IETF Logo Mail Archive

Re: [stir] [EXTERNAL] Re: PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?

"Peterson, Jon" <jon.peterson@team.neustar> Tue, 06 February 2018 07:01 UTC

Return-Path: <prvs=9575e1d54b=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20B84126CD6 for <stir@ietfa.amsl.com>; Mon, 5 Feb 2018 23:01:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rs2aF8YEkh_a for <stir@ietfa.amsl.com>; Mon, 5 Feb 2018 23:01:32 -0800 (PST)
Received: from mx0b-0018ba01.pphosted.com (mx0b-0018ba01.pphosted.com [67.231.157.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D438126CD8 for <stir@ietf.org>; Mon, 5 Feb 2018 23:01:32 -0800 (PST)
Received: from pps.filterd (m0049401.ppops.net [127.0.0.1]) by mx0b-0018ba01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w166qtBE010479; Tue, 6 Feb 2018 02:01:29 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=selector1; bh=cjahLOMGZtQHH83J95OuArgiSrD4L4R5zR9xqznsPZw=; b=CUqagmuBbT51ZFn8oHE11Ed0YIkTklRRq65A97PJcQv41XtTRduxqthJutgA6g1Xmam4 ab6tbKFxkkQeHmhkoVULmIm5o//CFoJNDyIEDFfjYo0+KYNARGV+NeiuwCeQpXvxv4Ho pSRa95DAxOd12UJ/FZ6q8/O8uoTpJzo5wy/vCUbR+2+ZI5kMftDT/yWHFp5Ky+TbfKUu t6iZjlL9baA3ng9UGlQW7Q0ZI3Jx34Urz4bvyAqf5WzqJpKZhrQQRq488hsfi18a1iLY xiEosZc1REMjHP+KAhhF5KE0L3bfyaJKy6JM6nSzkdKdZuVmD7uJt6n3FKXW/zH2cR/5 sg==
Received: from stntexhc10.cis.neustar.com ([156.154.17.216]) by mx0b-0018ba01.pphosted.com with ESMTP id 2fwa9cw082-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 06 Feb 2018 02:01:28 -0500
Received: from STNTEXMB11.cis.neustar.com ([169.254.1.236]) by stntexhc10.cis.neustar.com ([169.254.4.133]) with mapi id 14.03.0279.002; Tue, 6 Feb 2018 02:01:28 -0500
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Christer Holmberg <christer.holmberg@ericsson.com>, "Peterson, Jon" <jon.peterson@team.neustar>, Julio Martinez-Minguito <julio.martinez-minguito@ericsson.com>, Chris Wendt <chris-ietf@chriswendt.net>
CC: "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [EXTERNAL] Re: [stir] PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?
Thread-Index: AQHTmhhNxwncwLCIhkCTLcv50WoH5KOUS3IggAJ+rAA=
Date: Tue, 06 Feb 2018 07:01:27 +0000
Message-ID: <D69E8CA6.1F58A6%jon.peterson@neustar.biz>
References: <D6962DB9.1F5701%jon.peterson@neustar.biz> <7594FB04B1934943A5C02806D1A2204B6C153603@ESESSMB109.ericsson.se>
In-Reply-To: <7594FB04B1934943A5C02806D1A2204B6C153603@ESESSMB109.ericsson.se>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.6.3.160329
x-originating-ip: [10.96.13.146]
Content-Type: text/plain; charset="euc-kr"
Content-ID: <AD418F0E79FBFA42AC7FAB239BC1A408@neustar.biz>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-02-06_03:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802060084
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/qI8VKn0yjMl4vI_KSSor-lMadgg>
Subject: Re: [stir] [EXTERNAL] Re: PASSPorT: "orig" and "dest" mandatory in all PASSPorTs?
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Feb 2018 07:01:35 -0000


On 2/4/18, 7:27 AM, "Christer Holmberg" <christer.holmberg@ericsson.com>
wrote:

>Even if you hand the verification service a single Identity header
>fields, which contains embedded claims from N Identity header fields, the
>verification service still have to figure out what goes with what,
>doesn't it?

The point of nesting is to order the stack, and correlate retargets with
previous targets. So I hope that it is explicit about what goes with what.

>
>>- but there are a few potential pitfalls there we need to avoid, or at
>>least carefully mark.
>
>Assume the following:

Yeah this the sort of thing I meant by pitfalls.

> 
>1 . The "original" (pre-3xx) INVITE traverses proxies P1 and P2. Each of
>those proxies insert a claim.

.. in separate Identity headers, I assume.

>2.  The INVITE then reaches P3, which decides to send a 3xx response. It
>includes a nested PASSporT, with the claims from P1 and P2 (and possibly
>P3) in the responses.

... in this case the redirecting service would need to have a way to send
two nested PASSporTs in the backwards direction (one for the P1 PASSporT
and one for the P2 PASSporT); we do need a way to do that.

>3.  The 3xx reaches the UA, which sends a "new" INVITE, which contains
>the nested PASSporT provided in the 3xx.

... in general, cases where the 3xx actually reaches the UA don't worry me
as much as ones where a helpful intermediary intervenes. If the 3xx
reaches the UA, the UA can just send a new INVITE which will go back
through P1 and P2 (or maybe as you have it below some other AS) and they
can merrily add fresh Identity headers to it reflecting the new target.
The reason why I'm not super concerned about this case is because the STIR
scope is limited to trying to convey the identity of the originator to
prevent spoofing, not to record service logic like History-Info does. If
the UAC gets the chance to send a new INVITE, it will get a new Identity
signature quite routinely.

>4.  The new INVITE reaches P3 and P4, and eventually a verifier. The
>Identity header will contain the claims of P1 and P2. Is that the
>intention? Is the verifier supposed to verify those? What if the
>verification fails? Should the verifier reject the request, even if P1
>and P2 are no longer associated with the call?

Ordinarily there would be no reason for a new INVITE - one resulting from
a 3xx that had reached the UAC - to carry the claims of P1 and P2.

>If this will be clarified in the next version, I can wait for the answer
>:)

The above is basically what I have in mind, anyway, for the revision. To
try to keep this simple, focused on the impersonation attack, rather than
trying to sign service logic decisions. The new redirection text is
basically to handle the case where the INVITE does not reach the UA, where
some intermediary explores a new target, that those nested PASSporTs are
relevant here.

If that scope seems insufficient or misguided, let's talk about it more.

>In addition, P3 and P4 may add their own claims, in separate Identity
>header fields, so there would be one Identity header field with the
>nested claim (received in the 3xx response), followed by the Identity
>header fields added by P3 and P4. Perhaps that is not a problem, but I
>just hope we don't make assumptions regarding the number and combinations
>of Identity header fields...

In general, I don't know why changing the target should result in
different authentication services wanting to add PASSporTs to a call, and
I'm kind of afraid to hear the rationale for it. I mean, I can construe a
reason for some corner cases, but in ordinary operations, we hope the
administrative domain of the originator of the call will be able to sign
PASSporTs for it, and that it won't be so destination-dependent.

Jon Peterson
Neustar, Inc.

>
>Regards,
>
>Christer
>
>
>
>On 1/26/18, 9:27 AM, "stir on behalf of Julio Martinez-Minguito"
><stir-bounces@ietf.org on behalf of julio.martinez-minguito@ericsson.com>
>wrote:
>
>>Hi,
>>
>>I see in the nested divert that the new PASSporT has a claim "opt"
>>which includes the PASSporT of the originating network, including the
>>signature.
>>The PASSporT added by the diverting network includes a claim "orig",
>>which is copied from the 'original' PASSporT.
>>In this case , for a PASSporT ppt:div, the diverting network mays not
>>have authority over the claim "orig", but only over the claim 'div'. A
>>verifier will have to check the embedded PASSporT, verify the signature
>>and check that the orig in the different PASSporT matches.
>>
>>Though in another cases, if the originating number and the diverting
>>are served by the same operator, the operator has authority over both
>>orig and div claims. A nested PASSporT would not be needed in this case.
>>
>>The end result is quite similar as if we have multiple Identity headers.
>>In the end there are multiple PASSporT objects, the difference is how
>>they are conveyed in the signaling.
>>
>>I assume the main reason for the embedding is because of the oob
>>solution, or?
>>
>>Regards, Julio
>>
>>> -----Original Message-----
>>> From: Christer Holmberg [mailto:christer.holmberg@ericsson.com]
>>> Sent: den 24 januari 2018 15:06
>>> To: Chris Wendt <chris-ietf@chriswendt.net>
>>> Cc: stir@ietf.org
>>> Subject: Re: [stir] PASSPorT: "orig" and "dest" mandatory in all
>>>PASSPorTs?
>>> 
>>> Hi,
>>> 
>>> >I guess i¹m not following what¹s not clear, if you MUST only have
>>> >one orig claim and one identity in that claim, that seems to be
>>> >pretty clear to me that you cannot either not have an orig claim or
>>> >have more than one.  I guess maybe i¹m missing something subtle in
>>>your point.
>>> 
>>> It is clear that you cannot have more than one claim, but I think it
>>>could be  made more clear that you always must have a claim to begin
>>>with :)
>>> 
>>> >For extensions, and in general with any PASSporT, once the PASSporT
>>> >is signed, that¹s it, you cannot modify claims or "re-sign".  If you
>>> >want new PASSporT claim information that you want to sign, you must
>>> >have a new PASSporT or new identity header.
>>> 
>>> Correct, I should have made that clear.
>>> 
>>> So, if you have two (or more) Identity header fields, do they all
>>>have to  contain the same ³orig² value? Or, is one allowed to change
>>>it?
>>> 
>>> Does the same apply for ³dest²? And, if you want to change the ³dest²
>>>you  need to use the divert extension? You can¹t just add a new
>>>passport with a  new ³dest² value. Or?
>>> 
>>> >Currently for divert, the approach is to embed a PASSporT inside a
>>> >new PASSporT, which is a valid technique also and result in a new
>>> >identity header also (but you should remove the old identity header
>>> >in this
>>>case).
>>> 
>>> My colleague Julio sent some questions and issues regarding the
>>> ³embedding²/³nesting² approach. I would be happy if you look at those
>>> :)
>>> 
>>> Regards,
>>> 
>>> Christer
>>> 
>>> 
>>> >
>>> >-Chris
>>> >
>>> >> On Jan 23, 2018, at 2:19 PM, Christer Holmberg
>>> >><christer.holmberg@ericsson.com> wrote:
>>> >>
>>> >> Hi Chris,
>>> >>
>>> >>>> Question for clarification:
>>> >>>>
>>> >>>> Section 5.2.1 of draft-passport says:
>>> >>>>
>>> >>>>      "There MUST be exactly one "orig" claim with exactly one
>>> >>>>identity claim object in a PASSporT object."
>>> >>>>
>>> >>>> Q1: Does the text above mean that
>>> >>>>
>>> >>>>      a) a passport must always contain one, one only one, "orig"
>>> >>>>claim; or
>>> >>>>      b) that if a passport contains an "orig" claim, if can only
>>> >>>>contains one?
>>> >>>
>>> >>> It can only contain one key value pair with the key ³orig² and
>>> >>>the claim value can only be one identity.
>>> >>>
>>> >>> In other words you cannot claim to originate multiple identities
>>> >>>with a single passport object.
>>> >>
>>> >> Correct. The question is whether "orig" is mandatory (alternative
>>> >>a) or not (alternative b). But, based on your reply to Q2 below, I
>>> >>assume the answer is alternative a).
>>> >>
>>> >> I think it would be good to make that more clear.
>>> >>
>>> >>>> Q2: If a), does it apply to passport extensions too?
>>> >>>
>>> >>> All extensions must include the base passport claims and follow
>>> >>>all rules of the claims, so yes.
>>> >>
>>> >> I think it should be more clear whether a node can modify claims
>>> >>or not when adding an extension, or whether an extension needs to
>>> >>explicitly allow it. Currently the text only says (AFAIK) that
>>> >>claims cannot be removed.
>>> >>
>>> >> For example, if I have a base passport, and add an RPH passport, I
>>> >>assume I cannot change the value of the "dest" claim. I would need
>>> >>to use a divert claim for that.
>>> >>
>>> >> Also, as the passports may be added and signed by different
>>> >>authorities, and as each passport will contain the base claims, it
>>> >>means that the base claims will be signed multiple times, and they
>>> >>may be signed by different authorities. I assume that is ok.
>>> >>
>>> >> Regards,
>>> >>
>>> >> Christer
>>> >>
>>> >
>>> 
>>
>>_______________________________________________
>>stir mailing list
>>stir@ietf.org
>>https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailm
>>an_ 
>>listinfo_stir&d=DwIFAw&c=MOptNlVtIETeDALC_lULrw&r=dQ51tLfoGuuFjanmfeKC0
>>weX 
>>HNMl9xZnnsIiwRd6IgY&m=CYEKQetxoYJFWkCYlTjULI4cuXYtswc-ksgANHWODz0&s=n8n
>>5Xn LoHH1N9qVTNdWCn5VNUcQIQMajN21qTivbnD8&e=
>

v2.23.0 | Report a Bug | By Email