Presentation is loading. Please wait.

Presentation is loading. Please wait.

sip-identity-04 Added new response codes for various conditions

Published byAllen Small Modified over 6 years ago

Similar presentations

Presentation on theme: "sip-identity-04 Added new response codes for various conditions"— Presentation transcript:

1 sip-identity-04 Added new response codes for various conditions
Softened ‘direct TLS connection’ requirement Added support for CID URI in Identity-Info Added some non-normative text about requests in the backwards direction within a dialog

2 New Open Issues Fixing 6.1 Display-name handling
Should the identity signature cover the display-name? Transitional authorization policy How do you know if a domain supports sip-identity? Privacy interaction RFC3323 isn’t so current anymore URI scheme for Identity-Info Should SIPS be an option? Or should it just be a fetch (like, HTTP) Applicability to REGISTER tel URI handling domain certs v. end-user certs Name subordination rules

3 What is Response Identity?
A mechanism that allows UACs to detect that responses come from an impersonator Flip side of request identity sip-identity-04 wouldn’t work if it were applied as-is to responses (assuming flipping From for To) The problem: signature over the To header field in a response would come from the actual ‘connected’ domain -Not- the original target domain of the request, when retargeting has taken place Thus, the root cause of response identity problems is retargeting That is, if there were no retargeting, response identity would “just work”

4 Response Identity is Hard™
Issues: Who are you impersonating when you forge a response? What are intermediaries authorized to do when routing SIP requests? How would a UAC make authorization decisions on the basis of response identity? Architectural properties that make this harder: Lack of distinction between AoRs and contract addresses and ‘identities’

5 Impersonate who? Biggest difference between request and response identity is: In a transaction, a request can only come from one identity… But a response can legitimately come from tens or hundreds or thousands of entities Who is authorized to respond to a request? The set of corresponding addresses in the location service of the target domain But, that is just a logical concept – a domain can populate location services arbitrarily So who might an impersonator impersonate? The original target URI is one possibility As are any translated contacts (possibly a very large set) if known by the adversary But, an impersonator can just “be themselves” – how would a UAC know that they aren’t authorized? This is our first hint that the problem is architectural

6 Identities, AoRs, and contacts
When I respond legitimately, who am I, really? I may be capable of registering under many AoRs I don’t just have one unique identity – which one should I use? The identity to which a request was originally sent may be a valid AoR for the respondent E.g., a request to redirected to Does retargeting change the identity from which you respond? Should it? What about non-AoR targets (contact addresses)? The ultimate target of a request isn’t likely to be an AoR No way to tell from inspecting a URI if it represents a user, device, or what have you Sipping-sip-arch 4.3

7 Difficulty of Response Impersonation
Huge difference in threat model between request and response identity Request identity: adversary can forge a From header field Requires adversary to control their own device Response identity: Adversary can eavesdrop on traffic to capture transaction/dialog identifiers Adversary can suppress or somehow complement legitimate responses Adversary can reinsert forged responses into any existing persistent transport-layer connections Actually impersonating a legitimate respondant requires a great deal of sophistication

8 What is the solution space?
Strategy 1: Increase transaction security Try to prevent adversaries from learning enough about transactions/dialogs to forge responses Strategy 2: Provide a causal trace of intermediary agency after the fact E.g., Request History (post-facto authorization at UAC) Each intermediary sending a backwards-direction NOTIFY (i.e., an implicit SUBSCRIBE) Strategy 3: Let the UAC explore new targets for a request rather than an intermediary E.g., Redirection (before the fact authorization at UAC) Spidering contacts via presence before sending a “real” request Strategy 4: Essentially do nothing – bar for attackers is high enough that we shouldn’t worry

9 Permissions of Intermediaries
The architectural problem: A UAC wants to authorize a specific intermediary to change the target of a request That intermediary, in turn, wants to authorize a specific set of respondants to provide responses Any response outside of that set is NOT authorized

10 Authorization Decisions at UACs

Download ppt "sip-identity-04 Added new response codes for various conditions"

Similar presentations

MARTINI WG Interim 2010-04-29 draft-kaplan-martini-with-olive-00 Hadriel Kaplan.

MARTINI WG Interim draft-kaplan-martini-with-olive-00 Hadriel Kaplan.
SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
PROTOCOLS AND ARCHITECTURE Lesson 2 NETS2150/2850.

PROTOCOLS AND ARCHITECTURE Lesson 2 NETS2150/2850.
Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.

Global Information Security Issues According to the E&Y Global Survey, Managers Say the Right Thing… –90% of 1400 companies surveyed in 66 countries say.
Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.

Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.
1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri

1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri
Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.

Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.
Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.

Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.
1 A Path Forward on Identity Agreement on a problem space –We all agree that E.164 numbers don’t work well with RFC4474 –Less agreement about the requirements.

1 A Path Forward on Identity Agreement on a problem space –We all agree that E.164 numbers don’t work well with RFC4474 –Less agreement about the requirements.
Session Initiation Protocol (SIP). What is SIP? An application-layer protocol A control (signaling) protocol.

Session Initiation Protocol (SIP). What is SIP? An application-layer protocol A control (signaling) protocol.
Draft-rosen-ecrit-emergency- framework-00 Brian Rosen NeuStar CPa-060006.

Draft-rosen-ecrit-emergency- framework-00 Brian Rosen NeuStar CPa
IETF 60 – San Diegodraft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Aravind.

IETF 60 – San Diegodraft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-07 Magnus Westerlund Aravind.
Discovery issues in atoca Brian Rosen. We need to handle several cases Some alerts are broadcast via some access network specific mechanism (multicast,

Discovery issues in atoca Brian Rosen. We need to handle several cases Some alerts are broadcast via some access network specific mechanism (multicast,
IETF 77 MARTINI WG draft-ietf-martini-reqs-02 John Elwell Hadriel Kaplan (editors)

IETF 77 MARTINI WG draft-ietf-martini-reqs-02 John Elwell Hadriel Kaplan (editors)
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.

SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
(we need your advice!) Jon Peterson MIT– December 2010 IETF & Privacy.

(we need your advice!) Jon Peterson MIT– December 2010 IETF & Privacy.
7/6/20061 Speermint Use Case for Cable IETF 66 Yiu L. Lee JULY 2006.

7/6/20061 Speermint Use Case for Cable IETF 66 Yiu L. Lee JULY 2006.
Draft-elwell-sipping- redirection-reason-00 Author: John Elwell

Draft-elwell-sipping- redirection-reason-00 Author: John Elwell

Similar presentations

Ads by Google