Last Call Review of draft-ietf-cuss-sip-uui-isdn-08
review-ietf-cuss-sip-uui-isdn-08-secdir-lc-orman-2014-05-15-00

Request Review of draft-ietf-cuss-sip-uui-isdn
Requested rev. no specific revision (document currently at 11)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2014-05-14
Requested 2014-05-02
Other Reviews Genart Last Call review of -08 by Scott Brim (diff)
Genart Telechat review of -09 by Scott Brim (diff)
Review State Completed
Reviewer Hilarie Orman
Review review-ietf-cuss-sip-uui-isdn-08-secdir-lc-orman-2014-05-15
Posted at https://www.ietf.org/mail-archive/web/secdir/current/msg04752.html
Reviewed rev. 08 (document currently at 11)
Review result Has Issues
Draft last updated 2014-05-15
Review completed: 2014-05-15

Review
review-ietf-cuss-sip-uui-isdn-08-secdir-lc-orman-2014-05-15

Security review of draft-ietf-cuss-sip-uui-isdn-08
Interworking ISDN Call Control User Information with SIP

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call
comments.

This document defines a usage (a new package) of the SIP User-to-User
header field to enable interworking with ISDN services transporting
the ITU-T DSS1 User-user information data element and is limited to
the ISDN UUS1 implicit supplementary service.  Because the element may
contain information related to user privacy, one should consider the
impact of transmitting it in this context.

The document begins by noting the the User-to-User header field is
defined in "A Mechanism for Transporting User to User Call Control
Information in SIP" (draft-ietf-cuss-sip-uui-16).  That document notes
security requirements deriving from an earlier document, RFC6567 SIP
UUI Reqs, which states:

  The next three requirements capture the UUI security requirements.
   REQ-13: The mechanism will allow integrity protection of the UUI.
   ...
   REQ-14: The mechanism will allow end-to-end privacy of the UUI.
   ...

   REQ-15: The mechanism will allow both end-to-end and hop-by-hop
   security models.
   ...

The document under review and draft-ietf-cuss-sip-uui-16 note that
because ISDN offers only hop-by-hop security, the SIP UAs must provide
any necessary authenticity, integrity and privacy protection for
sensitive parts of the UUI.

It is not clear to me if the SIP endpoints are aware of intermediary
ISDNs, nor if they might be unaware of the ISDN transit and thus
misled into thinking that the SIP infrastructure provided adequate
security controls for the protection of UUI data.

The document gives the guidance that "data that is used to assist in
selecting which SIP UA should respond to the call would not be
expected to carry any higher level of security than a media feature
tag".  I'm not sure how to interpret that.  When should the "level of
security" be expected to be lower than a media feature tag?  Or does
it mean something else, like: (a) the data should not be more sensitive
than that in a media feature tag or (b) the data should be protected
(authenticity, integrity, privacy) to at least the level of a media
feature tag or (c) the UUI data and the media feature tag data are so
similar that they should have the same level of protection?

That's my impression from reading over the security considerations.
My apologies if I've missed the point.

Hilarie