Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

"Olle E. Johansson" <oej@edvina.net> Fri, 16 September 2011 13:24 UTC

Return-Path: <oej@edvina.net>
X-Original-To: sip@ietfa.amsl.com
Delivered-To: sip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 030AB21F8C16 for <sip@ietfa.amsl.com>; Fri, 16 Sep 2011 06:24:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.235
X-Spam-Level:
X-Spam-Status: No, score=-2.235 tagged_above=-999 required=5 tests=[AWL=0.014, BAYES_00=-2.599, HELO_EQ_SE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lrx-3YCQP-9z for <sip@ietfa.amsl.com>; Fri, 16 Sep 2011 06:24:16 -0700 (PDT)
Received: from smtp7.webway.se (smtp7.webway.se [212.3.14.205]) by ietfa.amsl.com (Postfix) with ESMTP id 730CC21F8B5A for <sip@ietf.org>; Fri, 16 Sep 2011 06:24:16 -0700 (PDT)
Received: from [192.168.40.44] (ns.webway.se [87.96.134.125]) by smtp7.webway.se (Postfix) with ESMTPA id 23BD5754BCE5; Fri, 16 Sep 2011 13:26:28 +0000 (UTC)
Mime-Version: 1.0 (Apple Message framework v1244.3)
Content-Type: text/plain; charset=iso-8859-1
From: "Olle E. Johansson" <oej@edvina.net>
In-Reply-To: <EDC0A1AE77C57744B664A310A0B23AE220C0DD06@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com>
Date: Fri, 16 Sep 2011 15:26:26 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <DEDCF32A-9F63-4C07-8A44-0182E946DDA5@edvina.net>
References: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com> <CFFC2869-C704-423E-974D-3F4B93145BBB@edvina.net> <CALiegfnh2C3GNddnneepcVsGgtOd1pSDBVC3uH72S1KaVT_jHg@mail.gmail.com> <7889A6C3D41A49439DAECC7B4C998F011C07F2E6EF@MCHP058A.global-ad.net> <CALiegfkqnVMHSZuim33XNy8rPdBRmJsB6VRxF3mR1dEXvEdK-Q@mail.gmail.com> <CALiegf=jX6pkdw+xYueuEjgAoo_9XVhYqOgc0Uwx2yt7gqto1Q@mail.gmail.com> <7889A6C3D41A49439DAECC7B4C998F011C07F2EA81@MCHP058A.global-ad.net> <CALiegfnxSo3zvCHAUtFUU=2XODUJN3SNxhRgVZ+oF5tfsQFsFw@mail.gmail.com> <EDC0A1AE77C57744B664A310A0B23AE220C0DD06@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com>
To: "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>
X-Mailer: Apple Mail (2.1244.3)
Cc: "sip@ietf.org" <sip@ietf.org>, "Horvath, Ernst" <ernst.horvath@siemens-enterprise.com>
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2011 13:24:17 -0000

16 sep 2011 kl. 14:18 skrev DRAGE, Keith (Keith):

>> So IMHO SIPS and TLS is broken and it can only work when the full path
>> is secure (which is unfeasible in most of the environments). This
>> needs a rework ...
> 
> This conclusion is nothing new - it was essentially the conclusion of those working on RFC 5630. But it is not RFC 5630 that needs the rework; that document is pretty much correct within the constraints we gave it, which is to define what happens with the existing protocol and make minimum fixes to the existing protocol (indeed the original charter item was only the first half of this). 
> 
> There was a recognition that more could be achieved with a new mechanism (for example there was a draft from Vijay Gurbani), but that would have been a separate charter item, and noone seemed to have the enthusiasm at the time to work on it. That doesn't mean that that situation still persists and I'm sure you understand the process for bringing new work into IETF if you want to do something. But that is what it is, new work.

Thank you very much Keith for this clarification, which gives us the background we need.

Time to allocate resources to be able to work on this then.

/O