Re: [secdir] review of draft-ietf-sipcore-reinvite-06.txt

[Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>]

Hi Stephen,

thanks for your review. My answers inline:

On 21/10/2010 5:17 AM, Stephen Kent wrote:
> I reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.  Document editors and WG chairs should treat 
> these comments just like any other last call comments.
> 
> This document (draft-ietf-sipcore-reinvite-06.txt) provides 
> clarification on how to process a re-invite in SIP. The notion of a 
> re-invite is defined in RFC 3261 (SIP). This document was created to 
> clarify the description provided in 3261, based on feedback from 
> implementers. It includes a number of examples designed to clarify. 
> It is fair to say that this document not only offers clarifications, 
> but also makes some changes to SIP handling of re-INVITEs. For 
> example, the document notes that "Section 4.3 specifies new rules for 
> the handling of target-refresh requests."
> 
> The document makes reference to "properly" authenticated requests in 
> a couple of places (4.4 & 4.6), but provides no indication of what 
> constitutes proper authentication. I think it would be appropriate to 
> include references to whatever SIP security mechanisms are currently 
> recommended for message/session authentication (as opposed to what 
> 3261 said 8 years ago).

I suggest adding the following text in both places: "(see Section 26.2
of RFC 3261)".

http://tools.ietf.org/html/rfc3261#section-26.2

The way user agents authenticate incoming requests has not changed much
since RFC 3261 was published.

> The document has a trivial Security Considerations section:
> 
>     This document does not introduce any new security issue.  It just
>     clarifies how certain transactions should be handled in SIP.
>     Security issues related to re-INVITEs and UPDATE requests are
>     discussed in RFC 3261 [RFC3261] and RFC 3311 [RFC3311].
> 
> I checked 3261 and I agree that this document provides a decent 
> review of security for SIP in general, but it makes no specific 
> mention of UPDATE or (re)INVITE messages and attendant security 
> concerns. RFC 3311 has an almost trivial Security Considerations 
> section, but at least it does specifically refer to UPDATE and 
> (re-)Invite messages, briefly, and the need for authentication. I 
> think it would be appropriate to add a discussion of how these 
> clarifications operate in various SIP security contexts, e.g., use of 
> TLS for point-to-point SIP security or use of S/MIME for end-to-end 
> SIP security. A statement that the security offered for SIP when the 
> initial call setup was processed cannot be undermined by a later 
> re-INVITE or UPDATE would be reassuring (if accompanied by a 
> rationale for that statement :).
> 

I suggest adding the following text to the Security Considerations
Section. Feel free to edit the text if you wish:

"In particular, in order not to reduce the security level for a given
session, re-INVITEs and UPDATE requests SHOULD be secured in a similar
or stronger manner as the initial INVITE request that created the
session. For example, if the initial INVITE request was end-to-end
integrity protected or encrypted, subsequent re-INVITEs and UPDATE
requests should also be so."

A discussion on which security mechanisms should be applied in different
contexts in outside the scope of this document, IMHO. SIP has been and
is being deployed in so different environments that we would need a
whole document (or more likely a set of them) to discuss all relevant
issues.

Thanks,

Gonzalo