[Sip] RE: Identity after reinvite
"Peterson, Jon" <jon.peterson@neustar.biz> Tue, 16 November 2004 06:45 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA09211 for <sip-web-archive@ietf.org>; Tue, 16 Nov 2004 01:45:13 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CTx7f-00056i-FO for sip-web-archive@ietf.org; Tue, 16 Nov 2004 01:47:27 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CTx3q-0006nw-Ol; Tue, 16 Nov 2004 01:43:30 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CTx20-0006YT-GC for sip@megatron.ietf.org; Tue, 16 Nov 2004 01:41:37 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id BAA08904 for <sip@ietf.org>; Tue, 16 Nov 2004 01:41:35 -0500 (EST)
Received: from oak.neustar.com ([209.173.53.70]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CTx49-00050O-ON for sip@ietf.org; Tue, 16 Nov 2004 01:43:50 -0500
Received: from stntimc1.va.neustar.com (stntimc1.neustar.com [10.31.13.11]) by oak.neustar.com (8.12.8/8.11.0) with ESMTP id iAG6f210026137; Tue, 16 Nov 2004 06:41:02 GMT
Received: by stntimc1.cis.neustar.com with Internet Mail Service (5.5.2657.72) id <T32L783V>; Tue, 16 Nov 2004 01:41:02 -0500
Message-ID: <7927C67249E4AD43BC05B539AF0D129801AF4372@stntexch04.cis.neustar.com>
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: 'Paul Kyzivat' <pkyzivat@cisco.com>, Cullen Jennings <fluffy@cisco.com>, sip@ietf.org
Date: Tue, 16 Nov 2004 01:40:57 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain; charset="iso-8859-1"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 8de5f93cb2b4e3bee75302e9eacc33db
Subject: [Sip] RE: Identity after reinvite
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: a8a20a483a84f747e56475e290ee868e
Well, yes, now one begins to appreciate why we originally coupled the request identity problem with the response identity problem. :) In the next revision of the identity draft, which will incorporate the list comments up to date, I do intend to include some text about dialogs. I agree that the draft should apply to requests regardless of the dialog context. Moreover, I don't think the problem you raise below is limited merely to re-INVITEs within a dialog. I believe it applies equally to BYE requests sent in the backwards direction in a dialog. Ideally, the originator of the dialog should have some assurance that requests sent in the backwards direction come from the same identity that positively responded to the dialog (i.e., the sender of the 200 and any provisional responses). In the absence of response identity, though, it is difficult for Alice to have any such assurance. Equally, as you point out below, Bob can have no assurance that his BYE or re-INVITE has been fielded by Alice if he is unable to get a cryptographically-assured 200 response to his own requests. Alice can't even be certain that she actually connected to Bob, thanks to retargeting; this is the essence of the connected-ID/response identity problem, and threatens to drag us back into the morass of retargeting restrictions and so on that populated the sip-identity-02 draft. A lack of such a strong binding of backwards-direction BYE requests to the dialog is a significant limitation; if BYE can be spoofed, then an attacker can terminate existing dialogs. However, I'm not sure that the situation is so dire as you suggest below. Without identity, it is trivial for any attacker to impersonate a dialog-forming request. It is harder, though, for an attacker to impersonate a response or mid-dialog request; this requires the attacker to gather dialog state through eavesdropping or some similar means. There is a very important distinction in sophistication between an attacker who can merely formulate a plausible dialog-forming request with an inappropriate From header field versus an attacker who can capture dialog-forming requests and improvise appropriate responses (with correct tags, correct Call-ID/CSeq, etc). Ultimately, request identity can protect against the former but not the latter. While it is imperfect, I feel that this is an improvement over the current situation. In cases where retargeting has not occurred, Alice will see a re-INVITE or BYE from the expected URI (blessed, as you say); in cases where retargeting has occurred, Alice may receive a warning from her UI that an unexpected but assured URI has responded. Likewise, Bob will have to trust, given the signature over the Contact header field in the dialog-forming INVITE request, that his request in the backwards direction is forwarded to the appropriate UA instance. In terms of what Bob's UI should display, well, that really depends on the sophistication of attacks you are willing to consider plausible. Personally, I don't think Bob's UI should suggest any uncertainty about the matter. To improve on all this, we will ultimately need to solve the response identity problem; however, I maintain that sip-identity as it stands will have addressed the simplest and most common variety of impersonation, the one that does not require any eavesdropping whatsoever. Once we feel we have the right answer to request identity, we can revisit the response identity problem and try to eliminate the remaining attacks. Jon Peterson NeuStar, Inc. > -----Original Message----- > From: Paul Kyzivat [mailto:pkyzivat@cisco.com] > Sent: Monday, November 15, 2004 3:58 PM > To: Peterson, Jon; Cullen Jennings; sip@ietf.org > Subject: Identity after reinvite > > > Jon, > > After the meetings last week a question came to mind re the > identity draft. > > First, I want to double check on usage in dialogs. The draft doesn't > say, but I presume that every message in a dialog needs to be signed, > not just the one that initiates a dialog. If that is a bad assumption, > it would be good to hear why. > > Assuming that, what happens when the initial invite was from Alice to > Bob, and later a reinvite is sent from Bob to Alice? Initially Bob knew > that Alice had called, while Alice had no assurance about who she had > reached with her call. The reinvite is from Bob, so if his identity is > blessed, then Alice will know she is talking to Bob, but Bob will no > longer have any assurance that he is still talking to Alice. > > This could even manifest itself in the UI presented to Alice and Bob. > Initially Bob would have a "callerid" display showing Alice as a > certified caller. But after putting Alice on hold and back off hold the > display might stop showing Alice, or at least might show the identity as > suspect. (There may be strong temptations to avoid this via some sort of > hack.) > > I don't see any good solution for this other than solving the connected > party id problem as well. > > Just checking my understanding, > Paul > _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- [Sip] Identity after reinvite Paul Kyzivat
- [Sip] RE: Identity after reinvite Peterson, Jon
- Re: [Sip] RE: Identity after reinvite Jonathan Rosenberg
- [Sip] Re: Identity after reinvite Paul Kyzivat
- Re: [Sip] RE: Identity after reinvite Paul Kyzivat
- Re: [Sip] RE: Identity after reinvite Cullen Jennings
- Re: [Sip] RE: Identity after reinvite Paul Kyzivat
- Re: [Sip] RE: Identity after reinvite David R Oran
- Re: [Sip] RE: Identity after reinvite Jonathan Rosenberg
- Re: [Sip] RE: Identity after reinvite Paul Kyzivat
- RE: [Sip] RE: Identity after reinvite Peterson, Jon
- Re: [Sip] RE: Identity after reinvite Paul Kyzivat
- RE: [Sip] RE: Identity after reinvite Peterson, Jon
- Re: [Sip] RE: Identity after reinvite Jonathan Rosenberg
- Re: [Sip] RE: Identity after reinvite Jonathan Rosenberg
- Re: [Sip] RE: Identity after reinvite Dean Willis