Re: [sipcore] draft-kaplan-sip-secure-call-id-00
Hadriel Kaplan <HKaplan@acmepacket.com> Sat, 11 July 2009 18:52 UTC
Return-Path: <HKaplan@acmepacket.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 469B83A6BDD for <sipcore@core3.amsl.com>; Sat, 11 Jul 2009 11:52:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.511
X-Spam-Level:
X-Spam-Status: No, score=-2.511 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2fbn2wUm5xCO for <sipcore@core3.amsl.com>; Sat, 11 Jul 2009 11:52:26 -0700 (PDT)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id 4843D3A69D1 for <sipcore@ietf.org>; Sat, 11 Jul 2009 11:52:26 -0700 (PDT)
Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.1.375.2; Sat, 11 Jul 2009 14:52:54 -0400
Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Sat, 11 Jul 2009 14:52:54 -0400
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: Dale Worley <dworley@nortel.com>, SIPCORE <sipcore@ietf.org>
Date: Sat, 11 Jul 2009 14:52:36 -0400
Thread-Topic: [sipcore] draft-kaplan-sip-secure-call-id-00
Thread-Index: Acn1EZJdYktRdGjcTleEdWXQR1R7SANRLNYg
Message-ID: <E6C2E8958BA59A4FB960963D475F7AC3196190A70F@mail>
References: <1245878312.3748.84.camel@victoria-pingtel-com.us.nortel.com>
In-Reply-To: <1245878312.3748.84.camel@victoria-pingtel-com.us.nortel.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [sipcore] draft-kaplan-sip-secure-call-id-00
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Jul 2009 18:52:27 -0000
Hi Dale, Sorry for not seeing this email last month - I had tuned out the sipcore list because I was getting brain-fried trying to follow the 4424bis discussion. :) The idea for providing "upgradeability" to have middleboxes stop changing Call-ID's dynamically for security reasons, is to have them in fact inspect the Call-ID value for conformance to the draft: namely that a Call-ID value does not have a '@' token. Clearly a UAC could still create a Call-ID without the '@' token but still with an IP-Address or hostname embedded in the value, and the current draft recommends that middleboxes which replace the Call-ID for security reasons should inspect it for such as well, regardless of that token. Adding a "+)puK>" identifier does not avoid that having to happen. A security-paranoid middlebox would inspect the value regardless of whether the Call-ID starts with "+)puK>" or not. So adding it doesn't obviate the need. So in your example of Acme SBC's, the SBC's would need to be upgraded to support the draft, and detect legacy vs. draft-complaint Call-ID's by looking for the '@' token (and hostname/ip-address), on a per-out-of-dialog-request basis. Furthermore, there are UAC's which already generate Call-ID's compliant to the current draft, so I wanted to support them as is, without penalizing them to have to change. -hadriel > -----Original Message----- > From: sipcore-bounces@ietf.org [mailto:sipcore-bounces@ietf.org] On Behalf > Of Dale Worley > Sent: Wednesday, June 24, 2009 5:19 PM > To: SIPCORE > Subject: [sipcore] draft-kaplan-sip-secure-call-id-00 > > The difficulty with draft-kaplan-sip-secure-call-id-00 is that it > provides no mechanism for a B2BUA or other device to switch from > Call-Id-obscuring to Call-Id-preserving behavior, even when the SIP > elements involved are trying to cooperate. > > For example, suppose I'm a SIP network provider with Acme Packet SBCs at > the boundary of my network. Currently, the SBCs obscure Call-Ids for > reasons of commercial secrecy. If I replace some or all of the UAs in > the network with ones that generate Call-Ids according to the draft, > nothing happens -- there's no way for the SBCs to detect that the > Call-IDs conform to the draft, and change their behavior. My only > option is to update *all* the UAs, then reconfigure the SBCs to not > obscure Call-Ids. This is probably unworkable even in enterprise PBX > systems, much less walled-garden service provider networks -- and yet we > want the mechanism to work in open and nearly-open SIP networks. > > What the draft needs is not the current "negative criterion" that > enables B2BUAs to detect Call-Ids that definitely do not conform to the > draft, but a "positive criterion" that enables B2BUAs to detect Call-Ids > that *do* conform to the draft. > > We did this sort of thing before, with the "magic cookie" z9hG4bK in the > branch value to distinguish RFC 3261 from RFC 2453 messages. So let us > define the "new" Call-Id format to be: > > callid = "+)puK>" 22*( %x41-5A ; "A"-"Z" > / %x61-7A ; "a"-"z" > / %x30-39 ; "0"-"9" > / "_" > / "." > / "!" ) > > That provides 132 bits of randomness in 28 characters, and most likely a > string of that format has never existed in the history of the world. So > when a B2BUA sees a Call-Id of that format, it can trust that the value > was generated properly and can avoid changing it. > > Dale > > > _______________________________________________ > sipcore mailing list > sipcore@ietf.org > https://www.ietf.org/mailman/listinfo/sipcore
- [sipcore] draft-kaplan-sip-secure-call-id-00 Dale Worley
- Re: [sipcore] draft-kaplan-sip-secure-call-id-00 Hadriel Kaplan