IETF Logo Mail Archive

RE: [Sipping] draft-camarillo-sipping-sbc-funcs-02.txt

henry@sinnreich.net Fri, 21 October 2005 13:57 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ESxOk-0000ct-US; Fri, 21 Oct 2005 09:57:30 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1ESxOj-0000cl-RJ for sipping@megatron.ietf.org; Fri, 21 Oct 2005 09:57:29 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA22962 for <sipping@ietf.org>; Fri, 21 Oct 2005 09:57:18 -0400 (EDT)
From: henry@sinnreich.net
Message-Id: <200510211357.JAA22962@ietf.org>
Received: from xmail.bluehost.com ([70.98.111.4]) by ietf-mx.ietf.org with smtp (Exim 4.43) id 1ESxas-0001tT-2P for sipping@ietf.org; Fri, 21 Oct 2005 10:10:03 -0400
Received: (qmail 29225 invoked by uid 0); 21 Oct 2005 13:56:49 -0000
Received: from unknown (HELO box6.bluehost.com) (70.98.111.61) by xmail.bluehost.com with SMTP; 21 Oct 2005 13:56:49 -0000
Received: from c-24-1-136-53.hsd1.tx.comcast.net ([24.1.136.53] helo=1AB764895C324D3) by box6.bluehost.com with esmtp (Exim 4.52) id 1ESxOY-0001jR-HL; Fri, 21 Oct 2005 07:57:18 -0600
To: 'Arjun Roychowdhury' <arjunrc@gmail.com>
Subject: RE: [Sipping] draft-camarillo-sipping-sbc-funcs-02.txt
Date: Fri, 21 Oct 2005 08:57:13 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
In-Reply-To: <a9994e940510202033i1ae13fe3he662630004cb9ca0@mail.gmail.com>
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Thread-Index: AcXV8C6QbMUqojAPTHqGxQoRonqDOgAVkWzg
X-PopBeforeSMTPSenders: henry@sinnreich.net
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - box6.bluehost.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - sinnreich.net
X-Spam-Score: 2.9 (++)
X-Scan-Signature: b4a0a5f5992e2a4954405484e7717d8c
Content-Transfer-Encoding: 7bit
Cc: 'sipping' <sipping@ietf.org>
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
Sender: sipping-bounces@ietf.org
Errors-To: sipping-bounces@ietf.org

Arjun,

We need not burden the list again with a new flare-up discussing SBCs all
over again and I apologize if I may have caused this discussion.

Let's trust the authors of the I-D to add more substance to the Security
section and maybe deal with some of the other topics previously discussed.

This is a document that should be quickly advanced on the BCP track, since
the topic is of high interest in the industry.

Thanks, Henry

-----Original Message-----
From: Arjun Roychowdhury [mailto:arjunrc@gmail.com] 
Sent: Thursday, October 20, 2005 10:33 PM
To: henry@sinnreich.net
Cc: sipping
Subject: Re: [Sipping] draft-camarillo-sipping-sbc-funcs-02.txt

I really feel like playing devils' advocate, since I know, deep
inside, you really think SBCs are nice kids who just need to be 'wired
right'. So here goes ....

It seems the only unfriendly thing an SBC does is that it modifies
messages without the knowledge of the UAs - though this is not the
concern - the concern is that this in turn breaks end-end protection,
if it is used (that is the one consistent reason in all the sections).

In all fairness, I have a hard time understanding why the SBC is
turning out to be the 'Anti-Internet'. The end-end principle of the
Internet has always been challenged at the network layer (which has
nothing to do with the application layer) for a long time, including
technologies like NAT, Firewalls,ALGs, relays, split DNS and similar.
Several RFCs talk about the realistic challenge of e-e and actually
discuss realistic scenarios where e-e may not work (The Rise of the
Middle and the Future of End-End - 3724)

The biggest issue seems to be 'done without knowledge' and 'end-end
encryption' seems secondary, at least at the network layer of the
Internet (as an example, the NAT WG suggested RSIP as an adjunct to
NAT to make it 'friendly'). If this is the biggest problem, then the
solution is easier - let the SBC 'tell' the UAs via some SIP mechanism
that it is playing 'big brother'. That information could be used to
inform the UAs 'legally' that due to network policies the outside
world is not seeing what they are sending - and if the SBC tells them
what the change is, then maybe the UAs can get 'smarter' in operation
for that session. (Sorry, I am not smart enough to figure out what
'smarter' really means, at least for now)


>
> - If the SBC is compromised (it happens on the Internet) then what are the
> vulnerabilities for (1) SIP signaling and (2) RTP media streams?

This is a problem not specific to SBCs. What if the mailserver of a
corporate domain gets compromised ? What if the backend datastore of a
credit card company gets compromised by a web server exploit ? Same
story.

regds
arjun
--
Arjun Roychowdhury



_______________________________________________
Sipping mailing list  https://www1.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sip@ietf.org for new developments of core SIP

v2.23.0 | Report a Bug | By Email