IETF Logo Mail Archive

Re: [sipcore] SASL Authentication for SIP

Rick van Rein <rick@openfortress.nl> Wed, 19 October 2022 11:56 UTC

Return-Path: <vanrein@vanrein.org>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9924C14CE3D for <sipcore@ietfa.amsl.com>; Wed, 19 Oct 2022 04:56:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.636
X-Spam-Level:
X-Spam-Status: No, score=-1.636 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, T_SCC_BODY_TEXT_LINE=-0.01, T_SPF_HELO_TEMPERROR=0.01, T_SPF_TEMPERROR=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=kpnmail.nl
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NPN-lTGu7cqa for <sipcore@ietfa.amsl.com>; Wed, 19 Oct 2022 04:56:02 -0700 (PDT)
Received: from ewsoutbound.kpnmail.nl (ewsoutbound.kpnmail.nl [195.121.94.170]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF4AEC14CE3B for <sipcore@ietf.org>; Wed, 19 Oct 2022 04:55:49 -0700 (PDT)
X-KPN-MessageId: f790c3b5-4fa4-11ed-8a67-005056ab378f
Received: from smtp.kpnmail.nl (unknown [10.31.155.39]) by ewsoutbound.so.kpn.org (Halon) with ESMTPS id f790c3b5-4fa4-11ed-8a67-005056ab378f; Wed, 19 Oct 2022 13:55:46 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kpnmail.nl; s=kpnmail01; h=content-type:mime-version:message-id:subject:to:from:date; bh=PlP1YG4SwG5FFfy7v2J7Aj12GkqMqWdKT7/3G8/8TDg=; b=s+SkqhftSMwVFLaaKoYrgYFLpikrhqs27q2gbNSCpe/+bkSV42j8ra6TYzsOcpSHhyZGzkXQ+oaxj AmPf/C07p/EgvcPWuPJDlFBwDSnZbPn3otY1GaAH2fRTAr07r8lCTCsVzCOUUScx0gNpnygDog4PMo dBkqUBF5N9vOz8v4=
X-KPN-MID: 33|4dSelMhekK7FxGIOi4x1eXYyl0nIHUAlRFOqENhpifOt4YXJQZIElSigUSF/RkG RYfSgebAfCAkUS7u2JLddBgUEPIlmz8p11kXG5rHR1mI=
X-KPN-VerifiedSender: No
X-CMASSUN: 33|Wfk23CKmfDn/pWvB5zHkJdzEpMjcp/MlRpReiV8C1yLuHf7fLLGK7K5bS+i5yfy ucypyB5YYDwe30CZEXOvmhA==
X-Originating-IP: 77.173.183.203
Received: from fame.vanrein.org (77-173-183-203.fixed.kpn.net [77.173.183.203]) by smtp.xs4all.nl (Halon) with ESMTPSA id f7712dbb-4fa4-11ed-b8b1-005056ab7447; Wed, 19 Oct 2022 13:55:46 +0200 (CEST)
Received: by fame.vanrein.org (Postfix, from userid 1000) id 37A3D2A2B0; Wed, 19 Oct 2022 11:55:46 +0000 (UTC)
Date: Wed, 19 Oct 2022 11:55:46 +0000
From: Rick van Rein <rick@openfortress.nl>
To: sipcore@ietf.org
Message-ID: <20221019115546.GA22702@openfortress.nl>
Mail-Followup-To: sipcore@ietf.org
References: <20221014162340.GA7844@openfortress.nl> <69DDB655-0B52-4D14-A67A-54EC9A7D7DFE@brianrosen.net> <20221014173308.GA8165@openfortress.nl> <20221019082937.GA22077@openfortress.nl> <38EC5E77-6150-4334-B331-39D7D1E0B27A@edvina.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <38EC5E77-6150-4334-B331-39D7D1E0B27A@edvina.net>
User-Agent: Mutt/1.5.20 (2009-06-14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/5in_6PdkO4RtX7YHbQQt9Ok_jGw>
Subject: Re: [sipcore] SASL Authentication for SIP
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2022 11:56:13 -0000

Hello Olle,

Thanks for explaining.

> For inter-domain trust there’s been a few attempts, SIP identity was one
> that is now replaced by the work in stir/shaken that focus a lot on
> old-fashioned telephone numbers and the problems related with that.

Since SASL is in most protocols, we built a general Realm Crossover
implementation for it in draft-vanrein-diameter-sasl -- this works on
existing protocols that use SASL.  There are a few more that benefit
from having this added to them.  This is how I wrote the SIP-SASL
draft as an isolated addition of SASL authentication to SIP.

By creating SIP setup with Wireguard, I am hoping to benefit from
Realm Crossover, thus allowing anyone to setup a VPN to anyone.

> There’s no SIP police. At least I can’t say if there is one or not. ;-)
> [...] But if you want other implementers
> to pick up your work, you want to convince us to work with you
> and get an RFC published. The outcome may be different 
> from your original idea, but that is quite often a good thing.

Makes sense, thanks for showing the balance of concerns.

> You start with the solution. I may have missed it, but I don’t
> see a definition of the problem you are trying to solve.

 - Realm Crossover across protocols
 - No changes to the majority of protocols
 - Decent integration with a few protocols that cannot use SASL yet
 - ...
 - VPN setup with Wireguard, using SIP/SDP

> I need to read your document in more detail to understand,
> but reading this, I don’t see how SASL is the solution to
> what you describe here.

The real trick is the integration with pretty much all other
protocols.

SASL is helpful because some mechanisms can derive a key
that was not shown on the wire (not even as ECDH) and so
are not vulnarable to quantum computer attacks.  Mixing
such keys in with an ECDH exchange is a good mechanism to
protect from future problems or retrospective decryption.
This is useful for a VPN, as well as for telephony.

> Do you want to use SIP offer/answer to set up a 
> peer 2 peer VPN using wireguard? Like we currently
> use it to set up RTP streams between user agents?

Yes; not over RTP/AVP but over udp, using SDP like

    v=0
    o=- 4280564478 1563511013 IN IP6 2001:db8:666::666
    s=-
    c=IN IP6 2001:db8:666::666
    t=0 0
    m=application 0 udp vnd.wireguard
    a=fmtp:vnd.wireguard pubkey=;prefix=2001:db8:456:1::/64;pskmth=none
    a=sendrecv

I have this working for localhost tunnels; code, man page:

https://gitlab.com/0cpm/subliminal/-/blob/master/src/wgsip.c
https://gitlab.com/0cpm/subliminal/-/blob/master/doc/man/wgsip.1

The "pskmth" would be a PSK exchange method name, to be filled
with a key derivation method, like manual keys and SASL.

(I never know how much to tell upfront, tastes differ, sorry
 if that triggers questions.)


Cheers,
 -Rick

v2.23.0 | Report a Bug | By Email