IETF Logo Mail Archive

Re: [Sipping] draft-ietf-sipping-update-pai-05 - responseauthentication

Cullen Jennings <fluffy@cisco.com> Tue, 19 August 2008 14:00 UTC

Return-Path: <sipping-bounces@ietf.org>
X-Original-To: sipping-archive@optimus.ietf.org
Delivered-To: ietfarch-sipping-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 68D7D3A6B56; Tue, 19 Aug 2008 07:00:49 -0700 (PDT)
X-Original-To: sipping@core3.amsl.com
Delivered-To: sipping@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A7773A69FC for <sipping@core3.amsl.com>; Tue, 19 Aug 2008 07:00:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yqtLuoNW6Br8 for <sipping@core3.amsl.com>; Tue, 19 Aug 2008 07:00:47 -0700 (PDT)
Received: from sj-iport-3.cisco.com (sj-iport-3.cisco.com [171.71.176.72]) by core3.amsl.com (Postfix) with ESMTP id 229E53A6B56 for <sipping@ietf.org>; Tue, 19 Aug 2008 07:00:47 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.32,235,1217808000"; d="scan'208";a="95978973"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-3.cisco.com with ESMTP; 19 Aug 2008 14:00:49 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id m7JE0nvA004641; Tue, 19 Aug 2008 07:00:49 -0700
Received: from [192.168.1.64] (sjc-vpn6-294.cisco.com [10.21.121.38]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id m7JE0mi7028652; Tue, 19 Aug 2008 14:00:48 GMT
Message-Id: <64689A12-CDDF-4553-97C0-5FFAC79347DA@cisco.com>
From: Cullen Jennings <fluffy@cisco.com>
To: "Elwell, John" <john.elwell@siemens.com>
In-Reply-To: <0D5F89FAC29E2C41B98A6A762007F5D0FE9FD4@GBNTHT12009MSX.gb002.siemens.net>
Mime-Version: 1.0 (Apple Message framework v928.1)
Date: Tue, 19 Aug 2008 08:00:47 -0600
References: <0D5F89FAC29E2C41B98A6A762007F5D0FE9776@GBNTHT12009MSX.gb002.siemens.net> <48A9F21B.80605@cisco.com> <48A9F9A1.6000207@cisco.com> <0D5F89FAC29E2C41B98A6A762007F5D0FE9FD4@GBNTHT12009MSX.gb002.siemens.net>
X-Mailer: Apple Mail (2.928.1)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=6098; t=1219154449; x=1220018449; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fluffy@cisco.com; z=From:=20Cullen=20Jennings=20<fluffy@cisco.com> |Subject:=20Re=3A=20[Sipping]=20draft-ietf-sipping-update-p ai-05=20-=20responseauthentication |Sender:=20; bh=DJeu0cfBwbSEf38jo7CERQzGShxdDy9joe5EfLjPY9I=; b=RBxWrp78ynOcEBOsAlWRzdakMYSPm/f1OCQL6coyWlss23bhQFqXrpZ9JH MV/VZDh9j7ucY4IcGFcjNUgL7SV7hsyYIOZ+OiDVDvavupD4pA2OgURL2cK0 79yoaoPzoK;
Authentication-Results: sj-dkim-3; header.From=fluffy@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: Paul Kyzivat <pkyzivat@cisco.com>, SIPPING LIST <sipping@ietf.org>, "Peterson, Jon" <jon.peterson@neustar.biz>
Subject: Re: [Sipping] draft-ietf-sipping-update-pai-05 - responseauthentication
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/sipping>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: sipping-bounces@ietf.org
Errors-To: sipping-bounces@ietf.org

For several years we have discussed that it would be nice to have a  
way to tie the previous authentication of a UA to a security channel  
and use that binding for response authentication. Outbound + TLS  
seemed like one way to do this. The plan was to get basic outbound  
done before starting this type of work. It will be a major piece of  
SIP security work to get this done. It will need it's own draft and it  
probably needs to happen in the SIP WG.

Cullen

On Aug 19, 2008, at 24:31 , Elwell, John wrote:

> Paul, Jonathan,
>
> Yes, I failed to mention that this is a problem impacting requests  
> too,
> but with the big difference that each request can be digest
> authenticated. I agree with Paul, that unless you have some way of  
> tying
> together the client of a TLS connection with the client of an earlier
> digest authentication over that same TLS connection, then you have no
> business asserting identity. I am sure practice differs from this! Can
> one of the IMS experts explain how this is achieved?
>
> So the question (to the whole group, and particularly to Cullen and  
> Jon)
> is, should we add some words (for both requests and responses) that
> explains that in order to assert an identity based on an earlier  
> digest
> authentication over the same TLS connection, you must have some  
> means of
> tying together the two clients? Would this be sufficient? Or is it
> necessary to give at least one example of how this might be achieved
> (and AFAIK, there are no standardised examples).
>
> John
>
>> -----Original Message-----
>> From: Paul Kyzivat [mailto:pkyzivat@cisco.com]
>> Sent: 18 August 2008 23:37
>> To: Jonathan Rosenberg
>> Cc: Elwell, John; SIPPING LIST
>> Subject: Re: [Sipping] draft-ietf-sipping-update-pai-05 -
>> responseauthentication
>>
>>
>>
>> Jonathan Rosenberg wrote:
>>> I don't understand why this issue is unique to responses.
>> You have the
>>> same problem with requests. If a proxy authenticates a
>> client over TLS,
>>> and then later on does not re-authenticate each request, it
>> is possible
>>> that subsequent request might actually come from clients
>> further upstream.
>>>
>>> Since we have not viewed this as a problem for requests I
>> don't see why
>>> we should consider it for responses.
>>
>> Or, maybe it really *is* a problem for requests as well!
>>
>> I always viewed the workable use of this in requests to be
>> for the first
>> trusted node to authenticate, perhaps using digest, and then
>> to insert a
>> PAI. The IMS folk always asserted that they had some magic
>> way to verify
>> that the sender of a message was the same one that earlier sent a
>> REGISTER that had been authenticated. If they in fact do not
>> have a way
>> to do that, then they have no business inserting a PAI
>> assuming they do.
>>
>> I agree the response side is only different to the extent
>> that the magic
>> mechanisms differ.
>>
>> 	Thanks,
>> 	Paul
>>
>>> -Jonathan R.
>>>
>>> Elwell, John wrote:
>>>> During discussion of 04 in Dublin, concerns were raised about the
>>>> conditions in which it is possible to assert identity in a
>> response. The
>>>> present text says:
>>>>
>>>> "        <t>The proxy behaviour specified in RFC 3325 is
>> applicable to
>>>> responses with the following qualifications. A proxy that
>> receives a
>>>> response from a node outside the Trust Domain cannot directly
>>>> authenticate the UAS by SIP means. Therefore it MUST NOT include a
>>>> P-Asserted-Identity header field when forwarding the
>> response unless it
>>>> has authenticated the UAS by other means.</t>
>>>>        <t><list>
>>>>          <t>One possible circumstance in which a proxy
>> can include a
>>>> P-Asserted-Identity header field when forwarding a
>> response from a node
>>>> outside the Trust Domain is when the proxy has direct TLS
>> connectivity
>>>> with the UAS and has authenticated the UA by some other
>> means (e.g., SIP
>>>> digest authentication) during that same TLS session.</t>
>>>>        </list></t>"
>>>>
>>>> A concern raised was as follows. How does the proxy know
>> that it has
>>>> **direct** TLS connectivity with the UAS, as opposed to
>> going through
>>>> some intermediary (e.g., an edge proxy)? If there is an
>> intermediary,
>>>> the response may not have come from the UA that was earlier
>>>> authenticated, since the intermediary may have sent a
>> response from a
>>>> different UAS over the same TLS connection (or even
>> responded itself
>>>> over the same TLS connection). Unless the intermediary is
>> also a trusted
>>>> node (in which case the provisions of the paragraphs above do not
>>>> apply), it is important for the proxy to know that there is no
>>>> intermediary, i.e., that the TLS connection is with the
>> UA. Although
>>>> there are signalling mechanisms possible to achieve this,
>> they are not
>>>> standardised. Therefore a proxy can only rely on prior
>> knowledge (e.g.,
>>>> configuration) to know whether to assert an identity in such
>>>> circumstances.
>>>>
>>>> Do people consider this to be a sound basis for accepting asserted
>>>> identity in responses from untrusted nodes? Is it
>> realistic to assume
>>>> that there will be situations where it would be safe to configure a
>>>> proxy to assert an identity when a response is received over a TLS
>>>> connection over which digest authentication has already
>> taken place? The
>>>> existing wording in the draft would then be basically
>> correct, but might
>>>> benefit from some additional explanation, particularly in
>> the Security
>>>> Considerations section.
>>>>
>>>> John
>>>>
>>>>
>>>> _______________________________________________
>>>> Sipping mailing list  https://www.ietf.org/mailman/listinfo/sipping
>>>> This list is for NEW development of the application of SIP
>>>> Use sip-implementors@cs.columbia.edu for questions on current sip
>>>> Use sip@ietf.org for new developments of core SIP
>>>>
>>>
>>

_______________________________________________
Sipping mailing list  https://www.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sip@ietf.org for new developments of core SIP

v2.23.0 | Report a Bug | By Email