
  domain name or a manually-entered name) into a set of one or more
  base configuration URL's
- add some query parameters identifying the client, and use HTTPS GET


Section 2.4.1 discusses authentication.  The client is required to use
the TLS server_name extension; however, the server name it is required
to request is the name taken from the host part of the URL(s) obtained
from U-NAPTR, rather than the Configuration Service Name (i.e. the local
domain name or a manually-configured name).  The latter should be used,
so that the DNS-based indirection facilities are not required to be secure
for the system to work.

While DHCP is almost universally not secured, eliminating the need for
pre-secured DNS still provides a substantial improvement.  First, it is
relatively easy for a deployment to require a user to enter a configuration
service name rather than relying on one obtained from DNS.  In fact, it
may even be necessary to do so; for example, a telephone service provider
offering SIP phone service to users via their existing home network cannot
rely on being able to provide a particular domain name in the DHCP responses
provided by an ISP or by the user's consumer-grade router/NAT box.  Second,
the resolution of the CS name to a base URL may require DNS queries to the
internet at large, outside the user's network.  Again, consider the case of
a telephone service provider offering service via the user's existing 
network.

This section says the UA SHOULD validate server certificates if possible, 
and
otherwise MAY use SSH-style leap-of-faith.  This seems reasonable for this
application, where the use is provisioning a new device which, by 
definition,
usually cannot have previously-provisioned trust anchors.

Clients are REQUIRED to send a certificate if they have one, but are not
required to have one.  A CS SHOULD validate the client's certificate, and
otherwise MAY do leap-of-faith caching, provided that HTTP authentication
succeeds on this connection.  However, it is unclear what, if anything, the
client certificate identity is used for.  If this identity is not used, then
use of client certificates is pointless.  Further, since HTTP authentication
is not cryptographically bound to the TLS layer, successful HTTP auth does
not demonstrate anything about the validity of the client certificate.