Re: [Sip] scope of derive

[Dean Willis <dean.willis at softarmor.com>]

On Dec 5, 2008, at 3:27 PM, Hadriel Kaplan wrote:

> > -----Original Message-----
> > From: sip-bounces at ietf.org [mailto:sip-bounces at ietf.org] On Behalf  
> > Of Dean
> > Willis
> > Sent: Friday, December 05, 2008 12:22 PM
> >
> > In a third attack scenario, presume the attacker's goal is to
> > impersonate a caller, such as the infamous "Radio-Show Sarkozy/Palin"
> > calls.
> > Here the goal is not necessarily to prevent the call, but to give the
> > called party some level of comfort as to the authenticity of the
> > caller's expression of identity.
> > Indirect return routability checks clearly establish that the calling
> > party is sufficiently in-control of the expressed identity as to be
> > able to receive calls directed toward that identity. This is better
> > than nothing; it can't prove identity, but it greatly decreases the
> > probability of a random radio DJ being able to make a prank call.
>
> Actually, I would debate that.  Derive and other return-routability  
> checks have the property of: "if I pass then you know I'm good, if I  
> fail then you know nothing (neither good nor bad)".   I would argue  
> such a property is only useful in voice communications if it passes  
> and provides a positive/"good" result *frequently*.

Well, if you had previously told me that you should always pass RRC  
and then fail, I might assume the caller isn't you.

> For example, if the odds of Derive passing is low in general, then  
> PaliFrom sip-bounces at ietf.org  Sat Dec  6 10:07:29 2008
Return-Path: <sip-bounces at ietf.org>
X-Original-To: sip-archive at optimus.ietf.org
Delivered-To: ietfarch-sip-archive at core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id CF2ED3A680B;
	Sat,  6 Dec 2008 10:07:29 -0800 (PST)
X-Original-To: sip at core3.amsl.com
Delivered-To: sip at core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 089263A680B
	for <sip at core3.amsl.com>; Sat,  6 Dec 2008 10:07:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Level: 
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[AWL=0.009, 
	BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id BvWBbKa0kL0s for <sip at core3.amsl.com>;
	Sat,  6 Dec 2008 10:07:28 -0800 (PST)
Received: from nylon.softarmor.com (nylon.softarmor.com [66.135.38.164])
	by core3.amsl.com (Postfix) with ESMTP id 3071F3A680A
	for <sip at ietf.org>; Sat,  6 Dec 2008 10:07:28 -0800 (PST)
Received: from [192.168.2.102] (cpe-72-181-150-177.tx.res.rr.com
	[72.181.150.177] (may be forged)) (authenticated bits=0)
	by nylon.softarmor.com (8.13.8/8.13.8/Debian-3) with ESMTP id
	mB6I6xb8011369
	(version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT);
	Sat, 6 Dec 2008 12:07:00 -0600
Message-Id: <97F0A98C-70C4-4177-ABD1-5DB5FCA74DE8 at softarmor.com>
From: Dean Willis <dean.willis at softarmor.com>
To: Hadriel Kaplan <HKaplan at acmepacket.com>
In-Reply-To: <E6C2E8958BA59A4FB960963D475F7AC3137F29132B at mail>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Sat, 6 Dec 2008 12:06:53 -0600
References: <4925F842.2040803 at iptel.org>
	<0C76C183-E4D3-400D-9199-EF87D3631D45 at softarmor.com>
	<E6C2E8958BA59A4FB960963D475F7AC3137F29132B at mail>
X-Mailer: Apple Mail (2.929.2)
Cc: "sip at ietf.org" <sip at ietf.org>, Cullen Jennings <fluffy at cisco.com>
Subject: Re: [Sip] scope of derive
X-BeenThere: sip at ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sip>,
	<mailto:sip-request at ietf.org?subject=unsubscribe>
List-Post: <mailto:sip at ietf.org>
List-Help: <mailto:sip-request at ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sip>,
	<mailto:sip-request at ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: sip-bounces at ietf.org
Errors-To: sip-bounces at ietf.org


On Dec 5, 2008, at 3:27 PM, Hadriel Kaplan wrote:

> > -----Original Message-----
> > From: sip-bounces at ietf.org [mailto:sip-bounces at ietf.org] On Behalf  
> > Of Dean
> > Willis
> > Sent: Friday, December 05, 2008 12:22 PM
> >
> > In a third attack scenario, presume the attacker's goal is to
> > impersonate a caller, such as the infamous "Radio-Show Sarkozy/Palin"
> > calls.
> > Here the goal is not necessarily to prevent the call, but to give the
> > called party some level of comfort as to the authenticity of the
> > caller's expression of identity.
> > Indirect return routability checks clearly establish that the calling
> > party is sufficiently in-control of the expressed identity as to be
> > able to receive calls directed toward that identity. This is better
> > than nothing; it can't prove identity, but it greatly decreases the
> > probability of a random radio DJ being able to make a prank call.
>
> Actually, I would debate that.  Derive and other return-routability  
> checks have the property of: "if I pass then you know I'm good, if I  
> fail then you know nothing (neither good nor bad)".   I would argue  
> such a property is only useful in voice communications if it passes  
> and provides a positive/"good" result *frequently*.

Well, if you had previously told me that you should always pass RRC  
and then fail, I might assume the caller isn't you.

> For example, if the odds of Derive passing is low in general, then  
> Palin would n would have had to assume it *was* Sarkozy even if it failed.   
> Why?  Because she assumes it now, with no such checking, and the  
> odds of this thing passing are low per the supposition.
>
> Therefore, if we feel the odds of a return-routability check  
> succeeding is low in general, it is NOT the case that: "it greatly  
> decreases the probability of a random radio DJ being able to make a  
> prank call."

But in general, you're confounding the second part of my analysis with  
the first, so keep reading . . .

--
Dean

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip


have had to assume it *was* Sarkozy even if it failed.   
> Why?  Because she assumes it now, with no such checking, and the  
> odds of this thing passing are low per the supposition.
>
> Therefore, if we feel the odds of a return-routability check  
> succeeding is low in general, it is NOT the case that: "it greatly  
> decreases the probability of a random radio DJ being able to make a  
> prank call."

But in general, you're confounding the second part of my analysis with  
the first, so keep reading . . .

--
Dean

_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sipping at ietf.org for new developments on the application of sip