[Sip] Re: Identity after reinvite
Paul Kyzivat <pkyzivat@cisco.com> Tue, 16 November 2004 15:01 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA04827 for <sip-web-archive@ietf.org>; Tue, 16 Nov 2004 10:01:42 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CU4sD-0007RI-Mq for sip-web-archive@ietf.org; Tue, 16 Nov 2004 10:04:02 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CU4ec-0007AO-6z; Tue, 16 Nov 2004 09:49:58 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CU4YN-0006KG-KP for sip@megatron.ietf.org; Tue, 16 Nov 2004 09:43:31 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA03376 for <sip@ietf.org>; Tue, 16 Nov 2004 09:43:30 -0500 (EST)
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CU4ab-0006x7-6v for sip@ietf.org; Tue, 16 Nov 2004 09:45:49 -0500
Received: from sj-core-1.cisco.com (171.71.177.237) by sj-iport-2.cisco.com with ESMTP; 16 Nov 2004 06:55:59 -0800
Received: from flask.cisco.com (IDENT:mirapoint@flask.cisco.com [161.44.122.62]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id iAGEgj3O010184; Tue, 16 Nov 2004 06:42:45 -0800 (PST)
Received: from cisco.com ([161.44.79.125]) by flask.cisco.com (MOS 3.4.6-GR) with ESMTP id ANB49111; Tue, 16 Nov 2004 09:42:56 -0500 (EST)
Message-ID: <419A11F0.2000601@cisco.com>
Date: Tue, 16 Nov 2004 09:42:56 -0500
From: Paul Kyzivat <pkyzivat@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: "Peterson, Jon" <jon.peterson@neustar.biz>
References: <7927C67249E4AD43BC05B539AF0D129801AF4372@stntexch04.cis.neustar.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 287c806b254c6353fcb09ee0e53bbc5e
Content-Transfer-Encoding: 7bit
Cc: Cullen Jennings <fluffy@cisco.com>, sip@ietf.org
Subject: [Sip] Re: Identity after reinvite
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 37af5f8fbf6f013c5b771388e24b09e7
Content-Transfer-Encoding: 7bit
Jon, I generally agree with what you say. I wasn't trying to suggest that we hold up identity for connected-party support. I just wanted to get a clear understanding of the issues remaining. It seems that they are a bit more than just not getting confirmation of who you connected to. Paul Peterson, Jon wrote: > Well, yes, now one begins to appreciate why we originally coupled the > request identity problem with the response identity problem. :) > > In the next revision of the identity draft, which will incorporate the list > comments up to date, I do intend to include some text about dialogs. I agree > that the draft should apply to requests regardless of the dialog context. > > Moreover, I don't think the problem you raise below is limited merely to > re-INVITEs within a dialog. I believe it applies equally to BYE requests > sent in the backwards direction in a dialog. Ideally, the originator of the > dialog should have some assurance that requests sent in the backwards > direction come from the same identity that positively responded to the > dialog (i.e., the sender of the 200 and any provisional responses). > > In the absence of response identity, though, it is difficult for Alice to > have any such assurance. Equally, as you point out below, Bob can have no > assurance that his BYE or re-INVITE has been fielded by Alice if he is > unable to get a cryptographically-assured 200 response to his own requests. > Alice can't even be certain that she actually connected to Bob, thanks to > retargeting; this is the essence of the connected-ID/response identity > problem, and threatens to drag us back into the morass of retargeting > restrictions and so on that populated the sip-identity-02 draft. > > A lack of such a strong binding of backwards-direction BYE requests to the > dialog is a significant limitation; if BYE can be spoofed, then an attacker > can terminate existing dialogs. However, I'm not sure that the situation is > so dire as you suggest below. Without identity, it is trivial for any > attacker to impersonate a dialog-forming request. It is harder, though, for > an attacker to impersonate a response or mid-dialog request; this requires > the attacker to gather dialog state through eavesdropping or some similar > means. There is a very important distinction in sophistication between an > attacker who can merely formulate a plausible dialog-forming request with an > inappropriate From header field versus an attacker who can capture > dialog-forming requests and improvise appropriate responses (with correct > tags, correct Call-ID/CSeq, etc). > > Ultimately, request identity can protect against the former but not the > latter. While it is imperfect, I feel that this is an improvement over the > current situation. In cases where retargeting has not occurred, Alice will > see a re-INVITE or BYE from the expected URI (blessed, as you say); in cases > where retargeting has occurred, Alice may receive a warning from her UI that > an unexpected but assured URI has responded. Likewise, Bob will have to > trust, given the signature over the Contact header field in the > dialog-forming INVITE request, that his request in the backwards direction > is forwarded to the appropriate UA instance. In terms of what Bob's UI > should display, well, that really depends on the sophistication of attacks > you are willing to consider plausible. Personally, I don't think Bob's UI > should suggest any uncertainty about the matter. > > To improve on all this, we will ultimately need to solve the response > identity problem; however, I maintain that sip-identity as it stands will > have addressed the simplest and most common variety of impersonation, the > one that does not require any eavesdropping whatsoever. Once we feel we have > the right answer to request identity, we can revisit the response identity > problem and try to eliminate the remaining attacks. > > Jon Peterson > NeuStar, Inc. > > >>-----Original Message----- >>From: Paul Kyzivat [mailto:pkyzivat@cisco.com] >>Sent: Monday, November 15, 2004 3:58 PM >>To: Peterson, Jon; Cullen Jennings; sip@ietf.org >>Subject: Identity after reinvite >> >> >>Jon, >> >>After the meetings last week a question came to mind re the >>identity draft. >> >>First, I want to double check on usage in dialogs. The draft doesn't >>say, but I presume that every message in a dialog needs to be signed, >>not just the one that initiates a dialog. If that is a bad assumption, >>it would be good to hear why. >> >>Assuming that, what happens when the initial invite was from Alice to >>Bob, and later a reinvite is sent from Bob to Alice? Initially Bob knew >>that Alice had called, while Alice had no assurance about who she had >>reached with her call. The reinvite is from Bob, so if his identity is >>blessed, then Alice will know she is talking to Bob, but Bob will no >>longer have any assurance that he is still talking to Alice. >> >>This could even manifest itself in the UI presented to Alice and Bob. >>Initially Bob would have a "callerid" display showing Alice as a >>certified caller. But after putting Alice on hold and back off hold the >>display might stop showing Alice, or at least might show the identity as >>suspect. (There may be strong temptations to avoid this via some sort of >>hack.) >> >>I don't see any good solution for this other than solving the connected >>party id problem as well. >> >> Just checking my understanding, >> Paul >> > > _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- [Sip] Identity after reinvite Paul Kyzivat
- [Sip] RE: Identity after reinvite Peterson, Jon
- Re: [Sip] RE: Identity after reinvite Jonathan Rosenberg
- [Sip] Re: Identity after reinvite Paul Kyzivat
- Re: [Sip] RE: Identity after reinvite Paul Kyzivat
- Re: [Sip] RE: Identity after reinvite Cullen Jennings
- Re: [Sip] RE: Identity after reinvite Paul Kyzivat
- Re: [Sip] RE: Identity after reinvite David R Oran
- Re: [Sip] RE: Identity after reinvite Jonathan Rosenberg
- Re: [Sip] RE: Identity after reinvite Paul Kyzivat
- RE: [Sip] RE: Identity after reinvite Peterson, Jon
- Re: [Sip] RE: Identity after reinvite Paul Kyzivat
- RE: [Sip] RE: Identity after reinvite Peterson, Jon
- Re: [Sip] RE: Identity after reinvite Jonathan Rosenberg
- Re: [Sip] RE: Identity after reinvite Jonathan Rosenberg
- Re: [Sip] RE: Identity after reinvite Dean Willis