RE: [Sip] I-D Action:draft-ietf-sip-dtls-srtp-framework-00.txt

"Elwell, John" <john.elwell@siemens.com> Tue, 13 November 2007 08:06 UTC

Date: Tue, 13 Nov 2007 08:06:18 +0000
From: "Elwell, John" <john.elwell@siemens.com>
Subject: RE: [Sip] I-D Action:draft-ietf-sip-dtls-srtp-framework-00.txt
In-reply-to: <E1IrSL3-0006kt-LG@stiedprstage1.ietf.org>
To: Jason Fischl <jason@counterpath.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Eric Rescorla <ekr@networkresonance.com>
Message-id: <0D5F89FAC29E2C41B98A6A762007F5D03E9673@GBNTHT12009MSX.gb002.siemens.net>
Cc: sip@ietf.org

In Security Considerations, concerning UPDATE:
"OPEN ISSUE:  Note that there is a window of vulnerability during
the early media phase of this operation before Alice receives the
UPDATE (which immediately follows the SDP answer).  During this
window, Alice cannot be sure of Bob's identity."
There is a vulnerability in any case during the early media phase if the
SDP answer does not arrive until the SIP 200 OK. So the additional
vulnerability is the short window between the 200 OK and the UPDATE
request. Also the UPDATE request can be sent earlier if reliable
provisional responses (RFC 3262) are used.

Concerning use of SIPS:
"The security issue with this approach is that if one of
the Proxies wished to mount a man-in-the-middle attack, it could
convince Alice that she was talking to Bob when really the media was
flowing through a man in the middle media relay."
In fact, even a well-behaved proxy could forward the INVITE request to
Chuck (in accordance with Bob's requirements presumably), so Alice might
think she is talking to Bob when in fact she is talking to Chuck.

Concerning use of S/MIME:
"RFC 3261 [RFC3261] defines a S/MIME security mechanism for SIP that
could be used to sign that the fingerprint was from Bob. This would
be secure.  However, so far there have been no deployments of S/MIME
for SIP."
It fails to mention that PKIX certs need to be provided on endpoints.

John


> -----Original Message-----
> From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org] 
> Sent: 12 November 2007 06:00
> To: i-d-announce@ietf.org
> Cc: sip@ietf.org
> Subject: [Sip] I-D Action:draft-ietf-sip-dtls-srtp-framework-00.txt
> 
> A New Internet-Draft is available from the on-line 
> Internet-Drafts directories.
> This draft is a work item of the Session Initiation Protocol 
> Working Group of the IETF.
> 
> 
> 	Title           : Framework for Establishing an SRTP Security Context using DTLS
> 	Author(s)       : J. Fischl, et al.
> 	Filename        : draft-ietf-sip-dtls-srtp-framework-00.txt
> 	Pages           : 28
> 	Date            : 2007-11-12
> 
> This document specifies how to use the Session Initiation Protocol
> (SIP) to establish a Secure Real-time Transport Protocol (SRTP)
> security context using the Datagram Transport Layer Security (DTLS)
> protocol.  It describes a mechanism of transporting a fingerprint
> attribute in the Session Description Protocol (SDP) that identifies
> the key that will be presented during the DTLS handshake.  It relies
> on the SIP identity mechanism to ensure the integrity of the
> fingerprint attribute.  The key management exchange travels along the
> media path as opposed to the signaling path.
> 
> A URL for this Internet-Draft is:
> http://www.ietf.org/internet-drafts/draft-ietf-sip-dtls-srtp-framework-00.txt
> 
> To remove yourself from the I-D Announcement list, send a message to
> i-d-announce-request@ietf.org with the word unsubscribe in 
> the body of 
> the message.
> You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
> to change your subscription settings.
> 
> Internet-Drafts are also available by anonymous FTP. Login with the 
> username "anonymous" and a password of your e-mail address. After 
> logging in, type "cd internet-drafts" and then
> 	"get draft-ietf-sip-dtls-srtp-framework-00.txt".
> 
> A list of Internet-Drafts directories can be found in
> http://www.ietf.org/shadow.html
> or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> 
> Internet-Drafts can also be obtained by e-mail.
> 
> Send a message to:
> 	mailserv@ietf.org.
> In the body type:
> 	"FILE /internet-drafts/draft-ietf-sip-dtls-srtp-framework-00.txt".
> 
> NOTE:   The mail server at ietf.org can return the document in
> 	MIME-encoded form by using the "mpack" utility.  To use this
> 	feature, insert the command "ENCODING mime" before the "FILE"
> 	command.  To decode the response(s), you will need "munpack" or
> 	a MIME-compliant mail reader.  Different MIME-compliant 
> mail readers
> 	exhibit different behavior, especially when dealing with
> 	"multipart" MIME messages (i.e. documents which have been split
> 	up into multiple messages), so check your local documentation on
> 	how to manipulate these messages.
> 
> Below is the data which will enable a MIME compliant mail reader
> implementation to automatically retrieve the ASCII version of the
> Internet-Draft.
> 

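An added illustration, not part of the draft or of this thread, of the check that the framework relies on: the SDP a=fingerprint attribute (RFC 4572 format, hash-function name followed by colon-separated hex) is compared against the digest of the certificate actually presented in the DTLS handshake on the media path. The certificate bytes and SDP fragments are constructed stand-ins; the example also shows John's point about Chuck, since an answer carrying Chuck's own fingerprint verifies perfectly well against Chuck's certificate, so the fingerprint alone binds media to whoever sent the answer and says nothing about whether that was Bob.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Hash names permitted in a=fingerprint (RFC 4572) mapped onto hashlib names.
HASH_FUNCS = {"sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
              "sha-384": "sha384", "sha-512": "sha512", "md5": "md5"}

# a=fingerprint:<hash-func> <hex pairs separated by colons>
FP_LINE = re.compile(r"^a=fingerprint:(?P<func>[A-Za-z0-9-]+)\s+"
                     r"(?P<hex>(?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})\s*$")


def parse_fingerprints(sdp: str) -> List[Tuple[str, bytes]]:
    """Return (hash-func, digest) for every a=fingerprint line we can check."""
    found = []
    for line in sdp.splitlines():
        m = FP_LINE.match(line.strip())
        if m is None:
            continue
        func = m.group("func").lower()
        if func not in HASH_FUNCS:
            continue  # unknown hash function: cannot be verified, so ignore it
        found.append((func, bytes.fromhex(m.group("hex").replace(":", ""))))
    return found


def cert_digest(der_cert: bytes, func: str) -> bytes:
    """Digest of the DER-encoded certificate under the named hash function."""
    return hashlib.new(HASH_FUNCS[func], der_cert).digest()


def fingerprint_line(der_cert: bytes, func: str = "sha-256") -> str:
    """Build the a=fingerprint line a party places in its own SDP."""
    hexpairs = ":".join("%02X" % b for b in cert_digest(der_cert, func))
    return "a=fingerprint:%s %s" % (func, hexpairs)


def handshake_matches_sdp(der_cert: bytes, sdp: str) -> bool:
    """True if the certificate seen in the DTLS handshake matches a fingerprint
    in the SDP.  This only ties the media-path handshake to the signaling; that
    the signaling came from Bob must be established separately (SIP Identity)."""
    for func, expected in parse_fingerprints(sdp):
        if hmac.compare_digest(cert_digest(der_cert, func), expected):
            return True
    return False


# Constructed stand-ins for DER certificates (not real X.509 data).
BOB_CERT = b"\x30\x82\x01\x00CONSTRUCTED-CERT-BOB"
CHUCK_CERT = b"\x30\x82\x01\x00CONSTRUCTED-CERT-CHUCK"
# Constructed SDP answers, each carrying its own sender's fingerprint.
BOB_SDP = "v=0\r\nm=audio 5004 RTP/SAVP 0\r\n%s\r\n" % fingerprint_line(BOB_CERT)
CHUCK_SDP = "v=0\r\nm=audio 5004 RTP/SAVP 0\r\n%s\r\n" % fingerprint_line(CHUCK_CERT)
```

Chuck's handshake against Chuck's answer passes, which is exactly why the answer's origin has to be authenticated before the fingerprint match means anything to Alice.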

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip