IETF Logo Mail Archive

Re: [Sip] A proposal for breaking the DTLS-SRTP vs RFC4474gatewaydeadlock

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Wed, 25 June 2008 08:08 UTC

Return-Path: <sip-bounces@ietf.org>
X-Original-To: sip-archive@optimus.ietf.org
Delivered-To: ietfarch-sip-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 128EB3A68FA; Wed, 25 Jun 2008 01:08:56 -0700 (PDT)
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6DDE53A68FA for <sip@core3.amsl.com>; Wed, 25 Jun 2008 01:08:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.099
X-Spam-Level:
X-Spam-Status: No, score=-3.099 tagged_above=-999 required=5 tests=[AWL=-0.500, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IM-T9aUfFiOF for <sip@core3.amsl.com>; Wed, 25 Jun 2008 01:08:54 -0700 (PDT)
Received: from demumfd002.nsn-inter.net (demumfd002.nsn-inter.net [217.115.75.234]) by core3.amsl.com (Postfix) with ESMTP id 46A653A6852 for <sip@ietf.org>; Wed, 25 Jun 2008 01:08:54 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd002.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id m5P88nSa022011 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 25 Jun 2008 10:08:49 +0200
Received: from demuexc023.nsn-intra.net (webmail.nsn-intra.net [10.150.128.36]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id m5P88kRt009356; Wed, 25 Jun 2008 10:08:48 +0200
Received: from demuexc024.nsn-intra.net ([10.159.32.11]) by demuexc023.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959); Wed, 25 Jun 2008 10:08:48 +0200
Received: from FIESEXC007.nsn-intra.net ([10.159.0.15]) by demuexc024.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.3959); Wed, 25 Jun 2008 10:08:48 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 25 Jun 2008 11:08:48 +0300
Message-ID: <C41BFCED3C088E40A8510B57B165C16231309B@FIESEXC007.nsn-intra.net>
In-Reply-To: <198A10EC585EC74687BCA414E2A5971802296B4A@MCHP7RDA.ww002.siemens.net>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Sip] A proposal for breaking the DTLS-SRTP vs RFC4474gatewaydeadlock
Thread-Index: AcjWHtwte7dPhd5lT0KGLuVKo++pzQAesldAAAA7gtA=
References: <7C76092F-6FD4-4951-9166-935CC9001ACD@softarmor.com> <198A10EC585EC74687BCA414E2A5971802296B4A@MCHP7RDA.ww002.siemens.net>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: "ext Fischer, Kai" <kai.fischer@siemens.com>, Dean Willis <dean.willis@softarmor.com>, sip@ietf.org, Eric Rescorla <ekr@rtfm.com>, Jason Fischl <jason@counterpath.com>
X-OriginalArrivalTime: 25 Jun 2008 08:08:48.0201 (UTC) FILETIME=[B2231390:01C8D69A]
X-TM-AS-Product-Ver: SMEX-7.0.0.1584-5.5.1027-15992.005
X-TM-AS-Result: No--23.787100-8.000000-31
Cc: Cullen Jennings <fluffy@cisco.com>, Keith Drage <drage@alcatel-lucent.com>
Subject: Re: [Sip] A proposal for breaking the DTLS-SRTP vs RFC4474gatewaydeadlock
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org

Dean, 

I like your approach. 

Ciao
Hannes
 

>-----Original Message-----
>From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On 
>Behalf Of ext Fischer, Kai
>Sent: 25 June, 2008 11:06
>To: Dean Willis; sip@ietf.org; Eric Rescorla; Jason Fischl
>Cc: Cullen Jennings; Keith Drage
>Subject: Re: [Sip] A proposal for breaking the DTLS-SRTP vs 
>RFC4474gatewaydeadlock
>
>If it is the goal to proceed with the DTLS-SRTP framework 
>timely and to reach the milestone, that's the only reasonable 
>approach. However, I hope there will be support to fix RFC 
>4474 and we can address the backwards compatibility issues.
>
>Kai
>
>
>> -----Original Message-----
>> From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On 
>Behalf Of 
>> Dean Willis
>> Sent: Dienstag, 24. Juni 2008 19:22
>> To: sip@ietf.org; Eric Rescorla; Jason Fischl
>> Cc: Cullen Jennings; Keith Drage
>> Subject: [Sip] A proposal for breaking the DTLS-SRTP vs
>> RFC4474 gatewaydeadlock
>> 
>> 
>> We've gotten stuck on a fine point in DTLS-SRTP.
>> 
>> The current draft-ietf-sip-dtls-srtp-framework-01 uses an RFC 4474 
>> Identity header to preserve the integrity of the media key's 
>> fingerprint, thereby detecting a certain class of MITM attack.
>> 
>> However, RFC 4474 Identity headers are of questionable validity when 
>> used with protocol gateways or B2BUAs.  More or less, 
>they're capable 
>> of asserting the identity of the gateway, not the identity of the 
>> calling party. But the recipient has no real way to figure out which 
>> is which.
>> 
>> We've debated at some length, and with no good result, about whether 
>> we should try and fix RFC 4474. We've had some suggestions that may 
>> work for B2BUAs, and some other suggestions that may work for 
>> gateways, but we certainly don't have a consensus.
>> 
>> That leaves our chartered deliverable of DTLS-SRTP hanging, and the 
>> milestone has gone past months ago.
>> 
>> Here's a proposal:
>> 
>> We add a caveat about the limitation of RFC 4474 to draft-ietf-sip- 
>> dtls-srtp-framework and go ahead and advance that specification. If 
>> somebody later decides to fix RFC 4474, they can do so, and if 
>> necessary update DTLS-SRTP if needed.
>> 
>> 
>> Does that work for everybody?
>> 
>> If we agree to it, I suggest that we move the date for WGLC 
>of draft- 
>> ietf-sip-dtls-srtp-framework to July 2008, and move the 
>milestone for 
>> delivery of that doc to the IESG into September.
>> 
>> --
>> Dean
>> _______________________________________________
>> Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
>> This list is for NEW development of the core SIP Protocol Use 
>> sip-implementors@cs.columbia.edu for questions on current sip Use 
>> sipping@ietf.org for new developments on the application of sip
>> 
>_______________________________________________
>Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
>This list is for NEW development of the core SIP Protocol Use 
>sip-implementors@cs.columbia.edu for questions on current sip 
>Use sipping@ietf.org for new developments on the application of sip
>
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

v2.23.0 | Report a Bug | By Email