[Sip] End-to-end security for DTLS-SRTP (FW: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt)
"Fischer, Kai" <kai.fischer@siemens.com> Wed, 23 January 2008 09:34 UTC
Return-path: <sip-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JHbzi-00031c-1u; Wed, 23 Jan 2008 04:34:06 -0500
Received: from sip by megatron.ietf.org with local (Exim 4.43) id 1JHbzg-00031O-Et for sip-confirm+ok@megatron.ietf.org; Wed, 23 Jan 2008 04:34:04 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JHbzf-00031C-JX for sip@ietf.org; Wed, 23 Jan 2008 04:34:03 -0500
Received: from goliath.siemens.de ([192.35.17.28]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JHbze-0001HG-N6 for sip@ietf.org; Wed, 23 Jan 2008 04:34:03 -0500
Received: from mail1.siemens.de (localhost [127.0.0.1]) by goliath.siemens.de (8.12.6/8.12.6) with ESMTP id m0N9Y1Ft026376 for <sip@ietf.org>; Wed, 23 Jan 2008 10:34:01 +0100
Received: from mchp7wta.ww002.siemens.net (mchp7wta.ww002.siemens.net [139.25.131.193]) by mail1.siemens.de (8.12.6/8.12.6) with ESMTP id m0N9Y1U1000271 for <sip@ietf.org>; Wed, 23 Jan 2008 10:34:01 +0100
Received: from MCHP7RDA.ww002.siemens.net ([139.25.131.171]) by mchp7wta.ww002.siemens.net with Microsoft SMTPSVC(6.0.3790.3959); Wed, 23 Jan 2008 10:34:01 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C85DA3.15D79A1D"
Subject: [Sip] End-to-end security for DTLS-SRTP (FW: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt)
Date: Wed, 23 Jan 2008 10:33:57 +0100
Message-ID: <198A10EC585EC74687BCA414E2A5971801FD49B7@MCHP7RDA.ww002.siemens.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Sip] End-to-end security for DTLS-SRTP (FW: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt)
Thread-Index: AchdoYOBj7k5YqdfRt26nwywkqFi4gAAD1sg
From: "Fischer, Kai" <kai.fischer@siemens.com>
To: sip@ietf.org
X-OriginalArrivalTime: 23 Jan 2008 09:34:01.0203 (UTC) FILETIME=[161BC430:01C85DA3]
X-Spam-Score: -4.0 (----)
X-Scan-Signature: f49c97ce49302a02285a2d36a99eef8c
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Errors-To: sip-bounces@ietf.org
Hi, I have submitted a draft proposing a solution to secure a DTLS-SRTP handshake and hence SRTP end-to-end (in terms of end-domain to end-domain). As discussed during the last IETF meetings and analyzed by Dan's Identity-Media draft, current solutions like SIP Identity do not protect the authenticity of the fingerprint end-to-end in certain inter-domain scenarios. For example, a modification of SDP m-/c-lines or the From header field by intermediaries breaks the SIP-Identity or Identity-Media signature and causes a re-signing by a domain different to the originating one. The draft proposes a solution for such scenarios without the need to re-sign during domain traversal and which preserves the original identity information. I appreciate your comments and opinions to the draft and the proposed solution. Kai > -----Original Message----- > From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org] > Sent: Mittwoch, 23. Januar 2008 10:20 > To: i-d-announce@ietf.org > Subject: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt > > A New Internet-Draft is available from the on-line > Internet-Drafts directories. > > Title : End-to-End Security for DTLS-SRTP > Author(s) : K. Fischer > Filename : draft-fischer-sip-e2e-sec-media-00.txt > Pages : 14 > Date : 2008-01-23 > > The end-to-end security properties of DTLS-SRTP depend on the > authenticity of the certificate fingerprint exchanged in the > signalling channel. In current approaches the authenticity is > protected by SIP-Identity or SIP-Identity-Media. These types of > signatures are broken if intermediaries like Session Border > Controllers in other domains change specific information of the SIP > header or the SIP body. The end-to-end security property between the > originating and terminating domain is lost if these intermediaries > re-sign the SIP message and create a new identity signature using > their own domain credentials. > > This document defines a new signature type 'Fingerprint-Identity' > which is exchanged in the signalling channel. Fingerprint-Identity > covers only those elements of a SIP message necessary to authenticate > the certificate fingerprint and to secure media end-to-end. It is > independent from SIP-Identity and SIP-Identity-Media and can be > applied in parallel to them. > > A URL for this Internet-Draft is: > http://www.ietf.org/internet-drafts/draft-fischer-sip-e2e-sec- > media-00.txt > > To remove yourself from the I-D Announcement list, send a message to > i-d-announce-request@ietf.org with the word unsubscribe in > the body of > the message. > You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce > to change your subscription settings. > > Internet-Drafts are also available by anonymous FTP. Login with the > username "anonymous" and a password of your e-mail address. After > logging in, type "cd internet-drafts" and then > "get draft-fischer-sip-e2e-sec-media-00.txt". > > A list of Internet-Drafts directories can be found in > http://www.ietf.org/shadow.html > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > Internet-Drafts can also be obtained by e-mail. > > Send a message to: > mailserv@ietf.org. > In the body type: > "FILE /internet-drafts/draft-fischer-sip-e2e-sec-media-00.txt". > > NOTE: The mail server at ietf.org can return the document in > MIME-encoded form by using the "mpack" utility. To use this > feature, insert the command "ENCODING mime" before the "FILE" > command. To decode the response(s), you will need "munpack" or > a MIME-compliant mail reader. Different MIME-compliant > mail readers > exhibit different behavior, especially when dealing with > "multipart" MIME messages (i.e. documents which have been split > up into multiple messages), so check your local documentation on > how to manipulate these messages. > > Below is the data which will enable a MIME compliant mail reader > implementation to automatically retrieve the ASCII version of the > Internet-Draft. >
_______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip