Re: [Sip] Doc we need to have draft-ietf-sip-dtls-srtp-framework-01 on the -71 agenda?
At Thu, 28 Feb 2008 14:18:30 -0500,
Jonathan Rosenberg wrote:
>
> Dean Willis wrote:
> > Is there any need for discussion of the DTLS framework
> > (draft-ietf-sip-dtls-srtp-framework-01) during our meeting?
> >
> > The authors think that it is pretty much ready for WGLC and that all
> > known issues have been resolved.
>
> I do not agree.
>
> One of the points I raise in my rfc4474-concerns draft is that dtls-srtp
> is basing integrity of the fingerprint on 4474, and that 4474 does not
> provide integrity against intermediary modifications of the number, and
> even for user@domain names this can happen.
>
> I think this needs to be called out in the draft. The security
> considerations section does not discuss this.

Because it's not a DTLS-SRTP issue. It's a SIP/4474 issue.

The fingerprint in the SIP messaging does *not* tie the DTLS-SRTP
handshake to the phone number or to the domain name. Rather, it ties
the media to the SIP signalling. Period. It allows whatever guarantees
you are prepared to assert about the signalling to be extended to
media. If those guarantees allow you to make assertions about the
caller (or callee) identity, then great. If not, then DTLS-SRTP
doesn't help, nor is it intended to.

Look at it this way:

When the phone rings (or your UA shows you that the other side has
answered), it can show you some meta-information about who you're
talking to. The objections you have to RFC 4474 (and I'm not saying I
agree with them) already apply at this point, before a single RTP
packet has traversed the wire. This is not a DTLS-SRTP issue.

-Ekr
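
Added example, not part of the message above or of the draft: a sketch of the check that ties media to signalling, comparing the certificate seen in the DTLS handshake with the `a=fingerprint` value carried in the SDP. The function names, the sample SDP and the placeholder certificate bytes are assumptions constructed for illustration; the result says nothing about who sent the SDP, only that the media endpoint holds the key the signalling named.

```python
import hashlib
import hmac

# SDP hash-function tokens (RFC 4572 "a=fingerprint") mapped to hashlib names.
HASHES = {"sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

def sdp_fingerprints(sdp):
    """Return [(hash_token, digest_bytes)] for each a=fingerprint line."""
    found = []
    for line in sdp.splitlines():
        line = line.strip()
        if not line.lower().startswith("a=fingerprint:"):
            continue
        fields = line.split(":", 1)[1].split()
        if len(fields) != 2 or fields[0].lower() not in HASHES:
            raise ValueError("malformed or unsupported fingerprint: " + line)
        # bytes.fromhex raises ValueError on non-hex input.
        found.append((fields[0].lower(), bytes.fromhex(fields[1].replace(":", ""))))
    return found

def media_bound_to_signalling(sdp, peer_cert_der):
    """True if the certificate seen in the DTLS handshake matches the SDP."""
    for token, expected in sdp_fingerprints(sdp):
        actual = hashlib.new(HASHES[token], peer_cert_der).digest()
        if hmac.compare_digest(actual, expected):  # constant-time comparison
            return True
    return False  # no fingerprint, or none matched: do not accept the media

def fingerprint_line(cert_der, token="sha-256"):
    """Build the a=fingerprint line an endpoint would put in its SDP."""
    digest = hashlib.new(HASHES[token], cert_der).digest()
    return "a=fingerprint:%s %s" % (token, ":".join("%02X" % b for b in digest))

# Constructed sample data: placeholder bytes stand in for DER certificates.
CERT_OFFERED = b"constructed-der-certificate-of-the-offerer"
CERT_OTHER = b"constructed-der-certificate-of-someone-else"
SAMPLE_SDP = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 UDP/TLS/RTP/SAVP 0", fingerprint_line(CERT_OFFERED)]) + "\r\n"

if __name__ == "__main__":
    print(media_bound_to_signalling(SAMPLE_SDP, CERT_OFFERED))
    print(media_bound_to_signalling(SAMPLE_SDP, CERT_OTHER))
```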