Re: [sipcore] draft-ietf-sipcore-sec-flows-01: technical issues
"Dan Wing" <dwing@cisco.com> Wed, 10 February 2010 19:42 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 66DBE3A7465 for <sipcore@core3.amsl.com>; Wed, 10 Feb 2010 11:42:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.552
X-Spam-Level:
X-Spam-Status: No, score=-10.552 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7veh1jlbGA3W for <sipcore@core3.amsl.com>; Wed, 10 Feb 2010 11:42:33 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 851D83A6F19 for <sipcore@ietf.org>; Wed, 10 Feb 2010 11:42:33 -0800 (PST)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-AV: E=Sophos;i="4.49,446,1262563200"; d="scan'208";a="481214083"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-6.cisco.com with ESMTP; 10 Feb 2010 19:43:45 +0000
Received: from dwingwxp01 ([10.32.240.196]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id o1AJhimi002565; Wed, 10 Feb 2010 19:43:44 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Cullen Jennings' <fluffy@cisco.com>, "'Olle E. Johansson'" <oej@edvina.net>
References: <3E6B5A5B-DD53-4376-8767-584F6FDCB3A1@estacado.net><7F45E9F5-ADFF-42D4-9505-882A5A19E198@cisco.com><4B210DA9.90501@alcatel-lucent.com><F0A827BE-95C4-41D0-B09B-63B9470FF8BC@estacado.net><01DD632E-C839-4965-BB4E-0F063D0871B0@edvina.net> <932F6A87-D112-4E9D-913E-9AF518E6891E@cisco.com>
Date: Wed, 10 Feb 2010 11:43:44 -0800
Message-ID: <0af801caaa89$5b3f3170$c4f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
In-Reply-To: <932F6A87-D112-4E9D-913E-9AF518E6891E@cisco.com>
Thread-Index: AcqferjgNLEQtF7QQHanw5Un1/FlOALDnp2Q
Cc: 'SIPCORE' <sipcore@ietf.org>
Subject: Re: [sipcore] draft-ietf-sipcore-sec-flows-01: technical issues
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2010 19:42:34 -0000
> -----Original Message----- > From: sipcore-bounces@ietf.org > [mailto:sipcore-bounces@ietf.org] On Behalf Of Cullen Jennings > Sent: Wednesday, January 27, 2010 10:01 AM > To: Olle E. Johansson > Cc: SIPCORE > Subject: Re: [sipcore] draft-ietf-sipcore-sec-flows-01: > technical issues > > > On Jan 8, 2010, at 5:36 AM, Olle E. Johansson wrote: > > > > > During the tests we had at SIPit in New Hampshire we > discovered that without an IP address in the certificate, > most TLS scenarious with record-route/route headers pointing > to IP addresses would fail. Either avoiding IP addresses in > record-route/route or having IP address for the server in the > cert are working solutions to this issue. > > > > IP in SAN certs is propably the fast way forward, but also > gives a headache in solutions where you have multiple IP > addresses in a "clustered" environment. It just feels wrong > to me to have non-DNS data like IP address within the cert. > > You are complete right that what goes in the record route > needs to match what is in the cert. However, it is difficult > to get cert signed by a well known CA that has an IP address > in it so the obvious solution is don't put IP addresses in > your record-route. If a particular proxy, say with a host > name of say proxy22, in the example.com domain wants to > record route, the easiest thing to deploy in my opinion is > putting proxy22.example.com in the record route. Or if you > are a domain with only one proxy, you could just put > example.com in the record route. In the simple one proxy > case, then all you need is a cert with example.com and in the > more complex case you might want a cert with both example.com > and proxy22.example.com. Hope that makes sense. The other > problem with IPs in certs is when you want to renumber the > network or move a machine, you might need new certs. Or an IPv6/IPv4 translator is between the SIP client and its server. http://tools.ietf.org/html/draft-ietf-sipping-v6-transition-07 talks a bit about the problem, but doesn't bring TLS into the picture. Let's _please_ not use IPv4 address literals, except where we already have to use them (SDP). -d > There is > likely some cases where IP in certs make sense but my opinion > is that in most case, using DNS names is eas > ier. > > Cullen <in my individual contributor role> > > _______________________________________________ > sipcore mailing list > sipcore@ietf.org > https://www.ietf.org/mailman/listinfo/sipcore
- [sipcore] draft-ietf-sipcore-sec-flows-01: techni… Brian Hibbard
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Vijay K. Gurbani
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Cullen Jennings
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Cullen Jennings
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Cullen Jennings
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Cullen Jennings
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Cullen Jennings
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Vijay K. Gurbani
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Vijay K. Gurbani
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… DRAGE, Keith (Keith)
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Ben Campbell
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Vijay K. Gurbani
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Dean Willis
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Paul Kyzivat
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Vijay K. Gurbani
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Dan Wing
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Brian Hibbard
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Brian Hibbard
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Olle E. Johansson
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Brian Hibbard
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Cullen Jennings
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Cullen Jennings
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Cullen Jennings
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Vijay K. Gurbani
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Olle E. Johansson
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Vijay K. Gurbani
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Brian Hibbard
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Brian Hibbard
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Vijay K. Gurbani
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Brian Hibbard
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Vijay K. Gurbani
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Olle E. Johansson
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Dean Willis
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Olle E. Johansson
- Re: [sipcore] draft-ietf-sipcore-sec-flows-01: te… Dan Wing