RE: [Sipping] SIP Identity Usage in Enterprise Scenarios
> As a further update to my previous email, look at the
> USERNAME provision in the current ID for ICE (draft 05),
> which I consider a weakness of the protocol.

-05 doesn't handle username/password exchanges correctly. I think there
have been a few posts recently on this very topic. -04 did this correctly.

> My preference would be to replace that password with some
> kind of MIKEY exchange such that the password is only for
> that session, otherwise you'll see cheap phones or all with
> the same password being vulnerable,

I don't believe generating a unique STUN username/password is
any harder than a unique SIP Call-ID or tag.

> which I suggest is a strong weakness of ICE.

Considering that each a=candidate line needs its own STUN username/password:

  * If you are proposing MIKEY DH (or MIKEY with any of
    the public key modes), how many a=candidate lines
    will you be able to process before running out of
    CPU horsepower?

  * If you are proposing MIKEY DH (or MIKEY with any
    of the public key modes), we need a public key
    infrastructure. We don't yet have one. ICE was
    invented for NAT traversal, and we can't create a
    need on a non-existing solution (globally
    available PKI) for NAT traversal.

  * If you are proposing the pre-shared key mode, we
    need a way to pre-share the MIKEY keys across
    administrative domains.

-d
_______________________________________________
Sipping mailing list https://www1.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors at cs.columbia.edu for questions on current sip
Use sip at ietf.org for new developments of core SIP
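
Added example, not part of the original message or of any ICE draft: a simplified Python model of the per-candidate STUN username/password idea discussed above, showing that fresh random credentials per a=candidate line keep a check for one candidate or session from validating against another. The candidate ids, message bytes and function names are constructed for illustration, and the HMAC-SHA1 tag is computed over raw bytes rather than real STUN wire format.

```python
import hashlib
import hmac
import secrets


def new_candidate_credentials(candidate_ids):
    """Return {candidate_id: (username, password)} drawn from the OS CSPRNG."""
    return {cid: (secrets.token_urlsafe(12), secrets.token_urlsafe(24))
            for cid in candidate_ids}


def integrity_tag(password, message):
    """HMAC-SHA1 keyed with the candidate password (no STUN framing here)."""
    return hmac.new(password.encode(), message, hashlib.sha1).digest()


def check_request(creds, candidate_id, username, message, tag):
    """Accept only if the username belongs to this candidate and the tag verifies."""
    expected = creds.get(candidate_id)
    if expected is None or not hmac.compare_digest(expected[0], username):
        return False
    return hmac.compare_digest(integrity_tag(expected[1], message), tag)


def demo():
    ids = ["cand1", "cand2", "cand3"]          # constructed candidate ids
    session_a = new_candidate_credentials(ids)
    session_b = new_candidate_credentials(ids)
    msg = b"constructed connectivity check"     # constructed sample message
    user, password = session_a["cand1"]
    tag = integrity_tag(password, msg)
    all_creds = [c for s in (session_a, session_b) for c in s.values()]
    return {
        "valid": check_request(session_a, "cand1", user, msg, tag),
        "other_candidate": check_request(session_a, "cand2", user, msg, tag),
        "other_session": check_request(session_b, "cand1", user, msg, tag),
        "tampered": check_request(session_a, "cand1", user, msg + b"x", tag),
        "all_unique": len(set(all_creds)) == len(all_creds),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```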