Re: [stir] [Technical Errata Reported] RFC8224 (6499)
Cullen Jennings <fluffy@cisco.com> Thu, 01 April 2021 14:30 UTC
Return-Path: <fluffy@cisco.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 931D53A15AA for <stir@ietfa.amsl.com>; Thu, 1 Apr 2021 07:30:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.618
X-Spam-Level:
X-Spam-Status: No, score=-9.618 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_NONE=0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FatLXIoQRQEF for <stir@ietfa.amsl.com>; Thu, 1 Apr 2021 07:30:17 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DD8C3A15A5 for <stir@ietf.org>; Thu, 1 Apr 2021 07:30:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=24704; q=dns/txt; s=iport; t=1617287417; x=1618497017; h=mime-version:subject:from:in-reply-to:date:cc:message-id: references:to; bh=ve/PzO1Ioq6C8ExjznCFXQ+HDwdlnkKHqfUrCK6j2hk=; b=YvRHeEGdl8f932RxcVt/6wiQi+TfVH0dQYCxiqczs2nTaOae6WKjUuiP sG52LZIkQhibNp5sU00Dh2vn8Fd9jDOA2SdCj6lAgJd3DMPpxH0EGmJC+ 3aLWAT0+rO+AEllXKM1zUDzE1K9C9BlLM2/c79RFproUwx4DFxbAlFc/L g=;
X-IronPort-AV: E=Sophos;i="5.81,296,1610409600"; d="scan'208,217";a="671500648"
Received: from rcdn-core-3.cisco.com ([173.37.93.154]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 01 Apr 2021 14:30:14 +0000
Received: from [192.168.4.53] (sjc-fluffy-nitro8.cisco.com [10.19.228.217]) by rcdn-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 131EUAP9002850 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 1 Apr 2021 14:30:12 GMT
Content-Type: multipart/alternative; boundary="Apple-Mail=_F803E7A5-7BBC-44E9-842E-7163C8ABBE86"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
From: Cullen Jennings <fluffy@cisco.com>
In-Reply-To: <70D5DE5F-88A7-4D5D-A06C-6403983F4B75@chriswendt.net>
Date: Thu, 01 Apr 2021 08:30:03 -0600
Cc: Marc Petit-Huguenin <marc@petit-huguenin.org>, Russ Housley <housley@vigilsec.com>, Eric Rescorla <ekr@rtfm.com>, Jon Peterson <jon.peterson@neustar.biz>, IETF STIR Mail List <stir@ietf.org>, "Murray S. Kucherawy" <superuser@gmail.com>, Francesca Palombini <francesca.palombini@ericsson.com>, Robert Sparks <rjsparks@nostrum.com>
Message-Id: <38679905-0AEA-4C2B-B953-F75DEFE433EC@cisco.com>
References: <20210327204839.06FA2F4076D@rfc-editor.org> <F39D942E-717B-4CE8-833C-F7D25CF6D600@vigilsec.com> <40111C58-5A2E-4B36-BBB4-42D639FCC630@cisco.com> <34471c8e-1ce7-3f84-431c-753bb150dbce@petit-huguenin.org> <70D5DE5F-88A7-4D5D-A06C-6403983F4B75@chriswendt.net>
To: Chris Wendt <chris-ietf@chriswendt.net>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
X-Outbound-SMTP-Client: 10.19.228.217, sjc-fluffy-nitro8.cisco.com
X-Outbound-Node: rcdn-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/ZmKZ_E562w3nG40m8OrbGSjMR88>
Subject: Re: [stir] [Technical Errata Reported] RFC8224 (6499)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Apr 2021 14:30:23 -0000
FWIW … AIB is used in some private SIP networks thought I realize it is not used in carrier networks. I have zero idea if they will upgrade to 8224 or not. It is pretty common for the firewalls and border SBC to check that the SIP messages headers match their idea of what the allowed ABNF is and also impose random size limits on stuff. Always very frustrating to run into one of these. They typically do check the allowed characters match the ABNF. I don’t know any of that is a big deal because those network will be configured to stay on 4474 until they upgrade to 8824. I’ve got no strong opinion on what is best resolution to this but glad people found it and are sorting it out one way or the other. > On Mar 28, 2021, at 6:45 PM, Chris Wendt <chris-ietf@chriswendt.net> wrote: > > Yes, so just to explain, we inherited base64url from RFC7519 JWT, so i think the errata is correct, but I believe no-one, i’m aware of at least, actually followed base64 vs base64url for implementing 8224 simply because JWT implementation and interop is so widely accepted at this point (although i didn’t do the homework to see what the potential breakage would be). To be clear this is only for the PASSporT/JWT value in the identity header not any of the parameters that come afterword. > > To Cullen’s point, i think because from 4474 to 8224 the switch as i recall was just a signature to a JWT/PASSporT, this probably is different enough that any implementation of 4474 identity would not be compatible to begin with, if the SBC would even touch the contents of the header values. But again, we have a lot of 8224 identity headers passing in SP networks and i have not heard of any interop issues, from everything i’ve heard most networks have been turning on identity headers passing through SBCs for the first time. And i believe most SBCs do not evaluate the identity header, only until you get to the point where the verification service is the value parsed, as far as i’m aware. > > -Chris > >> On Mar 28, 2021, at 6:42 PM, Marc Petit-Huguenin <marc@petit-huguenin.org <mailto:marc@petit-huguenin.org>> wrote: >> >> See the examples in section 4.1.1 of RFC 8224. >> >> On 3/28/21 2:56 PM, Cullen Jennings wrote: >>> @Chris …. >>> Uh, I’m not sure. I’m not up to speed on this enough and certainly defer to the people that know more than me. >>> I agree the passport is bas64url encoded, but are the strings we are talking about here done the same way? It looks like 4474 has them as base64 encoded. >>> My read was the passport string was base64url encoded, then that string was used with combined and encdoed a second time with base64 encode to go in the identity header. >>> Anyways, I have no idea what should happen here but the more I looked at it, the less obvious it was to me. >>> I’d love to hear from Chris ? >>> Anyways … as a practical point, If you move the Identity header from using base64 in 4474, to base64url in 8224, it seems likely that lots of SBC will reject them. That will be particularly frustrating to debug given it will not reject all of them where the different characters in the alphabet don’t occur. >>>> On Mar 28, 2021, at 10:48 AM, Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> wrote: >>>> >>>> I think this errata should be approved. >>>> >>>> Russ >>>> >>>>> On Mar 27, 2021, at 4:48 PM, RFC Errata System <rfc-editor@rfc-editor.org <mailto:rfc-editor@rfc-editor.org>> wrote: >>>>> >>>>> The following errata report has been submitted for RFC8224, >>>>> "Authenticated Identity Management in the Session Initiation Protocol (SIP)". >>>>> >>>>> -------------------------------------- >>>>> You may review the report below and at: >>>>> https://www.rfc-editor.org/errata/eid6499 <https://www.rfc-editor.org/errata/eid6499> >>>>> >>>>> -------------------------------------- >>>>> Type: Technical >>>>> Reported by: Marc Petit-Huguenin <marc@petit-huguenin.org> >>>>> >>>>> Section: 4 >>>>> >>>>> Original Text >>>>> ------------- >>>>> Identity = "Identity" HCOLON signed-identity-digest SEMI >>>>> ident-info *( SEMI ident-info-params ) >>>>> signed-identity-digest = 1*(base64-char / ".") >>>>> ident-info = "info" EQUAL ident-info-uri >>>>> ident-info-uri = LAQUOT absoluteURI RAQUOT >>>>> ident-info-params = ident-info-alg / ident-type / >>>>> ident-info-extension >>>>> ident-info-alg = "alg" EQUAL token >>>>> ident-type = "ppt" EQUAL token >>>>> ident-info-extension = generic-param >>>>> >>>>> base64-char = ALPHA / DIGIT / "/" / "+" >>>>> >>>>> >>>>> Corrected Text >>>>> -------------- >>>>> Identity = "Identity" HCOLON signed-identity-digest SEMI >>>>> ident-info *( SEMI ident-info-params ) >>>>> signed-identity-digest = 1*(base64url-char / ".") >>>>> ident-info = "info" EQUAL ident-info-uri >>>>> ident-info-uri = LAQUOT absoluteURI RAQUOT >>>>> ident-info-params = ident-info-alg / ident-type / >>>>> ident-info-extension >>>>> ident-info-alg = "alg" EQUAL token >>>>> ident-type = "ppt" EQUAL token >>>>> ident-info-extension = generic-param >>>>> >>>>> base64url-char = ALPHA / DIGIT / "-" / "_" >>>>> >>>>> >>>>> Notes >>>>> ----- >>>>> RFC 8225 makes it clear that the encoding is BASE4URL, not the standard BASE64 encoding. >>>>> >>>>> Instructions: >>>>> ------------- >>>>> This erratum is currently posted as "Reported". If necessary, please >>>>> use "Reply All" to discuss whether it should be verified or >>>>> rejected. When a decision is reached, the verifying party >>>>> can log in to change the status and edit the report, if necessary. >>>>> >>>>> -------------------------------------- >>>>> RFC8224 (draft-ietf-stir-rfc4474bis-16) >>>>> -------------------------------------- >>>>> Title : Authenticated Identity Management in the Session Initiation Protocol (SIP) >>>>> Publication Date : February 2018 >>>>> Author(s) : J. Peterson, C. Jennings, E. Rescorla, C. Wendt >>>>> Category : PROPOSED STANDARD >>>>> Source : Secure Telephone Identity Revisited >>>>> Area : Applications and Real-Time >>>>> Stream : IETF >>>>> Verifying Party : IESG >>>>> >> >> >> -- >> Marc Petit-Huguenin >> Email: marc@petit-huguenin.org <mailto:marc@petit-huguenin.org> >> Blog: https://marc.petit-huguenin.org <https://marc.petit-huguenin.org/> >> Profile: https://www.linkedin.com/in/petithug <https://www.linkedin.com/in/petithug>
- [stir] [Technical Errata Reported] RFC8224 (6499) RFC Errata System
- Re: [stir] [Technical Errata Reported] RFC8224 (6… Russ Housley
- Re: [stir] [Technical Errata Reported] RFC8224 (6… Cullen Jennings
- Re: [stir] [Technical Errata Reported] RFC8224 (6… Marc Petit-Huguenin
- Re: [stir] [Technical Errata Reported] RFC8224 (6… Chris Wendt
- Re: [stir] [Technical Errata Reported] RFC8224 (6… Marc Petit-Huguenin
- Re: [stir] [Technical Errata Reported] RFC8224 (6… Christer Holmberg
- Re: [stir] [Technical Errata Reported] RFC8224 (6… Cullen Jennings