[Sip] Comments on rosenberg-sip-identity-coexistence
Cullen Jennings <fluffy@cisco.com> Thu, 29 June 2006 13:57 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fvx11-00016m-Q1; Thu, 29 Jun 2006 09:57:07 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Fvx0z-00010V-GB for sip@ietf.org; Thu, 29 Jun 2006 09:57:05 -0400
Received: from rtp-iport-2.cisco.com ([64.102.122.149]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Fvx0y-0000k0-1n for sip@ietf.org; Thu, 29 Jun 2006 09:57:05 -0400
Received: from rtp-core-1.cisco.com ([64.102.124.12]) by rtp-iport-2.cisco.com with ESMTP; 29 Jun 2006 09:57:04 -0400
X-IronPort-AV: i="4.06,192,1149480000"; d="scan'208"; a="91287708:sNHT32736892"
Received: from [172.17.99.213] (rcdn-vpn-cluster-2-132.cisco.com [10.89.20.132]) by rtp-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id k5TDv1YM001959; Thu, 29 Jun 2006 09:57:03 -0400 (EDT)
Mime-Version: 1.0 (Apple Message framework v750)
Content-Transfer-Encoding: 7bit
Message-Id: <68618EA4-7CA4-4E3E-A306-1BA3902C3476@cisco.com>
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
To: Jonathan Rosenberg <jdrosen@cisco.com>, IETF SIP List <sip@ietf.org>
From: Cullen Jennings <fluffy@cisco.com>
Date: Thu, 29 Jun 2006 06:56:59 -0700
X-Mailer: Apple Mail (2.750)
X-Spam-Score: 1.1 (+)
X-Scan-Signature: 25eb6223a37c19d53ede858176b14339
Cc:
Subject: [Sip] Comments on rosenberg-sip-identity-coexistence
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Errors-To: sip-bounces@ietf.org
I really glad to see this draft on how to migrate from where we are today to using Identity. I have some small complaints about parts and some suggestions on the B2BUA part but overall really like it. The most important part of this email is the B2BUA section near the end. Section 1: I think one of the major reason for creating PAI was to provide malicious call trace for anonymous calls. I don't think it was for dealing with spoofing the From header. If that was the goal, we could have solved it just by having device that ends up inserting the PAI just reject any request that has spoofed From headers. Small nit but ... I think identity was designed such that the UAS domain proxy could do everything on behalf of the UAS as a migration step. Clearly that is the point of the draft but the "called party must be upgraded to support it" part I don't quite agree with. My last small nit .... I've sent several posts about why I think B2BUA work with Identity in a large percentage of the cases. I think this draft seems like a great place to explain all this - both what works and what does not. I don't buy into the statement that Identity breaks B2BUAs. Section 2. One of the design choices we need to make in the originating domain is if the ingress or egress proxy inserts the Identity signature. My preference is to explain the pro's and cons of this and allow either. I see the pros/cons of the egress doing it be that since not all calls will require the PKI computation to insert the signature and the cons that now the egress proxy has to authenticate the UA which in may deployments will involved a re-challenge to UA which like inserts another round trip of signaling both to the UA and to the AAA server. I see the pros/cons of the ingress doing it that a) all calls have it even inside the domain b) we provide integrity protection for calls in the domain c) devices receiving the call inside the domain can treat the Identity header the same was as call outside the domain. I'm sure others millage may vary but my mucking around makes me think the ingress proxy doing it will turn out to be best for most deployments. It certainly has better security properties and depending on your mix of inter/intra domain calls, the trade off of the PKI on ingress is offset by extra messaging on egress. I'm big fan of Terminating domain checking Identity signature and if it is OK, then inserting PAI for that. I like this. I think this is right. I think this is critical for migration to Identity. If I can be any more positive about this idea let me know how :-) I don't see why we would need the id-coexists options tags. It seems like they never get used. Section 3.3 I don't think that having the PAI override a broken identity will really fly from a security point of view. This takes this back to something that is only deployable in fully trusted networks. What I mean by this is that if anyone can insert a PAI header, they can totally break the integrity mechanism that identity provides. I realize that you are trying to solve the B2BUA issue here - more on that later - I agree we need to work with B2BUA but I think we can. I like to consider having rules in this order 1) if there is an invalid identity header, reject call 2) if there is a valid identity header, use AOR in From 3) if three is no identity, look for PAI and use that AOR if exists 4) if no PAI, use AOR in From Take the AOR and lookup in local address book and if found, display the user name associated with that entry in address book otherwise display the AOR and if Display Name is used clearly mark it as not being secure 2nd para - I might be confused on what you are suggesting here - In this section you talk about the UAS knowing if the UAC supports Identity or not. I don't know how to do this in a secure way - I think it is pretty hard - the approach of using DNS to look it up might work but has lots of issues too. 4.1 - I think whichever proxy first authenticates the UAS should insert the Identity signature 4.3 - I might be missing some of the stuff you are thinking about with the anonymous URI. However, it seems like for anonymous calls between domains that have an acceptable RFC 3325 Spec T, they will still want to pass the PAI for malicious call trace reasons. Section 5 Ok, I think that having PAI override PAI would break Identity in a way that we would never have strong identity in SIP - so I think we need a better way to work with B2BUA. I think the camarillo-sipping- sbc-funcs draft on the where B2BUA gets used and why might be helpful for working through the cases. Let me look at some starting cases here First let me separate telephone numbers from email style AOR. In all cases telephone numbers are easy as what you generally want is the B2BUA to decide it trusts the number it received, based on Identity or other information, then resign with it's credentials. This is because the E.164 namespace is not delegated to any of the devices doing the signatures. If DNSsec was available, and ENUM was widely deployed, more interesting solutions might be available. Probably worth thinking about. So for the case with email style AORs case 1) an egress B2BUA on originating domain - this one is actually trivial to deal with. This B2BUA can have the credentials to correctly re-sign the message case 2) ingress B2B on terminating domain - this is fairly easy too. This B2BUA resigns the incoming request. To do this it uses a cert that has a wildcard for all domain - the UAS need to be configured to have this cert in it root trust list. What the UAS is doing here is delegating that it trust any name that the B2BUA trusts. This is the sort of trust delegation one wants to be able to make. case 3) a B2BUA in a transit provider between the originating and terminating domain. There are two very different cases here - one is where the transit provider is an intermediate in providing PSTN termination services and using E.164 addresses. For example some company, contracts its PSTN termination from say MCI who for numbers in Australia perhaps uses Telstra. The company wants to see the phone number asserted by MCI, not Telstra - it is MCI they trust and can make an authorization decision based on. They have no idea who Telstra is so whatever telstra wants to claim is useless for the company. The point is, whatever things Telstra might assert to MCI, the company wants MCI to make an assertion that the company can use for it authorization decision. In these cases the transit B2BUA needs to resign things. The next sub case is where the transit provider provides an anonymization service - here you clearly need to resign things. The second sub case is not a PSTN termination service but a "trust broker" between a bunch of companies. An example of this case, a bunch of companies join some consortium and the consortium make sure that they can all talk to each other and no bad people are allowed to talk them because only good people are in the consortium. (I'm always a little confused on the value of all this but many people have suggested it might be useful - there is some groups like this something to do with drug dealers of america or something that people always bring up as an example). Here the consortium has two choices, it can provide new names for all the users and remap them or it can be allowed to sign on behalf of the organizations that are in it. For example, alice@example.com might become alice.example.consortium.com or aliace%example@consortium.com or even just alice@consortium.com. Or alternatively, the UA that trust consortium.com might allow the consortium to have a root cert such that it could sign things alice@example.com. There are many options here and I find it hard to pick one as I don't really understand why this type of service would exist in the first place. However, as we work out the requirements for this type of service, I suspect a soltuion is possible. As a last note, I do think there are workable solutions for the B2BUA case. Having UA accept message with a bad Identity header but that have a PAI seriously breaks Identify. One of the key things that Identity provides is a close to end to end integrity for the bodies. This breaks this and we have no other good way to provide this. What I am suggesting above provides a way to keep this integrity property so that no device can tamper with the integrity other than devices that the UAS or UAC explicitly trusts to tamper with the integrity. I think this is a fairly important property and achievable. Cullen <with my individual contributor hat on> _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- [Sip] Comments on rosenberg-sip-identity-coexiste… Cullen Jennings
- RE: [Sip] Comments on rosenberg-sip-identity-coex… Hadriel Kaplan
- RE: [Sip] Comments on rosenberg-sip-identity-coex… Hadriel Kaplan
- Re: [Sip] Comments on rosenberg-sip-identity-coex… Cullen Jennings
- Re: [Sip] Comments on rosenberg-sip-identity-coex… Cullen Jennings
- RE: [Sip] Comments on rosenberg-sip-identity-coex… Hadriel Kaplan
- RE: [Sip] Comments on rosenberg-sip-identity-coex… Hadriel Kaplan
- RE: [Sip] Comments on rosenberg-sip-identity-coex… Hadriel Kaplan
- Re: [Sip] Comments on rosenberg-sip-identity-coex… Cullen Jennings
- Re: [Sip] Comments on rosenberg-sip-identity-coex… Cullen Jennings
- RE: [Sip] Comments on rosenberg-sip-identity-coex… Hadriel Kaplan
- Re: [Sip] Comments on rosenberg-sip-identity-coex… David R Oran
- RE: [Sip] Comments on rosenberg-sip-identity-coex… Hadriel Kaplan
- Re: [Sip] Comments on rosenberg-sip-identity-coex… David R Oran
- RE: [Sip] Comments on rosenberg-sip-identity-coex… Hadriel Kaplan