[martini] User vs route authentication (was Re: Requirements - rev1)
Dean Willis <dean.willis@softarmor.com> Fri, 22 January 2010 17:14 UTC
Return-Path: <dean.willis@softarmor.com>
X-Original-To: martini@core3.amsl.com
Delivered-To: martini@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B291328C123 for <martini@core3.amsl.com>; Fri, 22 Jan 2010 09:14:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SeISZCeKE--l for <martini@core3.amsl.com>; Fri, 22 Jan 2010 09:14:34 -0800 (PST)
Received: from nylon.softarmor.com (nylon.softarmor.com [66.135.38.164]) by core3.amsl.com (Postfix) with ESMTP id D251328C11E for <martini@ietf.org>; Fri, 22 Jan 2010 09:14:32 -0800 (PST)
Received: from [10.188.233.210] (65-65-155-30.dsl.bigbend.net [65.65.155.30] (may be forged)) (authenticated bits=0) by nylon.softarmor.com (8.14.3/8.14.3/Debian-5) with ESMTP id o0MHEQJD006921 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT) for <martini@ietf.org>; Fri, 22 Jan 2010 11:14:28 -0600
Message-Id: <CECEE94B-5CC8-40A1-A261-F6BEA2E55713@softarmor.com>
From: Dean Willis <dean.willis@softarmor.com>
To: martini@ietf.org
In-Reply-To: <4B59B21B.7040405@cisco.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 22 Jan 2010 11:14:20 -0600
References: <A444A0F8084434499206E78C106220CA660B0716@MCHP058A.global-ad.net> <EDC0A1AE77C57744B664A310A0B23AE209DCD4D7@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com><E6C2E8958BA59A4FB960963D475F7AC31A59D9693F@mail><4B4F520C.9000208@nostrum.com><A444A0F8084434499206E78C106220CA6A1588F0@MCHP058A.global-ad.net><4B5283C4.9080700@nostrum.com> <EE7493DA-6D3E-4600-AA9D-DEAAE225E6BB@softarmor.com> <C7917E09CB7A432C8AB5BEC908AB6C6F@china.huawei.com> <51AABAC7-B5A7-4ED5-B07B-13C0CFDB4C87@softarmor.com> <A444A0F8084434499206E78C106220CAB4C1DF86@MCHP058A.global-ad.net> <E96CC066-98CF-40ED-8D7C-BEA32B24B9B7@softarmor.com> <4B59B21B.7040405@cisco.com>
X-Mailer: Apple Mail (2.936)
Subject: [martini] User vs route authentication (was Re: Requirements - rev1)
X-BeenThere: martini@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion of en-mass SIP PBX registration mechanisms <martini.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/martini>, <mailto:martini-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/martini>
List-Post: <mailto:martini@ietf.org>
List-Help: <mailto:martini-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/martini>, <mailto:martini-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2010 17:14:36 -0000
On Jan 22, 2010, at 8:11 AM, Paul Kyzivat wrote: > Dean, > > I don't think the points you make about security assumptions have > been raised before, and they are important. > Thanks! I try to say at least one relevant thing for every three crazy ones. > OTOH, I surmise many of those that are requesting this work may have > more limited expectations. Specifically, the argument that "the PBX > *is* the user" may indeed apply in the case where the PBX is itself > a B2BUA and does all the identity management for all the numbers it > is responsible for. So perhaps the registration model would be > applicable in that limited (but large) scope of applicability. You have an excellent point. If the SSP were a traditional proxy/registrar that is authoritative for the domain and the PBX were a multi-user telephone adapter with credentials for each user in the domain, such that the PBX could send a unique REGISTER for each user, then we might well be having a different conversation. This conversation would be about ways to reduce the number of REGISTER messages required to effect registration of the PBX as a contact for each user. So we might be talking about "multiple authentication", perhaps extending the digest-authentication model to allow a separate authentication header for each AOR being registered. This would preserve the property that the proxy/registrar has established an authenticated relationship between each AOR and its Contact, a property that is fundamental to REGISTER within RFC 3261 and its current kin. Such an approach would clearly work reasonably well within our current security assumptions, although it should be noted that it does not prevent "identity substitution" attacks in the PBX. For example, if the PBX chose to claim that a call is from Bob when in fact the originating user is Alice, the SSP has no way to determine that this substitution has been made. This is a fundamental property of a shared connection in SIP (or indeed, in multi-user systems in general; how do you know this email came from me and not my sysadmin?) and there's not a lot we can do about it short of requiring users to provide single-use keys for each transaction (the equivalent of me signing this message using PGP). If we scoped the applicability to such an environment, then I'd be willing to accept that REGISTER can be used for a domain, at least to the extent I think it works for an individual user (I think REGISTER is deeply wounded and we've had to put a lot of ugly bandaids on it to keep it from bleeding out). MARTINI could quite reasonably define an extension to REGISTER that works within this scope. However, our discussion recently has centered on models where SSP is NOT authoritative for the domain in-question; rather it is just one of many possible relays that might be used to reach the domain- authoritative "PBX". This model potentially allows SSP to make different security assertions. For example, SSP could assert 1) that SSP is transitively authorized as a route for reaching the domain of pbx.com, and that 2) a request exiting through SSP comes from some user in the domain of PBX. Note that this second assertion is not the same as SSP being able to assert that a specific user in the domain is involved. In this model, only PBX (or perhaps the user itself) can make assertions about specific user identities. The fundamental security question: How does SSP prove to others that it is authorized to route requests to/from the domain of PBX? We don't have a security framework for this in SIP. This leads to the "alt root" problem we recently discussed. What keeps a rogue node from claiming to be authoritative as a route toward a domain? For that matter, what keeps a node from claiming to be authoritative for a domain itself, rather than just as a route toward that domain? Let's start with this second question and work backwards. Our fundamental security model (when we have any security at all) assumes that the node that is authoritative for a domain has in its possession booth the public and private keys needed to cryptographically assert that domain. This understanding comes from the basic references of TLS in RFC 3261, and is echoed in our various documents (draft-ietf-sip- certs, draft-ietf-sip-domain-certs, etc.). So if we make a TLS connection to a node, and that TLS connection uses at the other end a trusted cert for the domain in question, then we assume that the other end is trusted to assert identities within that domain. RFC 3274 provides a transitive mechanism for assertion of identity in the context of a SIP request message that is also based on this model of certification. So what we need is something like RFC 3274 for route certification. This has to allow for route redistribution and aggregation, since there might be more than one relay proxy between the source and destination of a SIP request. Adam's draft-roach-martini-up-00 defines a possible syntax for a "route" (using XML), as well as a means for advertising a route (PUBLISH). One can readily envision adding a signature to this syntax. It's straightforward then to go from a single-hop route to a routing vector, where each hop in the vector is signed by the next hop, providing a fully certificated transit chain to the destination. -- Dean
- Re: [martini] Requirements - rev1 David Hancock
- Re: [martini] Requirements - rev1 Elwell, John
- [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 bruno.chatras
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 DRAGE, Keith (Keith)
- Re: [martini] Requirements - rev1 DRAGE, Keith (Keith)
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 DRAGE, Keith (Keith)
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 David Hancock
- Re: [martini] Requirements - rev1 Paul Kyzivat
- Re: [martini] Requirements - rev1 DRAGE, Keith (Keith)
- Re: [martini] Requirements - rev1 bruno.chatras
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 Paul Kyzivat
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 Dean Willis
- Re: [martini] Requirements - rev1 Hadriel Kaplan
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 Paul Kyzivat
- Re: [martini] Requirements - rev1 Bernard Aboba
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 Bernard Aboba
- Re: [martini] Requirements - rev1 Paul Kyzivat
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 Spencer Dawkins
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 David Hancock
- Re: [martini] Requirements - rev1 Bernard Aboba
- Re: [martini] Requirements - rev1 Dean Willis
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 Dean Willis
- Re: [martini] Requirements - rev1 Paul Kyzivat
- [martini] User vs route authentication (was Re: R… Dean Willis
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 Brian Lindsay
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] User vs route authentication (was R… Paul Kyzivat
- Re: [martini] Requirements - rev1 Dean Willis
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 Brian Lindsay
- Re: [martini] Requirements - rev1 Paul Kyzivat
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 Spencer Dawkins
- Re: [martini] Requirements - rev1 bruno.chatras
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 Elwell, John
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 Adam Roach
- Re: [martini] Requirements - rev1 Spencer Dawkins
- Re: [martini] Requirements - rev1 Paul Kyzivat
- Re: [martini] Requirements - rev1 Brian Lindsay
- [martini] Enumerating AORs/contacts Elwell, John
- Re: [martini] Requirements - rev1 bruno.chatras
- Re: [martini] Enumerating AORs/contacts bruno.chatras
- Re: [martini] Enumerating AORs/contacts Elwell, John
- Re: [martini] Enumerating AORs/contacts bruno.chatras
- Re: [martini] Enumerating AORs/contacts Spencer Dawkins
- Re: [martini] Enumerating AORs/contacts Paul Kyzivat
- Re: [martini] Enumerating AORs/contacts Adam Roach
- Re: [martini] Enumerating AORs/contacts Brian Lindsay
- Re: [martini] Requirements - rev1 Dean Willis
- Re: [martini] Enumerating AORs/contacts Bernard Aboba
- Re: [martini] Enumerating AORs/contacts bruno.chatras
- Re: [martini] Enumerating AORs/contacts Hadriel Kaplan
- Re: [martini] Enumerating AORs/contacts Dean Willis
- Re: [martini] Enumerating AORs/contacts Elwell, John
- Re: [martini] Enumerating AORs/contacts Elwell, John
- Re: [martini] Enumerating AORs/contacts Dean Willis
- Re: [martini] Enumerating AORs/contacts Adam Roach
- Re: [martini] Requirements - rev1 Cullen Jennings
- Re: [martini] Enumerating AORs/contacts Spencer Dawkins
- Re: [martini] Enumerating AORs/contacts Spencer Dawkins
- Re: [martini] Enumerating AORs/contacts bruno.chatras
- Re: [martini] Enumerating AORs/contacts Adam Roach
- Re: [martini] Enumerating AORs/contacts Dean Willis
- Re: [martini] Enumerating AORs/contacts Hadriel Kaplan
- Re: [martini] Requirements - rev1 Dean Willis
- Re: [martini] Requirements - rev1 DRAGE, Keith (Keith)
- Re: [martini] Enumerating AORs/contacts Adam Roach
- Re: [martini] Enumerating AORs/contacts Dean Willis
- Re: [martini] Enumerating AORs/contacts Hadriel Kaplan
- Re: [martini] Enumerating AORs/contacts bruno.chatras
- Re: [martini] Requirements - rev1 Cullen Jennings
- Re: [martini] Enumerating AORs/contacts Elwell, John
- Re: [martini] Requirements - rev1 DRAGE, Keith (Keith)