Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbrandy-rtpsec-06

Russ Housley <housley@vigilsec.com> Sun, 30 December 2018 22:56 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: sipbrandy@ietfa.amsl.com
Delivered-To: sipbrandy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5EA2A13103A for <sipbrandy@ietfa.amsl.com>; Sun, 30 Dec 2018 14:56:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mX8VE8lqizOW for <sipbrandy@ietfa.amsl.com>; Sun, 30 Dec 2018 14:56:47 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E91213102D for <sipbrandy@ietf.org>; Sun, 30 Dec 2018 14:56:47 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id E36913005D5 for <sipbrandy@ietf.org>; Sun, 30 Dec 2018 17:52:14 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id wc7MS9NjgFb1 for <sipbrandy@ietf.org>; Sun, 30 Dec 2018 17:51:52 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-108-45-137-105.washdc.fios.verizon.net [108.45.137.105]) by mail.smeinc.net (Postfix) with ESMTPSA id 9B6093001FD; Sun, 30 Dec 2018 17:51:40 -0500 (EST)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <E86F65B7-7901-4EFB-B70C-541349E73DB2@nostrum.com>
Date: Sun, 30 Dec 2018 17:56:08 -0500
Cc: draft-ietf-sipbrandy-rtpsec.all@ietf.org, sipbrandy@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <AE21FBA1-28A5-48B3-BF49-D7C9CA526CF5@vigilsec.com>
References: <E86F65B7-7901-4EFB-B70C-541349E73DB2@nostrum.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipbrandy/IZfJhJLaqxV-JtdnqFdX4AbgwEM>
Subject: Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbrandy-rtpsec-06
X-BeenThere: sipbrandy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIPBRANDY working group discussion list <sipbrandy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipbrandy>, <mailto:sipbrandy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipbrandy/>
List-Post: <mailto:sipbrandy@ietf.org>
List-Help: <mailto:sipbrandy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipbrandy>, <mailto:sipbrandy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Dec 2018 22:56:51 -0000

Ben:

Thanks for the thoughtful and careful review.

Responding only to your Substantive Comments for now...

> §4:
> - general: The section explains the requirement that the AS and VS to be colocated with the caller and recipient UAs as because putting them in an intermediary could allow that intermediary to act as a MitM. Isn’t this more a question of trust than physical location? Users already need to trust the AS and VS for STIR to work at all. In particular, I don’t think it’s safe to imply that a local AS _can’t_ act as a MiTM unless the code is inspected (and perhaps signed) by a trusted entity.
> 
> For the record, I do not necessarily object to the colocation requirement; I’m just not entirely buying the explanation for it.

The SIPBRANDY profile is based on an end-to-end trust model.  The verification could take place at an intermediary, but to get the end-to-end assurance, the verification would need to be repeated at the end.

> - 2nd paragraph: "While intermediaries MAY provide the verification service function of STIR for SIPBRANDY transactions,”: That seems to contradict the statement in the following paragraph that the user agent implementations MUST implement both the AS and VS.

Again, verification could take place at an intermediary for their own purposes, but the end-to-end assurance is only provided if the check is made at the end as well.

> §4.1:
> - General: This section talks about self-signed certs and TOFU. Would you characterize those as comprehensive security? I suspect not, since they offer more exposure to active attacks. But I’m not sure they qualify as “opportunistic”, since they don’t (necessarily) allow a fallback to cleartext. In any case, some text discussing this question might be helpful. (This also includes §4.2)

No, I would not characterize the use of self-signed certificates as comprehensive security.  This section is suggesting them as an alternative when other certificates are not available for the caller identity.  The PKI for telephone numbers is not yet available, but it is coming.  The PKI for a SIP URI without a telephone number (e.g. "sip:alice@example.com") is not being worked yet.  Sp, self-signed certificates give a way to start.  An active attacker could strip the signature altogether.

> - third paragraph: "This profile of STIR therefore relaxes the authority requirements of [RFC8224]”
> Does that require this draft to formally update 8224?

I do not think so.  RFC 8224 says:

   ...  Similar practices could be used to support opportunistic
   signing of SIP requests for UA-integrated authentication services
   with self-signed certificates, though that is outside the scope of
   this specification and is left as a matter for future investigation.
   Note, however, that even when using anonymous SIP URIs, an
   authentication service must possess a certificate corresponding to
   the host portion of the addr-spec of the From header field value of
   the request; accordingly, using domains like "anonymous.invalid"
   will not be usable by privacy services that simultaneously act as
   authentication services.  The assurance offered by the usage of
   anonymous URIs with a valid domain portion is "this is a known user
   in my domain that I have authenticated, but I am keeping its identity
   private."

> §4.3: Does this draft need to formally update 4916? It’s not clear to me if this draft intends to update these, or is stating that these are some updates we should do in the future. The last paragraph suggests the latter, but the rest of the section seems to be more the former.

Yes, it probably should update RFC 4916.

> §4.4, last paragraph: Is there an expectation that the UA will alert the user if it allows the dialog to continue without media security?

Since the IETF does not normally get into user interface, the "if policy permits" language would allow the user to be involved in the decision, or it could be set by other means.

Russ