[Sip] End-to-end security for DTLS-SRTP (FW: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt)

"Fischer, Kai" <kai.fischer@siemens.com> Wed, 23 January 2008 09:34 UTC

Return-path: <sip-bounces@ietf.org>
Received: from [] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JHbzi-00031c-1u; Wed, 23 Jan 2008 04:34:06 -0500
Received: from sip by megatron.ietf.org with local (Exim 4.43) id 1JHbzg-00031O-Et for sip-confirm+ok@megatron.ietf.org; Wed, 23 Jan 2008 04:34:04 -0500
Received: from [] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JHbzf-00031C-JX for sip@ietf.org; Wed, 23 Jan 2008 04:34:03 -0500
Received: from goliath.siemens.de ([]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1JHbze-0001HG-N6 for sip@ietf.org; Wed, 23 Jan 2008 04:34:03 -0500
Received: from mail1.siemens.de (localhost []) by goliath.siemens.de (8.12.6/8.12.6) with ESMTP id m0N9Y1Ft026376 for <sip@ietf.org>; Wed, 23 Jan 2008 10:34:01 +0100
Received: from mchp7wta.ww002.siemens.net (mchp7wta.ww002.siemens.net []) by mail1.siemens.de (8.12.6/8.12.6) with ESMTP id m0N9Y1U1000271 for <sip@ietf.org>; Wed, 23 Jan 2008 10:34:01 +0100
Received: from MCHP7RDA.ww002.siemens.net ([]) by mchp7wta.ww002.siemens.net with Microsoft SMTPSVC(6.0.3790.3959); Wed, 23 Jan 2008 10:34:01 +0100
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----_=_NextPart_001_01C85DA3.15D79A1D"
Subject: [Sip] End-to-end security for DTLS-SRTP (FW: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt)
Date: Wed, 23 Jan 2008 10:33:57 +0100
Message-ID: <198A10EC585EC74687BCA414E2A5971801FD49B7@MCHP7RDA.ww002.siemens.net>
Thread-Topic: [Sip] End-to-end security for DTLS-SRTP (FW: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt)
Thread-Index: AchdoYOBj7k5YqdfRt26nwywkqFi4gAAD1sg
From: "Fischer, Kai" <kai.fischer@siemens.com>
To: sip@ietf.org
X-OriginalArrivalTime: 23 Jan 2008 09:34:01.0203 (UTC) FILETIME=[161BC430:01C85DA3]
X-Spam-Score: -4.0 (----)
X-Scan-Signature: f49c97ce49302a02285a2d36a99eef8c
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Errors-To: sip-bounces@ietf.org

I have submitted a draft proposing a solution to secure a DTLS-SRTP
handshake and hence SRTP end-to-end (in terms of end-domain to
end-domain). As discussed during the last IETF meetings and analyzed by
Dan's Identity-Media draft, current solutions like SIP Identity do not
protect the authenticity of the fingerprint end-to-end in certain
inter-domain scenarios. For example, a modification of SDP m-/c-lines or
the From header field by intermediaries breaks the SIP-Identity or
Identity-Media signature and causes a re-signing by a domain different
to the originating one. The draft proposes a solution for such scenarios
without the need to re-sign during domain traversal and which preserves
the original identity information.

I appreciate your comments and opinions to the draft and the proposed


> -----Original Message-----
> From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org] 
> Sent: Mittwoch, 23. Januar 2008 10:20
> To: i-d-announce@ietf.org
> Subject: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt 
> A New Internet-Draft is available from the on-line 
> Internet-Drafts directories.
> 	Title           : End-to-End Security for DTLS-SRTP
> 	Author(s)       : K. Fischer
> 	Filename        : draft-fischer-sip-e2e-sec-media-00.txt
> 	Pages           : 14
> 	Date            : 2008-01-23
> The end-to-end security properties of DTLS-SRTP depend on the
> authenticity of the certificate fingerprint exchanged in the
> signalling channel.  In current approaches the authenticity is
> protected by SIP-Identity or SIP-Identity-Media.  These types of
> signatures are broken if intermediaries like Session Border
> Controllers in other domains change specific information of the SIP
> header or the SIP body.  The end-to-end security property between the
> originating and terminating domain is lost if these intermediaries
> re-sign the SIP message and create a new identity signature using
> their own domain credentials.
> This document defines a new signature type 'Fingerprint-Identity'
> which is exchanged in the signalling channel.  Fingerprint-Identity
> covers only those elements of a SIP message necessary to authenticate
> the certificate fingerprint and to secure media end-to-end.  It is
> independent from SIP-Identity and SIP-Identity-Media and can be
> applied in parallel to them.
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-fischer-sip-e2e-sec-
> media-00.txt
> To remove yourself from the I-D Announcement list, send a message to
> i-d-announce-request@ietf.org with the word unsubscribe in 
> the body of 
> the message.
> You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
> to change your subscription settings.
> Internet-Drafts are also available by anonymous FTP. Login with the 
> username "anonymous" and a password of your e-mail address. After 
> logging in, type "cd internet-drafts" and then
> 	"get draft-fischer-sip-e2e-sec-media-00.txt".
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> Internet-Drafts can also be obtained by e-mail.
> Send a message to:
> 	mailserv@ietf.org.
> In the body type:
> 	"FILE /internet-drafts/draft-fischer-sip-e2e-sec-media-00.txt".
> NOTE:   The mail server at ietf.org can return the document in
> 	MIME-encoded form by using the "mpack" utility.  To use this
> 	feature, insert the command "ENCODING mime" before the "FILE"
> 	command.  To decode the response(s), you will need "munpack" or
> 	a MIME-compliant mail reader.  Different MIME-compliant 
> mail readers
> 	exhibit different behavior, especially when dealing with
> 	"multipart" MIME messages (i.e. documents which have been split
> 	up into multiple messages), so check your local documentation on
> 	how to manipulate these messages.
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip