[Sip] Re: REFER security
William Marshall <wtm@research.att.com> Thu, 14 March 2002 18:42 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA25213 for <sip-archive@odin.ietf.org>; Thu, 14 Mar 2002 13:42:33 -0500 (EST)
Received: (from daemon@localhost) by optimus.ietf.org (8.9.1a/8.9.1) id NAA23296 for sip-archive@odin.ietf.org; Thu, 14 Mar 2002 13:42:34 -0500 (EST)
Received: from optimus.ietf.org (localhost [127.0.0.1]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id NAA21481; Thu, 14 Mar 2002 13:14:49 -0500 (EST)
Received: from ietf.org (odin [132.151.1.176]) by optimus.ietf.org (8.9.1a/8.9.1) with ESMTP id NAA21452 for <sip@ns.ietf.org>; Thu, 14 Mar 2002 13:14:46 -0500 (EST)
Received: from mail-green.research.att.com (H-135-207-30-103.research.att.com [135.207.30.103]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA24535 for <sip@ietf.org>; Thu, 14 Mar 2002 13:14:44 -0500 (EST)
Received: from alliance.research.att.com (alliance.research.att.com [135.207.26.26]) by mail-green.research.att.com (Postfix) with ESMTP id 89BBD1E055; Thu, 14 Mar 2002 13:14:44 -0500 (EST)
Received: from fish.research.att.com (fish.research.att.com [135.207.27.137]) by alliance.research.att.com (8.8.7/8.8.7) with ESMTP id NAA20457; Thu, 14 Mar 2002 13:14:41 -0500 (EST)
From: William Marshall <wtm@research.att.com>
Received: (from wtm@localhost) by fish.research.att.com (SGI-8.9.3/8.8.5) id NAA99404; Thu, 14 Mar 2002 13:13:29 -0500 (EST)
Date: Thu, 14 Mar 2002 13:13:29 -0500
Message-Id: <200203141813.NAA99404@fish.research.att.com>
To: rohan@cisco.com
Cc: sip@ietf.org
Subject: [Sip] Re: REFER security
Sender: sip-admin@ietf.org
Errors-To: sip-admin@ietf.org
X-Mailman-Version: 1.0
Precedence: bulk
List-Id: Session Initiation Protocol <sip.ietf.org>
X-BeenThere: sip@ietf.org
The issue that I raised with REFER security during its last-call period last year was the inability of the transfer-target to authenticate the Referred-By header with the transferor. While there may be an authenticated relationship between the transferee and the transferor (established by an INVITE, and used by the REFER), and an authenticated relationship between the transferee and the transfer-target (established by the REFER-initiated INVITE), there is no way for the transfer-target (i.e. UAS in the second INVITE) to verify that the transferor really did send a REFER to the UAC. The result is that the only reasonable policy of a UAS on receiving an INVITE containing a Referred-By header is to ignore it. It can only be utilized and believed within a very limited scope that rivals the applicability statement in the privacy draft. If the basic mechanism is of such limited scope, it seems less than useful to discuss security for each separate usage of REFER. In my last-call review of draft-ietf-sip-refer-02, message dated 13 Nov 2001, I proposed one solution. An additional 4xx error response would be sent from transfer-target to transferee, which would contain a challenge. The transferee would send this challenge to the transferer in a NOTIFY, who would respond with an updated REFER with the proper response. This response would then be included in a new INVITE to the transfer-target. Lots of details TBD, like what additional headers are included in the calculation of the response. An example of the problem with the current draft: Consider the simple case of a blind transfer (described in Section 6 of draft-ietf-sip-cc-transfer-05): Person X calls the CEO of a corporation, and the call is intercepted by a screener (S). Screener is the transferor, X is the transferee, and CEO is transfer-target. Screener sends REFER to X, then X sends INVITE to CEO's private address with Referred-By: S. So the next time X wants to call CEO, why go through the screener? X has the magic Referred-By value to go direct. CEO gets unscreened calls, and removes SIP phones from company. Bill Marshall wtm@research.att.com -----original message----- Date: Thu, 14 Mar 2002 08:42:18 -0800 (Pacific Standard Time) From: Rohan Mahy <rohan@cisco.com> To: sip@ietf.org Subject: [Sip] Re: REFER security Hi, I'm a little unclear whether it is REFER that needs security, or its usage. - A REFER which starts a new dialog should be challenged just like any other request that starts a new dialog (INVITE, SUBSCRIBE). - A REFER in the context of an existing dialog should be treated just like any other request in that context (reINVITE, BYE). If you are using TLS, you don't have any reason to challenge these requests, if you aren't using TLS you should probably challenge these requests. I think what we are talking about is the security or introduction of the triggered request. Can we reasonably discuss this issue in each "usage" of REFER, the first being cc-transfer? thanks, -rohan ------------------ To: "'Robert Sparks'" <rsparks@dynamicsoft.com>, sip@ietf.org Subject: RE: [Sip] Status of REFER From: Alan Johnston <alan.johnston@wcom.com> Date: Tue, 12 Mar 2002 12:43:21 -0600 Importance: Normal In-reply-to: <1015945586.1187.34.camel@dhcp240.dfw.dynamicsoft.com> List-Id: Session Initiation Protocol <sip.ietf.org> Sender: sip-admin@ietf.org -------------------------------------------------------------------------------- Robert, I'm confused about this. We decided a while back to remove a REFER specific security scheme in favor of a more general SIP security approach. Now that we have the general SIP security scheme in bis, you are suggesting that we have to add a REFER specific security scheme back in? This makes no sense. Also, I feel that this is a specific case of the more general problem of how to transport and pass around an "authorization token" for want of a better description in SIP. It could authorize a transfer, a call back through a gateway, a one-time use of a special SIP service, etc, as briefly mentioned in the Multiparty Framework document. I am in favor of solving this general problem, not inventing a REFER specific approach (again) which may or may not work for the more general case. REFER is already way, way, way behind schedule - lets not delay any further by wading into another security quagmire - please. Thanks, Alan Johnston WorldCom sip:alan@siptest.wcom.com > -----Original Message----- > From: sip-admin@ietf.org [mailto:sip-admin@ietf.org] On > Behalf Of Robert Sparks > Sent: Tuesday, March 12, 2002 9:06 AM > To: sip@ietf.org > Subject: [Sip] Status of REFER > > > First - many thanks to those people who found the time to > comment on the current REFER draft during the bis-storm. > > The feedback I received indicates that we should alter the > plan discussed in SLC. Specifically, we should not advance > the REFER draft without a concrete mechanism for securing > information passed from the referror through the referree > to the refer target). I'm working on a couple of mechanisms now. > > The draft also needs to be realigned with the new SIP and > SIP-events RFCs. For instance, the ;cseq= parameter should > be replaced with the more general ;id= parameter in events. > > > RjS _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- Re: [Sip] REFER security William Marshall
- [Sip] REFER security Henning Schulzrinne
- RE: [Sip] REFER security Robert Sparks
- RE: [Sip] REFER security krisztian.kiss
- RE: [Sip] REFER security Robert Sparks
- [Sip] REFER security Michael Thomas
- Re: [Sip] REFER security Henning G. Schulzrinne
- Re: [Sip] REFER security Henning G. Schulzrinne
- Re: [Sip] REFER security Michael Thomas
- Re: [Sip] REFER security Daniel G. Petrie
- [Sip] Re: REFER security Rohan Mahy
- [Sip] Re: REFER security William Marshall
- [Sip] Re: REFER security Michael Thomas
- Re: [Sip] Re: REFER security Rohan Mahy
- Re: [Sip] Re: REFER security Michael Thomas
- Re: [Sip] Re: REFER security Jonathan Rosenberg
- RE: [Sip] Re: REFER security Arunachalam Venkatraman