[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Sip] FW: I-D Action:draft-kaplan-sip-session-id-00.txt

To: sip at ietf.org
Subject: Re: [Sip] FW: I-D Action:draft-kaplan-sip-session-id-00.txt
From: Dale.Worley at comcast.net
Date: Thu, 20 Nov 2008 14:22:46 -0500 (EST)
Delivered-to: ietfarch-sip-web-archive at core3.amsl.com
Delivered-to: sip at core3.amsl.com
In-reply-to: <E6C2E8958BA59A4FB960963D475F7AC313726C28DB at mail> (HKaplan at acmepacket.com)
List-help: <mailto:sip-request@ietf.org?subject=help>
List-id: Session Initiation Protocol <sip.ietf.org>
List-post: <mailto:sip@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
References: <E6C2E8958BA59A4FB960963D475F7AC3136C7E982E at mail> <200811200121.mAK1L68w70382772 at shell01.TheWorld.com> <4924C3E4.40304 at cisco.com> <E6C2E8958BA59A4FB960963D475F7AC313726C28DB at mail>
Sender: sip-bounces at ietf.org

   From: Hadriel Kaplan <HKaplan at acmepacket.com>

   Although the draft mentions a UUID as one option, it leaves the
   mechanism to be decided.

In that regard, the draft is somewhat self-contradictory.  In one
place it mentions UUIDs and in another place, it specifies the
Session-Id as a crypto-random quantity.  But some UUID formats contain
the MAC address of the creator thereof, which violates the stated
security considerations.

   One thing we could do instead of UUID, for example, would be to
   make it a hash of the received call-id and local system/node ID and
   MAC or some such.  In other words take some non-volatile system
   data munged with the call-id, and hash it to get the 128 bits of
   output for the Session-ID header value.  That way a stateless proxy
   can re-generate the same value again for upstream and downstream
   requests and responses, without it compromising or being
   re-create-able just from the call-id value and giving a reason for
   folks to remove it.

You'll have to include in the hash a secret local key.  Otherwise an
adversary can check a guessed correspondence between a Call-Id and a
Session-Id.

Dale
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip

Follow-Ups:
- Re: [Sip] FW: I-D Action:draft-kaplan-sip-session-id-00.txt
  - From: Hadriel Kaplan

References:
- [Sip] FW: I-D Action:draft-kaplan-sip-session-id-00.txt
  - From: Hadriel Kaplan
- Re: [Sip] FW: I-D Action:draft-kaplan-sip-session-id-00.txt
  - From: Dale . Worley
- Re: [Sip] FW: I-D Action:draft-kaplan-sip-session-id-00.txt
  - From: Paul Kyzivat
- Re: [Sip] FW: I-D Action:draft-kaplan-sip-session-id-00.txt
  - From: Hadriel Kaplan

Prev by Date: Re: [Sip] Review of draft-kuthan-sip-derive-00
Next by Date: Re: [Sip] FW: I-D Action:draft-kaplan-sip-session-id-00.txt
Previous by thread: Re: [Sip] FW: I-D Action:draft-kaplan-sip-session-id-00.txt
Next by thread: Re: [Sip] FW: I-D Action:draft-kaplan-sip-session-id-00.txt
Index(es):
- Date
- Thread