Re: [stir] Draft posted (draft-rescorla-stir-fallback-00)
Dave Crocker <dhc@dcrocker.net> Mon, 15 July 2013 21:59 UTC
Return-Path: <dhc@dcrocker.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D2D621E8177 for <stir@ietfa.amsl.com>; Mon, 15 Jul 2013 14:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.587
X-Spam-Level:
X-Spam-Status: No, score=-6.587 tagged_above=-999 required=5 tests=[AWL=0.012, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HI7+t3rq3rxP for <stir@ietfa.amsl.com>; Mon, 15 Jul 2013 14:59:26 -0700 (PDT)
Received: from sbh17.songbird.com (sbh17.songbird.com [72.52.113.17]) by ietfa.amsl.com (Postfix) with ESMTP id F26B721E816E for <stir@ietf.org>; Mon, 15 Jul 2013 14:59:14 -0700 (PDT)
Received: from [192.168.1.66] (76-218-9-215.lightspeed.sntcca.sbcglobal.net [76.218.9.215]) (authenticated bits=0) by sbh17.songbird.com (8.13.8/8.13.8) with ESMTP id r6FLx97l002197 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 15 Jul 2013 14:59:14 -0700
Message-ID: <51E4708C.4000206@dcrocker.net>
Date: Mon, 15 Jul 2013 14:58:36 -0700
From: Dave Crocker <dhc@dcrocker.net>
Organization: Brandenburg InternetWorking
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Eric Rescorla <ekr@rtfm.com>
References: <CABcZeBPHKBL+8q+4hzrJnPUL4gWji4bD_kdbdRwPoZGZoNy4pA@mail.gmail.com>
In-Reply-To: <CABcZeBPHKBL+8q+4hzrJnPUL4gWji4bD_kdbdRwPoZGZoNy4pA@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.0 (sbh17.songbird.com [72.52.113.66]); Mon, 15 Jul 2013 14:59:14 -0700 (PDT)
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] Draft posted (draft-rescorla-stir-fallback-00)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: dcrocker@bbiw.net
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2013 21:59:34 -0000
Eric, Comments in-line (or should I stash them on a web page, for possible retrieval...?) > Abstract > > A major challenge with RFC 4474-style identity assertions has been > that SIP operates in highly mediated and interworked environments. Given the lack of implementation and deployment experience for RFC4474, there doesn't seem to be any public evidence of what specific problems the document has. So the opening attribution is problematic. A reference like "RFC 4474-style" is quite ambiguous; there's no established practice or other way to know what it refers to in technical terms, and certainly not for folk outside this close-knit club. I suspect that your core point hinges on something that is actually far more broadly applicable than just for that specification. Perhaps as an alternative opening: Any SIP-based authentication mechanism that relies on the carriage of its information in SIP headers encounters a basic problem. SIP typically operates in highly mediated and... > SIP requests may pass through gateways, policy enforcement devices or > other entities that receive SIP requests and effectively act as user > agents, re-initiating a request. In these circumstances, > intermediaries may recreate the fields protected by the RFC4474 > signature, making end-to end integrity impossible. This document > describes a mechanism for two compliant endpoints to exchange > authentication data even in the face of intermediaries which remove > all additional call signaling meta-data or which translate from SIP > into protocols incapable of understanding identity meta-data (e.g., > where one side is the PSTN). > 1. Introduction ... > > While the core network of the PSTN remains fixed, the endpoints of > the telephone network are becoming increasingly programmable and > sophisticated. Landline "plain old telephone service" deployments, Not just the end-points. All of the SIP-based components in the sequence ought to be equally programmable, certainly including SIP/PSTN gateways. And gateways are the more typical place for performing channel-specific tunneling hacks like this. > especially in the developed world, are shrinking, and increasingly > being replaced by three classes of intelligent devices: smart > phones, IP PBXs, and terminal adapters. All three are general > purpose computers, and typically all three have Internet access as > well as access to the PSTN. This provides a potential avenue for > building an authentication system that changes only the endpoints > while leaving the PSTN intact. A benefit of, instead, placing the function in gateways is that it is only active when it is needed and by the relatively few nodes that need the special capability. So this works for more users, as indicated by your second example, below. > 3. Architectural Options ... > There are roughly two plausible dataflow architectures for the CPS: > > > > Rescorla Expires January 14, 2014 [Page 5] > > Internet-Draft Caller-ID Fallback July 2013 > > > o The callee registers with the CPS. When the caller wishes to > place a call to the callee, it sends the CPR to the CPS which > forwards it to the callee. > > o The caller stores the CPR with the CPS at the time of call > placement. When the callee receives the call, it contacts the CPS > and retrieves the CDR. The caller actions is the same for both. The difference is simply a push (forwarding) vs. pull (retrieving) model for the callee-side of things. Yes? > While the first architecture is roughly isomorphic to current VoIP > protocols, it shares their drawbacks. Specifically, the callee must > maintain a full-time connection to the CPS to serve as a notification > channel. That depends upon what is registered. If a contact-me-at entry is registered, it does not require maintaining an open connection, does it? > This comes with the usual networking costs to the callee > and is especially problemtatic for mobile endpoints. Thus, we focus > on the second architecture in which the PSTN incoming call serves as > the notification channel and the callee can then contact the CPS to > retrieve the CPR. These don't have to be mutually exclusive. Forwarding can be a performance optimization, available if the callee has registered, with pull (storage awaiting retrieval) is the default. > 4. Strawman Architecture > > In this section, we discuss a strawman architecture along the lines > described in the previous section. This discussion is deliberately > sketchy, focusing on broad concepts and skipping over details. The > intent here is merely to provide a rough concept, not a complete > solution. > > 4.1. Phone Number Authentication > > We start from the premise that each phone number in the system is > associated with a set of credentials which can be used to prove > ownership of that number. For purposes of exposition we will assume Prove 'ownership' or prove 'assignment'? > that ownership is associated with the endpoint (e.g., a smartphone) > but it might well be associated with a gateway acting for the > endpoint instead. It might be the case that multiple entities are > able to act for a given number, provided that they have the > appropriate authority. The question of how an entity is determined > to have control of a given number is out of scope for this document. > > 4.2. Call Placement Service ... > Once Alice has stored the CPR, she then places the call to Bob as > usual. At this point, Bob's phone would usually ring and display > Alice's number (+1.111.111.1111), which is provided by the usual > caller-id mechanisms (i.e., the CIN field of the IAM). Instead, > Bob's phone transparently contacts the CPS and requests any current > CPRs from Alice. The CPS responds with any such CPRs (assuming they > exists). If such a CPR exists, he can then present the callerid > information as valid. Otherwise, the call is unverifiable. Note > that this does not necessarily mean that the call is bogus; because > we expect incremental deployment many legitimate calls will be > unverifiable This 'Note' sentence is more significant than it's placement in the document would seem to indicate. It goes to a core challenge to make any of these mechanisms useful. > > 4.3. Security Analysis > > The primary attack we seek to prevent is an attacker convincing the > callee that a given call is from some other caller C. There are two > scenarios to be concerned with: > > o The attacker wishes to simulate a call when none exists. What does that mean? > o The attacker wishes to substitute himself for an existing call as > described in Section 4.3.1 Neither of these sounds like the scenario that I thought I'd been hearing during the life of this mailing list: The attacker initiates a call, using a Caller-ID value for which they do not have authorization. Confusion about this suggests that the wg charter needs to be explicit and clear about the threat vectors that are to be of concern for the wg effort. > > If an attacker can inject fake CPRs into the CPS or in the > > > > Rescorla Expires January 14, 2014 [Page 7] > > Internet-Draft Caller-ID Fallback July 2013 > > > communication from the CPS to the callee, he can mount either attack. > In order to prevent this, either the communication to the CPS should > be secured in transport (e.g., with TLS) or the CPRs should be > digitally signed by the caller and verified by the callee > (Section 5.2. For privacy and robustness reasons, both are both are -> using both is Anyhow, really? Belts and suspenders? With the object-based approach, signing isn't enough to provide privacy. It needs confidentiality. Since it's unlikely the caller and callee information will be encrypted, it won't provide meta-data privacy even then. If object-based authentication is performed, TLS provides no value-add for authentication. > preferable. In particular, if only transport security is used, then > a compromised CPS can forge call origination information. d/ -- Dave Crocker Brandenburg InternetWorking bbiw.net
- Re: [stir] Draft posted (draft-rescorla-stir-fall… Eric Rescorla
- [stir] Draft posted Eric Rescorla
- Re: [stir] Draft posted Hadriel Kaplan
- Re: [stir] Draft posted (draft-rescorla-stir-fall… Dave Crocker