Re: [Sip] Re: REFER security
Rohan Mahy <rohan@cisco.com> Fri, 15 March 2002 02:22 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA08456 for <sip-archive@odin.ietf.org>; Thu, 14 Mar 2002 21:22:11 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id VAA27802 for sip-archive@odin.ietf.org; Thu, 14 Mar 2002 21:22:13 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id UAA25283; Thu, 14 Mar 2002 20:57:37 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id UAA25248 for <sip@optimus.ietf.org>; Thu, 14 Mar 2002 20:57:34 -0500 (EST)
Received: from sj-msg-core-2.cisco.com (sj-msg-core-2.cisco.com [171.69.24.11]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA07638 for <sip@ietf.org>; Thu, 14 Mar 2002 20:57:31 -0500 (EST)
Received: from imop.cisco.com (imop.cisco.com [171.69.11.44]) by sj-msg-core-2.cisco.com (8.11.3/8.9.1) with ESMTP id g2F1v3h27318; Thu, 14 Mar 2002 17:57:03 -0800 (PST)
Received: from dhcp-128-107-142-216.cisco.com (dhcp-128-107-142-216.cisco.com [128.107.142.216]) by imop.cisco.com (Mirapoint) with ESMTP id ACQ60441; Thu, 14 Mar 2002 17:57:01 -0800 (PST)
Date: Thu, 14 Mar 2002 17:54:54 -0800
From: Rohan Mahy <rohan@cisco.com>
To: William Marshall <wtm@research.att.com>
cc: sip@ietf.org
Subject: Re: [Sip] Re: REFER security
In-Reply-To: <200203141813.NAA99404@fish.research.att.com>
Message-ID: <Pine.WNT.4.44.0203141752470.-477753@chorizo.rapidconvergence.com>
X-X-Sender: rmahy@imop.cisco.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: sip-admin@ietf.org
Errors-To: sip-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Session Initiation Protocol <sip.ietf.org>
X-BeenThere: sip@ietf.org
On Thu, 14 Mar 2002, William Marshall wrote: > The issue that I raised with REFER security during its last-call period > last year was the inability of the transfer-target to authenticate > the Referred-By header with the transferor. While there may be > an authenticated relationship between the transferee and the transferor > (established by an INVITE, and used by the REFER), and an authenticated > relationship between the transferee and the transfer-target (established by > the REFER-initiated INVITE), there is no way for the transfer-target > (i.e. UAS in the second INVITE) to verify that the transferor really > did send a REFER to the UAC. Then you are discussing the security of cc-transfer, not the security of REFER. This doesn't mean we don't need a solution, but figuring out how to trust a header in an INVITE doesn't exactly seem like a job for the document that defines REFER. thanks, -rohan > The result is that the only reasonable policy of a UAS on receiving > an INVITE containing a Referred-By header is to ignore it. It can > only be utilized and believed within a very limited scope that rivals > the applicability statement in the privacy draft. > > If the basic mechanism is of such limited scope, it seems less than > useful to discuss security for each separate usage of REFER. > > In my last-call review of draft-ietf-sip-refer-02, message dated 13 Nov 2001, > I proposed one solution. An additional 4xx error response would be > sent from transfer-target to transferee, which would contain a challenge. > The transferee would send this challenge to the transferer in a NOTIFY, > who would respond with an updated REFER with the proper response. This > response would then be included in a new INVITE to the transfer-target. > Lots of details TBD, like what additional headers are included in the > calculation of the response. > > An example of the problem with the current draft: > Consider the simple case of a blind transfer (described in Section 6 > of draft-ietf-sip-cc-transfer-05): > Person X calls the CEO of a corporation, and the call is intercepted by > a screener (S). Screener is the transferor, X is the transferee, and > CEO is transfer-target. Screener sends REFER to X, then X sends INVITE > to CEO's private address with Referred-By: S. So the next time X wants > to call CEO, why go through the screener? X has the magic Referred-By > value to go direct. CEO gets unscreened calls, and removes SIP phones > from company. > > Bill Marshall > wtm@research.att.com > > -----original message----- > Date: Thu, 14 Mar 2002 08:42:18 -0800 (Pacific Standard Time) > From: Rohan Mahy <rohan@cisco.com> > To: sip@ietf.org > Subject: [Sip] Re: REFER security > > > Hi, > > I'm a little unclear whether it is REFER that needs security, or its > usage. > > - A REFER which starts a new dialog should be challenged just like any > other request that starts a new dialog (INVITE, SUBSCRIBE). > > - A REFER in the context of an existing dialog should be treated just like > any other request in that context (reINVITE, BYE). If you are using TLS, > you don't have any reason to challenge these requests, if you aren't using > TLS you should probably challenge these requests. > > I think what we are talking about is the security or introduction of the > triggered request. Can we reasonably discuss this issue in each > "usage" of REFER, the first being cc-transfer? > > thanks, > -rohan > > > > ------------------ > To: "'Robert Sparks'" <rsparks@dynamicsoft.com>, sip@ietf.org > Subject: RE: [Sip] Status of REFER > From: Alan Johnston <alan.johnston@wcom.com> > Date: Tue, 12 Mar 2002 12:43:21 -0600 > Importance: Normal > In-reply-to: <1015945586.1187.34.camel@dhcp240.dfw.dynamicsoft.com> > List-Id: Session Initiation Protocol <sip.ietf.org> > Sender: sip-admin@ietf.org > > -------------------------------------------------------------------------------- > > Robert, > > I'm confused about this. We decided a while back to remove a REFER > specific security scheme in favor of a more general SIP security > approach. > > Now that we have the general SIP security scheme in bis, you are > suggesting that we have to add a REFER specific security scheme back in? > This makes no sense. > > Also, I feel that this is a specific case of the more general problem of > how to transport and pass around an "authorization token" for want of a > better description in SIP. It could authorize a transfer, a call back > through a gateway, a one-time use of a special SIP service, etc, as > briefly mentioned in the Multiparty Framework document. > > I am in favor of solving this general problem, not inventing a REFER > specific approach (again) which may or may not work for the more general > case. > > REFER is already way, way, way behind schedule - lets not delay any > further by wading into another security quagmire - please. > > Thanks, > Alan Johnston > WorldCom > sip:alan@siptest.wcom.com > > > -----Original Message----- > > From: sip-admin@ietf.org [mailto:sip-admin@ietf.org] On > > Behalf Of Robert Sparks > > Sent: Tuesday, March 12, 2002 9:06 AM > > To: sip@ietf.org > > Subject: [Sip] Status of REFER > > > > > > First - many thanks to those people who found the time to > > comment on the current REFER draft during the bis-storm. > > > > The feedback I received indicates that we should alter the > > plan discussed in SLC. Specifically, we should not advance > > the REFER draft without a concrete mechanism for securing > > information passed from the referror through the referree > > to the refer target). I'm working on a couple of mechanisms now. > > > > The draft also needs to be realigned with the new SIP and > > SIP-events RFCs. For instance, the ;cseq= parameter should > > be replaced with the more general ;id= parameter in events. > > > > > > RjS > > > _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- Re: [Sip] REFER security William Marshall
- [Sip] REFER security Henning Schulzrinne
- RE: [Sip] REFER security Robert Sparks
- RE: [Sip] REFER security krisztian.kiss
- RE: [Sip] REFER security Robert Sparks
- [Sip] REFER security Michael Thomas
- Re: [Sip] REFER security Henning G. Schulzrinne
- Re: [Sip] REFER security Henning G. Schulzrinne
- Re: [Sip] REFER security Michael Thomas
- Re: [Sip] REFER security Daniel G. Petrie
- [Sip] Re: REFER security Rohan Mahy
- [Sip] Re: REFER security William Marshall
- [Sip] Re: REFER security Michael Thomas
- Re: [Sip] Re: REFER security Rohan Mahy
- Re: [Sip] Re: REFER security Michael Thomas
- Re: [Sip] Re: REFER security Jonathan Rosenberg
- RE: [Sip] Re: REFER security Arunachalam Venkatraman