IETF Logo Mail Archive

Re: [sipcore] Eric Rescorla's Discuss on draft-ietf-sipcore-sip-push-21: (with DISCUSS and COMMENT) - The DISCUSS issues

Eric Rescorla <ekr@rtfm.com> Mon, 07 January 2019 14:06 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7848E130EB0 for <sipcore@ietfa.amsl.com>; Mon, 7 Jan 2019 06:06:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PLsxEhHm8H10 for <sipcore@ietfa.amsl.com>; Mon, 7 Jan 2019 06:06:51 -0800 (PST)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D39AF130EA1 for <sipcore@ietf.org>; Mon, 7 Jan 2019 06:06:50 -0800 (PST)
Received: by mail-lf1-x132.google.com with SMTP id b20so332159lfa.12 for <sipcore@ietf.org>; Mon, 07 Jan 2019 06:06:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=13CG/SkdZeasB7tP61SfYs6qAWBZ9hHViE9NjQkYYds=; b=lG7dnbXzPUdP43TBAAEBvKDATj0+JGCbRzikiXn29Ul+sPcL2MKKrmR7HRusQRpI5i fHVugXW/vdFy9OicDHjzmavl9NviFvmlKSZSHPbXTqCNUP5NGxmdFIY+WU4nXZF688bW pEKVZbQmhYT06KhQiZs/YFiy6gEWKd2X2D8RIdgsFRQbatwHth+hww4BxYbo9wWFKm3p t6r9DJIRWg+ihJF3bo5R5CQcu/UvaFOTaF+25CUG+ilghHbaP+COOMfitlwx5NhUqZb9 8MLmcAiAZll6Bpfj1ixw6LG5fRyDxRqn8SsOAWx+RNcYR9DmbaLUmewbs15sBswvX9/l ORew==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=13CG/SkdZeasB7tP61SfYs6qAWBZ9hHViE9NjQkYYds=; b=W3/KGrCILEpjZnZcsQogRZfN+afeTQMnDjjbXmTP2mGpkLrqgTVPDvngSUk0UOJxwP JThJTX+uuZre1Vxxw+Qlv0n4vB+BHkHWQM/4um7Pon/9H04iSGzqbiA5quKwKbqF1ti/ ElFk2Nwwjzlf0DEv/6Q45v7Xihu2+eQjKAky0rzkLmlCcaVZjMt9gebWzU6/I5n+8JqP IBp+jLhDsRniIgTECIiOh6Klx1zC5Bfp8aLWnguWEWyjUtiAZl2bJLwQWsrpHFF/kyEQ 5Wz/aBIBT4HBuOxBwhVkVbBDX+gqjjJTzK9S2A2g0eQc4ebj8OlJga7fmbmj8ku/SnPA zN1Q==
X-Gm-Message-State: AA+aEWbxPtIr2MYei+RK2vZmOZ+beJJxjWMnQ66v6KLFNObUZyTKvyri DUHNHjQz7PjzCVAOxE8HOmhmGPJ5pJo6ggMyqbsSiQ==
X-Google-Smtp-Source: AFSGD/XqEqrahGqilMRiQTiPps8BY72gUxXWj0+RWVHg6NRqa+tCNpBZ6FxtGSVbgJSGnH0ZjuZhIPQ9YD6CG1NTub4=
X-Received: by 2002:a19:ca51:: with SMTP id h17mr28684269lfj.126.1546870008962; Mon, 07 Jan 2019 06:06:48 -0800 (PST)
MIME-Version: 1.0
References: <154681733718.17024.3190954246737206843.idtracker@ietfa.amsl.com> <HE1PR07MB316119D1A9FCD7CE4159021A93890@HE1PR07MB3161.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR07MB316119D1A9FCD7CE4159021A93890@HE1PR07MB3161.eurprd07.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 07 Jan 2019 06:06:11 -0800
Message-ID: <CABcZeBMFGNfo6kUNmh=Y3UEXWdN8XVPTzR92gcftsR-cSTPXiw@mail.gmail.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: The IESG <iesg@ietf.org>, "br@brianrosen.net" <br@brianrosen.net>, "sipcore@ietf.org" <sipcore@ietf.org>, "draft-ietf-sipcore-sip-push@ietf.org" <draft-ietf-sipcore-sip-push@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000660547057edebd9b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/C8yw0GJLoZGeTNx943pg8nCOu5A>
Subject: Re: [sipcore] Eric Rescorla's Discuss on draft-ietf-sipcore-sip-push-21: (with DISCUSS and COMMENT) - The DISCUSS issues
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2019 14:06:55 -0000

On Mon, Jan 7, 2019 at 2:11 AM Christer Holmberg <
christer.holmberg@ericsson.com> wrote:

> Hi,
>
>
> Thank You for the review! In this reply I'll try to address the DISCUSS
> issues. The COMMENT issues will be addressed in a separate reply.
>
> DETAIL
> S 5.3.2.
> >>      request) addressed towards a SIP UA, if the Request-URI of the
> >>      request contains a pn-provider, a pn-prid and a pn-param (if
> required
> >>      for the specific PNS provider) SIP URI parameter, the proxy
> requests
> >>      a push notification towards the UA, using the PRID included in the
> >>      pn-prid SIP URI parameter and the PNS identified by the pn-provider
> >>      SIP URI parameter.
> >
> >Maybe I'm missing something, but this seems like it leaves open the
> >possibility for the PRID to not match the rest of the URI. E.g.,
> >suppose that a@example.com and b@example.com both register with the
> >same proxy/registrar pair with PRIDa and PRIDb respectively. What
> >stops the registrar from generating (or forwarding) a call to
> >a@example.com, PRIDb? And what happens if that happens?
>
> Since no a@example.com:PRIDb binding has been registered, the registrar
> will not generate such URI.
>

No conformant registrar will. But what about a nonconformant one? Or
another endpoint.

---
>
> S 5.3.2.
> >>      also present (and has not expired) in the REGISTER response, the
> >>      proxy can forward the SIP request towards the UA, using normal SIP
> >>      procedures.  If the contact of the REGISTER request does not match
> >>      the Request-URI of the SIP request to be forwarded, or if the
> contact
> >>      was not present in the REGISTER response, the proxy MUST reject the
> >>      SIP request with a 404 (Not Found) response.  This can happen if
> the
> >
> >How does this happen? I.e., how does the the REGISTER get correlated
> >with the SIP request to be forwarded in order to execute this
> >requirement?
>
> There could be cases where e.g. the PRID values match, but the rest of the
> contact don't.
>

Such as?


But, I don't think that is relevant. What matters is that the contacts DO
> match, AND that the contact is present in the REGISTER response. The rest
> will be handled by the timeout procedures.
>

But *this* text requires you to behave in a certain way in case of
mismatch. When will this be executed?

>
> S 6.1.
> >>      and be able to find and retrieve that information when it receives
> a
> >>      mid-dialog request.  This section defines such mechanism.  The UA
> and
> >>      proxy procedures in this section are applied in addition to the
> >>      generic procedures defined in this specification.
> >>
> >>   6.1.  SIP UA Behavior
> >
> >This section needs some kind of diagram that explains what the
> >mechanism is. I've read it a bunch of times, and I still don't
> >understand it.
>
> I think it would more or less be a copy of the diagram in Section 1. I
> could either reference, or copy/paste that diagram.
>
> ---
>
> S 6.2.1.
> >>      generated key as the value to the associated 2xx REGISTER response.
> >>
> >>      The PURR value MUST be generated in such a way so that it cannot be
> >>      used to retrieve information about the user or associate it with
> >>      registrations.  It can be generated e.g., by utilizing a
> >>      cryptographically secure random function.
> >
> >This seems to weak. I assume you also don't want it to be possible to
> >determine that two PURRs correspond to the same user. Also who must be
> >able to use it in this way. Presumably the proxy can?
> >
> >Why is this not a requirement for say PRID?
>
> The PURR value will reach the remote user. The PRID will only reach the
> registrar.
>

You need to say that.





S 13.
>>      specification.  Web push permits the sending of a push message
>>      without a payload without encryption.
>>
>>   13.  Security Considerations
>>
>>      Different mechanisms exist for authenticating and authorizing
devices
>
>You need to discuss the security implications of knowledge of the push
>parameters (principally PRID). What happens if an attacker learns
>them?

>
> Based on the sec-dir review, I did some modifications/additions to the
> security considerations. They can be seen in the following pull request:
>
> https://github.com/cdh4u/draft-sip-push/pull/31
>
>
> Regarding your comment, I have tried to address that with the following
> suggested text:
>
>             "Typically, the PNS requires the SIP proxy requesting push
> notifications to be
>             authenticated and authorized by the PNS. In some cases the PNS
> also require
>             the SIP application (or the SIP application developer) to be
> identified in order for the
>             application to request push notifications. Unless the PNS
> authenticates and authorizes the PNS,
>             a malicious middleman that managed to get access to the
> parameters transported in the SIP signalling
>             might be able to request push notifications towards a UA.
> Which such push notifications will not
>             have any security related impacts, they will impact the
> battery life of the UA and trigger
>             unnecessary SIP traffic."
>

Why "middleman" as opposed to any endpoint.

>
> Regards,
>
> Christer
>
>
>
>

v2.23.0 | Report a Bug | By Email