Re: [Sip] Using TLS in the first hop - Bug in RFC 5630

"DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com> Fri, 16 September 2011 12:16 UTC

Return-Path: <keith.drage@alcatel-lucent.com>
X-Original-To: sip@ietfa.amsl.com
Delivered-To: sip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F09521F8669 for <sip@ietfa.amsl.com>; Fri, 16 Sep 2011 05:16:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.795
X-Spam-Level:
X-Spam-Status: No, score=-105.795 tagged_above=-999 required=5 tests=[AWL=0.154, BAYES_00=-2.599, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6d3I8avCA-R7 for <sip@ietfa.amsl.com>; Fri, 16 Sep 2011 05:16:39 -0700 (PDT)
Received: from smail3.alcatel.fr (smail3.alcatel.fr [62.23.212.56]) by ietfa.amsl.com (Postfix) with ESMTP id 4B39121F85EF for <sip@ietf.org>; Fri, 16 Sep 2011 05:16:38 -0700 (PDT)
Received: from FRMRSSXCHHUB03.dc-m.alcatel-lucent.com (FRMRSSXCHHUB03.dc-m.alcatel-lucent.com [135.120.45.63]) by smail3.alcatel.fr (8.14.3/8.14.3/ICT) with ESMTP id p8GCIGMW015919 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Fri, 16 Sep 2011 14:18:50 +0200
Received: from FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com ([135.120.45.45]) by FRMRSSXCHHUB03.dc-m.alcatel-lucent.com ([135.120.45.63]) with mapi; Fri, 16 Sep 2011 14:18:42 +0200
From: "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>
To: =?iso-8859-1?Q?I=F1aki_Baz_Castillo?= <ibc@aliax.net>, "Horvath, Ernst" <ernst.horvath@siemens-enterprise.com>
Date: Fri, 16 Sep 2011 14:18:41 +0200
Thread-Topic: [Sip] Using TLS in the first hop - Bug in RFC 5630
Thread-Index: Acx0YPOECDOTc7UWRJ+04b78UnzBzgACQnWg
Message-ID: <EDC0A1AE77C57744B664A310A0B23AE220C0DD06@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com>
References: <CALiegfkNfJ7McZAA=a5ajYVzYtmAjC_KQdK1P_ez2L1dia5v2g@mail.gmail.com> <CFFC2869-C704-423E-974D-3F4B93145BBB@edvina.net> <CALiegfnh2C3GNddnneepcVsGgtOd1pSDBVC3uH72S1KaVT_jHg@mail.gmail.com> <7889A6C3D41A49439DAECC7B4C998F011C07F2E6EF@MCHP058A.global-ad.net> <CALiegfkqnVMHSZuim33XNy8rPdBRmJsB6VRxF3mR1dEXvEdK-Q@mail.gmail.com> <CALiegf=jX6pkdw+xYueuEjgAoo_9XVhYqOgc0Uwx2yt7gqto1Q@mail.gmail.com> <7889A6C3D41A49439DAECC7B4C998F011C07F2EA81@MCHP058A.global-ad.net> <CALiegfnxSo3zvCHAUtFUU=2XODUJN3SNxhRgVZ+oF5tfsQFsFw@mail.gmail.com>
In-Reply-To: <CALiegfnxSo3zvCHAUtFUU=2XODUJN3SNxhRgVZ+oF5tfsQFsFw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.69 on 155.132.188.83
Cc: "sip@ietf.org" <sip@ietf.org>
Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sip>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Sep 2011 12:16:40 -0000

> So IMHO SIPS and TLS is broken and it can only work when the full path
> is secure (which is unfeasible in most of the environments). This
> needs a rework ...

This conclusion is nothing new - it was essentially the conclusion of those working on RFC 5630. But it is not RFC 5630 that needs the rework; that document is pretty much correct within the constraints we gave it, which is to define what happens with the existing protocol and make minimum fixes to the existing protocol (indeed the original charter item was only the first half of this). 

There was a recognition that more could be achieved with a new mechanism (for example there was a draft from Vijay Gurbani), but that would have been a separate charter item, and noone seemed to have the enthusiasm at the time to work on it. That doesn't mean that that situation still persists and I'm sure you understand the process for bringing new work into IETF if you want to do something. But that is what it is, new work.

Keith

> -----Original Message-----
> From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On Behalf Of
> Iñaki Baz Castillo
> Sent: 16 September 2011 12:08
> To: Horvath, Ernst
> Cc: sip@ietf.org
> Subject: Re: [Sip] Using TLS in the first hop - Bug in RFC 5630
> 
> 2011/9/16 Horvath, Ernst <ernst.horvath@siemens-enterprise.com>om>:
> > Well, I read RFC 3261 differently. 8.1.2 says:
> >
> >   Otherwise, the procedures are applied to the first Route header field
> >   value in the request (if one exists), or to the request's Request-URI
> >   if there is no Route header field present.  These procedures yield an
> >   ordered set of address, port, and transports to attempt.  Independent
> >   of which URI is used as input to the procedures of [4], if the
> >   Request-URI specifies a SIPS resource, the UAC MUST follow the
> >   procedures of [4] as if the input URI were a SIPS URI.
> >
> > This behaviour overrides the transport indicated in the Route header if
> > the Request-URI is SIPS. And it applies to mid-dialog requests as well.
> > BTW, RFC 5630 has some text on your original point:
> >
> > 5.1.1.2.  SIPS in a Dialog
> >
> >   If the Request-URI in a request that initiates a dialog is a SIP URI,
> >   then the UAC needs to be careful about what to use in the Contact
> >   header field (in case Record-Route is not used for this hop).  If the
> >   Contact header field was a SIPS URI, it would mean that the UAS would
> >   only accept mid-dialog requests that are sent over secure transport
> >   on each hop.  Since the Request-URI in this case is a SIP URI, it is
> >   quite possible that the UA sending a request to that URI might not be
> >   able to send requests to SIPS URIs.  If the top Route header field
> >   does not contain a SIPS URI, the UAC MUST use a SIP URI in the
> >   Contact header field, even if the request is sent over a secure
> >   transport (e.g., the first hop could be re-using a TLS connection to
> >   the proxy as would be the case with [RFC5626]).
> 
> Hi, this definitely tells me that SIPS and TLS is impossible, but just
> in the case of full TLS in the whole path.
> 
> I insist on the bug I've reported for RFC 5630: If the client sets a
> SIP Contact URI and sends the request using TLS, then it would receive
> incoming in-dialog requests via UDP or TCP, but not TLS. This does not
> make sense as the caller could use just SIP over TLS, and in case of
> NAT this would never work as the proxy/server could never send a TCP
> or UDP request to the client.
> 
> So IMHO SIPS and TLS is broken and it can only work when the full path
> is secure (which is unfeasible in most of the environments). This
> needs a rework, or maybe Olle is right and we should use
> ;transport=tls (with SIP schema), ;transport=tls-sctp and so on.
> 
> --
> Iñaki Baz Castillo
> <ibc@aliax.net>
> _______________________________________________
> Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
> This list is essentially closed and only used for finishing old business.
> Use sip-implementors@cs.columbia.edu for questions on how to develop a SIP
> implementation.
> Use dispatch@ietf.org for new developments on the application of sip.
> Use sipcore@ietf.org for issues related to maintenance of the core SIP
> specifications.