Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

"Vijay K. Gurbani" <vkg@bell-labs.com> Fri, 16 September 2011 13:21 UTC

Message-ID: <4E734E62.1020700@bell-labs.com>
Date: Fri, 16 Sep 2011 08:25:54 -0500
From: "Vijay K. Gurbani" <vkg@bell-labs.com>
Organization: Bell Laboratories, Alcatel-Lucent
To: "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>
In-Reply-To: <EDC0A1AE77C57744B664A310A0B23AE220C0DD06@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com>
Cc: "sip@ietf.org" <sip@ietf.org>, "Horvath, Ernst" <ernst.horvath@siemens-enterprise.com>
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

On 09/16/2011 07:18 AM, DRAGE, Keith (Keith) wrote:
[...]
> There was a recognition that more could be achieved with a new
> mechanism (for example there was a draft from Vijay Gurbani), but
> that would have been a separate charter item, and no one seemed to
> have the enthusiasm at the time to work on it. That doesn't mean that
> that situation still persists and I'm sure you understand the process
> for bringing new work into IETF if you want to do something. But that
> is what it is, new work.

The draft Keith is referring to here, if you are interested, is:
"The SIPSEC Uniform Resource Identifier (URI)" [1].

There was a follow-up paper [2] that used the idea in the sipsec URI
draft to benchmark TLS per-hop and TLS end-to-end, treating the
intermediary proxies as a blind byte forwarder.  If you are interested
in the paper, drop me a private message and I can send you the PDF.

[1] http://tools.ietf.org/html/draft-gurbani-sip-sipsec-01
[2] Gurbani, V.K., Willis, D., and Audet, F., "Cryptographically
  Transparent Session Initiation Protocol (SIP) Proxies," Proceedings of
  the 2007 IEEE International Conference on Communications (ICC), pp.
  1185-1190, June 2007, Glasgow, UK.

Thanks,

- vijay
-- 
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
1960 Lucent Lane, Rm. 9C-533, Naperville, Illinois 60566 (USA)
Email: vkg@{bell-labs.com,acm.org} / vijay.gurbani@alcatel-lucent.com
Web:   http://ect.bell-labs.com/who/vkg/