RE: [Sip] End-to-end security for DTLS-SRTP (FW: I-DAction:draft-fischer-sip-e2e-sec-media-00.txt)
"Dan Wing" <dwing@cisco.com> Thu, 24 January 2008 18:11 UTC
Return-path: <sip-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JI6YK-0003or-2t; Thu, 24 Jan 2008 13:11:52 -0500
Received: from sip by megatron.ietf.org with local (Exim 4.43) id 1JI6YH-0003W4-Ki for sip-confirm+ok@megatron.ietf.org; Thu, 24 Jan 2008 13:11:49 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JI6YH-0003UJ-7n for sip@ietf.org; Thu, 24 Jan 2008 13:11:49 -0500
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1JI6YG-0006HB-2h for sip@ietf.org; Thu, 24 Jan 2008 13:11:49 -0500
Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-6.cisco.com with ESMTP; 24 Jan 2008 10:11:47 -0800
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id m0OIBljB024994; Thu, 24 Jan 2008 10:11:47 -0800
Received: from dwingwxp01 ([10.32.240.195]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id m0OIBk3V029735; Thu, 24 Jan 2008 18:11:47 GMT
From: Dan Wing <dwing@cisco.com>
To: "'Fischer, Kai'" <kai.fischer@siemens.com>, sip@ietf.org
References: <198A10EC585EC74687BCA414E2A5971801FD49B7@MCHP7RDA.ww002.siemens.net>
Subject: RE: [Sip] End-to-end security for DTLS-SRTP (FW: I-DAction:draft-fischer-sip-e2e-sec-media-00.txt)
Date: Thu, 24 Jan 2008 10:11:46 -0800
Message-ID: <009701c85eb4$9567a120$c3f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AchdoYOBj7k5YqdfRt26nwywkqFi4gAAD1sgAESeZiA=
In-Reply-To: <198A10EC585EC74687BCA414E2A5971801FD49B7@MCHP7RDA.ww002.siemens.net>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4774; t=1201198307; x=1202062307; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[Sip]=20End-to-end=20security=20for=20D TLS-SRTP=20(FW=3A=20I-DAction=3Adraft-fischer-sip-e2e-sec-me dia-00.txt) |Sender:=20; bh=UfMSVaMb2j4kiqld74DYALodji12vJMJU6W5pX9as/c=; b=iYdRWLBlSBEaAhnC8XTYzbJExMPdBj7q6gmzHTLr0/99KVK+fpSZXb2TW/ Tf/pcLRkX5hi/uUKf4rb3Q6bMMQpbrZVmw55aQi8mdGgVR/2xWxyH9E0AVx5 p7872wVqG7;
Authentication-Results: sj-dkim-4; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 36c793b20164cfe75332aa66ddb21196
Cc:
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Errors-To: sip-bounces@ietf.org
I like this draft, and it solves a very real problem: providing identity for SIP requests that traverse B2BUAs and traverse SBCs. -d > -----Original Message----- > From: Fischer, Kai [mailto:kai.fischer@siemens.com] > Sent: Wednesday, January 23, 2008 1:34 AM > To: sip@ietf.org > Subject: [Sip] End-to-end security for DTLS-SRTP (FW: > I-DAction:draft-fischer-sip-e2e-sec-media-00.txt) > > Hi, > I have submitted a draft proposing a solution to secure a DTLS-SRTP > handshake and hence SRTP end-to-end (in terms of end-domain to > end-domain). As discussed during the last IETF meetings and > analyzed by > Dan's Identity-Media draft, current solutions like SIP Identity do not > protect the authenticity of the fingerprint end-to-end in certain > inter-domain scenarios. For example, a modification of SDP > m-/c-lines or > the From header field by intermediaries breaks the SIP-Identity or > Identity-Media signature and causes a re-signing by a domain different > to the originating one. The draft proposes a solution for > such scenarios > without the need to re-sign during domain traversal and which > preserves > the original identity information. > > I appreciate your comments and opinions to the draft and the proposed > solution. > > Kai > > > > -----Original Message----- > > From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org] > > Sent: Mittwoch, 23. Januar 2008 10:20 > > To: i-d-announce@ietf.org > > Subject: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt > > > > A New Internet-Draft is available from the on-line > > Internet-Drafts directories. > > > > Title : End-to-End Security for DTLS-SRTP > > Author(s) : K. Fischer > > Filename : draft-fischer-sip-e2e-sec-media-00.txt > > Pages : 14 > > Date : 2008-01-23 > > > > The end-to-end security properties of DTLS-SRTP depend on the > > authenticity of the certificate fingerprint exchanged in the > > signalling channel. In current approaches the authenticity is > > protected by SIP-Identity or SIP-Identity-Media. These types of > > signatures are broken if intermediaries like Session Border > > Controllers in other domains change specific information of the SIP > > header or the SIP body. The end-to-end security property > between the > > originating and terminating domain is lost if these intermediaries > > re-sign the SIP message and create a new identity signature using > > their own domain credentials. > > > > This document defines a new signature type 'Fingerprint-Identity' > > which is exchanged in the signalling channel. Fingerprint-Identity > > covers only those elements of a SIP message necessary to > authenticate > > the certificate fingerprint and to secure media end-to-end. It is > > independent from SIP-Identity and SIP-Identity-Media and can be > > applied in parallel to them. > > > > A URL for this Internet-Draft is: > > http://www.ietf.org/internet-drafts/draft-fischer-sip-e2e-sec- > > media-00.txt > > > > To remove yourself from the I-D Announcement list, send a message to > > i-d-announce-request@ietf.org with the word unsubscribe in > > the body of > > the message. > > You can also visit > https://www1.ietf.org/mailman/listinfo/I-D-announce > > to change your subscription settings. > > > > Internet-Drafts are also available by anonymous FTP. Login with the > > username "anonymous" and a password of your e-mail address. After > > logging in, type "cd internet-drafts" and then > > "get draft-fischer-sip-e2e-sec-media-00.txt". > > > > A list of Internet-Drafts directories can be found in > > http://www.ietf.org/shadow.html > > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt > > > > Internet-Drafts can also be obtained by e-mail. > > > > Send a message to: > > mailserv@ietf.org. > > In the body type: > > "FILE /internet-drafts/draft-fischer-sip-e2e-sec-media-00.txt". > > > > NOTE: The mail server at ietf.org can return the document in > > MIME-encoded form by using the "mpack" utility. To use this > > feature, insert the command "ENCODING mime" before the "FILE" > > command. To decode the response(s), you will need "munpack" or > > a MIME-compliant mail reader. Different MIME-compliant > > mail readers > > exhibit different behavior, especially when dealing with > > "multipart" MIME messages (i.e. documents which have been split > > up into multiple messages), so check your local documentation on > > how to manipulate these messages. > > > > Below is the data which will enable a MIME compliant mail reader > > implementation to automatically retrieve the ASCII version of the > > Internet-Draft. > > > _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip