RE: [Sip] End-to-end security for DTLS-SRTP (FW: I-DAction:draft-fischer-sip-e2e-sec-media-00.txt)

"Dan Wing" <dwing@cisco.com> Thu, 24 January 2008 18:11 UTC

Return-path: <sip-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JI6YK-0003or-2t; Thu, 24 Jan 2008 13:11:52 -0500
Received: from sip by megatron.ietf.org with local (Exim 4.43) id 1JI6YH-0003W4-Ki for sip-confirm+ok@megatron.ietf.org; Thu, 24 Jan 2008 13:11:49 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JI6YH-0003UJ-7n for sip@ietf.org; Thu, 24 Jan 2008 13:11:49 -0500
Received: from sj-iport-6.cisco.com ([171.71.176.117]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1JI6YG-0006HB-2h for sip@ietf.org; Thu, 24 Jan 2008 13:11:49 -0500
Received: from sj-dkim-4.cisco.com ([171.71.179.196]) by sj-iport-6.cisco.com with ESMTP; 24 Jan 2008 10:11:47 -0800
Received: from sj-core-1.cisco.com (sj-core-1.cisco.com [171.71.177.237]) by sj-dkim-4.cisco.com (8.12.11/8.12.11) with ESMTP id m0OIBljB024994; Thu, 24 Jan 2008 10:11:47 -0800
Received: from dwingwxp01 ([10.32.240.195]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id m0OIBk3V029735; Thu, 24 Jan 2008 18:11:47 GMT
From: "Dan Wing" <dwing@cisco.com>
To: "'Fischer, Kai'" <kai.fischer@siemens.com>, <sip@ietf.org>
References: <198A10EC585EC74687BCA414E2A5971801FD49B7@MCHP7RDA.ww002.siemens.net>
Subject: RE: [Sip] End-to-end security for DTLS-SRTP (FW: I-DAction:draft-fischer-sip-e2e-sec-media-00.txt)
Date: Thu, 24 Jan 2008 10:11:46 -0800
Message-ID: <009701c85eb4$9567a120$c3f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
Thread-Index: AchdoYOBj7k5YqdfRt26nwywkqFi4gAAD1sgAESeZiA=
In-Reply-To: <198A10EC585EC74687BCA414E2A5971801FD49B7@MCHP7RDA.ww002.siemens.net>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=4774; t=1201198307; x=1202062307; c=relaxed/simple; s=sjdkim4002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[Sip]=20End-to-end=20security=20for=20D TLS-SRTP=20(FW=3A=20I-DAction=3Adraft-fischer-sip-e2e-sec-me dia-00.txt) |Sender:=20; bh=UfMSVaMb2j4kiqld74DYALodji12vJMJU6W5pX9as/c=; b=iYdRWLBlSBEaAhnC8XTYzbJExMPdBj7q6gmzHTLr0/99KVK+fpSZXb2TW/ Tf/pcLRkX5hi/uUKf4rb3Q6bMMQpbrZVmw55aQi8mdGgVR/2xWxyH9E0AVx5 p7872wVqG7;
Authentication-Results: sj-dkim-4; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim4002 verified; );
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 36c793b20164cfe75332aa66ddb21196
Cc:
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Errors-To: sip-bounces@ietf.org

I like this draft, and it solves a very real problem:  providing identity for
SIP requests that traverse B2BUAs and traverse SBCs.

-d

> -----Original Message-----
> From: Fischer, Kai [mailto:kai.fischer@siemens.com] 
> Sent: Wednesday, January 23, 2008 1:34 AM
> To: sip@ietf.org
> Subject: [Sip] End-to-end security for DTLS-SRTP (FW: 
> I-DAction:draft-fischer-sip-e2e-sec-media-00.txt)
> 
> Hi,
> I have submitted a draft proposing a solution to secure a DTLS-SRTP
> handshake and hence SRTP end-to-end (in terms of end-domain to
> end-domain). As discussed during the last IETF meetings and 
> analyzed by
> Dan's Identity-Media draft, current solutions like SIP Identity do not
> protect the authenticity of the fingerprint end-to-end in certain
> inter-domain scenarios. For example, a modification of SDP 
> m-/c-lines or
> the From header field by intermediaries breaks the SIP-Identity or
> Identity-Media signature and causes a re-signing by a domain different
> to the originating one. The draft proposes a solution for 
> such scenarios
> without the need to re-sign during domain traversal and which 
> preserves
> the original identity information.
> 
> I appreciate your comments and opinions to the draft and the proposed
> solution.
> 
> Kai
> 
> 
> > -----Original Message-----
> > From: Internet-Drafts@ietf.org [mailto:Internet-Drafts@ietf.org] 
> > Sent: Mittwoch, 23. Januar 2008 10:20
> > To: i-d-announce@ietf.org
> > Subject: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt 
> > 
> > A New Internet-Draft is available from the on-line 
> > Internet-Drafts directories.
> > 
> > 	Title           : End-to-End Security for DTLS-SRTP
> > 	Author(s)       : K. Fischer
> > 	Filename        : draft-fischer-sip-e2e-sec-media-00.txt
> > 	Pages           : 14
> > 	Date            : 2008-01-23
> > 
> > The end-to-end security properties of DTLS-SRTP depend on the
> > authenticity of the certificate fingerprint exchanged in the
> > signalling channel.  In current approaches the authenticity is
> > protected by SIP-Identity or SIP-Identity-Media.  These types of
> > signatures are broken if intermediaries like Session Border
> > Controllers in other domains change specific information of the SIP
> > header or the SIP body.  The end-to-end security property 
> between the
> > originating and terminating domain is lost if these intermediaries
> > re-sign the SIP message and create a new identity signature using
> > their own domain credentials.
> > 
> > This document defines a new signature type 'Fingerprint-Identity'
> > which is exchanged in the signalling channel.  Fingerprint-Identity
> > covers only those elements of a SIP message necessary to 
> authenticate
> > the certificate fingerprint and to secure media end-to-end.  It is
> > independent from SIP-Identity and SIP-Identity-Media and can be
> > applied in parallel to them.
> > 
> > A URL for this Internet-Draft is:
> > http://www.ietf.org/internet-drafts/draft-fischer-sip-e2e-sec-
> > media-00.txt
> > 
> > To remove yourself from the I-D Announcement list, send a message to
> > i-d-announce-request@ietf.org with the word unsubscribe in 
> > the body of 
> > the message.
> > You can also visit 
> https://www1.ietf.org/mailman/listinfo/I-D-announce
> > to change your subscription settings.
> > 
> > Internet-Drafts are also available by anonymous FTP. Login with the 
> > username "anonymous" and a password of your e-mail address. After 
> > logging in, type "cd internet-drafts" and then
> > 	"get draft-fischer-sip-e2e-sec-media-00.txt".
> > 
> > A list of Internet-Drafts directories can be found in
> > http://www.ietf.org/shadow.html
> > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> > 
> > Internet-Drafts can also be obtained by e-mail.
> > 
> > Send a message to:
> > 	mailserv@ietf.org.
> > In the body type:
> > 	"FILE /internet-drafts/draft-fischer-sip-e2e-sec-media-00.txt".
> > 
> > NOTE:   The mail server at ietf.org can return the document in
> > 	MIME-encoded form by using the "mpack" utility.  To use this
> > 	feature, insert the command "ENCODING mime" before the "FILE"
> > 	command.  To decode the response(s), you will need "munpack" or
> > 	a MIME-compliant mail reader.  Different MIME-compliant 
> > mail readers
> > 	exhibit different behavior, especially when dealing with
> > 	"multipart" MIME messages (i.e. documents which have been split
> > 	up into multiple messages), so check your local documentation on
> > 	how to manipulate these messages.
> > 
> > Below is the data which will enable a MIME compliant mail reader
> > implementation to automatically retrieve the ASCII version of the
> > Internet-Draft.
> > 
> 



_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip