Re: [Sip] Re: REFER security
Michael Thomas <mat@cisco.com> Fri, 15 March 2002 02:25 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA08536 for <sip-archive@odin.ietf.org>; Thu, 14 Mar 2002 21:25:51 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id VAA27901 for sip-archive@odin.ietf.org; Thu, 14 Mar 2002 21:25:54 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id VAA27254; Thu, 14 Mar 2002 21:11:21 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id VAA27195 for <sip@optimus.ietf.org>; Thu, 14 Mar 2002 21:11:18 -0500 (EST)
Received: from sj-msg-core-1.cisco.com (sj-msg-core-1.cisco.com [171.71.163.11]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA08223 for <sip@ietf.org>; Thu, 14 Mar 2002 21:11:14 -0500 (EST)
Received: from mira-sjc5-7.cisco.com (mira-sjc5-7.cisco.com [171.71.163.27]) by sj-msg-core-1.cisco.com (8.11.3/8.9.1) with ESMTP id g2F2Akd07798; Thu, 14 Mar 2002 18:10:46 -0800 (PST)
Received: from thomasm-u1.cisco.com (thomasm-u1.cisco.com [128.107.140.53]) by mira-sjc5-7.cisco.com (Mirapoint) with ESMTP id ABD01274; Thu, 14 Mar 2002 18:08:30 -0800 (PST)
Received: (thomasm@localhost) by thomasm-u1.cisco.com (8.8.8-Cisco List Logging/CISCO.WS.1.2) id SAA07393; Thu, 14 Mar 2002 18:10:46 -0800 (PST)
From: Michael Thomas <mat@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <15505.22565.984553.793703@thomasm-u1.cisco.com>
Date: Thu, 14 Mar 2002 18:10:45 -0800
To: Rohan Mahy <rohan@cisco.com>
Cc: William Marshall <wtm@research.att.com>, sip@ietf.org
Subject: Re: [Sip] Re: REFER security
In-Reply-To: <Pine.WNT.4.44.0203141752470.-477753@chorizo.rapidconvergence.com>
References: <200203141813.NAA99404@fish.research.att.com> <Pine.WNT.4.44.0203141752470.-477753@chorizo.rapidconvergence.com>
X-Mailer: VM 6.72 under 21.1 (patch 6) "Big Bend" XEmacs Lucid
X-Face: &, heK/V66p?[2!i|tVn, 9lN0TUvEv7:9FzXREj/AuzN4m<D]vnFJ>u!4x[/Z4t{V}~L]+Sk @RFNnJEg~WZ/(8<`5a), -7ukALWa^&?&D2R0CSG3kO5~#6JxLF\d, g">$%B!0w{W)qIhmwhye104zd bUcI'1!
Content-Transfer-Encoding: 7bit
Sender: sip-admin@ietf.org
Errors-To: sip-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Session Initiation Protocol <sip.ietf.org>
X-BeenThere: sip@ietf.org
Content-Transfer-Encoding: 7bit
?? I thought that cc-transfer was on an informational track? Mike Rohan Mahy writes: > > On Thu, 14 Mar 2002, William Marshall wrote: > > The issue that I raised with REFER security during its last-call period > > last year was the inability of the transfer-target to authenticate > > the Referred-By header with the transferor. While there may be > > an authenticated relationship between the transferee and the transferor > > (established by an INVITE, and used by the REFER), and an authenticated > > relationship between the transferee and the transfer-target (established by > > the REFER-initiated INVITE), there is no way for the transfer-target > > (i.e. UAS in the second INVITE) to verify that the transferor really > > did send a REFER to the UAC. > > Then you are discussing the security of cc-transfer, not the security of > REFER. This doesn't mean we don't need a solution, but figuring out how > to trust a header in an INVITE doesn't exactly seem like a job for the > document that defines REFER. > > thanks, > -rohan > > > The result is that the only reasonable policy of a UAS on receiving > > an INVITE containing a Referred-By header is to ignore it. It can > > only be utilized and believed within a very limited scope that rivals > > the applicability statement in the privacy draft. > > > > If the basic mechanism is of such limited scope, it seems less than > > useful to discuss security for each separate usage of REFER. > > > > In my last-call review of draft-ietf-sip-refer-02, message dated 13 Nov 2001, > > I proposed one solution. An additional 4xx error response would be > > sent from transfer-target to transferee, which would contain a challenge. > > The transferee would send this challenge to the transferer in a NOTIFY, > > who would respond with an updated REFER with the proper response. This > > response would then be included in a new INVITE to the transfer-target. > > Lots of details TBD, like what additional headers are included in the > > calculation of the response. > > > > An example of the problem with the current draft: > > Consider the simple case of a blind transfer (described in Section 6 > > of draft-ietf-sip-cc-transfer-05): > > Person X calls the CEO of a corporation, and the call is intercepted by > > a screener (S). Screener is the transferor, X is the transferee, and > > CEO is transfer-target. Screener sends REFER to X, then X sends INVITE > > to CEO's private address with Referred-By: S. So the next time X wants > > to call CEO, why go through the screener? X has the magic Referred-By > > value to go direct. CEO gets unscreened calls, and removes SIP phones > > from company. > > > > Bill Marshall > > wtm@research.att.com > > > > -----original message----- > > Date: Thu, 14 Mar 2002 08:42:18 -0800 (Pacific Standard Time) > > From: Rohan Mahy <rohan@cisco.com> > > To: sip@ietf.org > > Subject: [Sip] Re: REFER security > > > > > > Hi, > > > > I'm a little unclear whether it is REFER that needs security, or its > > usage. > > > > - A REFER which starts a new dialog should be challenged just like any > > other request that starts a new dialog (INVITE, SUBSCRIBE). > > > > - A REFER in the context of an existing dialog should be treated just like > > any other request in that context (reINVITE, BYE). If you are using TLS, > > you don't have any reason to challenge these requests, if you aren't using > > TLS you should probably challenge these requests. > > > > I think what we are talking about is the security or introduction of the > > triggered request. Can we reasonably discuss this issue in each > > "usage" of REFER, the first being cc-transfer? > > > > thanks, > > -rohan > > > > > > > > ------------------ > > To: "'Robert Sparks'" <rsparks@dynamicsoft.com>, sip@ietf.org > > Subject: RE: [Sip] Status of REFER > > From: Alan Johnston <alan.johnston@wcom.com> > > Date: Tue, 12 Mar 2002 12:43:21 -0600 > > Importance: Normal > > In-reply-to: <1015945586.1187.34.camel@dhcp240.dfw.dynamicsoft.com> > > List-Id: Session Initiation Protocol <sip.ietf.org> > > Sender: sip-admin@ietf.org > > > > -------------------------------------------------------------------------------- > > > > Robert, > > > > I'm confused about this. We decided a while back to remove a REFER > > specific security scheme in favor of a more general SIP security > > approach. > > > > Now that we have the general SIP security scheme in bis, you are > > suggesting that we have to add a REFER specific security scheme back in? > > This makes no sense. > > > > Also, I feel that this is a specific case of the more general problem of > > how to transport and pass around an "authorization token" for want of a > > better description in SIP. It could authorize a transfer, a call back > > through a gateway, a one-time use of a special SIP service, etc, as > > briefly mentioned in the Multiparty Framework document. > > > > I am in favor of solving this general problem, not inventing a REFER > > specific approach (again) which may or may not work for the more general > > case. > > > > REFER is already way, way, way behind schedule - lets not delay any > > further by wading into another security quagmire - please. > > > > Thanks, > > Alan Johnston > > WorldCom > > sip:alan@siptest.wcom.com > > > > > -----Original Message----- > > > From: sip-admin@ietf.org [mailto:sip-admin@ietf.org] On > > > Behalf Of Robert Sparks > > > Sent: Tuesday, March 12, 2002 9:06 AM > > > To: sip@ietf.org > > > Subject: [Sip] Status of REFER > > > > > > > > > First - many thanks to those people who found the time to > > > comment on the current REFER draft during the bis-storm. > > > > > > The feedback I received indicates that we should alter the > > > plan discussed in SLC. Specifically, we should not advance > > > the REFER draft without a concrete mechanism for securing > > > information passed from the referror through the referree > > > to the refer target). I'm working on a couple of mechanisms now. > > > > > > The draft also needs to be realigned with the new SIP and > > > SIP-events RFCs. For instance, the ;cseq= parameter should > > > be replaced with the more general ;id= parameter in events. > > > > > > > > > RjS > > > > > > > > > _______________________________________________ > Sip mailing list https://www1.ietf.org/mailman/listinfo/sip > This list is for NEW development of the core SIP Protocol > Use sip-implementors@cs.columbia.edu for questions on current sip > Use sipping@ietf.org for new developments on the application of sip _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- Re: [Sip] REFER security William Marshall
- [Sip] REFER security Henning Schulzrinne
- RE: [Sip] REFER security Robert Sparks
- RE: [Sip] REFER security krisztian.kiss
- RE: [Sip] REFER security Robert Sparks
- [Sip] REFER security Michael Thomas
- Re: [Sip] REFER security Henning G. Schulzrinne
- Re: [Sip] REFER security Henning G. Schulzrinne
- Re: [Sip] REFER security Michael Thomas
- Re: [Sip] REFER security Daniel G. Petrie
- [Sip] Re: REFER security Rohan Mahy
- [Sip] Re: REFER security William Marshall
- [Sip] Re: REFER security Michael Thomas
- Re: [Sip] Re: REFER security Rohan Mahy
- Re: [Sip] Re: REFER security Michael Thomas
- Re: [Sip] Re: REFER security Jonathan Rosenberg
- RE: [Sip] Re: REFER security Arunachalam Venkatraman