Re: [Sip] Errata report on errata 2602 and 2120 on RFC 5479, "Requirements and Analysis of Media Security Management Protocols"
Cullen Jennings <fluffy@cisco.com> Fri, 14 January 2011 02:31 UTC
Return-Path: <fluffy@cisco.com>
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E2D483A6C35; Thu, 13 Jan 2011 18:31:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.968
X-Spam-Level:
X-Spam-Status: No, score=-109.968 tagged_above=-999 required=5 tests=[AWL=-0.609, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_LWSHORTT=1.24, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jQseeFXXXiR6; Thu, 13 Jan 2011 18:31:19 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id BA36F3A6C33; Thu, 13 Jan 2011 18:31:19 -0800 (PST)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAG9EL02rR7Ht/2dsb2JhbACkTXOkJphPhUwEhGiGKIMi
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-6.cisco.com with ESMTP; 14 Jan 2011 02:33:43 +0000
Received: from [192.168.4.2] (rcdn-fluffy-8711.cisco.com [10.99.9.18]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id p0E2XHdv023999; Fri, 14 Jan 2011 02:33:42 GMT
Mime-Version: 1.0 (Apple Message framework v1082)
Content-Type: text/plain; charset="us-ascii"
From: Cullen Jennings <fluffy@cisco.com>
In-Reply-To: <CD5674C3CD99574EBA7432465FC13C1B2202288AE7@DC-US1MBEX4.global.avaya.com>
Date: Thu, 13 Jan 2011 19:35:18 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <38FA3B83-D552-4BC6-9B06-CBEAC4F750BE@cisco.com>
References: <CD5674C3CD99574EBA7432465FC13C1B2202288AE7@DC-US1MBEX4.global.avaya.com>
To: "Worley, Dale R (Dale)" <dworley@avaya.com>
X-Mailer: Apple Mail (2.1082)
Cc: "sip@ietf.org" <sip@ietf.org>, "dispatch@ietf.org" <dispatch@ietf.org>
Subject: Re: [Sip] Errata report on errata 2602 and 2120 on RFC 5479, "Requirements and Analysis of Media Security Management Protocols"
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Jan 2011 02:31:21 -0000
I agree with the Recommended status on these. Might be good to run the first one by EKR. On Dec 13, 2010, at 3:09 PM, Worley, Dale R (Dale) wrote: > ====================================================================== > RFC5479, "Requirements and Analysis of Media Security Management Protocols" > Source of RFC: sip (rai) > > Errata ID: 2602 > > Status: Reported > Type: Technical > > Reported By: Fabio Pietrosanti > Date Reported: 2010-11-04 > > Section A.5.2 says: > > SDP Security Descriptions with SIPS > Not applicable; SDP Security Descriptions does not have a long- > term secret. > > It should say: > > SDP Security Descriptions with SIPS > The PFS feature of SDP Security Description with SIPS rely on > TLS and the availability or not of PFS for SRTP calls depends > on the negotiated TLS key negotiation algorithm. > > If the selected TLS key negotiation algorithm of SIPS provide > PFS feature, then the underlying SRTP encryption will support > PFS. For example TLS_DHE_RSA_WITH_AES_256_CBC_SHA provde PFS > feature as described in RFC5246. If the selected TLS key > negotiation algorithm of SIPS does not provide PFS feature, > then the underlying SRTP encryption will not support PFS. > For example TLS_RSA_WITH_AES_256_CBC_SHA does not provide PFS > feature as described in RFC5246. > > > Notes: > > It's not true that SDP Security Descriptions with SIPS have PFS "Not > applicable" because the SDES rely on TLS that is part of the security > scheme. > > Practically if the long terms keys (the x509v3 RSA key of SIPS server) > is compromised, the TLS sessions can be decrypted, the SDES key > extracted and SRTP calls deciphered. > > TLS support key exchange methods that provide PFS trough the use of > Ephemeral Diffie Hellman keys. > > When SIPS use TLS with DHE key negotiation, then SDES acquire PFS > feature because even in case of long-term key compromise (the server > x509v3 RSA key), the short term keys (the SDES keys exchanged) will be > safe. > ---------------------------------------------------------------------- > Recommended status: (correct) Verified (publish) > Should be reviewed by a security expert. > > It seems that the entry for "SDP Security Descriptions with S/MIME" is > also incorrect, as revelation of the private keys of the participants > will render the SDES readable. I think better phrasing of the revised > wording is: > > SDP Security Descriptions with SIPS > PFS if the selected TLS cipher suites for the SIPS hops provide PFS. > > SDP Security Descriptions with S/MIME > No PFS. > > This needs to be reviewed by a security expert. > ====================================================================== > RFC5479, "Requirements and Analysis of Media Security Management Protocols" > Source of RFC: sip (rai) > > Errata ID: 2120 > > Status: Reported > Type: Editorial > > Reported By: Alfred Hoenes > Date Reported: 2010-04-05 > > Section 4.4,3rd para says: > > | A typical case of using media security where two entities are having > a Voice over IP (VoIP) conversation over IP-capable networks. > [...] > > It should say: > > | A typical case of using media security is where two entities are > having a Voice over IP (VoIP) conversation over IP-capable networks. > [...] > > Notes: > > Rationale: missing verb. > ---------------------------------------------------------------------- > Recommended status: (correct) Hold for document update > ====================================================================== > > Dale > _______________________________________________ > Sip mailing list https://www.ietf.org/mailman/listinfo/sip > This list is essentially closed and only used for finishing old business. > Use sip-implementors@cs.columbia.edu for questions on how to develop a SIP implementation. > Use dispatch@ietf.org for new developments on the application of sip. > Use sipcore@ietf.org for issues related to maintenance of the core SIP specifications.
- [Sip] Errata report on errata 2602 and 2120 on RF… Worley, Dale R (Dale)
- Re: [Sip] Errata report on errata 2602 and 2120 o… Cullen Jennings