Requirements for End-to-Middle Security for the Session Initiation Protocol (SIP)
draft-ietf-sipping-e2m-sec-reqs-06
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Sam Hartman |
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Ted Hardie |
2012-08-22
|
06 | (System) | post-migration administrative database adjustment to the No Objection position for Russ Housley |
2005-04-14
|
06 | Amy Vezza | State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza |
2005-04-12
|
06 | Amy Vezza | IESG state changed to Approved-announcement sent |
2005-04-12
|
06 | Amy Vezza | IESG has approved the document |
2005-04-12
|
06 | Amy Vezza | Closed "Approve" ballot |
2005-04-12
|
06 | Allison Mankin | Moving e2m security solution to sip |
2005-04-12
|
06 | Allison Mankin | draft also addressed Russ's comments |
2005-04-12
|
06 | Allison Mankin | State Change Notice email list have been change to gonzalo.camarillo@ericsson.com, dean.willis@softarmor.com, rohan@ekabal.com, ono.kumiko@lab.ntt.co.jp, kumiko@cs.columbia.edu from gonzalo.camarillo@ericsson.com, dean.willis@softarmor.com, rohan@ekabal.com, … State Change Notice email list have been change to gonzalo.camarillo@ericsson.com, dean.willis@softarmor.com, rohan@ekabal.com, ono.kumiko@lab.ntt.co.jp, kumiko@cs.columbia.edu from gonzalo.camarillo@ericsson.com, dean.willis@softarmor.com, rohan@ekabal.com, ono.kumiko@lab.ntt.co.jp |
2005-04-12
|
06 | Allison Mankin | State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Allison Mankin |
2005-04-11
|
06 | Ted Hardie | [Ballot Position Update] Position for Ted Hardie has been changed to No Objection from Discuss by Ted Hardie |
2005-03-30
|
06 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley |
2005-03-16
|
06 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2005-03-16
|
06 | (System) | New version available: draft-ietf-sipping-e2m-sec-reqs-06.txt |
2005-02-04
|
06 | (System) | Removed from agenda for telechat - 2005-02-03 |
2005-02-03
|
06 | Amy Vezza | State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza |
2005-02-03
|
06 | Sam Hartman | [Ballot Position Update] Position for Sam Hartman has been changed to No Objection from Discuss by Sam Hartman |
2005-02-03
|
06 | Michelle Cotton | IANA Comments: We understand this document to have NO IANA Actions. |
2005-02-03
|
06 | Sam Hartman | [Ballot discuss] This document discusses digest authentication as if it is an end-to-middle service. Digest authentication is a hop-by-hop service last time I checked. I'm … [Ballot discuss] This document discusses digest authentication as if it is an end-to-middle service. Digest authentication is a hop-by-hop service last time I checked. I'm confused; what is really meant here? |
2005-02-03
|
06 | Sam Hartman | [Ballot Position Update] New position, Discuss, has been recorded for Sam Hartman by Sam Hartman |
2005-02-03
|
06 | Bert Wijnen | [Ballot Position Update] New position, No Objection, has been recorded for Bert Wijnen by Bert Wijnen |
2005-02-03
|
06 | Margaret Cullen | [Ballot Position Update] New position, No Objection, has been recorded for Margaret Wasserman by Margaret Wasserman |
2005-02-03
|
06 | Harald Alvestrand | [Ballot comment] Reviewed by Suzanne Woolf, Gen-ART Her review: This document seems to be in pretty good shape to be published as Informational; it motivates … [Ballot comment] Reviewed by Suzanne Woolf, Gen-ART Her review: This document seems to be in pretty good shape to be published as Informational; it motivates the need for e2m and describes the characteristics of successful e2m security for SIP. However, I have some reservations. I may have found it hard to follow simply because I know little about the underlying protocol. But it may need to be clarified in several places, e.g. "This requirement is not necessary when a provider that operates the proxy server does not permit to reveal the security policies to a different provider that the recipient UA belongs to." I *think* I know what it means but it might be clearer to say "This requirement is not necessary when the provider operating the proxy service does not allow its security policies to be revealed to the provider serving the recipient UA." |
2005-02-03
|
06 | Harald Alvestrand | [Ballot Position Update] New position, No Objection, has been recorded for Harald Alvestrand by Harald Alvestrand |
2005-02-02
|
06 | David Kessens | [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens |
2005-02-02
|
06 | Russ Housley | [Ballot discuss] Section 4 includes the following requirements: > > REQ-CONF-1: The solution MUST allow encrypted data to be shared with > … [Ballot discuss] Section 4 includes the following requirements: > > REQ-CONF-1: The solution MUST allow encrypted data to be shared with > the recipient UA and selected proxy servers, when a UA > wants. > > REQ-CONF-3: It SHOULD allow a UA to request selected proxy servers to > view specific message bodies. The request itself SHOULD > be secure. > > REQ-INT-2: It SHOULD allow a UA to request selected proxy servers to > verify specific message bodies. The request itself SHOULD > be secure. > I fear that "selected proxy servers" is not clear. I think that the intent is to allow encrypted data to be decrypted by proxy servers chosen by the UA and to specifically request that these proxy servers perform decryption and/or integrity checking. This implies that the UA can unambiguously identify proxy servers. In the are of confidentiality, the UA also needs to obtain credentials (such as a certificate) for the proxy server. In the case of integrity, similar credentials will be needed to support a message authentication code (such as HMAC), but they are not needed is a digital signature is used. Section 4 includes the following requirements: > > REQ-CONF-3: It SHOULD allow a UA to request selected proxy servers to > view specific message bodies. The request itself SHOULD > be secure. > > REQ-CONF-4: It MAY allow a UA to request that the recipient UA > disclose information to the proxy server, to which the > requesting UA is initially disclosing information. The > request itself SHOULD be secure. > > REQ-INT-2: It SHOULD allow a UA to request selected proxy servers to > verify specific message bodies. The request itself SHOULD > be secure. > > REQ-INT-3: It SHOULD allow a UA to request the recipient UA to send > the verification data of the same information that the > requesting UA is providing to the proxy server. The > request itself SHOULD be secure. > The term "secure" is unclear. I assume that authentication and data integrity are the needed security services. Section 4.2 leads the reader to believe that data integrity can be provided without also providing authentication. I do not believe that it is possible to provide data integrity in this context without also providing authentication. This section should be rewritten to provide both data integrity and authentication. Section 5 says: > > This document describes the requirements for confidentiality and > integrity between a UA and a proxy server. Although this document > does not cover authentication, it is important in order to prevent > attacks from malicious users and servers. > I do not believe that it is possible to provide data integrity in this context without also providing authentication. This comment goes hand-in-hand with my previous comment. Section 5 talks about denial of service attacks. I believe that the protections requested here can be provided by the hop-by-hop use of TLS. The solution implied by the text in section 5 is less robust; it does not seem to consider an attacker generating traffic to a proxy server that looks like it came from another proxy server. |
2005-02-02
|
06 | Russ Housley | [Ballot comment] Section 2.1: s/request base on/request based on/ Section 2.1: ASCII Art is difficult, and often subjective. To me, the following is … [Ballot comment] Section 2.1: s/request base on/request based on/ Section 2.1: ASCII Art is difficult, and often subjective. To me, the following is more self-consistent. In the original, I was asking myself if the inconsistencies meant anything, and I convinced myself that they did not. Second, I propose "[C]" to denote a content that is protected. This allows multiple layers of encapsulation to be shown if needed. Home Network /---------------------\ | +-----+ +-----+ | +-----+ +-----+ User #1-----| C |-----| [C] |-----| [C] |-----| C |-----User #2 | +-----+ +-----+ | +-----+ +-----+ | UA #1 Proxy #1 | Proxy #2 UA #2 \---------------------/ If you accept any of these changes, please consistently use them in the rest of the figures too. Section 2.2.1: The 2nd paragraph of this section should read: > > This service might be deployed in financial networks, health care > service provider's networks, as well as other networks where > archiving communication is required by their security policies. Section 4.1: I think the following revised text has the same meaning, but I think it is more straightforward: > > REQ-GEN-2: It SHOULD NOT have an impact on proxy servers that do > not provide services based on S/MIME-protected bodies > in terms of handling the existing SIP headers. Reference [4] should point to RFC 3850. Reference [6] should point to a specification of the Location Object, not the requirements for the location object. |
2005-02-02
|
06 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley by Russ Housley |
2005-02-01
|
06 | Ted Hardie | [Ballot discuss] In 2.2.2, the document says The Location Object [6] includes private information as well as routing information for appropriate proxy servers. … [Ballot discuss] In 2.2.2, the document says The Location Object [6] includes private information as well as routing information for appropriate proxy servers. Some proxy servers have the capability to provide location-based routing. When UAs want to employ location-based routing in non-emergency situations, the UAs need to connect to the proxy servers with such a capability and disclose the location object contained in the message body of the INVITE request, while protecting it from other proxy servers along the request path. [6] points to the GEOPRIV requirements document, but I believe they should point to draft-ietf-geopriv-pidf-lo-03.txt, currently in the RFC Editor's queue. I'm also concerned that this paragraph does not capture well how the privacy aspects of a geopriv object work. The question of to whom a location object may be passed is extensively considered in geopriv, and describing it in the same terms would be very helpful in matching the requirements here to the capabilities of pidf-lo. The document goes on: The Location Object also needs to be verified for integrity before location-based routing is applied. What does verified for integrity mean here? |
2005-02-01
|
06 | Ted Hardie | [Ballot discuss] In 2.2.2, the document says The Location Object [6] includes private information as well as routing information for appropriate proxy servers. … [Ballot discuss] In 2.2.2, the document says The Location Object [6] includes private information as well as routing information for appropriate proxy servers. Some proxy servers have the capability to provide location-based routing. When UAs want to employ location-based routing in non-emergency situations, the UAs need to connect to the proxy servers with such a capability and disclose the location object contained in the message body of the INVITE request, while protecting it from other proxy servers along the request path. [6] points to the GEOPRIV requirements document, but I believe they should point to draft-ietf-geopriv-pidf-lo-03.txt, currently in the RFC Editor's queue. I'm also not concerned that this paragraph does not capture well how the privacy aspects of a geopriv object work. The question of to whom a location object may be passed is extensively considered in geopriv, and describing it in the same terms would be very helpful in matching the requirements here to the capabilities of pidf-lo. The document goes on: The Location Object also needs to be verified for integrity before location-based routing is applied. What does verified for integrity mean here? |
2005-02-01
|
06 | Ted Hardie | [Ballot Position Update] New position, Discuss, has been recorded for Ted Hardie by Ted Hardie |
2005-02-01
|
06 | Scott Hollenbeck | [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck |
2005-01-31
|
06 | Allison Mankin | [Ballot Position Update] New position, Yes, has been recorded for Allison Mankin |
2005-01-31
|
06 | Allison Mankin | Ballot has been issued by Allison Mankin |
2005-01-31
|
06 | Allison Mankin | Created "Approve" ballot |
2005-01-31
|
06 | (System) | Last call text was added |
2005-01-31
|
06 | (System) | Ballot approval text was added |
2005-01-27
|
06 | Allison Mankin | Placed on agenda for telechat - 2005-02-03 by Allison Mankin |
2005-01-27
|
06 | Allison Mankin | State Changes to IESG Evaluation from Publication Requested by Allison Mankin |
2005-01-27
|
06 | Allison Mankin | State Change Notice email list have been change to gonzalo.camarillo@ericsson.com, dean.willis@softarmor.com, rohan@ekabal.com, ono.kumiko@lab.ntt.co.jp from gonzalo.camarillo@ericsson.com, dean.willis@softarmor.com, rohan@ekabal.com |
2004-12-22
|
06 | Dinara Suleymanova | Draft Added by Dinara Suleymanova in state Publication Requested |
2004-12-09
|
05 | (System) | New version available: draft-ietf-sipping-e2m-sec-reqs-05.txt |
2004-10-08
|
04 | (System) | New version available: draft-ietf-sipping-e2m-sec-reqs-04.txt |
2004-07-06
|
03 | (System) | New version available: draft-ietf-sipping-e2m-sec-reqs-03.txt |
2004-05-12
|
02 | (System) | New version available: draft-ietf-sipping-e2m-sec-reqs-02.txt |
2004-02-17
|
01 | (System) | New version available: draft-ietf-sipping-e2m-sec-reqs-01.txt |
2003-10-23
|
00 | (System) | New version available: draft-ietf-sipping-e2m-sec-reqs-00.txt |