Re: [stir] "iat" value to use during PASSPorT construction

"Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com> Fri, 20 July 2018 19:12 UTC

From: "Gorman, Pierce A [CTO]" <Pierce.Gorman@sprint.com>
To: "Asveren, Tolga" <tasveren@rbbn.com>, williw <wilhelm@wimmreuter.de>
CC: "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] "iat" value to use during PASSPorT construction
Date: Fri, 20 Jul 2018 19:12:22 +0000
Message-ID: <bcd76a29456e4456aab0a38d74d1f3ec@plswe13m04.ad.sprint.com>
References: <CY4PR03MB3160EE4F4502CCF974B070CFA59C0@CY4PR03MB3160.namprd03.prod.outlook.com> <0C2B7B00-AB77-48E1-A666-F76A592DDC51@wimmreuter.de> <MWHPR03MB2815E6CDBA2DF7CD0D8E5BD0A5510@MWHPR03MB2815.namprd03.prod.outlook.com>
In-Reply-To: <MWHPR03MB2815E6CDBA2DF7CD0D8E5BD0A5510@MWHPR03MB2815.namprd03.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/UnX6Ac9zQgRTt67tdygUNZBWfEY>
Subject: Re: [stir] "iat" value to use during PASSPorT construction
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>

Because of the large volume of porting and ported numbers I assume it is impractical (or at least undesirable) to validate in real-time that a number is “owned” by the originating carrier.  This also won’t work for the scenarios where the call is signed by a transit or gateway carrier (say for automated traceback).

It has been said many times that just as all unwanted and illegal robocalls do not use spoofed calling numbers, it should be assumed that bad actors will originate signed calls with bad intent.  Prepaid phones and ephemeral enterprise SIP trunks will be a good home for these kinds of calls.  And there are other scenarios as well.



From: Asveren, Tolga [mailto:tasveren@rbbn.com]
Sent: Friday, July 20, 2018 1:18 PM
To: williw <wilhelm@wimmreuter.de>
Cc: stir@ietf.org
Subject: Re: [stir] "iat" value to use during PASSPorT construction

I don’t think that is an issue, as a signature being cryptographically valid doesn’t mean that it is “completely fine”. It also should be checked that the signing organization is authoritative for the claimed (and verified) origination.

Please consider that the scenario you mention is not related to the “originating network signs only if the call leaves the network” policy. It can happen in any case: an intermediary (maybe with malicious intent) can just generate a valid signature for any call by using its own key; but then the check I mentioned above would detect that the signer is not authoritative for the origination, i.e. that the signature was not generated by the originating network.

Thanks,
Tolga

From: stir <stir-bounces@ietf.org<mailto:stir-bounces@ietf.org>> On Behalf Of williw
Sent: Friday, July 20, 2018 11:15 AM
To: Asveren, Tolga <tasveren@rbbn.com<mailto:tasveren@rbbn.com>>
Cc: stir@ietf.org<mailto:stir@ietf.org>
Subject: Re: [stir] "iat" value to use during PASSPorT construction


Sorry, I unsuccessfully submitted my concern on the jabber list during the meeting.
However, this could be valid here and possibly applies to other areas of stir as well.


My concern that came up while seeing the cat slides in the meeting was the following:


Signing outbound / egress calls only.
This emulates the old PSTN paradigm and enables impersonation as we have it in SS7.
Without originating signatures this seems to be a big impersonation hole, I assume.

In fact, operators will happily sign my robocalls and other malicious stuff.
And this will guarantee that my robocalls have a valid signature, which will also be perfect for OOB signalling etc.

Is this concern valid?

Sorry this did not come through to the scribe and to the mic.

Thanks

Willi

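The check Tolga describes above, as an added example that is not part of the thread or of any STIR implementation: a PASSPorT (RFC 8225, SHAKEN "ppt" extension) is built and signed with ES256, and the verifier does three things in order: it verifies the JWS signature against the key named by "x5u", it checks that "iat" lies inside a freshness window, and only then checks that the signer is authoritative for the "orig" telephone number. Certificate fetching and chain validation are replaced by an in-memory key map, and each signer's TNAuthList (RFC 8226) is simplified to a list of E.164 digit prefixes; the 60-second window, the two x5u URLs, the telephone numbers and the origid are all constructed for the example. The scenario from the thread is reproduced: the originating carrier and a transit carrier sign the same call with their own keys; both signatures verify, but only the carrier's PASSPorT passes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Header and Payload use the RFC 8225 / SHAKEN claim names; struct fields are
// kept in lexicographic order so json.Marshal emits the canonical ordering.
type Header struct {
	Alg string `json:"alg"`
	Ppt string `json:"ppt"`
	Typ string `json:"typ"`
	X5u string `json:"x5u"`
}

type Payload struct {
	Attest string              `json:"attest"`
	Dest   map[string][]string `json:"dest"`
	Iat    int64               `json:"iat"`
	Orig   map[string]string   `json:"orig"`
	OrigID string              `json:"origid"`
}

// Signer models a carrier (or intermediary) that owns an ES256 key.
type Signer struct {
	X5u string
	Key *ecdsa.PrivateKey
}

var (
	ErrSignature        = errors.New("passport: signature does not verify")
	ErrStale            = errors.New("passport: iat outside freshness window")
	ErrNotAuthoritative = errors.New("passport: signer not authoritative for orig tn")
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces a compact JWS: base64url(header).base64url(payload).base64url(R||S).
func Sign(s *Signer, p Payload) (string, error) {
	h, _ := json.Marshal(Header{Alg: "ES256", Ppt: "shaken", Typ: "passport", X5u: s.X5u})
	pl, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	input := b64(h) + "." + b64(pl)
	digest := sha256.Sum256([]byte(input))
	r, sv, err := ecdsa.Sign(rand.Reader, s.Key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64) // JWS ES256: R and S each left-padded to 32 bytes
	r.FillBytes(sig[:32])
	sv.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// Verify checks signature, then iat freshness, then signer authority for orig.tn.
// keys maps x5u -> public key (stand-in for fetching and validating the certificate);
// authority maps x5u -> E.164 prefixes the signer may attest for (simplified TNAuthList).
func Verify(token string, keys map[string]*ecdsa.PublicKey, authority map[string][]string,
	now time.Time, window time.Duration) (*Payload, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("passport: malformed compact JWS")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h Header
	if err := json.Unmarshal(hb, &h); err != nil || h.Alg != "ES256" {
		return nil, errors.New("passport: unsupported or missing alg") // refuse alg substitution
	}
	pub, ok := keys[h.X5u]
	if !ok {
		return nil, errors.New("passport: unknown x5u " + h.X5u)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || len(sig) != 64 {
		return nil, ErrSignature
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, ErrSignature
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var p Payload
	if err := json.Unmarshal(pb, &p); err != nil {
		return nil, err
	}
	if d := now.Sub(time.Unix(p.Iat, 0)); d > window || d < -window {
		return nil, ErrStale
	}
	// A valid signature only proves who signed; this step proves they were allowed to.
	for _, prefix := range authority[h.X5u] {
		if strings.HasPrefix(p.Orig["tn"], prefix) {
			return &p, nil
		}
	}
	return nil, ErrNotAuthoritative
}

// Demo reproduces the thread's scenario and returns the three verification results.
func Demo() (carrierErr, transitErr, staleErr error) {
	newSigner := func(x5u string) *Signer {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		return &Signer{X5u: x5u, Key: k}
	}
	carrier := newSigner("https://cert.carrier.example/shaken.cer") // hypothetical x5u
	transit := newSigner("https://cert.transit.example/shaken.cer") // hypothetical x5u
	keys := map[string]*ecdsa.PublicKey{carrier.X5u: &carrier.Key.PublicKey, transit.X5u: &transit.Key.PublicKey}
	authority := map[string][]string{carrier.X5u: {"19135550"}, transit.X5u: {"14255550"}} // constructed
	now := time.Now()
	call := Payload{Attest: "A", Dest: map[string][]string{"tn": {"12025550123"}}, Iat: now.Unix(),
		Orig: map[string]string{"tn": "19135550100"}, OrigID: "2f5c3d9e-0f8a-4b4e-8c2e-6d3a9f7b1e55"} // constructed
	stale := call
	stale.Iat = now.Add(-10 * time.Minute).Unix()
	window := 60 * time.Second // assumed freshness window
	t1, _ := Sign(carrier, call)  // originating carrier signs its own subscriber's call
	t2, _ := Sign(transit, call)  // intermediary signs the same call with its own key
	t3, _ := Sign(carrier, stale) // replayed PASSPorT with an old iat
	_, carrierErr = Verify(t1, keys, authority, now, window)
	_, transitErr = Verify(t2, keys, authority, now, window)
	_, staleErr = Verify(t3, keys, authority, now, window)
	return
}

func main() {
	c, t, s := Demo()
	fmt.Println("carrier:", c, "| transit:", t, "| stale:", s)
}
```

Both the carrier's and the transit network's tokens pass the signature step; the transit token is rejected only by the authority step, which is exactly the distinction made above between "cryptographically valid" and "signed by a party authoritative for the origination". In a real verifier the authority list would come from the TNAuthList extension of the certificate fetched from "x5u" after chain validation, not from a static map.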