IETF Logo Mail Archive

Re: [sipcore] About draft-gurbani-sip-sipsec

Dean Willis <dean.willis@softarmor.com> Wed, 28 September 2011 00:34 UTC

Return-Path: <dean.willis@softarmor.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2803821F8C6F for <sipcore@ietfa.amsl.com>; Tue, 27 Sep 2011 17:34:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.634
X-Spam-Level:
X-Spam-Status: No, score=-102.634 tagged_above=-999 required=5 tests=[AWL=-0.405, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1, SARE_SXLIFE=1.07, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YLR2jZj5ia0L for <sipcore@ietfa.amsl.com>; Tue, 27 Sep 2011 17:34:27 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id 87A0E21F8CE7 for <sipcore@ietf.org>; Tue, 27 Sep 2011 17:34:27 -0700 (PDT)
Received: by gyd12 with SMTP id 12so7139283gyd.31 for <sipcore@ietf.org>; Tue, 27 Sep 2011 17:37:14 -0700 (PDT)
Received: by 10.151.101.2 with SMTP id d2mr7317148ybm.9.1317170234212; Tue, 27 Sep 2011 17:37:14 -0700 (PDT)
Received: from dwillis-mb1.local (cpe-66-25-15-110.tx.res.rr.com. [66.25.15.110]) by mx.google.com with ESMTPS id s8sm83530240ani.3.2011.09.27.17.37.12 (version=SSLv3 cipher=OTHER); Tue, 27 Sep 2011 17:37:13 -0700 (PDT)
Message-ID: <4E826C37.5070501@softarmor.com>
Date: Tue, 27 Sep 2011 19:37:11 -0500
From: Dean Willis <dean.willis@softarmor.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20110902 Thunderbird/6.0.2
MIME-Version: 1.0
To: Iñaki Baz Castillo <ibc@aliax.net>
References: <CALiegfnAawtQGLuojNwxVrQoWrXX3hKgDGjf8185b_T8QeTJPg@mail.gmail.com>
In-Reply-To: <CALiegfnAawtQGLuojNwxVrQoWrXX3hKgDGjf8185b_T8QeTJPg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Cc: sipcore@ietf.org
Subject: Re: [sipcore] About draft-gurbani-sip-sipsec
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2011 00:34:28 -0000

On 9/16/11 9:39 AM, Iñaki Baz Castillo wrote:
> Hi all,
>
> I would like to comment about draft-gurbani-sip-sipsec "The SIPSEC
> Uniform Resource Identifier (URI)".
> I like the idea proposed there. Even more taking into account that it
> is based on the same mechanism for HTTP/CONNECT (widely deployed).
>

Thanks!

>
> Another "issue": The draft requires that the TLS negotiation is made
> by both endpoints (let's say two phones), so the UAS MUST have a TLS
> certificate, which is uncommon, am I right?

I understand that comodohacker has made certs widely available. You 
wanna be gmail for a day?

Seriously, yes, you're right. And this is a major "design feature", not 
unintended. It gives us real "end to end" authentication and privacy, 
subject to the strength of the certificate issuance process (see: 
comodohacker).

As Vijay pointed out, you can issue your own certificates if you and 
your partner work out the trust relationships outside of the usual CA 
process. The certificate used can also be dynamically varied with the 
target identity.

This works nicely in the enterprise space, for example.

Let's say as a consultant working for many clients, each gives me a cert 
to use when talking with them. My UA can key off the remote domain 
identifier in order to know which cert to present during handshake.

However, nothing about the protocol really demands mutual cert-auth. It 
should be possible to use HTTP-style cert-auth of the UAS and digest 
auth of the UAC.

On the other hand, you're going to need a cert to answer the phone, so 
you might as well use it when making calls, too.


> And the last comment: proxies in the path cannot inspect the SIP
> traffic through the established connection so they know nothing about
> what's happening in the call or transactions. Proxies cannot do
> accounting or whatever other action as they are not SIP proxies now,
> but just TCP proxies. How does that fit with current SIP deployments?

That's another feature, not a bug. Current SIP deployments are mostly 
MITM attacks waiting to happen.

Where this becomes incredibly important is P2PSIP (aka SIP/RELOAD). When 
some other bozo's box is acting as your proxy, do you really want it 
doing "accounting or whatever other action" on your SIP messages?

Further, the processing load on the proxies is hugely decreased. Not 
only can they stop worrying about wiretapping every SIP message (as such 
would be pointless), they no longer require the overhead of having to 
decrypt each message before logging it and then re-encrypting it before 
resending it. This makes them hundreds of times more scalable.

It's a win-win for everybody who matters.

Of course, this also works well for criminal conspiracies that have a 
good IT department and can mint and share their own certs out-of-band. 
I'm OK with that. Note that the presence of a communication between the 
two endpoints is still revealed; it's just the text of the signaling 
between them that is protected by the protocol, so snoops could still 
get a "pen register", which in the US is typically a warrantless request 
anyhow. True anonymity is much harder; what is needed is a TOR-ified 
version of the protocol, and that still reveals two half-calls.

--
Dean




--
Dean


--
Dean

v2.23.0 | Report a Bug | By Email