[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Simple] MSRP-ACM compatibility

To: "Ben Campbell" <ben at nostrum.com>
Subject: Re: [Simple] MSRP-ACM compatibility
From: "Christer Holmberg" <christer.holmberg at ericsson.com>
Date: Fri, 1 May 2009 16:01:41 +0200
Cc: Simple WG <simple at ietf.org>
Delivered-to: simple at core3.amsl.com
In-reply-to: <949A60EB-D082-4DED-AE6C-0FFC515574BC at nostrum.com>
List-archive: <http://www.ietf.org/mail-archive/web/simple>
List-help: <mailto:simple-request@ietf.org?subject=help>
List-id: SIP for Instant Messaging and Presence Leveraging Extensions <simple.ietf.org>
List-post: <mailto:simple@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/simple>, <mailto:simple-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/simple>, <mailto:simple-request@ietf.org?subject=unsubscribe>
References: <66cd252f0903311557k14448ac8m62a6ca46e86e2fd4 at mail.gmail.com><66cd252f0904281601q18402163p1e715d709b92f22b at mail.gmail.com> <CA9998CD4A020D418654FCDEF4E707DF0CADF73A at esealmw113.eemea.ericsson.se> <CA9998CD4A020D418654FCDEF4E707DF0B16820A at esealmw113.eemea.ericsson.se> <F348DC0C-FD01-473A-BB7E-4C2FDFECF529 at nostrum.com> <CA9998CD4A020D418654FCDEF4E707DF0CB0FDA7 at esealmw113.eemea.ericsson.se> <49503123-011D-4825-8B2B-7F11A86C550A at nostrum.com> <949A60EB-D082-4DED-AE6C-0FFC515574BC at nostrum.com>
Thread-index: AcnJlekqbsoovmnHRemZQiJfgi3taAAzIqew
Thread-topic: [Simple] MSRP-ACM compatibility

Hi, 

>>> To make this interop with MSRP relays, we would need more work. 
>>> Relays are not involved in the SIP signaling, so there's no
>> opportunity for
>>> them to send a fingerprint. We would need some way for endpoints to 
>>> get fingerprints from the relays, and include them in the signaling.
>>
>> Just for my clarification: how is that related to routing based on 
>> c/m/a=path, and possibly having a B2BUA which may modify the address 
>> information of the ACM client's c/m/a=path?
>
> It's specific to the idea of having TLS cert fingerprints sent in SIP 
> for each relay. It's only needed in case where a middlebox modified 
> the path attribute to modify the IP addresses or host names in the 
> MSRP uris, creating the certificate mismatch we have discussed.

A few questions:


FIRST, RFC4572 already defines the usage of the fingerprint attribute,
so wouldn't your issue also apply if you ONLY use COMEDIA, with relays?


SECOND, as Hadriel wrote earlier (see copy of his e-mail below), the IP
address/ports are not used for the certificate. So, as long as both the
ACM client/SBC belong to foobar.dom, and the MSRP client/relay belong to
anotherfoobar.com, the SBC and relay can have the same certificate as
the client behind them. Or?


THIRD, if a fingerprint is to be provided to/from the relay when an MSRP
message is sent, I guess it could be sent as a To/From-path URI
parameter. Getting the fingerprint to/from the relay BEFORE an MSRP
message is sent is of course more tricky.


Hadriel's e-mail (fri 17th april):
==================================

If I understand your comment, the property you believe is important is
that when a MSRP client is given an MSRPS next-hop to connect to, that
it be able to verify at the MSRP TLS connection level that it is in fact
talking to that next-hop.  Correct?  I agree with that being a very good
property.  

Luckily TLS relies on Certificate CNs/SANs, not IP Addresses/ports, for
identity. (unlike some other identity mechanisms we've been discussing
lately ;) 

If I am told to talk to foobar.com, it does not matter what IP/port at
layer-3 I am talking to, so long as it has foobar.com's Cert.  

So I think what we need in ACM is to provide a way to indicate what (1)
the IP/port to connect to is, vs. (2) what Cert identity to be verified
is.  Comedia-tls (rfc4572) does that with a fingerprint attribute, but
we have been discussing on this list what the appropriate way to do that
for the ACM case is.

Regards,

Christer

Follow-Ups:
- Re: [Simple] MSRP-ACM compatibility
  - From: Ben Campbell

References:
- [Simple] MSRP-ACM compatibility
  - From: Hisham Khartabil
- Re: [Simple] MSRP-ACM compatibility
  - From: Hisham Khartabil
- Re: [Simple] MSRP-ACM compatibility
  - From: Christer Holmberg
- Re: [Simple] MSRP-ACM compatibility
  - From: Christer Holmberg
- Re: [Simple] MSRP-ACM compatibility
  - From: Ben Campbell
- Re: [Simple] MSRP-ACM compatibility
  - From: Christer Holmberg
- Re: [Simple] MSRP-ACM compatibility
  - From: Ben Campbell
- Re: [Simple] MSRP-ACM compatibility
  - From: Ben Campbell

Prev by Date: Re: [Simple] WGLC Review: draft-ietf-simple-chat-04
Next by Date: Re: [Simple] MSRP-ACM compatibility
Previous by thread: Re: [Simple] MSRP-ACM compatibility
Next by thread: Re: [Simple] MSRP-ACM compatibility
Index(es):
- Date
- Thread