Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

"DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com> Sat, 08 October 2011 09:05 UTC

Return-Path: <keith.drage@alcatel-lucent.com>
X-Original-To: sip@ietfa.amsl.com
Delivered-To: sip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5C3021F8B3F for <sip@ietfa.amsl.com>; Sat, 8 Oct 2011 02:05:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.704
X-Spam-Level:
X-Spam-Status: No, score=-105.704 tagged_above=-999 required=5 tests=[AWL=-0.056, BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, J_CHICKENPOX_52=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jZL+U0OR57nK for <sip@ietfa.amsl.com>; Sat, 8 Oct 2011 02:05:53 -0700 (PDT)
Received: from smail2.alcatel.fr (smail2.alcatel.fr [64.208.49.57]) by ietfa.amsl.com (Postfix) with ESMTP id 904C321F8B36 for <sip@ietf.org>; Sat, 8 Oct 2011 02:05:53 -0700 (PDT)
Received: from FRMRSSXCHHUB03.dc-m.alcatel-lucent.com (FRMRSSXCHHUB03.dc-m.alcatel-lucent.com [135.120.45.63]) by smail2.alcatel.fr (8.14.3/8.14.3/ICT) with ESMTP id p9898vZa022330 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Sat, 8 Oct 2011 11:08:57 +0200
Received: from FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com ([135.120.45.45]) by FRMRSSXCHHUB03.dc-m.alcatel-lucent.com ([135.120.45.63]) with mapi; Sat, 8 Oct 2011 11:08:57 +0200
From: "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>
To: Samir Srivastava <samirs.lists@gmail.com>
Date: Sat, 8 Oct 2011 11:08:56 +0200
Thread-Topic: [Sip] Using TLS in the first hop - Bug in RFC 5630
Thread-Index: AcyFKAbIpJXrpCmLRmuj2lpMmy8mhwAcczKg
Message-ID: <EDC0A1AE77C57744B664A310A0B23AE220D4C5BD@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com>
References: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com> <CFFC2869-C704-423E-974D-3F4B93145BBB@edvina.net> <CALiegfnh2C3GNddnneepcVsGgtOd1pSDBVC3uH72S1KaVT_jHg@mail.gmail.com> <3EBDBBCF-C3F3-4C64-B010-4F275B0A5A96@edvina.net> <CALiegfkKSHiEWF5+Lz5FBEawNc6ST1s3+MLYeBnUJedFjxQoDw@mail.gmail.com> <40FFF683-2CA1-4436-9421-42ACC205A42C@acmepacket.com> <CALiegf=Z3qZey-+0=wqN80BjS6Jn5V8tFU_w2LtS7O5v-jXK+Q@mail.gmail.com> <9825F789-887F-44CD-BD43-C000929E5B17@acmepacket.com> <CALiegfms0=Khcc_kKiGfcO6hUcd8-nDxG16bBN_SxCatuvAejA@mail.gmail.com> <2966AE2F-BBED-4E97-A27B-6E55279ED9FF@acmepacket.com> <EDC0A1AE77C57744B664A310A0B23AE220C0DC0D@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com> <CAK+SpiyoDWiqmyab-D0KpT0zsDL=xhN-pnxearFBXBWAz=v+dQ@mail.gmail.com>
In-Reply-To: <CAK+SpiyoDWiqmyab-D0KpT0zsDL=xhN-pnxearFBXBWAz=v+dQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: multipart/alternative; boundary="_000_EDC0A1AE77C57744B664A310A0B23AE220D4C5BDFRMRSSXCHMBSC3d_"
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.69 on 155.132.188.80
Cc: "<sip@ietf.org>" <sip@ietf.org>, "Olle E. Johansson" <oej@edvina.net>
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Oct 2011 09:05:54 -0000

All drafts help things along, but please do have the discussion on DISPATCH or SIPCORE.

It doesn't belong here.

Keith

________________________________
From: Samir Srivastava [mailto:samirs.lists@gmail.com]
Sent: 07 October 2011 20:34
To: DRAGE, Keith (Keith)
Cc: Hadriel Kaplan; Iñaki Baz Castillo; <sip@ietf.org>rg>; Olle E. Johansson
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

In line prefixed with SS>>

Regards
Samir

On Thu, Sep 15, 2011 at 10:05 AM, DRAGE, Keith (Keith) <keith.drage@alcatel-lucent.com<mailto:keith.drage@alcatel-lucent.com>> wrote:
Addressing the thread in general rather than Hadriel in particular.

Please remember that RFC 5630 did not set out to create a complete solution to secure communication. That was left to separate work and noone at the time seemed interested in doing that next step, so it was abandoned.

SS>> Refer the draft   http://datatracker.ietf.org/doc/draft-srivastava-dispatch-avoidance-of-threats/  submitted recently. And let me know your comments. What we intend to do in future? As per my recollection Security Advisor was not in agreement with my proposal. But it was told that there will be a day when this solution will be needed,


What RFC 5630 set out to do was to define what occurred if you followed the RFC 3261 mechanisms, and to correct some of RFC 3261 that was known to be wrong and to attempt to make sure that if SIPS was used in the Request-URI, then TLS was used end to end. I do not believe there was ever an intent to try and control what happened hop by hop. If you know that TLS is being used on the local hop, but have absolutely no knowledge of whether it is being used anywhere else, how useful is that?

While section 5, the normative section appears somewhat long, if you look at the impact of RFC 5630 in the way it changed RFC 3261 as stated in appendix A, it actually did very little in terms of change to the original RFC 3261 material.

I'm not actually sure that the issue you point out in 3.1.3 actually impacts the above drastically.

Do note however that if you want to perform new work, you probably need to take it to the SIPCORE list.


Keith

> -----Original Message-----
> From: sip-bounces@ietf.org<mailto:sip-bounces@ietf.org> [mailto:sip-bounces@ietf.org<mailto:sip-bounces@ietf.org>] On Behalf Of
> Hadriel Kaplan
> Sent: 15 September 2011 17:31
> To: Iñaki Baz Castillo
> Cc: <sip@ietf.org<mailto:sip@ietf.org>>; Olle E. Johansson
> Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
>
>
> Oh I'm well aware of that. :)
> I assumed this whole discussion was theoretical.
> In *practice* using sips is tough.  Some systems don't support it and will
> choke on the scheme, while some systems seem to ignore the extra "s".  And
> there are real problems with it even if you do everything by the book.
> For example, it's not like Alice's UA will actually have a TLS cert to be
> able to be a TLS server/listen-socket, so you can't open a TLS connection
> to her UA regardless, ever.  And with TCP in general you have to treat her
> Registered Contact connection as an outbound-style flow (ie, like an
> alias'ed connection-reuse), even if the UAC doesn't indicate RFC 5626 nor
> 5923.  Once you do that, using "sip" instead of "sips" contact works, or
> has so far for us.  YMMV.
>
> -hadriel
>
>
> On Sep 15, 2011, at 12:03 PM, Iñaki Baz Castillo wrote:
>
> > 2011/9/15 Hadriel Kaplan <HKaplan@acmepacket.com<mailto:HKaplan@acmepacket.com>>:
> >> No I mean if Bob wants to Refer Carol to Alice, or Alice to Carol
> (since that Refer can be sent out of dialog to Alice's contact).
> >
> > Initial requests sent to a Contact address rather than being sent to
> > an AoR are always problematic. The same occurs in attended trasfer
> > when the REFER is sent within the dialog and contains a Refer-To with
> > the endpoint Contact URI. Such URI could be no reachable if it's
> > between some kind of NAT's (regardless the user used STUN).
> >
> > --
> > Iñaki Baz Castillo
> > <ibc@aliax.net<mailto:ibc@aliax.net>>
>
> _______________________________________________
> Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
> This list is essentially closed and only used for finishing old business.
> Use sip-implementors@cs.columbia.edu<mailto:sip-implementors@cs.columbia.edu> for questions on how to develop a SIP
> implementation.
> Use dispatch@ietf.org<mailto:dispatch@ietf.org> for new developments on the application of sip.
> Use sipcore@ietf.org<mailto:sipcore@ietf.org> for issues related to maintenance of the core SIP
> specifications.
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is essentially closed and only used for finishing old business.
Use sip-implementors@cs.columbia.edu<mailto:sip-implementors@cs.columbia.edu> for questions on how to develop a SIP implementation.
Use dispatch@ietf.org<mailto:dispatch@ietf.org> for new developments on the application of sip.
Use sipcore@ietf.org<mailto:sipcore@ietf.org> for issues related to maintenance of the core SIP specifications.