Re: [stir] I-D Action: draft-ietf-stir-threats-01.txt

[Dan York <york@isoc.org>]

Robert,


On 2/5/14 2:45 PM, "Robert Sparks" <rjsparks@nostrum.com> wrote:

>I'd also very much like to hear from more people in the group that they
>read the document and believe it is ready to ship.

I have read the document and have no fundamental objection to publishing.
I have only several editorial comments for Jon's consideration.

======================
1.   In section one, I found this paragraph a bit confusing, particularly
the last sentence:
----
   In SIP and even many traditional telephone protocols, call signaling
   can be renegotiated after the call has been established.  Using
   various transfer mechanisms common in telephone systems, a callee can
   easily be connected to, or conferenced in with, telephone numbers
   other than the original calling number once a call has been
   established.  These post-setup changes to the call are outside the
   scope of impersonation considered in this model.  Furthermore,
   impersonating a reached number to the originator of a call is outside
   the scope of this threat model.

----

Specifically the use of "reached number" is something I don't see anywhere
else in the document.  I also just find it strange to have that last
sentence tacked on to a paragraph that covers another topic.  It might be
better as something like:

----
   In SIP and even many traditional telephone protocols, call signaling
can be renegotiated after the call has been established. Using
various transfer mechanisms common in telephone systems, a callee can
easily be connected to, or conferenced in with, telephone numbers
other than the original calling number once a call has been
established. These post-setup changes to the call are outside the
scope of impersonation considered in this model.

Furthermore, this threat model does not include in its scope the
verification of
the called party number back to the originator of the call. There is no
assurance to the originator that they are reaching the correct number. This
threat model is focused only on verifying the caller party number to the
callee.
----

Maybe that's too wordy but I think it would be helpful to those trying to
understand STIR to be clear that spoofing the called party number is out
of scope.

======================



2. In section "3.1.  Voicemail Hacking via Impersonation", the end of the
first paragraph says:
----
   the
   attacker may try to impersonate the calling party number using one of
   the scenarios described below.
----
I'm not clear what the "scenarios described below" are as I don't see any
scenarios in this section 3.1.  Is it referring to the later section 4?
If so, you might want to reword it along the lines of "the scenarios
describe in the later section on "Attack Scenarios"."

======================

3. In section "3.2.  Unsolicited Commercial Calling from Impersonated
Numbers", third paragaph:
----
If there were a service that
   could inform the terminating side of that it should expect an
   identity signature in calls or texts from that number, however, that
   would also help in the robocalling case.
----

The "of that it" doesn't work in my brain.  I think the "of" needs to be
dropped.

======================

4. In section "3.3.  Telephony Denial-of-Service Attacks", first
paragraph, there is an extra "a" in "attaacks":
----
These attaacks might target a
   business, an individual or a public resource like emergency

   responders; the attack may intend to extort the target or have other
   motivations.

----
I also personally don't like this usage of the semi-colon and might
suggest these would be best as two separate sentences... but that's a
style thing.  
<insert semi-colon rat hole / flame war here>


======================

5. In section "4. Attack Scenarios", the acronyms "CPN" and "IAM" are used
 without expansion in the first paragraph and then CPN is defined in the
second paragraph.  It might be better to put "PSTN-PSTN" first.  I don't
know whether "IAM" warrants expanding.

I also would suggest putting "IP-IP" first in the scenarios given that
most folks reading this should be familiar with SIP and that is by far the
easiest example for people to understand.  The flow of the scenarios could
be: 
IP-IP
PSTN-PSTN
IP-PSTN
IP-PSTN-IP

----
 Impersonation, IP-PSTN

   An attacker on the Internet uses a commercial WebRTC service to send
   a call to the PSTN with a chosen calling party number.  The service
   contacts an Internet-to-PSTN gateway, which inserts the attacker's
   chosen calling party number into the SS7 call setup message (the CPN
   field of an IAM).  When the call setup message reaches the
   terminating telephone switch, the terminal renders the attacker's
   chosen calling party number as the calling identity.

   Impersonation, PSTN-PSTN

   An attacker with a traditional PBX (connected to the PSTN through
   ISDN) sends a Q.931 SETUP request with a chosen calling party number
   which a service provider inserts into the corresponding SS7 calling
   party number (CPN) field of a call setup message (IAM).  When the
   call setup message reaches the endpoint switch, the terminal renders
   the attacker's chosen calling party number as the calling identity.

----

======================

6. In section "4. Attack Scenarios", the term "calling identity" is used
at the end of each scenario in the text "the terminal renders the
attacker's chosen calling party number as the calling identity."  That's
the only usage of that phrase in the document.   I don't know that this is
wrong, but I just wondered if it was in keeping with the terminology that
is being used across other STIR documents.  (And I don't really have an
alternative that comes to my mind.)

======================

Regards,
Dan