[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Ecrit] Security requirements absorbed from pre-interim requirements document

To: ecrit at ietf.org
Subject: [Ecrit] Security requirements absorbed from pre-interim requirements document
From: "Tom-PT Taylor" <taylor at nortel.com>
Date: Thu, 18 Aug 2005 12:05:41 -0400
List-help: <mailto:ecrit-request@ietf.org?subject=help>
List-id: ecrit.ietf.org
List-post: <mailto:ecrit@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/ecrit>, <mailto:ecrit-request@ietf.org?subject=unsubscribe>
Sender: ecrit-bounces at ietf.org
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

This note is just a record of decisions taken at the May interim meeting that affect the security requirements document. It's basic spadework preceding an update of that document.

For starters, some of the requirements in draft-schulzrinne-ecrit-requirements-00.txt were considered to be security requirements. Here is the list, with comments from the minutes of the interim meeting:

   L24.  Location Query Authorization: The ability to query emergency
      caller location using a location key MUST be limited to authorized
      end points.

      Motivation:  Where the Emergency Caller does not desire the
      transmission of their location in-band with their call setup, they
      shall have the option of requesting a unique query key such that
      only authorized end points may query the location directly from
      the domain.

Ted commented that the real requirement is that the user of the mapping function be able to protect location information from eavesdropping.

   I30: Routing information MUST be secured against unauthorized
      modification.  PSAPs (or perhaps a higher level civic authority
      such as a county, state/province or national body) or their
      designated representative must be the only entities permitted to
      change routing information.

   D2.  Assuring directory identity: The query agent (e.g UA or server)
      MUST be able to assure that it is querying the intended directory.

   D3.  Query response integrity: The query agent MUST be able to be
      confident that the query or response has not been tampered with.

   D4.  Assurance of Update integrity: Any update mechanism for the
      directory MUST ensure that only authorized users can change
      directory information and must keep an audit log of all change
      transactions.

D4 was considered to be out of scope unless brought back into scope by the specific design chosen by the WG.

   S1.  Authentication override: All outbound proxies and other call
      filtering elements MUST be able to be configured so that they
      allow unauthenticated emergency calls.

      In many jurisdictions, emergency calls can be placed by any
      device, regardless of whether it has subscribed for service.

   S4.  Integrity: Implementations MUST provide mechanisms that ensure
      the integrity of IP protocol components that are crucial to
      providing reliable emergency call service.  (This requirement
      implies authentication of the caller to allow integrity protection
      of the request and authentication of the PSAP to allow integrity
      protection of responses.)

      [Ed. changed "SIP protocol component" to "IP protocol components".
      This requirement is not well understood based on comments
      received.  Further clarification requested.]

11.  Security Considerations

   Note: Security Considerations originally described in this section
   have removed and will be resubmitted to the ECRIT security document.
   No reference yet available.

   SEC1.  Safeguards from Attacks:  Safeguards SHOULD be provided to
      assure against network system attacks.

      Motivation:  Safeguards to protect the emergency infrastructure
      and ECC facilities against malicious attacks, especially to
      prevent DoS attacks.

   SEC2.  Denial of Service attacks:   Special consideration SHOULD be
      given to "Distributed Denial of Service" attacks.

   SEC3 Protocols MUST NOT facilitate denial-of-service attacks, e.g.,
      by amplifying incoming unauthenticated messages.

      [Ed. (per hgs, suggested replacement above first two requirements
      with third requirement.]

What follows is action items extracted from the portion of the minutes dealing specifically with the security document. "Chart x" refers to charts at http://www.ietf-ecrit.org/Interim2005/ecrit-security.ppt.

- Terminology to be updated to match the requirements document.

- chart 3: key point is that caller identity is irrelevant for routing, but is needed for accountability (Chart 6 seems to agree.)

- chart 8: second part out of scope

- chart 10 mostly out of scope

- chart 11, impersonation of PSAP: out of scope

Out of the discussion, an action to identify the protocol-specific security requirements and report them to the list. (Presumably I am picking up this action as editor of the security threats document.)

Tom Taylor


_______________________________________________
Ecrit mailing list
Ecrit at ietf.org
https://www1.ietf.org/mailman/listinfo/ecrit

Follow-Ups:
- Re: [Ecrit] Security requirements absorbed from pre-interim requirements document
  - From: Andrew Newton

Prev by Date: Re: [Ecrit] introduction section (<draft-schulzrinne-ecrit-requirements-01.txt>)
Next by Date: Re: [Ecrit] Security requirements absorbed from pre-interim requirements document
Previous by thread: [Ecrit] Text requirements in draft-schulzrinne-ecrit-requirements-01
Next by thread: Re: [Ecrit] Security requirements absorbed from pre-interim requirements document
Index(es):
- Date
- Thread