Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

Samir Srivastava <samirs.lists@gmail.com> Fri, 07 October 2011 19:30 UTC

Date: Fri, 07 Oct 2011 12:33:34 -0700
Message-ID: <CAK+SpiyoDWiqmyab-D0KpT0zsDL=xhN-pnxearFBXBWAz=v+dQ@mail.gmail.com>
From: Samir Srivastava <samirs.lists@gmail.com>
To: "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>
Cc: "<sip@ietf.org>" <sip@ietf.org>, "Olle E. Johansson" <oej@edvina.net>

Inline, prefixed with SS>>

Regards
Samir

On Thu, Sep 15, 2011 at 10:05 AM, DRAGE, Keith (Keith) <
keith.drage@alcatel-lucent.com> wrote:

> Addressing the thread in general rather than Hadriel in particular.
>
> Please remember that RFC 5630 did not set out to create a complete solution
> to secure communication. That was left to separate work and no one at the
> time seemed interested in doing that next step, so it was abandoned.
>

SS>> Refer to the draft
http://datatracker.ietf.org/doc/draft-srivastava-dispatch-avoidance-of-threats/
submitted recently, and let me know your comments. What do we intend to do in
future? As per my recollection, the Security Advisor was not in agreement with my
proposal. But it was said that there will be a day when this solution will
be needed.


>
> What RFC 5630 set out to do was to define what occurred if you followed the
> RFC 3261 mechanisms, and to correct some of RFC 3261 that was known to be
> wrong and to attempt to make sure that if SIPS was used in the Request-URI,
> then TLS was used end to end. I do not believe there was ever an intent to
> try and control what happened hop by hop. If you know that TLS is being used
> on the local hop, but have absolutely no knowledge of whether it is being
> used anywhere else, how useful is that?
>
> While section 5, the normative section appears somewhat long, if you look
> at the impact of RFC 5630 in the way it changed RFC 3261 as stated in
> appendix A, it actually did very little in terms of change to the original
> RFC 3261 material.
>
> I'm not actually sure that the issue you point out in 3.1.3 actually
> impacts the above drastically.
>
> Do note however that if you want to perform new work, you probably need to
> take it to the SIPCORE list.
>


> Keith
>
> > -----Original Message-----
> > From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On Behalf Of
> > Hadriel Kaplan
> > Sent: 15 September 2011 17:31
> > To: Iñaki Baz Castillo
> > Cc: <sip@ietf.org>; Olle E. Johansson
> > Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
> >
> >
> > Oh I'm well aware of that. :)
> > I assumed this whole discussion was theoretical.
> > In *practice* using sips is tough.  Some systems don't support it and
> > will choke on the scheme, while some systems seem to ignore the extra "s".
> > And there are real problems with it even if you do everything by the book.
> > For example, it's not like Alice's UA will actually have a TLS cert to be
> > able to be a TLS server/listen-socket, so you can't open a TLS connection
> > to her UA regardless, ever.  And with TCP in general you have to treat
> > her Registered Contact connection as an outbound-style flow (ie, like an
> > alias'ed connection-reuse), even if the UAC doesn't indicate RFC 5626 nor
> > 5923.  Once you do that, using "sip" instead of "sips" contact works, or
> > has so far for us.  YMMV.
> >
> > -hadriel
> >
> >
> > On Sep 15, 2011, at 12:03 PM, Iñaki Baz Castillo wrote:
> >
> > > 2011/9/15 Hadriel Kaplan <HKaplan@acmepacket.com>:
> > >> No I mean if Bob wants to Refer Carol to Alice, or Alice to Carol
> > (since that Refer can be sent out of dialog to Alice's contact).
> > >
> > > Initial requests sent to a Contact address rather than being sent to
> > > an AoR are always problematic. The same occurs in attended transfer
> > > when the REFER is sent within the dialog and contains a Refer-To with
> > > the endpoint Contact URI. Such a URI could be unreachable if it's
> > > behind some kind of NAT (regardless of whether the user used STUN).
> > >
> > > --
> > > Iñaki Baz Castillo
> > > <ibc@aliax.net>
> >
> > _______________________________________________
> > Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
> > This list is essentially closed and only used for finishing old business.
> > Use sip-implementors@cs.columbia.edu for questions on how to develop a SIP
> > implementation.
> > Use dispatch@ietf.org for new developments on the application of sip.
> > Use sipcore@ietf.org for issues related to maintenance of the core SIP
> > specifications.
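The routing behaviour Hadriel describes above (keep the registered Contact's connection as an outbound-style flow and send requests back over it rather than connecting to the Contact URI, which a UA without a TLS server certificate cannot accept) and Keith's point that a sips Request-URI is meant to imply TLS to the target are sketched below as a small registrar/proxy model. This is an added example written for this archive page, not code from anyone in the thread or from any SIP implementation. The Flow and Binding types, the message strings and the choice of 480 as the rejection status are this example's own assumptions; so is treating sip: and sips: forms of an AoR as one registration.

```python
"""Flow-bound routing of registered contacts (constructed example).

A registrar records, with each Contact binding, the transport flow the
REGISTER arrived on; later requests for that AoR go back over the same
flow instead of opening a new connection to the Contact URI.  A sips
Request-URI is only forwarded when that flow is TLS.
"""
import re
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Flow:
    """One transport connection as seen by the registrar/proxy (hypothetical type)."""
    flow_id: str
    transport: str   # "tls", "tcp" or "udp"


@dataclass
class Binding:
    aor: str         # address-of-record taken from the REGISTER's To header
    contact: str     # Contact URI the UA registered
    flow: Flow       # flow the REGISTER arrived on


_START_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0", re.M)
_TO = re.compile(r"^To:\s*(?:\"[^\"]*\"\s*)?<([^>]+)>", re.I | re.M)
_CONTACT = re.compile(r"^Contact:\s*<([^>]+)>", re.I | re.M)


def aor_key(uri: str) -> str:
    """Index key for an AoR: scheme (sip/sips) and URI parameters dropped.
    Assumption of this example: sip:alice@... and sips:alice@... share one binding."""
    return re.sub(r"^sips?:", "", uri.split(";")[0], flags=re.I).lower()


class Registrar:
    def __init__(self) -> None:
        self.bindings: Dict[str, Binding] = {}

    def handle_register(self, msg: str, flow: Flow) -> Binding:
        """Store the Contact together with the flow it arrived on, whether or
        not the UAC signalled RFC 5626 outbound support."""
        aor = _TO.search(msg).group(1)
        contact = _CONTACT.search(msg).group(1)
        binding = Binding(aor=aor, contact=contact, flow=flow)
        self.bindings[aor_key(aor)] = binding
        return binding

    def route(self, msg: str) -> dict:
        """Decide where an incoming request for a registered AoR goes.
        Status codes here are this example's choice, not quoted from an RFC."""
        method, ruri = _START_LINE.search(msg).groups()
        binding = self.bindings.get(aor_key(ruri))
        if binding is None:
            return {"status": 480, "reason": "no binding for AoR"}
        if ruri.lower().startswith("sips:") and binding.flow.transport != "tls":
            # sips promises TLS to the target; a TCP/UDP flow cannot honour it,
            # so refuse rather than silently downgrade.
            return {"status": 480, "reason": "sips target only reachable over non-TLS flow"}
        # Reuse the registration flow; never try to connect to the Contact URI,
        # which would require the UA to act as a TLS server.
        return {"status": "forward", "method": method, "via_flow": binding.flow.flow_id,
                "transport": binding.flow.transport, "contact": binding.contact}


# Constructed sample messages (addresses from RFC 5737 documentation ranges).
REGISTER_TLS = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK776\r\n"
    "To: <sip:alice@example.com>\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "Contact: <sip:alice@192.0.2.10:5061;transport=tls>\r\n"
    "Expires: 3600\r\n\r\n"
)
# Same registration arriving over plain TCP instead of TLS.
REGISTER_TCP = REGISTER_TLS.replace("SIP/2.0/TLS", "SIP/2.0/TCP").replace(
    ":5061;transport=tls", ":5060;transport=tcp")
INVITE_SIPS = "INVITE sips:alice@example.com SIP/2.0\r\nTo: <sips:alice@example.com>\r\n\r\n"
INVITE_SIP = INVITE_SIPS.replace("sips:", "sip:")


def demo() -> dict:
    """Register Alice over a TLS flow, then route a sips INVITE back over that flow."""
    registrar = Registrar()
    registrar.handle_register(REGISTER_TLS, Flow("flow-1", "tls"))
    return registrar.route(INVITE_SIPS)


if __name__ == "__main__":
    print(demo())
```

With the binding learned over a TLS flow, a sips INVITE is forwarded over flow-1 without ever dialling the Contact; the same INVITE against a binding learned over TCP is refused, because the proxy knows only that its own hop is not TLS and cannot pretend otherwise.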