RE: [Sipping] SIP Identity Usage in Enterprise Scenarios
"Michael Slavitch" <slavitch@objectworld.com> Thu, 15 September 2005 13:55 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EFuCx-0005Ao-GV; Thu, 15 Sep 2005 09:55:23 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EFuCw-0005Ab-0t; Thu, 15 Sep 2005 09:55:22 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA11507; Thu, 15 Sep 2005 09:55:19 -0400 (EDT)
Received: from firewall.objectworld.com ([209.87.233.180] helo=photon.objectworld.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EFuHk-0001ag-Ep; Thu, 15 Sep 2005 10:00:20 -0400
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Sipping] SIP Identity Usage in Enterprise Scenarios
X-MimeOLE: Produced By Microsoft Exchange V6.5.6944.0
Date: Thu, 15 Sep 2005 09:55:09 -0400
Message-ID: <4E2DC1ACE541B94A946B8D8657E372C50F2E58@photon.objectworld.com>
Thread-Topic: [Sipping] SIP Identity Usage in Enterprise Scenarios
Thread-Index: AcW59pnOY7S2SF/oTrGQxNuZQ6durgAAFY/Q
From: Michael Slavitch <slavitch@objectworld.com>
To: Jonathan Rosenberg <jdrosen@cisco.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c83ccb5cc10e751496398f1233ca9c3a
Content-Transfer-Encoding: quoted-printable
Cc: sipping@ietf.org, IETF MMUSIC WG <mmusic@ietf.org>, "Fries, Steffen" <steffen.fries@siemens.com>
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
Sender: sipping-bounces@ietf.org
Errors-To: sipping-bounces@ietf.org
Due to past experience I am very pessimistic about how these numbers are actually chosen in implementation, indeed I am pessimistic about any protocol that's not locked down tight with all parts mandatory except when they really really must have wiggle room and only for a clearly defined and well understood purpose. The IETF is littered with protocols that leave things far too open to interpretation. SNMP is but one notorious example of this, where each implementation of so-called standard MIBs must be treated as a special case due to almost certain implementation error. If this happens in the IP world where each device has a unique flavour of ICE it does not bode well at all for the future. So what I suggest is some boring consistency, especially when there is the likelihood of additional and broad benefit. Using a session certificate asserts that the data streams and all associated negotiations belong to the same asserted identity and session all the way down the line. This adds a level of consistency and rigor that's tough to muck up in implementation, especially in non-trivial implementations where many thousand separate sessions may concurrently be established from the same ICE source at the same time, and this is especially true when many simultaneous sessions are being established between two NAT networks. By tying the ICE negotiating identity to a session cert this makes everything easier to implement, manage, monitor and debug, as session and media can be tied together up and down the line. It is also a tight way of ensuring implementation rigor. The recently expired draft-ignjatic-msec-mikey-rsa-r-00 has a proposal for key management where instigators do not initially know the keys of the respondent, a use of which is described as a best practise for identity assertion in draft-fries-sipping-identity-enterprise-scenario-00.txt. As SIP evolves identity assurance is going to be a key pain point, by taking these steps proactively we will help inoculate the protocol and its subcomponents from any future pain. Regards to all, Michael It is amazing what you can accomplish if you do not care who gets the credit. - Harry S Truman -----Original Message----- From: Jonathan Rosenberg [mailto:jdrosen@cisco.com] Sent: September 14, 2005 10:07 PM To: Michael Slavitch Cc: Fries, Steffen; sipping@ietf.org; IETF MMUSIC WG Subject: Re: [Sipping] SIP Identity Usage in Enterprise Scenarios moving to mmusic since we are now talking about ICE. Michael Slavitch wrote: > As a further update to my previous email, look at the USERNAME > provision in the current ID for ICE (draft 05), which I consider a > weakness of the protocol. Firstly, it has been pointed out to me from several sources that the security mechanism in the most recent ICE draft is severely broken. I had somehow gotten it into my head that we didnt need to convey both the username and password, which is false. The next ICE draft will revert to what was there previously; each side conveys a username fragment and one side provides the password. > > My preference would be to replace that password with some kind of > MIKEY exchange such that the password is only for that session, > otherwise you'll see cheap phones or all with the same password being > vulnerable, which I suggest is a strong weakness of ICE. Why would this happen? The password needs to be selected randomly for each candidate. Thats a requirement of the protocol. Its not that hard to create a random number. -Jonathan R. -- Jonathan D. Rosenberg, Ph.D. 600 Lanidex Plaza Director, Service Provider VoIP Architecture Parsippany, NJ 07054-2711 Cisco Systems jdrosen@cisco.com FAX: (973) 952-5050 http://www.jdrosen.net PHONE: (973) 952-5000 http://www.cisco.com -- BEGIN-ANTISPAM-VOTING-LINKS ------------------------------------------------------ Teach CanIt if this mail (ID 434640) is spam: Spam: http://asteroid.objectworld.com/canit/b.php?c=s&i=434640&m=a2c8da4fe0c4 Not spam: http://asteroid.objectworld.com/canit/b.php?c=n&i=434640&m=a2c8da4fe0c4 Forget vote: http://asteroid.objectworld.com/canit/b.php?c=f&i=434640&m=a2c8da4fe0c4 ------------------------------------------------------ END-ANTISPAM-VOTING-LINKS _______________________________________________ Sipping mailing list https://www1.ietf.org/mailman/listinfo/sipping This list is for NEW development of the application of SIP Use sip-implementors@cs.columbia.edu for questions on current sip Use sip@ietf.org for new developments of core SIP
- [Sipping] SIP Identity Usage in Enterprise Scenar… Fries, Steffen
- RE: [Sipping] SIP Identity Usage in Enterprise Sc… Michael Slavitch
- RE: [Sipping] SIP Identity Usage in Enterprise Sc… Fries, Steffen
- RE: [Sipping] SIP Identity Usage in Enterprise Sc… Michael Slavitch
- RE: [Sipping] SIP Identity Usage in Enterprise Sc… Dan Wing
- Re: [Sipping] SIP Identity Usage in Enterprise Sc… Jonathan Rosenberg
- RE: [Sipping] SIP Identity Usage in Enterprise Sc… Michael Slavitch
- RE: [Sipping] SIP Identity Usage in Enterprise Sc… Dan Wing
- RE: [MMUSIC] RE: [Sipping] SIP Identity Usage in … Francois Audet