
RE: [Sip] End-to-end security for DTLS-SRTP (FW: I-DAction:draft-fischer-sip-e2e-sec-media-00.txt)



I like this draft, and it solves a very real problem:  providing identity for
SIP requests that traverse B2BUAs and traverse SBCs.

-d

> -----Original Message-----
> From: Fischer, Kai [mailto:kai.fischer at siemens.com] 
> Sent: Wednesday, January 23, 2008 1:34 AM
> To: sip at ietf.org
> Subject: [Sip] End-to-end security for DTLS-SRTP (FW: 
> I-DAction:draft-fischer-sip-e2e-sec-media-00.txt)
> 
> Hi,
> I have submitted a draft proposing a solution to secure a DTLS-SRTP
> handshake and hence SRTP end-to-end (in terms of end-domain to
> end-domain). As discussed during the last IETF meetings and analyzed by
> Dan's Identity-Media draft, current solutions like SIP Identity do not
> protect the authenticity of the fingerprint end-to-end in certain
> inter-domain scenarios. For example, a modification of SDP m-/c-lines or
> the From header field by intermediaries breaks the SIP-Identity or
> Identity-Media signature and causes a re-signing by a domain different
> to the originating one. The draft proposes a solution for such scenarios
> without the need to re-sign during domain traversal and which preserves
> the original identity information.
> 
> I appreciate your comments and opinions to the draft and the proposed
> solution.
> 
> Kai
> 
> 
> > -----Original Message-----
> > From: Internet-Drafts at ietf.org [mailto:Internet-Drafts at ietf.org] 
> > Sent: Wednesday, 23 January 2008 10:20
> > To: i-d-announce at ietf.org
> > Subject: I-D Action:draft-fischer-sip-e2e-sec-media-00.txt 
> > 
> > A New Internet-Draft is available from the on-line 
> > Internet-Drafts directories.
> > 
> > 	Title           : End-to-End Security for DTLS-SRTP
> > 	Author(s)       : K. Fischer
> > 	Filename        : draft-fischer-sip-e2e-sec-media-00.txt
> > 	Pages           : 14
> > 	Date            : 2008-01-23
> > 
> > The end-to-end security properties of DTLS-SRTP depend on the
> > authenticity of the certificate fingerprint exchanged in the
> > signalling channel.  In current approaches the authenticity is
> > protected by SIP-Identity or SIP-Identity-Media.  These types of
> > signatures are broken if intermediaries like Session Border
> > Controllers in other domains change specific information of the SIP
> > header or the SIP body.  The end-to-end security property between the
> > originating and terminating domain is lost if these intermediaries
> > re-sign the SIP message and create a new identity signature using
> > their own domain credentials.
> > 
> > This document defines a new signature type 'Fingerprint-Identity'
> > which is exchanged in the signalling channel.  Fingerprint-Identity
> > covers only those elements of a SIP message necessary to authenticate
> > the certificate fingerprint and to secure media end-to-end.  It is
> > independent from SIP-Identity and SIP-Identity-Media and can be
> > applied in parallel to them.
> > 
> > A URL for this Internet-Draft is:
> > http://www.ietf.org/internet-drafts/draft-fischer-sip-e2e-sec-
> > media-00.txt
> > 
> > To remove yourself from the I-D Announcement list, send a message to
> > i-d-announce-request at ietf.org with the word unsubscribe in the body of
> > the message.
> > You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce
> > to change your subscription settings.
> > 
> > Internet-Drafts are also available by anonymous FTP. Login with the 
> > username "anonymous" and a password of your e-mail address. After 
> > logging in, type "cd internet-drafts" and then
> > 	"get draft-fischer-sip-e2e-sec-media-00.txt".
> > 
> > A list of Internet-Drafts directories can be found in
> > http://www.ietf.org/shadow.html
> > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> > 
> > Internet-Drafts can also be obtained by e-mail.
> > 
> > Send a message to:
> > 	mailserv at ietf.org.
> > In the body type:
> > 	"FILE /internet-drafts/draft-fischer-sip-e2e-sec-media-00.txt".
> > 
> > NOTE:   The mail server at ietf.org can return the document in
> > 	MIME-encoded form by using the "mpack" utility.  To use this
> > 	feature, insert the command "ENCODING mime" before the "FILE"
> > 	command.  To decode the response(s), you will need "munpack" or
> > 	a MIME-compliant mail reader.  Different MIME-compliant mail readers
> > 	exhibit different behavior, especially when dealing with
> > 	"multipart" MIME messages (i.e. documents which have been split
> > 	up into multiple messages), so check your local documentation on
> > 	how to manipulate these messages.
> > 
> > Below is the data which will enable a MIME compliant mail reader
> > implementation to automatically retrieve the ASCII version of the
> > Internet-Draft.
> > 
> 
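The failure mode Kai's message and the draft abstract describe, worked through as an added example that is not part of this thread or of the draft: a signature that covers the whole request (RFC 4474-style digest string over From, To, Call-ID, CSeq, Date, Contact and the body) is invalidated as soon as an SBC rewrites the SDP c-/m-lines for media relay, while a signature covering only the sender identity and the a=fingerprint line survives the rewrite and still detects a substituted fingerprint. Everything here is an assumption of mine for illustration: HMAC-SHA256 with a per-domain key stands in for the originating domain's RSA signature, the field set and canonical form are not the draft's wire format, and the INVITE, certificate bytes and addresses are constructed.

```python
"""Toy model of full-request identity signatures versus a fingerprint-only
signature under SBC SDP rewriting. Added illustration, not code from the
draft or the thread; HMAC stands in for the domain's RSA signature."""
import hashlib
import hmac
import re

# Constructed stand-ins for DER certificate bytes (not real certificates).
ALICE_CERT = b"-- constructed DTLS certificate bytes for alice@example.com --"
OTHER_CERT = b"-- constructed DTLS certificate bytes for some other party --"


def cert_fingerprint(cert_der: bytes) -> str:
    """SDP a=fingerprint value for sha-256: colon-separated uppercase hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def build_invite(fingerprint: str) -> str:
    """Constructed INVITE with a DTLS-SRTP offer carrying the given fingerprint."""
    return (
        "INVITE sip:bob@example.net SIP/2.0\n"
        'From: "Alice" <sip:alice@example.com>;tag=1928301774\n'
        "To: <sip:bob@example.net>\n"
        "Call-ID: a84b4c76e66710@pc33.example.com\n"
        "CSeq: 314159 INVITE\n"
        "Date: Wed, 23 Jan 2008 10:20:00 GMT\n"
        "Contact: <sip:alice@pc33.example.com>\n"
        "Content-Type: application/sdp\n"
        "\n"
        "v=0\n"
        "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\n"
        "s=-\n"
        "c=IN IP4 192.0.2.10\n"
        "t=0 0\n"
        "m=audio 49170 UDP/TLS/RTP/SAVP 0\n"
        f"a=fingerprint:sha-256 {fingerprint}\n"
        "a=setup:actpass\n"
    )


def parse(msg: str):
    """Split a SIP request into a lowercase header dict and the body."""
    head, _, body = msg.partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def identity_digest_string(msg: str) -> str:
    """RFC 4474-style coverage: identity headers plus the entire body."""
    h, body = parse(msg)
    return "|".join([h["from"], h["to"], h["call-id"], h["cseq"],
                     h["date"], h["contact"], body])


def fingerprint_identity_string(msg: str) -> str:
    """Fingerprint-only coverage (my approximation of the draft's idea):
    just what binds the sender identity to the certificate fingerprint."""
    h, body = parse(msg)
    fp_lines = [l for l in body.split("\n") if l.startswith("a=fingerprint:")]
    return "|".join([h["from"], h["date"]] + fp_lines)


def sign(domain_key: bytes, covered: str) -> str:
    return hmac.new(domain_key, covered.encode(), hashlib.sha256).hexdigest()


def verify(domain_key: bytes, covered: str, sig: str) -> bool:
    return hmac.compare_digest(sign(domain_key, covered), sig)


def sbc_rewrite(msg: str, relay_ip: str, relay_port: int) -> str:
    """What a media-relaying SBC does: point c=/m= at its own relay address."""
    msg = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {relay_ip}", msg, flags=re.M)
    msg = re.sub(r"^(m=audio )\d+", lambda m: m.group(1) + str(relay_port),
                 msg, flags=re.M)
    return msg


def fingerprint_matches_cert(msg: str, cert_der: bytes) -> bool:
    """The check the DTLS endpoint performs: offered fingerprint == peer cert."""
    _, body = parse(msg)
    for line in body.split("\n"):
        if line.startswith("a=fingerprint:sha-256 "):
            return line.split(" ", 1)[1].strip() == cert_fingerprint(cert_der)
    return False


def demo() -> dict:
    key = b"constructed example.com domain signing key"
    original = build_invite(cert_fingerprint(ALICE_CERT))
    identity_sig = sign(key, identity_digest_string(original))
    fp_sig = sign(key, fingerprint_identity_string(original))

    relayed = sbc_rewrite(original, "198.51.100.7", 40000)
    # A message whose fingerprint no longer belongs to Alice's certificate.
    substituted = relayed.replace(cert_fingerprint(ALICE_CERT),
                                  cert_fingerprint(OTHER_CERT))
    return {
        "identity_ok_before_sbc": verify(key, identity_digest_string(original), identity_sig),
        "identity_ok_after_sbc": verify(key, identity_digest_string(relayed), identity_sig),
        "fp_identity_ok_after_sbc": verify(key, fingerprint_identity_string(relayed), fp_sig),
        "fp_identity_ok_after_substitution": verify(key, fingerprint_identity_string(substituted), fp_sig),
        "relayed_fp_binds_alice_cert": fingerprint_matches_cert(relayed, ALICE_CERT),
        "substituted_fp_binds_alice_cert": fingerprint_matches_cert(substituted, ALICE_CERT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the results make is the one in the abstract: after the SBC rewrite the full-request signature fails, so a real deployment would have to re-sign in the SBC's domain and the end-domain binding is gone; the fingerprint-only signature still verifies against the originating domain's key, and a fingerprint that no longer matches the offering party's certificate is rejected either by that signature or by the DTLS endpoint's own fingerprint comparison.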



_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip