IETF Logo Mail Archive

Re: [Sip] A proposal for breaking the DTLS-SRTP vs RFC4474 gatewaydeadlock

"Fischer, Kai" <kai.fischer@siemens.com> Wed, 25 June 2008 08:06 UTC

Return-Path: <sip-bounces@ietf.org>
X-Original-To: sip-archive@optimus.ietf.org
Delivered-To: ietfarch-sip-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7C7F73A68ED; Wed, 25 Jun 2008 01:06:12 -0700 (PDT)
X-Original-To: sip@core3.amsl.com
Delivered-To: sip@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7B9613A68ED for <sip@core3.amsl.com>; Wed, 25 Jun 2008 01:06:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZSm4r87F2PbG for <sip@core3.amsl.com>; Wed, 25 Jun 2008 01:06:10 -0700 (PDT)
Received: from thoth.sbs.de (thoth.sbs.de [192.35.17.2]) by core3.amsl.com (Postfix) with ESMTP id 5C9803A68B8 for <sip@ietf.org>; Wed, 25 Jun 2008 01:06:10 -0700 (PDT)
Received: from mail2.siemens.de (localhost [127.0.0.1]) by thoth.sbs.de (8.12.11.20060308/8.12.11) with ESMTP id m5P863D1032363; Wed, 25 Jun 2008 10:06:03 +0200
Received: from mchp7wta.ww002.siemens.net (mchp7wta.ww002.siemens.net [139.25.131.193]) by mail2.siemens.de (8.12.11.20060308/8.12.11) with ESMTP id m5P862Yd019047; Wed, 25 Jun 2008 10:06:02 +0200
Received: from MCHP7RDA.ww002.siemens.net ([139.25.131.171]) by mchp7wta.ww002.siemens.net with Microsoft SMTPSVC(6.0.3790.3959); Wed, 25 Jun 2008 10:06:01 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Wed, 25 Jun 2008 10:05:59 +0200
Message-ID: <198A10EC585EC74687BCA414E2A5971802296B4A@MCHP7RDA.ww002.siemens.net>
In-Reply-To: <7C76092F-6FD4-4951-9166-935CC9001ACD@softarmor.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Sip] A proposal for breaking the DTLS-SRTP vs RFC4474 gatewaydeadlock
Thread-Index: AcjWHtwte7dPhd5lT0KGLuVKo++pzQAesldA
References: <7C76092F-6FD4-4951-9166-935CC9001ACD@softarmor.com>
From: "Fischer, Kai" <kai.fischer@siemens.com>
To: Dean Willis <dean.willis@softarmor.com>, sip@ietf.org, Eric Rescorla <ekr@rtfm.com>, Jason Fischl <jason@counterpath.com>
X-OriginalArrivalTime: 25 Jun 2008 08:06:01.0841 (UTC) FILETIME=[4EFA8E10:01C8D69A]
Cc: Cullen Jennings <fluffy@cisco.com>, Keith Drage <drage@alcatel-lucent.com>
Subject: Re: [Sip] A proposal for breaking the DTLS-SRTP vs RFC4474 gatewaydeadlock
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org

If it is the goal to proceed with the DTLS-SRTP framework timely and to
reach the milestone, that's the only reasonable approach. However, I
hope there will be support to fix RFC 4474 and we can address the
backwards compatibility issues.

Kai


> -----Original Message-----
> From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On 
> Behalf Of Dean Willis
> Sent: Dienstag, 24. Juni 2008 19:22
> To: sip@ietf.org; Eric Rescorla; Jason Fischl
> Cc: Cullen Jennings; Keith Drage
> Subject: [Sip] A proposal for breaking the DTLS-SRTP vs 
> RFC4474 gatewaydeadlock
> 
> 
> We've gotten stuck on a fine point in DTLS-SRTP.
> 
> The current draft-ietf-sip-dtls-srtp-framework-01 uses an RFC 4474  
> Identity header to preserve the integrity of the media key's  
> fingerprint, thereby detecting a certain class of MITM attack.
> 
> However, RFC 4474 Identity headers are of questionable validity when  
> used with protocol gateways or B2BUAs.  More or less, they're 
> capable  
> of asserting the identity of the gateway, not the identity of the  
> calling party. But the recipient has no real way to figure out which  
> is which.
> 
> We've debated at some length, and with no good result, about whether  
> we should try and fix RFC 4474. We've had some suggestions that may  
> work for B2BUAs, and some other suggestions that may work for  
> gateways, but we certainly don't have a consensus.
> 
> That leaves our chartered deliverable of DTLS-SRTP hanging, and the  
> milestone has gone past months ago.
> 
> Here's a proposal:
> 
> We add a caveat about the limitation of RFC 4474 to draft-ietf-sip- 
> dtls-srtp-framework and go ahead and advance that specification. If  
> somebody later decides to fix RFC 4474, they can do so, and if  
> necessary update DTLS-SRTP if needed.
> 
> 
> Does that work for everybody?
> 
> If we agree to it, I suggest that we move the date for WGLC of draft- 
> ietf-sip-dtls-srtp-framework to July 2008, and move the 
> milestone for  
> delivery of that doc to the IESG into September.
> 
> --
> Dean
> _______________________________________________
> Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors@cs.columbia.edu for questions on current sip
> Use sipping@ietf.org for new developments on the application of sip
> 
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

v2.23.0 | Report a Bug | By Email