Network Working Group J. Peterson Internet-Draft Neustar Intended status: Best Current Practice E. Rescorla Expires: September 22, 2016 R. Barnes Mozilla R. Housley Vigilsec March 21, 2016 Best Practices for Securing RTP Media Signaled with SIP draft-peterson-dispatch-rtpsec-00.txt Abstract Although the Session Initital Protocol (SIP) includes a suite of security services that has been expanded by numerous specifications over the years, there is no single place that explains how to use SIP to establish confidential media sessions. Additionally, existing mechanisms have some feature gaps that need to be identified and resolved in order for them to address the pervasive monitoring threat model. This specification describes practices for negotiating confidential media with SIP, including both comprehensive security solutions which bind the media to SIP-layer identities as well as opportunistic security solutions. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 22, 2016. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. Peterson, et al. Expires September 22, 2016 [Page 1] Internet-Draft RTP Security March 2016 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Security at the SIP and SDP layer . . . . . . . . . . . . . . 3 3.1. Comprehensive Security . . . . . . . . . . . . . . . . . 3 3.1.1. Anonymous Communications . . . . . . . . . . . . . . 4 3.2. Opportunistic Security . . . . . . . . . . . . . . . . . 5 4. Media Security . . . . . . . . . . . . . . . . . . . . . . . 5 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 5 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 8. Informative References . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction The Session Initiation Protocol (SIP) [RFC3261] includes a suite of security services, ranging from Digest authentication for authenticating entities with a shared secret, to TLS for transport security, to S/MIME (optional) for body security. SIP is frequently used to establish media sessions, in particular audio or audiovisual sessions, which have their own security mechanisms available, such as Secure RTP [RFC3711]. However, the practices needed to bind security at the media layer to security at the SIP layer, to provide an assurance that protection is in place all the way up the stack, rely on a great many external security mechanisms and practices, and require a central point of documentation to explain their optimal use as a best practice. Revelations about widespread pervasive monitoring of the Internet have led to a reevaluation of the threat model for Internet communications [RFC7258]. In order to maximize the use of security features, especially of media confidentiality, opportunistic measures must often serve as a stopgap when a full suite of services cannot be negotiated all the way up the stack. This document explains the limitations that may inhibit the use of comprehensive security, and provides recommendations for which external security mechanisms Peterson, et al. Expires September 22, 2016 [Page 2] Internet-Draft RTP Security March 2016 implementers should use to negotiate secure media with SIP. It moreover gives a gap analysis of the limitations of existing solutions, and specifies solutions to address them. 2. Terminology In this document, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" are to be interpreted as described in RFC 2119 [RFC2119] and RFC 6919 [RFC6919]. 3. Security at the SIP and SDP layer There are two approaches to providing confidentiality for media sessions set up with SIP: comprehensive security and opportunistic security. 3.1. Comprehensive Security Comprehensive security for media sessions established by SIP requires the interaction of three protocols: SIP, the Session Description Protocol (SDP), and the Real-time Protocol, in particular its secure profile SRTP. Broadly, it is the responsibility of SIP to provide integrity for the media keying attributes conveyed by SDP, and those attributes will in turn identify the keys used by endpoints in the RTP media session that SDP negotiates. In that way, once SIP and SDP have exchanged the necessary information to initiate a session, the media endpoints will have a strong assurance that the keys they exchange have not been tampered with by third parties, and that end- to-end confidentiality is available. Our current target mechanism for establishing the identity of the endpoints of a SIP session is the use of STIR [I-D.ietf-stir-rfc4474bis]. The STIR signature has been designed to prevent a class of impersonation attacks that are commonly used in robocalling, voicemail hacking, and related threats. STIR generates a signature over certain features of SIP requests, including header field values that contain an identity for the originator of the request, such as the From header field or P-Asserted-Identity field, and also over the media keys in SDP if they are present. As currently defined, STIR only provides a signature over the "a=fingerprint" attribute, which is a key fingerprint utilized by DTLS-SRTP [RFC5763]; consequently, STIR only offers comprehensive security for SIP sessions, in concert with SDP and SRTP, when DTLS- SRTP is the media security service. The underlying security object of STIR is extensible, however, and it would be possible to provide signatures over other SDP attributes that contain alternate keying material. Peterson, et al. Expires September 22, 2016 [Page 3] Internet-Draft RTP Security March 2016 A STIR verification service can act in concept with an SRTP media endpoint to ensure that the key fingerprints, as given in SDP, match the keys exchanged to establish DTLS-SRTP. Typically, the verification service function would in this case be implemented in the SIP UAS, which would be composed with the media endpoint. If the STIR authentication service or verification service functions are implemented at an intermediary rather than an endpoint, this introduces the possibility that the intermediary could act as a man- in-the-middle, altering key fingerprints. As this attack is not in STIR's core threat model, which focuses on impersonation rather than man-in-the-middle attacks, STIR offers no specific protections against it. However, it would be possible to build a deployment profile of STIR for media confidentiality which shifts these responsibilities to the endpoints rather than the intermediaries. Note that STIR provides integrity protection for the SDP bodies of SIP requests, but not SIP responses. When a session is established, therefore, any SDP body carried by a 200 class response in the backwards direction will not be protected by an authentication service and cannot be verified. Thus, sending a secured SDP body in the backwards direction will require an extra RTT, typically a re- INVITE in the backwards direction. Again, this could be specified as a component of a secure media profile for STIR. Future versions of this specification will show in detail how those gaps can be filled. 3.1.1. Anonymous Communications In some cases, the identity of the initiator of a SIP session may be withheld due to user or provider policy. Per the recommendations of [RFC3323], this may involve using an identity such as "anonymous@anonymous.invalid" in the identity fields of a SIP request. [I-D.ietf-stir-rfc4474bis] does not currently permit authentication services to sign for requests that supply this identity. It does however permit signing for valid domains, such as "anonymous@example.com," as a way of implementation an anonymization service as specified in [RFC3323]. Even for anonymous sessions, providing media confidentiality and partial SDP integrity is still desirable. Barring the use of an anonymization service, this can only be accomplished with opportunistic security; the value of trying to provide an intermediate level between comprehensive and opportunistic security for this use case is a matter for futher discussion and study. Peterson, et al. Expires September 22, 2016 [Page 4] Internet-Draft RTP Security March 2016 3.2. Opportunistic Security Work is already underway on defining approaches to opportunistic media security for SIP in [I-D.johnston-dispatch-osrtp], which builds on the prior efforts of [I-D.kaplan-mmusic-best-effort-srtp]. The major protocol change proposed by that draft is to signal the use of opportunistic encryption by negotiating the AVP profile in SDP, rather than the SAVP profile (as specified in [RFC3711]) that would ordinarily be used when negotiating SRTP. Opportunistic encryption approaches typically have no integrity protection for the keying material in SDP. Sending SIP over TLS hop- by-hop between user agents and any intermediaries will reduce the prospect that active attackers can alter keys for session requests on the wire. 4. Media Security As there are several ways to negotiate media security with SDP, any of which might be used with either opportunistic or comprehensive security, further guidance to implementers is needed. In [I-D.johnston-dispatch-osrtp], opportunistic approaches considered include DTLS-SRTP, security descriptions [RFC4568], and ZRTP [RFC6189]. In order to prevent men-in-the-middle from decrypting media traffic, the "a=crypto" SDP parameter of security descriptions requires signaling confidentiality which STIR and related comprehensive security approaches cannot provide, so delivering keys by value in SDP in this fashion is NOT RECOMMENDED. Both DTLS-SRTP and ZRTP instead provide hashes which are carried in SDP, and thus require only integrity protection rather than confidentiality. Of DTLS-SRTP and ZRTP, only DTLS-SRTP is a Standards Track Internet protocol. Future versions of this specification will give specific recommendations on support for media security protocols. Future versions of this specification will explore the issue of multiple fingerprints appearing in the message, and offers that include both DTLS-SRTP and ZRTP security. 5. Acknowledgments We would like to thank YOU for contributions to this problem statement and framework. Peterson, et al. Expires September 22, 2016 [Page 5] Internet-Draft RTP Security March 2016 6. IANA Considerations This memo includes no requests to the IANA. 7. Security Considerations This document describes the security features that provide media sessions established with SIP with confidentiality, integrity, and authentication. 8. Informative References [I-D.ietf-stir-rfc4474bis] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, "Authenticated Identity Management in the Session Initiation Protocol (SIP)", draft-ietf-stir-rfc4474bis-07 (work in progress), February 2016. [I-D.johnston-dispatch-osrtp] Johnston, A., Aboba, B., Hutton, A., Liess, L., and T. Thomas, "An Opportunistic Approach for Secure Real-time Transport Protocol (OSRTP)", draft-johnston-dispatch- osrtp-02 (work in progress), February 2016. [I-D.kaplan-mmusic-best-effort-srtp] Audet, F. and H. Kaplan, "Session Description Protocol (SDP) Offer/Answer Negotiation For Best-Effort Secure Real-Time Transport Protocol", draft-kaplan-mmusic-best- effort-srtp-01 (work in progress), October 2006. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, . [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model with Session Description Protocol (SDP)", RFC 3264, DOI 10.17487/RFC3264, June 2002, . Peterson, et al. Expires September 22, 2016 [Page 6] Internet-Draft RTP Security March 2016 [RFC3323] Peterson, J., "A Privacy Mechanism for the Session Initiation Protocol (SIP)", RFC 3323, DOI 10.17487/RFC3323, November 2002, . [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. Norrman, "The Secure Real-time Transport Protocol (SRTP)", RFC 3711, DOI 10.17487/RFC3711, March 2004, . [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session Description Protocol (SDP) Security Descriptions for Media Streams", RFC 4568, DOI 10.17487/RFC4568, July 2006, . [RFC5124] Ott, J. and E. Carrara, "Extended Secure RTP Profile for Real-time Transport Control Protocol (RTCP)-Based Feedback (RTP/SAVPF)", RFC 5124, DOI 10.17487/RFC5124, February 2008, . [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)", RFC 5763, DOI 10.17487/RFC5763, May 2010, . [RFC6189] Zimmermann, P., Johnston, A., Ed., and J. Callas, "ZRTP: Media Path Key Agreement for Unicast Secure RTP", RFC 6189, DOI 10.17487/RFC6189, April 2011, . [RFC6919] Barnes, R., Kent, S., and E. Rescorla, "Further Key Words for Use in RFCs to Indicate Requirement Levels", RFC 6919, DOI 10.17487/RFC6919, April 2013, . [RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014, . Authors' Addresses Peterson, et al. Expires September 22, 2016 [Page 7] Internet-Draft RTP Security March 2016 Jon Peterson Neustar, Inc. 1800 Sutter St Suite 570 Concord, CA 94520 US Email: jon.peterson@neustar.biz Eric Rescorla Mozilla Email: ekr@rtfm.com Richard Barnes Mozilla Email: rbarnes@mozilla.com Russ Housley Vigilsec Email: rhousley@vigilsec.com Peterson, et al. Expires September 22, 2016 [Page 8]