[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] submission of a new I-D: "Dialog Event foRIdentityVErification"

To: "'Victor Pascual Ávila'" <victor.pascual.avila at gmail.com>
Subject: Re: [Sip] submission of a new I-D: "Dialog Event foRIdentityVErification"
From: "Dan Wing" <dwing at cisco.com>
Date: Wed, 29 Oct 2008 11:44:54 -0700
Authentication-results: sj-dkim-2; header.From=dwing at cisco.com; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: sip at ietf.org
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=4565; t=1225305893; x=1226169893; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing at cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing at cisco.com> |Subject:=20RE=3A=20[Sip]=20submission=20of=20a=20new=20I-D =3A=20=22Dialog=20Event=20foRIdentityVErification=22 |Sender:=20; bh=mGNqNaWk6o3pid2pfB1tZWFHFAFBZsdypkhHvThoVCk=; b=ZBBXjciWz4Ca4IU3+GwGzk+VHCikzVbbmzkBCzW0hg8YSA9rnndYY5RWtV xiLdqzEBXTN0F/CaPurtqHHUSSAWDHkKPewtN3u5rFc5c6BNcTJX2Sw+Ts51 jC/on4vxck;
In-reply-to: <618e24240810290415i7ede4601tf2fd78aaed755445 at mail.gmail.com>
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <618e24240810250809j664bf47ay2745cc9fbf7b0565 at mail.gmail.com> <D38ED479-3722-438A-83B8-F023E02B58A3 at softarmor.com> <200810261145.19745.ibc at aliax.net> <57762491-BE4C-4763-9312-09335B1D7C0C at softarmor.com> <084c01c938a0$a41ff390$c3f0200a at cisco.com> <cc1f582e0810280444y42b8f723w938004e902fb1180 at mail.gmail.com> <032301c93978$6b249c70$c3f0200a at cisco.com> <618e24240810290415i7ede4601tf2fd78aaed755445 at mail.gmail.com>
Sender: sip-bounces at ietf.org
Thread-index: Ack5t7eqvsEFA64yQGajGAp6h2A1tAAOorZw

 

> -----Original Message-----
> From: Victor Pascual Ávila [mailto:victor.pascual.avila at gmail.com] 
> Sent: Wednesday, October 29, 2008 4:16 AM
> To: Dan Wing
> Cc: sip at ietf.org
> Subject: Re: [Sip] submission of a new I-D: "Dialog Event 
> foRIdentityVErification"
> 
> Hi Dan,
> Please, see my comments inline.
> 
> On Wed, Oct 29, 2008 at 4:42 AM, Dan Wing <dwing at cisco.com> wrote:
> >> 2008/10/28 Dan Wing <dwing at cisco.com>:
> >> > Here is another return routability check,
> >> > http://tools.ietf.org/html/draft-wing-sip-e164-rrc-01#section-3.1
> >> > (My I-D expired due to lack of interest.)
> >>
> >> It uses RFC 4474, certificates... is it really feasible in
> >> this real world?
> >
> > No, it doesn't use RFC4474.  The steps merely show where an RFC4474
> > signature could be performed.  If no RFC4474 signatures are
> > being created, or validated, those steps are the 'null operation'
> > (not performed).  Without those steps, it is remarkably similar
> > to DERIVE.
> >
> >> IMHO "Dialog Event foR Identity VErification" is the more feasible
> >> solution at the moment.
> >
> > The differences are minor.
> 
> The Return Routability Check (RRC) determines if a domain rightfully
> 'owns' an E.164 phone number, but DOES NOT prevent an attacker from
> presenting a forged "From" header field.
> 
> As an example:
> 
> INVITE sip:victor at tekelec.com SIP/2.0
> From: +14085551234 
> <sip:+14085551234 at iptel.org;user=phone>;tag=9fxced76sl
> To: Victor <sip:victor at tekelec.com>
> Call-ID: 3848276298220188511 at iptel.org
> Contact: <sip:attacker at pc1.attacker.com>
> Content-Type: application/sdp
> Content-Length: ...
> 
> [SDP not shown]
> 
> Where iptel.org owns the +14085551234 number.
> 
> Section 3.2:
> -The SUBSCRIBE should be immediately acknowledged
> -A NOTIFY should be immediately created and sent
> 
> 
> Moreover IMO:
> - it requires the use of signatures (or RFC4474): see 
> Sections 3, 3.1 and 3.2

As I said previously:  if there is no signature service, this is the null
operation.  The UA is competely incapable of causing or forcing its domain to
generate an RFC4474 signature, anyway, so it's impossible for a UA to
'require' such a signature.

> - it is defined to be used only with e164-based SIP URIs
> 
> In short, this is a good document but, as I mentioned before, ONLY
> determines if a domain rightfully 'owns' an E.164 phone number, it
> doesn't ask "are you calling me?"

Easily added; draft-wing-sip-e164-rrc-01 currently reads:

   3.2.  Authentication Service or Calling Endpoint Operation

   The steps described in this section can be performed by the
   authentication service or by the calling endpoint.

   The authentication service or the calling endpoint, upon receiving a
   SUBSCRIBE for the return-routability event package, performs the
   following steps:

   1.   The SUBSCRIBE should be immediately acknowledged with a 200 Ok
       ^
   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   INSERT "If there is another active INVITE dialog, which has not 
           received its 200 Ok, then"

       message.
                ^
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      INSERT "If there is not another active INVITE dialog, an error
        response is sent (e.g., 4xx), and processing stops."

   2.  A NOTIFY should be immediately created, containing the same
       application/return-routability-nonce copied from the SUBSCRIBE.
       This NOTIFY contains a To and Request-URI which match the From of
       the SUBSCRIBE.

   3.  This NOTIFY is sent.

   4.  The RFC4474 authentication service, operating at the domain, will
       create a signature over the NOTIFY.  This is used by the remote
       domain's verification service (see Section 3.1).


I'm not interested in having a competing proposal, though, or arguing
nits about which 4xx response code is most appropriate.

We should be arguing about larger issues, such as the value of proving 
someone is actually originating a call.  Without that, we cannot have 
reliable whitelists or reliably blacklists, which are the foundations 
for authorizing incoming SIP requests.

I support draft-kuthan-sip-derive-00, and hope the WG can devote
time and energy to improving and standardizing it to work well
across a variety of networks.

-d

> Thanks a lot for your comments,
> -- 
> Victor Pascual Ávila
> 

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

Follow-Ups:
- Re: [Sip] submission of a new I-D: "Dialog Event foRIdentityVErification"
  - From: Elwell, John
- Re: [Sip] submission of a new I-D: "Dialog Event foRIdentityVErification"
  - From: Victor Pascual Ávila

References:
- [Sip] submission of a new I-D: "Dialog Event foR Identity VErification"
  - From: Victor Pascual Ávila
- Re: [Sip] submission of a new I-D: "Dialog Event foR Identity VErification"
  - From: Dean Willis
- Re: [Sip] submission of a new I-D: "Dialog Event foR Identity VErification"
  - From: Iñaki Baz Castillo
- Re: [Sip] submission of a new I-D: "Dialog Event foR Identity VErification"
  - From: Dean Willis
- Re: [Sip] submission of a new I-D: "Dialog Event foR IdentityVErification"
  - From: Dan Wing
- Re: [Sip] submission of a new I-D: "Dialog Event foR IdentityVErification"
  - From: Iñaki Baz Castillo
- Re: [Sip] submission of a new I-D: "Dialog Event foRIdentityVErification"
  - From: Dan Wing
- Re: [Sip] submission of a new I-D: "Dialog Event foRIdentityVErification"
  - From: Victor Pascual Ávila

Prev by Date: Re: [Sip] draft-ietf-sip-info-events-00 using RFC 3265 instead
Next by Date: Re: [Sip] So where are we at with WGLC of draft-ietf-sip-body-handling?
Previous by thread: Re: [Sip] submission of a new I-D: "Dialog Event foRIdentityVErification"
Next by thread: Re: [Sip] submission of a new I-D: "Dialog Event foRIdentityVErification"
Index(es):
- Date
- Thread