Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

Iñaki Baz Castillo <ibc@aliax.net> Fri, 16 September 2011 12:44 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: sip@ietfa.amsl.com
Delivered-To: sip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D57221F8B4D for <sip@ietfa.amsl.com>; Fri, 16 Sep 2011 05:44:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.648
X-Spam-Level:
X-Spam-Status: No, score=-2.648 tagged_above=-999 required=5 tests=[AWL=0.029, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5i2pfwKiIXmZ for <sip@ietfa.amsl.com>; Fri, 16 Sep 2011 05:44:02 -0700 (PDT)
Received: from mail-qy0-f179.google.com (mail-qy0-f179.google.com [209.85.216.179]) by ietfa.amsl.com (Postfix) with ESMTP id DA68F21F869E for <sip@ietf.org>; Fri, 16 Sep 2011 05:44:01 -0700 (PDT)
Received: by qyk33 with SMTP id 33so3866418qyk.10 for <sip@ietf.org>; Fri, 16 Sep 2011 05:46:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.229.67.166 with SMTP id r38mr1840589qci.254.1316177176199; Fri, 16 Sep 2011 05:46:16 -0700 (PDT)
Received: by 10.229.79.207 with HTTP; Fri, 16 Sep 2011 05:46:16 -0700 (PDT)
In-Reply-To: <EDC0A1AE77C57744B664A310A0B23AE220C0DD06@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com>
References: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com> <CFFC2869-C704-423E-974D-3F4B93145BBB@edvina.net> <CALiegfnh2C3GNddnneepcVsGgtOd1pSDBVC3uH72S1KaVT_jHg@mail.gmail.com> <7889A6C3D41A49439DAECC7B4C998F011C07F2E6EF@MCHP058A.global-ad.net> <CALiegfkqnVMHSZuim33XNy8rPdBRmJsB6VRxF3mR1dEXvEdK-Q@mail.gmail.com> <CALiegf=jX6pkdw+xYueuEjgAoo_9XVhYqOgc0Uwx2yt7gqto1Q@mail.gmail.com> <7889A6C3D41A49439DAECC7B4C998F011C07F2EA81@MCHP058A.global-ad.net> <CALiegfnxSo3zvCHAUtFUU=2XODUJN3SNxhRgVZ+oF5tfsQFsFw@mail.gmail.com> <EDC0A1AE77C57744B664A310A0B23AE220C0DD06@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com>
Date: Fri, 16 Sep 2011 14:46:16 +0200
Message-ID: <CALiegfm5YQmcruJ=0=DQEieT+h41N7ySfcR0-QgPE=avOuphBQ@mail.gmail.com>
From: =?UTF-8?Q?I=C3=B1aki_Baz_Castillo?= <ibc@aliax.net>
To: "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "sip@ietf.org" <sip@ietf.org>, "Horvath, Ernst" <ernst.horvath@siemens-enterprise.com>
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2011 12:44:02 -0000

2011/9/16 DRAGE, Keith (Keith) <keith.drage@alcatel-lucent.com>om>:
> This conclusion is nothing new - it was essentially the conclusion of those working on RFC 5630. But it is not RFC 5630 that needs the rework; that document is pretty much correct within the constraints we gave it, which is to define what happens with the existing protocol and make minimum fixes to the existing protocol (indeed the original charter item was only the first half of this).
>
> There was a recognition that more could be achieved with a new mechanism (for example there was a draft from Vijay Gurbani), but that would have been a separate charter item, and noone seemed to have the enthusiasm at the time to work on it. That doesn't mean that that situation still persists and I'm sure you understand the process for bringing new work into IETF if you want to do something. But that is what it is, new work.

Thanks, I understand what you mean.

IMHO the main problem is "mixing" the transport for a specific node in
the path with the requirement of a secure transport for the whole
path. Given this thread is clear that there are errors in the design
making it unusable.

Another "error" (IMHO) is the aim of RFC 3261 in considering TLS (over
TCP) not a transport, but a secure layer over TCP. But that is ironic
since that just applies to URI ;transport param, but in Via transport
field we do have "TLS" and "TCP" as separate values.

Things would be much easier as follows (just an initial idea):

- Consider TLS-over-TCP as a real transport (the same for TLS over
SCTP) so we have ;transport=tls / tls-sctp.

- Completely remove SIPS schema (the real pain here).

- Create any new mechanism for requiring a whole secure path. For
example, by adding a ;sec param to the Request URI and Contact URI. In
this way, the UAS MUST also add ;sec to the Contact header in the
response, so all the in-dialog requests would have ;sec in the Request
URI.  Proxies should add ;sec to Record-Route headers in this case.
If an UAC or proxy has to route a request whose top Route (or RURI if
no Route is present) has ;sec param, then it MUST use a secure
transport. If such URI contains a ;transport param with values "udp",
"tcp" or "sctp" then that's an error and the request should be
rejected.
And that's all.

Of course this idea must be improved (a lot) :)

Regards.

-- 
Iñaki Baz Castillo
<ibc@aliax.net>