[Sip] Signing requests [was: Thoughts on gateways, user=phone, and the Identity/DTLS-SRTP problem]
> -----Original Message-----
> From: sip-bounces at ietf.org [mailto:sip-bounces at ietf.org] On Behalf Of Dean
> Willis
>
> We've realized we have a specification mutual exclusion.
>
> RFC 4474 as written precludes the insertion of an Identity header by
> an authentication service into a SIP message produced by a PSTN
> gateway. However, DTLS-SRTP as written needs such an Identity header
> in order to be able to verify that the media key fingerprint has not
> been altered by a MITM who is also attacking on the media path.
It's not just DTLS-SRTP fingerprints, it's non-SDP MIME bodies as well. For example, the body of a MESSAGE request. Middle-boxes have no need to change such bodies in transit, and we shouldn't want them to. But as it stands right now, some middle-boxes would either break the signature or need to re-sign (if possible), simply because they modify the call-id. It is debatable if changing the call-id has any real security implications for 4474, or if they're so minor that we're cutting off our nose to spite our face.
-hadriel
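
The point above, as an added example that is not part of the original post: the RFC 4474 digest-string covers the Call-ID alongside the message body, so a middle-box that rewrites only the Call-ID invalidates the Identity signature even though the MESSAGE body is untouched. The sample message, the Call-ID values and the helper names are constructed for illustration; the RSA step is omitted and the SHA-1 hash that would be signed is compared instead.

```python
import hashlib
import re

# Constructed sample MESSAGE request (illustrative, not from the thread).
ORIGINAL = (
    "MESSAGE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pc.example.com;branch=z9hG4bK776sgdkse\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 MESSAGE\r\n"
    "Date: Thu, 21 Feb 2008 13:02:03 GMT\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Meet at noon."
)

def parse(msg):
    """Split a SIP message into a lower-cased header dict and the body."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def addr_spec(value):
    """Return the URI inside <...>, or the bare URI without parameters."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def digest_string(msg):
    """RFC 4474 digest-string: From|To|Call-ID|CSeq|Date|[Contact]|body."""
    h, body = parse(msg)
    contact = addr_spec(h["contact"]) if "contact" in h else ""
    return "|".join([addr_spec(h["from"]), addr_spec(h["to"]), h["call-id"],
                     h["cseq"], h["date"], contact, body])

def signed_hash(msg):
    """SHA-1 over the digest-string, the value the RSA signature covers."""
    return hashlib.sha1(digest_string(msg).encode()).hexdigest()

def rewrite_call_id(msg, new_id):
    """Model a middle-box that replaces only the Call-ID header value."""
    return re.sub(r"(?mi)^Call-ID:[^\r\n]*", "Call-ID: " + new_id, msg, count=1)

if __name__ == "__main__":
    forwarded = rewrite_call_id(ORIGINAL, "b2bua-0001")   # constructed value
    print("body unchanged: ", parse(forwarded)[1] == parse(ORIGINAL)[1])
    print("signature valid:", signed_hash(forwarded) == signed_hash(ORIGINAL))
```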
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip