idnits 2.17.1 draft-ietf-simple-msrp-cema-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (May 3, 2012) is 4377 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 4566 (Obsoleted by RFC 8866) ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 SIMPLE Working Group C. Holmberg 3 Internet-Draft S. Blau 4 Intended status: Standards Track Ericsson 5 Expires: November 4, 2012 E. Burger 6 Georgetown University 7 May 3, 2012 9 Connection Establishment for Media Anchoring (CEMA) for the Message 10 Session Relay Protocol (MSRP) 11 draft-ietf-simple-msrp-cema-05.txt 13 Abstract 15 This document defines a Message Session Relay Protocol (MSRP) 16 extension, Connection Establishment for Media Anchoring (CEMA). 17 Support of the extension is optional. The extension allows 18 middleboxes to anchor the MSRP connection, without the need for 19 middleboxes to modify the MSRP messages, and thus also enables a 20 secure end-to-end MSRP communication in networks where such 21 middleboxes are deployed. The document also defines a Session 22 Description Protocol (SDP) attribute, 'msrp-cema', that MSRP 23 endpoints use to indicate support of the CEMA extension. 25 Status of this Memo 27 This Internet-Draft is submitted to IETF in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on November 4, 2012. 42 Copyright Notice 44 Copyright (c) 2012 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 60 2. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 3. Applicability Statement . . . . . . . . . . . . . . . . . . . 5 62 4. Connection Establishment for Media Anchoring Mechanism . . . . 6 63 4.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 6 64 4.2. MSRP SDP Offerer Procedures . . . . . . . . . . . . . . . 7 65 4.3. MSRP SDP Answerer Procedures . . . . . . . . . . . . . . . 8 66 4.4. Address Information Matching . . . . . . . . . . . . . . . 10 67 4.5. Usage With the Alternative Connection Model . . . . . . . 11 68 5. The SDP 'msrp-cema' attribute . . . . . . . . . . . . . . . . 11 69 5.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 11 70 5.2. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . 11 71 6. Middlebox Assumptions . . . . . . . . . . . . . . . . . . . . 11 72 6.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 11 73 6.2. MSRP Awareness . . . . . . . . . . . . . . . . . . . . . . 11 74 6.3. TCP Connection Reuse . . . . . . . . . . . . . . . . . . . 12 75 6.4. SDP Integrity . . . . . . . . . . . . . . . . . . . . . . 12 76 6.5. TLS . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 77 7. Security Considerations . . . . . . . . . . . . . . . . . . . 13 78 7.1. General . . . . . . . . . . . . . . . . . . . . . . . . . 13 79 7.2. Man-in-the-Middle Attacks . . . . . . . . . . . . . . . . 13 80 7.3. TLS Usage without Middleboxes . . . . . . . . . . . . . . 13 81 7.4. TLS Usage with Middleboxes . . . . . . . . . . . . . . . . 14 82 7.5. Authentication, Credentials and Key Management . . . . . . 14 83 7.6. Endpoint procedures for TLS negotiation . . . . . . . . . 15 84 7.7. Fingerprint Based Authentication . . . . . . . . . . . . . 16 85 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 86 8.1. IANA Registration of the SDP 'msrp-cema' attribute . . . . 17 87 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17 88 10. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 17 89 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 90 11.1. Normative References . . . . . . . . . . . . . . . . . . . 19 91 11.2. Informative References . . . . . . . . . . . . . . . . . . 20 92 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 94 1. Introduction 96 The Message Session Relay Protocol (MSRP) [RFC4975] expects to use 97 MSRP relays [RFC4976] as a means for Network Address Translation 98 (NAT) traversal and policy enforcement. However, many Session 99 Initiation Protocol (SIP) [RFC3261] networks, which deploy MSRP, 100 contain middleboxes. These middleboxes anchor and control media, 101 perform tasks such as NAT traversal, performance monitoring, address 102 domain bridging, interconnect Service Layer Agreement (SLA) policy 103 enforcement, and so on. One example is the Interconnection Border 104 Control Function (IBCF) [GPP23228], defined by the 3rd Generation 105 Partnership Project (3GPP). The IBCF controls a media relay that 106 handles all types of SIP session media such as voice, video, MSRP, 107 etc. 109 MSRP, as defined in RFC 4975 [RFC4975] and RFC 4976 [RFC4976], cannot 110 anchor through middleboxes. The reason is that MSRP messages have 111 routing information embedded in the message. Without an extension 112 such as CEMA, middleboxes must read the message to change the routing 113 information. This occurs because middleboxes modify the address:port 114 information in the Session Description Protocol (SDP) [RFC4566] c/m- 115 line in order to anchor media. An "active" [RFC6135] MSRP UA 116 establishes the MSRP TCP or TLS connection based on the MSRP URI of 117 the SDP 'path' attribute. This means that the MSRP connection will 118 not be routed through the middlebox, unless the middlebox also 119 modifies the MSRP URI of the topmost SDP 'path' attribute. In many 120 scenarios this will prevent the MSRP connection from being 121 established. In addition, if the middlebox modifies the MSRP URI of 122 the SDP 'path' attribute, then the MSRP URI comparison procedure 123 [RFC4975], which requires consistency between the address information 124 in the MSRP messages and the address information carried in the MSRP 125 URI of the SDP 'path' attribute, will fail. 127 The only way to achieve interoperability in this situation is for the 128 middlebox to act as an MSRP back-to-back User Agent (B2BUA). Here 129 the MSRP B2BUA acts as the endpoint for the MSRP signaling and media, 130 performs the corresponding modification in the associated MSRP 131 messages, and originates a new MSRP session towards the actual remote 132 endpoint. However, the enabling of MSRP B2BUA functionality requires 133 substantially more resource usage in the middlebox, that normally 134 result in negative performance impact. In addition, the MSRP message 135 needs to be exposed in clear text to the MSRP B2BUA, which violates 136 the end-to-end principle [RFC3724] . 138 This specification defines an MSRP extension, Connection 139 Establishment for Media Anchoring (CEMA). CEMA in most cases allows 140 MSRP endpoints to communicate through middleboxes, as defined in 141 Section 2, without a need for the middleboxes to be an MSRP B2BUA. 143 In such cases, middleboxes, that want to anchor the MSRP connection 144 simply modify the SDP c/m-line address information, similar to what 145 the middleboxes do for non-MSRP media types. MSRP endpoints that 146 support the CEMA extension will use the SDP c/m-line address 147 information for establishing the TCP or TLS connection for sending 148 and receiving MSRP messages. 150 The CEMA extension is backward compatible, meaning that CEMA-enabled 151 MSRP endpoints can communicate with non-CEMA-enabled endpoints. In 152 scenarios where MSRP endpoints do not support the CEMA extension, an 153 MSRP endpoint that supports the CEMA extension behaves in the same 154 way as an MSRP endpoint that does not support it. The CEMA extension 155 only provides an alternative mechanism for negotiating and providing 156 address information for the MSRP TCP connection. After the creation 157 of the MSRP connection, an MSRP endpoint that supports the CEMA 158 extension acts according to the procedures for creating MSRP 159 messages, performing checks when receiving MSRP messages defined in 160 RFC 4975 and, when it is using a relay for MSRP communications, RFC 161 4976. 163 2. Conventions 165 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 166 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 167 document are to be interpreted as described in BCP 14, RFC 2119 168 [RFC2119]. 170 Definitions: 172 Fingerprint Based TLS Authentication: An MSRP endpoint that uses a 173 self-signed certificate and sends a fingerprint (i.e., a hash of the 174 self-signed certificate)in SDP to the other MSRP endpoint. This 175 fingerprint binds the TLS key exchange to the signaling plane and 176 authenticates the other endpoint based on trust in the signaling 177 plane. 179 Name Based TLS Authentication: An MSRP endpoint that uses a 180 certificate from a trusted certification authority and the other 181 endpoint matches the hostname in the received TLS communication 182 SubjectAltName extension towards the hostname received in the MSRP 183 URI in SDP. 185 B2BUA: This is an abbreviation for back-to-back user agent. 187 MSRP B2BUA: A network element that terminates an MSRP connection from 188 one MSRP endpoint and reoriginates that connection towards another 189 MSRP endpoint. Note the MSRP B2BUA is distinct from a SIP B2BUA. A 190 SIP B2BUA terminates a SIP session and reoriginates that session 191 towards another SIP endpoint. In the context of MSRP, a SIP endpoint 192 initiates a SIP session towards another SIP endpoint. However, that 193 INVITE may go through, for example, an outbound Proxy or inbound 194 Proxy to route to the remote SIP endpoint. As part of that SIP 195 session an MSRP session, that may follow the SIP session path, is 196 negotiated. However, there is no requirement to co-locate the SIP 197 network elements with the MSRP network elements. 199 TLS B2BUA: A network element that terminates security associations 200 (SAs) from endpoints, and establishes separate SAs between itself and 201 each endpoint. 203 Middlebox: A SIP network device that modifies SDP media address:port 204 information in order to steer or anchor media flows described in the 205 SDP, including TCP and TLS connections used for MSRP communication, 206 through a media proxy function controlled by the SIP endpoint. In 207 most cases the media proxy function relays the MSRP messages without 208 modification, while in some circumstances it acts as a MSRP B2BUA. 209 Other SIP related functions, such as related to routing, modification 210 of SIP information etc, performed by the Middlebox, and whether it 211 acts a SIP B2BUA or not, is outside the scope of this document. 212 Section 5 describes additional assumptions regarding how the 213 Middlebox handles MSRP in order to support the extension defined in 214 this document. 216 Media anchor: An entity that performs media anchoring inserts itself 217 in the media path of a media communication session between two 218 entities. The entity will receive, and forward, the media sent 219 between the entities. 221 This document reuses the terms answer, answerer, offer and offerer as 222 defined in RFC 3264. 224 3. Applicability Statement 226 This document defines a Message Session Relay Protocol (MSRP) 227 extension, Connection Establishment for Media Anchoring (CEMA). 228 Support of the extension is optional. The extension allows 229 Middleboxes to anchor the MSRP connection, without the need for 230 Middleboxes to modify the MSRP messages, and thus also enables a 231 secure end-to-end MSRP communication in networks where such 232 Middleboxes are deployed. The document also defines a Session 233 Description Protocol (SDP) attribute, 'msrp-cema', that MSRP 234 endpoints use to indicate support of the CEMA extension. 236 The CEMA extension is primarily intended for MSRP endpoints that 237 operate in networks in which Middleboxes that want to anchor media 238 connections are deployed, without the need for the Middleboxes to 239 enable MSRP B2BUA functionality. An example of such network is the 240 IP Multimedia Subsystem (IMS) defined by the 3rd Generation 241 Partnership Project (3GPP), which also has the capability for all 242 endpoints to use Name-based TLS Authentication. The extension is 243 also useful for other MSRP endpoints operating in other networks, but 244 that communicate with MSRP endpoints in networks with such 245 Middleboxes, unless there is a gateway between the networks that by 246 default always enable MSRP B2BUA functionality. 248 This document assumes certain behaviors on the part of Middleboxes, 249 as described in Section 6. These behaviors are not standardized. If 250 Middleboxes do not behave as assumed, then the CEMA extension does 251 not add any value over base MSRP behavior. MSRP endpoints that 252 support CEMA are required to use RFC 4975 behavior in cases where 253 they detect that the CEMA extension cannot be enabled. 255 4. Connection Establishment for Media Anchoring Mechanism 257 4.1. General 259 This section defines how an MSRP endpoint that supports the CEMA 260 extension generates SDP offers and answers for MSRP, and which SDP 261 information elements the MSRP endpoint uses when creating the TCP or 262 TLS connection for sending and receiving MSRP messages. 264 Based on the procedures described in sections 4.2 and 4.3, in the 265 following cases the CEMA extension will not be enabled, and there 266 will be a fallback to the MSRP connection establishment procedures 267 defined in RFC 4975 and RFC 4976: 269 - A non-CEMA-enabled MSRP endpoint becomes "active" [RFC6135] (no 270 matter whether it uses a relay for its MSRP communication or not), as 271 it will always establish the MSRP connection using the SDP 'path' 272 attribute, which contains the address information of the remote MSRP 273 endpoint, instead of using the SDP c/m-line which contains the 274 address information of the Middlebox. 276 - A non-CEMA-enabled MSRP endpoint that uses a relay for its MSRP 277 communication becomes "passive" [RFC6135], as it cannot be assumed 278 that the MSRP endpoint inserts the address information of the relay 279 in the SDP c/m-line. 281 - A CEMA-enabled MSRP endpoint that uses a relay for its MSRP 282 communication becomes "active", since if it adds the received SDP 283 c/m-line address information to the ToPath header field of the MSRP 284 message (in order for the relay to establish the MSRP connection 285 towards the Middlebox), the session matching [RFC4975] performed by 286 the remote MSRP endpoint will fail. 288 4.2. MSRP SDP Offerer Procedures 290 When a CEMA-enabled offerer sends an SDP offer for MSRP, it generates 291 the SDP offer according to the procedures in RFC 4975. In addition, 292 the offerer follows RFC 4976 if it is using a relay for MSRP 293 communication. The offerer also performs the following additions and 294 modifications: 296 1. The offerer MUST include an SDP 'msrp-cema' attribute in the MSRP 297 media description of the SDP offer. 299 2. If the offerer is not using a relay for MSRP communication, it 300 MUST include an SDP 'setup' attribute in the MSRP media description 301 of the SDP offer, according to the procedures in RFC 6135 [RFC6135]. 303 3. If the offerer is using a relay for MSRP communication, it MUST, 304 in addition to including the address information of the relay in the 305 topmost SDP 'path' attribute, also include the address information of 306 the relay, rather than the address information of itself, in the SDP 307 c/m-line associated with the MSRP media description. In addition, it 308 MUST include an SDP 'setup:actpass' attribute in the MSRP media 309 description of the SDP offer. 311 When the offerer receives an SDP answer, if the MSRP media 312 description of the SDP answer does not contain an SDP 'msrp-cema' 313 attribute, and if any of the following criteria below is met, the 314 offerer MUST fallback to RFC 4975 behavior, by sending a new SDP 315 offer according to the procedures in RFC 4975 and RFC 4976. The new 316 offer MUST NOT contain an SDP 'msrp-cema' attribute. 318 1. The SDP c/m-line address information associated with the MSRP 319 media description does not match Section 4.4 the information in the 320 MSRP URI of the 'path' attribute(s) (in which case is assumed that 321 the SDP c/m-line contains the address to a Middlebox), and the MSRP 322 endpoint will become "passive" (if the MSRP media description of the 323 SDP answer contains an SDP 'setup:active' attribute). 325 NOTE: If an MSRP URI contains a domain name, it needs to be resolved 326 into an IP address and port before it is checked against the SDP c/m- 327 line address information, in order to determine whether the address 328 information matches. 330 2. The offerer uses a relay for its MSRP communication, the SDP c/m- 331 line address information associated with the MSRP media description 332 does not match the information in the MSRP URI of the SDP 'path' 333 attribute(s) (in which case is assumed that the SDP c/m-line contains 334 the address to a Middlebox), and the offerer will become "active" 335 (either by default or if the MSRP media description of the SDP answer 336 contains an SDP 'setup:passive' attribute). 338 3. The remote MSRP endpoint, acting as an answerer, uses a relay for 339 its MSRP communication, the SDP c/m-line address information 340 associated with the MSRP media description does not match the 341 information in the MSRP URI of the SDP 'path' attributes (in which 342 case is assumed that the SDP c/m-line contains the address to a 343 Middlebox), and the MSRP offerer will become "active" (either by 344 default or if the MSRP media description of the SDP answer contains 345 an SDP 'setup:passive' attribute). 347 NOTE: As described in section 5, in the absence of the SDP 'msrp- 348 cema' attribute in the new offer, it is assumed that a Middlebox will 349 act as an MSRP B2BUA in order to anchor MSRP media. 351 The offerer can send the new offer within the existing early dialog 352 [RFC3261], or it can terminate the early dialog and establish a new 353 dialog by sending the new offer in a new initial INVITE request. 355 The offerer MAY choose to terminate the session establishment if it 356 can detect that a Middlebox acting as an MSRP B2BUA is not the 357 desired remote MSRP endpoint. 359 If the answerer uses a relay for its MSRP communication, and the SDP 360 c/m-line address information associated with the MSRP media 361 description matches one of the SDP 'path' attributes, it is assumed 362 that there is no Middlebox in the network. In that case the offerer 363 MUST fallback to RFC 4975 behavior, but it does not need to send a 364 new SDP offer. 366 In other cases, where none of the criteria above is met, and where 367 the MSRP offerer becomes "active", it MUST use the SDP c/m-line for 368 establishing the MSRP TCP connection. If the offerer becomes 369 "passive", it will wait for the answerer to establish the TCP 370 connection, according to the procedures in RFC 4975. 372 4.3. MSRP SDP Answerer Procedures 374 If the MSRP media description of the SDP offer does not contain an 375 SDP 'msrp-cema' attribute, and the SDP c/m-line address information 376 associated with the MSRP media description does not match the 377 information in the MSRP URI of the SDP 'path' attribute(s), the 378 answerer MUST either reject the offered MSRP connection (by using a 379 zero port value number in the generated SDP answer), or reject the 380 whole SDP offer carrying SIP request with a 488 Not Acceptable Here 381 [RFC3261] response. 383 NOTE: The reasons for the rejection is that the answerer assumes that 384 a middlebox, that do not support the CEMA extension, has modified the 385 c/m-line address information of the SDP offer, without enabling MSRP 386 B2BUA functionality. 388 NOTE: If an MSRP URI contains a domain name, it needs to be resolved 389 into an IP address and port before it is checked against the SDP c/m- 390 line address information, in order to determine whether the address 391 information matches. 393 If any of the criteria below is met, the answerer MUST fallback to 394 RFC 4975 behavior and generate the associated SDP answer according to 395 the procedures in RFC 4975 and RFC 4976. The answerer MUST NOT 396 insert an SDP 'msrp-cema' attribute in the MSRP media description of 397 the SDP answer. 399 1. Both MSRP endpoints are using relays for their MSRP 400 communication. The answerer can detect if the remote MSRP endpoint, 401 acting as an offerer, is using a relay for its MSRP communication if 402 the MSRP media description of the SDP offer contains multiple SDP 403 'path' attributes. 405 2. The offerer uses a relay for its MSRP communication, and will 406 become "active" (either by default or if the MSRP media description 407 of the SDP offer contains an SDP 'setup:active' attribute). Note 408 that a CEMA-enabled offerer would include an SDP 'setup:actpass' 409 attribute in the SDP offer, as described in Section 4.2. 411 3. The answerer uses a relay for MSRP communication and is not able 412 to become "passive" (if the MSRP media description of the offer 413 contains an SDP 'setup:passive' attribute. Note that an offerer is 414 not allowed to include an SDP 'setup:passive' attribute in an SDP 415 offer, as described in RFC 6135. 417 In all other cases, the answerer generates the associated SDP answer 418 according to the procedures in RFC 4975 and RFC 4976, with the 419 following additions and modifications: 421 1. The answerer MUST include an SDP 'msrp-cema' attribute in the 422 MSRP media description of the SDP answer. 424 2. If the answerer is not using a relay for MSRP communication, it 425 MUST include an SDP 'setup' attribute in the MSRP media description 426 of the answer, according to the procedures in RFC 6135. 428 3. If the answerer is using a relay for MSRP communication, it MUST, 429 in addition to including the address information of the relay in the 430 topmost SDP 'path' attribute, also include the address information of 431 the relay, rather than the address information of itself, in the SDP 432 c/m-line associated with the MSRP media description. In addition, 433 the answerer MUST include an SDP 'setup:passive' attribute in the 434 MSRP media description of the SDP answer. 436 If the answerer included an SDP 'msrp-cema' attribute in the MSRP 437 media description of the SDP answer, and if the answerer becomes 438 "active", it MUST use the received SDP c/m-line for establishing the 439 MSRP TCP or TLS connection. If the answerer becomes "passive", it 440 will wait for the offerer to establish the MSRP TCP or TLS 441 connection, according to the procedures in RFC 4975. 443 4.4. Address Information Matching 445 When comparing address information in the SDP c/m-line and an MSRP 446 URI, for address and port equivalence, the address and port values 447 are retrieved in the following ways: 449 - SDP c/m-line address information: The IP address is retrieved from 450 the SDP c- line, and the port from the associated SDP m- line for 451 MSRP. 453 - In case the SDP c- line contains a Fully Qualified Domain Name 454 (FQDN), the IP address is retrieved using DNS. 456 - MSRP URI address information: The IP address and port are retrieved 457 from the authority part of the MSRP URI. 459 - In case the authority part of the MSRP URI contains a Fully 460 Qualified Domain Name (FQDN), the IP address is retrieved using DNS, 461 according to the procedures in section 6.2 of RFC 4975. 463 NOTE: According to RFC 4975, the authority part of the MSRP URI must 464 always contain a port. 466 Before IPv6 addresses are compared for equivalence, they need to be 467 converted into the same representation, using the mechanism defined 468 in RFC 5952 [RFC5952]. 470 NOTE: In case the DNS returns multiple records, each needs to be 471 compared against the SDP c/m- line address information, in order to 472 find at least one match. 474 NOTE: If the authority part of the MSRP URI contains special 475 characters, they are handled according to the procedures in section 476 6.1 of RFC 4975. 478 4.5. Usage With the Alternative Connection Model 480 An MSRP endpoint that supports the CEMA extension MUST support the 481 mechanism defined in RFC 6135, as it extends the number of scenarios 482 where one can use the CEMA extension. An example is where an MSRP 483 endpoint is using a relay for MSRP communication, and it needs to be 484 "passive" in order to use the CEMA extension, instead of doing a 485 fallback to RFC 4975 behavior. 487 5. The SDP 'msrp-cema' attribute 489 5.1. General 491 The SDP 'msrp-cema' attribute is used by MSRP entities to indicate 492 support of the CEMA extension, according to the procedures in 493 Sections 4.2 and 4.3. 495 5.2. Syntax 497 This section describes the syntax extensions to the ABNF syntax 498 defined in RFC 4566 required for the SDP 'msrp-cema' attribute. The 499 ABNF defined in this specification is conformant to RFC 5234 500 [RFC5234]. 502 attribute /= msrp-cema-attr 503 ;attribute defined in RFC 4566 504 msrp-cema-attr = "msrp-cema" 506 6. Middlebox Assumptions 508 6.1. General 510 This document does not specify explicit Middlebox behavior, even 511 though Middleboxes enable some of the procedures described here. 512 However, as MSRP endpoints are expected to operate in networks where 513 Middleboxes that want to anchor media are present, this document 514 makes certain assumptions regarding to how such Middleboxes behave. 516 6.2. MSRP Awareness 518 In order to support interoperability between UAs that support the 519 CEMA extension and UAs that do not support the extension, the 520 Middlebox is MSRP aware. This means that it implements MSRP B2BUA 521 functionality. The Middlebox enables that functionality in cases 522 where the offerer does not support the CEMA extension. In cases 523 where the SDP offer indicates support of the CEMA extension, the 524 Middlebox can simply modify the SDP c/m-line address information for 525 the MSRP connection. 527 In cases where the Middlebox enables MSRP B2BUA functionality, it 528 acts as an MSRP endpoint. If it does not use the CEMA procedures it 529 will never forward the SDP 'msrp-cema' attribute in SDP offers and 530 answers. 532 If the Middlebox does not implement MSRP B2BUA functionality, or does 533 not enable it when the SDP 'msrp-cema' attribute is not present in 534 the SDP offer, CEMA-enabled MSRP endpoints will in some cases be 535 unable to interoperate with non-CEMA-enabled endpoints across the 536 Middlebox. 538 6.3. TCP Connection Reuse 540 Middleboxes do not need to parse and modify the MSRP payload when 541 endpoints use the CEMA extension. A Middlebox that does not parse 542 the MSRP payload probably will not be able to reuse TCP connections 543 for multiple MSRP sessions. Instead, in order to associate an MSRP 544 message with a specific session, the Middlebox often assigns a unique 545 local address:port combination for each MSRP session. Due to this, 546 between two Middleboxes there might be a separate connection for each 547 MSRP session. 549 If the Middlebox does not assign a unique address:port combination 550 for each MSRP session, and does not parse MSRP messages, it might end 551 up forwarding MSRP messages towards the wrong destination. 553 6.4. SDP Integrity 555 This document assumes that Middleboxes are able to modify the SDP 556 address information associated with the MSRP media, and that they are 557 able to modify the SDP address information associated with the MSRP 558 media. 560 NOTE: Eventhough the CEMA extension as such works with end-to-end SDP 561 protection, the main advantage of the extension is in networks where 562 Middleboxes are deployed. 564 If the Middlebox is unable to modify SDP payloads due to end-to-end 565 integrity protection, it will be unable to anchor MSRP media as the 566 SIP signaling would fail due to integrity violations. 568 6.5. TLS 570 When UAs use the CEMA extension, this document assumes that 571 Middleboxes relay MSRP media packets at the transport layer. The TLS 572 handshake and resulting security association (SA) can be established 573 peer-to-peer between the MSRP endpoints. The Middlebox will see 574 encrypted MSRP media packets, but is unable to inspect the clear text 575 content. 577 When UAs fall back to RFC 4975 behavior Middleboxes act as TLS 578 B2BUAs. The Middlebox decrypts MSRP media packets received from one 579 MSRP endpoint, and then re-encrypts them before sending them toward 580 the other MSRP endpoint. Middleboxes can inspect and modify the MSRP 581 message content. 583 7. Security Considerations 585 7.1. General 587 Unless otherwise stated, the security considerations in RFC 4975 and 588 RFC 4976 still apply. This section only describes additions and 589 changes introduced by the CEMA extension. 591 In deployments where Middleboxes are always used, which is the main 592 use case for the CEMA extension, the CEMA extension increases the 593 security by enabling the use of end-to-end TLS between the two 594 endpoints. If the key management does not depend on trust in the 595 signaling plane, this greatly increases the security. If the key 596 management depends on trust in the signaling plane, the Middlebox is 597 by definition trusted, but the security is still increased as the 598 cleartext is not available in the Middlebox. 600 7.2. Man-in-the-Middle Attacks 602 If TLS is not used to protect MSRP, the CEMA extension might make it 603 easier for a man-in-the-middle to transparently insert itself in the 604 communication between MSRP endpoints in order to monitor or record 605 unprotected MSRP communication. This can be mitigated by the use of 606 TLS. It is therefore RECOMMENDED to use TLS [RFC5246]. It is also 607 recommended to use TLS e2e, which CEMA enables even in the case of 608 Middleboxes. For backward compatibility, a CEMA-enabled MSRP 609 endpoint MUST implement TLS. 611 7.3. TLS Usage without Middleboxes 613 If TLS is use without Middleboxes, the security considerations in RFC 614 4975 and RFC 4976 still apply unchanged. Note that this is not the 615 main use case for the CEMA extension. 617 7.4. TLS Usage with Middleboxes 619 This is the main use case for the CEMA extension; the endpoints 620 expect one or more Middlebox. 622 The CEMA extension supports the usage of both name-based 623 authentication and fingerprint based authentication for TLS in the 624 presence of Middleboxes. The use of fingerprint based authentication 625 requires signaling integrity protection. This can e.g. be hop-by-hop 626 cryptographic protection or cryptographic access protection combined 627 with physical trust in other parts of the signaling plane. As stated 628 in section 6.4, this document assumes that Middleboxes are able to 629 modify the SDP address information associated with the MSRP media, 630 and that they are able to modify the SDP address information 631 associated with the MSRP media. 633 If a Middlebox acts as a TLS B2BUA, the security considerations are 634 the same as without the CEMA extension. In such case the Middlebox 635 acts as TLS endpoints. 637 If a Middlebox does not act as a TLS B2BUA, TLS is e2e and the 638 Middlebox just forwards the TLS packets. This requires that both 639 peers support the CEMA extension. 641 If fingerprint based authentication is used, the MSRP endpoints might 642 not be able to decide whether the Middlebox acts as a TLS B2BUA or 643 not. But this is not an issue as the signaling network is considered 644 trusted by the endpoint (a requirement to use fingerprint based 645 authentication). 647 7.5. Authentication, Credentials and Key Management 649 One issue with usage of TLS (not specific to CEMA) is the 650 availability of a PKI. Endpoints can always provide self-signed 651 certificates. However, this relies on that the SDP signaling is 652 integrity protected, which may not always be the case. 654 Therefore, it addition to the authentication mechanisms defined in 655 RFC 4975, it is RECOMMENDED that a CEMA-enabled MSRP endpoint also 656 supports self-signed certificates together Certificate Management 657 Service [RFC6072], to which it publishes its self-signed certificate 658 and from which it fetches on demand the self-signed certificates of 659 other endpoints. 661 Alternate key distribution mechanisms, such as DANE [DANE], PGP 662 [RFC6091], MIKEY-TICKET [RFC6043] or some other technology, might 663 become ubiquitous enough to solve the key distribution problem in the 664 future. 666 One of the target deployments for CEMA is the 3GPP IMS SIP network. 667 In this environment authentication and credential management is less 668 of a problem as the SDP signaling is mostly considered trusted, 669 service providers provision signed certificates or manage signed 670 certificates on behalf of their subscribers, and MIKEY-TICKET is 671 available. Some of these options require trusting the service 672 provider, but those issues are beyond the scope of this document. 674 7.6. Endpoint procedures for TLS negotiation 676 The CEMA extension does not change the endpoint procedures for TLS 677 negotiation. As in RFC 4975, the MSRP endpoint uses the negotiation 678 mechanisms in SDP and then the TLS handshake to agree on a mechanisms 679 and algorithms that both support. The mechanisms can be divided in 680 three different security levels: 682 - MSRPS: Security Mechanisms that does not rely on trusted signaling 683 such as name based authentication 685 - MSRPS: Mechanisms that do rely on trusted signaling such as 686 fingerprint based authentication 688 - MSRP: Unprotected 690 If the endpoint uses security mechanisms that does not rely on 691 trusted signaling the endpoint can detect if a Middlebox is inserted. 692 It is therefore RECOMMENDED to use such a mechanism. 694 If the endpoint uses security mechanisms that rely on trusted 695 signaling the endpoint may not be able to detect if a Middlebox is 696 inserted (by the trusted network operator). To be able to eavesdrop 697 a Middlebox must do an active "attack" on the setup signaling. A 698 Middlebox cannot insert itself at a later point. 700 If Unprotected MSRP is used, the endpoint cannot detect if a 701 Middlebox is inserted and Middleboxes may be inserted at any time 702 during the session. 704 The mechanism in RFC 6072 [RFC6072] provides end-to-end security 705 without relying on trust in the signaling, and eases the use and 706 deployment of name based authentication. 708 The procedures for choosing and offering name based authentication, 709 fingerprint based authentication, and unprotected MSRP as described 710 in RFC 4975 still apply. 712 7.7. Fingerprint Based Authentication 714 If the endpoint cannot use a key management protocol that does not 715 rely on trust in the signaling such as name based authentication, the 716 only alternative is fingerprint based authentication. 718 The use of fingerprint based authentication requires integrity 719 protection of the signaling plane. This can e.g. be end-to-end 720 cryptographic protection, hop-by-hop cryptographic protection, or 721 cryptographic access protection combined with physical trust in other 722 parts of the signaling plane. Unless cryptographic end-to-end SDP 723 integrity protection or encryption is used this may be hard for the 724 endpoint to decide. In the end it is up to the endpoint to decide 725 whether the signaling path is trusted or not. 727 How this decision is done is implementation specific, but normally 728 signaling over the internet SHOULD NOT be trusted. Signaling over a 729 local or closed network MAY be trusted. Such networks can e.g. be a 730 closed enterprise network or a network operated by an operator that 731 the end user trusts. In e.g. IMS the signaling traffic in the 732 access network is integrity protected and the traffic is routed over 733 a closed network separated from the Internet. If the network is not 734 trusted the endpoints SHOULD NOT use fingerprint authentication. 736 It should however be noted that using fingerprint based 737 authentication over an insecure network increases the security 738 compared to unencrypted MSRP as this makes it harder to perform an 739 man-in-the-middle attack. Such an attack needs to be done to both 740 the signaling and the media plane, which may be separated. It does 741 not however give any guarantees that such a man-in-the-middle attack 742 is not taking place. A client using DTLS-SRTP [RFC5764] for VoIP 743 media security may wish to use fingerprint based authentication also 744 for MSRP media security. 746 MSRPS with fingerprint based authentication is vulnerable to attacks 747 due to vulnerabilities in the SIP signaling. If there are weaknesses 748 in the integrity protections on the SIP signaling, an attacker may 749 insert malicious middleboxes to alter, record, or otherwise harm the 750 media. With insecure signaling, it can be difficult for an endpoint 751 to even be aware the remote endpoint has any relationship to the 752 expected endpoint. Securing the SIP signaling does not solve all 753 problems. For example, in a SIPS environment, the endpoints have no 754 cryptographic way of validating that one or more SIP Proxies in the 755 proxy chain are not, in fact, malicious. 757 8. IANA Considerations 759 8.1. IANA Registration of the SDP 'msrp-cema' attribute 761 This document instructs IANA to add a attribute to the 'att-field 762 (media level only)' registry of the SDP parameters registry, 763 according to the information provided in this section. 765 This section registers a new SDP attribute, 'msrp-cema'. The 766 required information for this registration, as specified in RFC 4566, 767 is: 769 Contact name: Christer Holmberg 771 Contact e-mail: christer.holmberg@ericsson.com 773 Attribute name: msrp-cema 775 Type of attribute: media level 777 Purpose: This attribute is used to indicate support of 778 the MSRP Connection Establishment for Media 779 Anchoring (CEMA) extension defined in 780 RFC XXXX. When present in an MSRP media 781 description of an SDP body, it indicates 782 that the creator of the SDP supports the CEMA 783 mechanism. 785 Values: The attribute does not carry a value 787 Charset dependency: none 789 9. Acknowledgements 791 Thanks to Ben Campbell, Remi Denis-Courmont, Nancy Greene, Hadriel 792 Kaplan, Adam Roach, Robert Sparks, Salvatore Loreto, Shida Schubert, 793 Ted Hardie, Richard L Barnes, Inaki Baz Castillo, Saul Ibarra 794 Corretge, Cullen Jennings, Adrian Georgescu and Miguel Garcia for 795 their guidance and input in order to produce this document. 797 Thanks to John Mattsson for his help to restructure the Security 798 Considerations section, based on the feedback from IESG. 800 10. Change Log 802 [RFC EDITOR NOTE: Please remove this section when publishing] 803 Changes from draft-ietf-simple-msrp-cema-04 804 o Changes based on additional IESG comments from Stephen Farrell. 805 o - 'Media anchor' definition added. 806 o - TLS reference made normative. 807 o - MIKEY-TICKET recommendation removed. 808 o - Editorial clarifications. 810 Changes from draft-ietf-simple-msrp-cema-03 811 o Security Considerations sections re-written based on IESG 812 comments. 813 o Changes based on IESG comments from Peter Saint-Andre. 814 o Changes based on IESG comments from Robert Sparks. 815 o Changes based on IESG comments from Stephen Farrell. 816 o Changes based on IESG comments from Pete Resnick. 818 Changes from draft-ietf-simple-msrp-cema-02 819 o Changes based on WGLC comments. 820 o - Editorial changes based on comments from Nancy Greene. 821 o - Editorial changes based on comments from Saul Ibarra Corretge. 822 o - Editorial changes based on comments from Christian Schmidt. 823 o - Editorial changes based on comments from Miguel Garcia. 824 o Changes based on MMUSIC SDP impact review. 825 o - Editorial changes based on comments from Miguel Garcia. 827 Changes from draft-ietf-simple-msrp-cema-01 828 o Changes based on comment from Ben Campbell. 829 o - TLS B2BUA added to definitions section. 830 o - Middlebox added. 831 o - Editorial changes. 833 Changes from draft-ietf-simple-msrp-sessmatch-13 834 o Changed the draft name, as was suggested by our AD and work group. 835 o Clean up language use, clarify language, and clean up editorial 836 and style issues. 837 o Formally defined an MSRP B2BUA. 839 Changes from draft-ietf-simple-msrp-sessmatch-12 840 o Extension name changed to Connection Establishment for Media 841 Anchoring (CEMA). 842 o Middlebox definition added. 843 o ALG terminology replaced with Middlebox. 844 o SDP attribute name changed to a=msrp-cema. 845 o Applicability Statement section expanded. 846 o Re-structuring of MSRP Answerer section. 847 o Changes based on comments from Saul Ibarra Corretge (1406111). 849 Changes from draft-ietf-simple-msrp-sessmatch-11 850 o Modification of the sessmatch mechanism. 851 o - Extension name changed to Alternative Connection Establishment 852 (ACE) 853 o - Session matching procedure no longer updated. 854 o - SDP c/m-line used for MSRP TCP connection. 855 o - sessmatch option-tag removed. 856 o - a=msrp-ace attribute defined. 857 o - Support of RFC 6135 mandatory. 859 Changes from draft-ietf-simple-msrp-sessmatch-10 860 o Sessmatch option-tag added, based on WG discussions and concensus. 862 Changes from draft-ietf-simple-msrp-sessmatch-08 863 o OPEN ISSUE regarding the need for a sessmatch option-tag removed. 865 Changes from draft-ietf-simple-msrp-sessmatch-07 866 o Sessmatch defined as an MSRP extension, rather than MSRP update 867 o Additional security considerations text added 869 11. References 871 11.1. Normative References 873 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 874 Requirement Levels", BCP 14, RFC 2119, March 1997. 876 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 877 A., Peterson, J., Sparks, R., Handley, M., and E. 878 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 879 June 2002. 881 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 882 Description Protocol", RFC 4566, July 2006. 884 [RFC4975] Campbell, B., Mahy, R., and C. Jennings, "The Message 885 Session Relay Protocol (MSRP)", RFC 4975, September 2007. 887 [RFC4976] Jennings, C., Mahy, R., and A. Roach, "Relay Extensions 888 for the Message Sessions Relay Protocol (MSRP)", RFC 4976, 889 September 2007. 891 [RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax 892 Specifications: ABNF", STD 68, RFC 5234, January 2008. 894 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 895 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 897 [RFC6072] Jennings, C. and J. Fischl, "Certificate Management 898 Service for the Session Initiation Protocol (SIP)", 899 RFC 6072, February 2011. 901 [RFC6135] Holmberg, C. and S. Blau, "An Alternative Connection Model 902 for the Message Session Relay Protocol (MSRP)", RFC 6135, 903 February 2011. 905 11.2. Informative References 907 [RFC3724] Kempf, J., Austein, R., and IAB, "The Rise of the Middle 908 and the Future of End-to-End: Reflections on the Evolution 909 of the Internet Architecture", RFC 3724, March 2004. 911 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 912 Security (DTLS) Extension to Establish Keys for the Secure 913 Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. 915 [RFC5952] Kawamura, S. and M. Kawashima, "A Recommendation for IPv6 916 Address Text Representation", RFC 5952, August 2010. 918 [RFC6043] Mattsson, J. and T. Tian, "MIKEY-TICKET: Ticket-Based 919 Modes of Key Distribution in Multimedia Internet KEYing 920 (MIKEY)", RFC 6043, March 2011. 922 [RFC6091] Mavrogiannopoulos, N. and D. Gillmor, "Using OpenPGP Keys 923 for Transport Layer Security (TLS) Authentication", 924 RFC 6091, February 2011. 926 [GPP23228] 927 3GPP, "IP Multimedia Subsystem (IMS); Stage 2", 3GPP 928 TS 23.228 10.5.0, June 2011. 930 [DANE] "DNS-based Authentication of Named Entities Work Group". 932 Authors' Addresses 934 Christer Holmberg 935 Ericsson 936 Hirsalantie 11 937 Jorvas 02420 938 Finland 940 Email: christer.holmberg@ericsson.com 941 Staffan Blau 942 Ericsson 943 Stockholm 12637 944 Sweden 946 Email: staffan.blau@ericsson.com 948 Eric Burger 949 Georgetown University 950 Department of Computer Science 951 37th and O Streets, NW 952 Washington, DC 20057-1232 953 United States of America 955 Phone: 956 Fax: +1 530 267 7447 957 Email: eburger@standardstrack.com 958 URI: http://www.standardstrack.com