Presentation is loading. Please wait.

Presentation is loading. Please wait.

SIP Security Michael Thomas Status First Cut of Requirements Draft –draft-thomas-sip-sec-reqt-00.txt –Will be basis going forward –Design.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "SIP Security Michael Thomas Status First Cut of Requirements Draft –draft-thomas-sip-sec-reqt-00.txt –Will be basis going forward –Design."— Presentation transcript:

1 SIP Security Michael Thomas Mat@cisco.com

2 Status First Cut of Requirements Draft –draft-thomas-sip-sec-reqt-00.txt –Will be basis going forward –Design team being formed –Should complete soon Drafts which can meet all of the requirements will not be short term exercise Prioritization of requirements needed

3 bis Strawman We have enough understanding of the current requirements that some prioritization can probably be made for bis If we are to move bis along, the baseline must be fairly uncontroversial, be based on existing protocols, and address enough threats so that it is acceptable to IESG But… there is also a strong desire for additional mechanisms and support for different authentication backends

4 Two Paths Choose a limited base set of protections offered by bis with the guarantee that we will have a standards track SIP security framework –We’re relatively close to coming to consensus here –Existing hop-by-hop crypto and legacy http mechanisms –Resolve future proofing questions Open up discussions about what ought to be in bis baseline –No consensus –Many competing agendas –Many competing authentication mechanisms

5 My Suggestion In order to get bis to move forward soon, we have very few options –If we don’t care about moving forward, then an endless discussion is probably appropriate The only real question is whether an unambitious baseline will pass muster –My sense is that it solves the most serious problems that SIP deployments currently face –Other mechanisms are oriented at enabling different authentication deployment scenarios; no single answer here, so it’s difficult to pick one anyway.

6 The bis Baseline Two principle threats: –Various attacks from non call participants –Theft of service attacks at a remote proxy/gateway Full Message Crypto Solves 1 st Threat –IPsec, TLS, App layer HTTP Digest provides 2 nd

7 Transport Options IPsec + Provides keying mechanism + TCP/SCTP/UDP friendly -Credential fetching API currently lacking -TLS + Provides keying mechanism + Good credential binding mechanism -No support for UDP; SCTP still being worked on -App Layer + Most flexible since it would be SIP-custom -No keying mechanism -No off the shelf solution which fits requirements

8 UAC->Middle/UAS HTTP Digest currently in Bis + Widely implemented -No concept of mutual authentication -No facility for multiple challenges -Key distribution undefined Hacked on Digest + Quick and dirty - Unproven; not widely reviewed by right people -Side effects questionable - Not clear whether benefits fits into the 80/20 rule New SIP-secure + Should solve these kinds of problems systematically - Needs to be fully fleshed out

Download ppt "SIP Security Michael Thomas Status First Cut of Requirements Draft –draft-thomas-sip-sec-reqt-00.txt –Will be basis going forward –Design."

Similar presentations

Message Sessions Draft-campbell-simple-im-sessions-01 Ben Campbell

Message Sessions Draft-campbell-simple-im-sessions-01 Ben Campbell
Presence, Security and Privacy. www.dynamicsoft.com VON 3.20. 01 The Current Environment Many Faces of Security Authentication Verify someone is who they.

Presence, Security and Privacy. VON The Current Environment Many Faces of Security Authentication Verify someone is who they.
© 2006 NEC Corporation - Confidential age 1 November 2008 - 1 SPEERMINT Security Threats and Suggested Countermeasures draft-ietf-speermint-voipthreats-01.

© 2006 NEC Corporation - Confidential age 1 November SPEERMINT Security Threats and Suggested Countermeasures draft-ietf-speermint-voipthreats-01.
PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.

PKI Solutions: Buy vs. Build David Wasley, U. California (ret.) Jim Jokl, U. Virginia Nick Davis, U. Wisconsin.
ClASS DEBRIEF SESSIONS PROVIDING EFFECTIVE FEEDBACK.

ClASS DEBRIEF SESSIONS PROVIDING EFFECTIVE FEEDBACK.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IETF OAuth Proof-of-Possession

IETF OAuth Proof-of-Possession
What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.

What is EAP EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can.
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.

The Aerospace Clinic 2002 Team Members Nick Hertl (Project Manager) Will Berriel Richard Fujiyama Chip Bradford Faculty Advisor Professor Michael Erlinger.
TMN Workshop Antwerp, 27 May1998 EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D  The need for TMN security &

TMN Workshop Antwerp, 27 May1998 EURESCOM Project P710 “Security for the TMN X-interface” by Pål Kristiansen, Telenor R&D  The need for TMN security &
1 Presentation_ID © 1998, Cisco Systems, Inc. SIP Security Status Michael Thomas

1 Presentation_ID © 1998, Cisco Systems, Inc. SIP Security Status Michael Thomas
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
SIP Security Matt Hsu.

SIP Security Matt Hsu.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
MNO Cloud Use Case 2 Source: Rogers Wireless Contact: Ed O’Leary George Babut 3GPP/SA3-LI#43Tdoc SA3LI11_115.

MNO Cloud Use Case 2 Source: Rogers Wireless Contact: Ed O’Leary George Babut 3GPP/SA3-LI#43Tdoc SA3LI11_115.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16, 2003 1300 - 1500.

July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
Host Identity Protocol

Host Identity Protocol

Similar presentations

Ads by Google