IETF Logo Mail Archive

Re: [sipcore] draft-ietf-sipcore-sec-flows-01: technical issues

"Dan Wing" <dwing@cisco.com> Wed, 10 February 2010 19:42 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 66DBE3A7465 for <sipcore@core3.amsl.com>; Wed, 10 Feb 2010 11:42:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.552
X-Spam-Level:
X-Spam-Status: No, score=-10.552 tagged_above=-999 required=5 tests=[AWL=0.047, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7veh1jlbGA3W for <sipcore@core3.amsl.com>; Wed, 10 Feb 2010 11:42:33 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 851D83A6F19 for <sipcore@ietf.org>; Wed, 10 Feb 2010 11:42:33 -0800 (PST)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-AV: E=Sophos;i="4.49,446,1262563200"; d="scan'208";a="481214083"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-6.cisco.com with ESMTP; 10 Feb 2010 19:43:45 +0000
Received: from dwingwxp01 ([10.32.240.196]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id o1AJhimi002565; Wed, 10 Feb 2010 19:43:44 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Cullen Jennings' <fluffy@cisco.com>, "'Olle E. Johansson'" <oej@edvina.net>
References: <3E6B5A5B-DD53-4376-8767-584F6FDCB3A1@estacado.net><7F45E9F5-ADFF-42D4-9505-882A5A19E198@cisco.com><4B210DA9.90501@alcatel-lucent.com><F0A827BE-95C4-41D0-B09B-63B9470FF8BC@estacado.net><01DD632E-C839-4965-BB4E-0F063D0871B0@edvina.net> <932F6A87-D112-4E9D-913E-9AF518E6891E@cisco.com>
Date: Wed, 10 Feb 2010 11:43:44 -0800
Message-ID: <0af801caaa89$5b3f3170$c4f0200a@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3350
In-Reply-To: <932F6A87-D112-4E9D-913E-9AF518E6891E@cisco.com>
Thread-Index: AcqferjgNLEQtF7QQHanw5Un1/FlOALDnp2Q
Cc: 'SIPCORE' <sipcore@ietf.org>
Subject: Re: [sipcore] draft-ietf-sipcore-sec-flows-01: technical issues
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 10 Feb 2010 19:42:34 -0000

 

> -----Original Message-----
> From: sipcore-bounces@ietf.org 
> [mailto:sipcore-bounces@ietf.org] On Behalf Of Cullen Jennings
> Sent: Wednesday, January 27, 2010 10:01 AM
> To: Olle E. Johansson
> Cc: SIPCORE
> Subject: Re: [sipcore] draft-ietf-sipcore-sec-flows-01: 
> technical issues
> 
> 
> On Jan 8, 2010, at 5:36 AM, Olle E. Johansson wrote:
> 
> > 
> > During the tests we had at SIPit in New Hampshire we 
> discovered that without an IP address in the certificate, 
> most TLS scenarious with record-route/route headers pointing 
> to IP addresses would fail. Either avoiding IP addresses in 
> record-route/route or having IP address for the server in the 
> cert are working solutions to this issue. 
> > 
> > IP in SAN certs is propably the fast way forward, but also 
> gives a headache in solutions where you have multiple IP 
> addresses in a "clustered" environment. It just feels wrong 
> to me to have non-DNS data like IP address within the cert.
> 
> You are complete right that what goes in the record route 
> needs to match what is in the cert. However, it is difficult 
> to get cert signed by a well known CA that has an IP address 
> in it so the obvious solution is don't put IP addresses in 
> your record-route. If a particular proxy, say with a host 
> name of say proxy22, in the example.com domain wants to 
> record route, the easiest thing to deploy in my opinion is 
> putting proxy22.example.com in the record route. Or if you 
> are a domain with only one proxy, you could just put 
> example.com in the record route. In the simple one proxy 
> case, then all you need is a cert with example.com and in the 
> more complex case you might want a cert with both example.com 
> and proxy22.example.com. Hope that makes sense. The other 
> problem with IPs in certs is when you want to renumber the 
> network or move a machine, you might need new certs.

Or an IPv6/IPv4 translator is between the SIP client and
its server.  http://tools.ietf.org/html/draft-ietf-sipping-v6-transition-07
talks a bit about the problem, but doesn't bring TLS into the
picture.

Let's _please_ not use IPv4 address literals, except where
we already have to use them (SDP).

-d


> There is 
> likely some cases where IP in certs make sense but my opinion 
> is that in most case, using DNS names is eas
>  ier. 
> 
> Cullen <in my individual contributor role>
> 
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore

v2.23.0 | Report a Bug | By Email