REFER Are security mechanisms beyond those in bis-09 needed?

Presentation transcript:

REFER Are security mechanisms beyond those in bis-09 needed?

Problem

  A -> B: REFER sip:B
          Refer-To: sip:C
          Referred-By: A
  B -> C: INVITE sip:C
          Referred-By: A

- Can C trust the Referred-By header?
- Should the header influence logic at C?

Problem (Refer-To carrying Replaces)

  A -> B: REFER sip:B
          Refer-To: sip:C?Replaces=1234%40C%3Bto-tag=1234%3Bfrom-tag=3994%3B
          Referred-By: A
  B -> C: INVITE sip:C?Replaces=1234%40C%3Bto-tag=1234%3Bfrom-tag=3994%3B
          Referred-By: A

- Can C trust the Referred-By header?
- Should the header influence logic at C?

Choices for Path Forward

- Remove Referred-By from REFER
- Specify a transfer-specific mechanism in the transfer draft
- Specify a REFER-specific mechanism in the REFER draft
- Solve the general problem of passing authorization tokens through intermediaries

Possible Mechanisms

- Use Referred-By generic-params
- Use the Authorization header
- Use S/MIME body parts
- Have C directly contact A

Use generic-params

- Add a signature/hash over the information to protect to the Referred-By header
- This was the original PGP-based proposal

Use Authorization header

  Refer-To: sip:C?Authorization=DIGEST&realm=…

- How does A provide meaningful credentials?
  – Needs a challenge from C
  – Challenge can be carried from B to A using NOTIFY
  – How does the challenge get from C to B?

Use Authorization header (message flow between A, B and C)

  A -> B: REFER
  B -> A: 202
  B -> C: INVITE
  C -> B: 4?? Authenticate Referror
          Refer-Authenticate: DIGEST (…)
  B -> A: NOTIFY (4?? Authenticate Referror, Refer-Authenticate: DIGEST (…))
  B -> C: ACK
  A -> B: 200
  A -> B: REFER
          Refer-To: sip:c?Authorization=DIGEST(…)
  B -> C: INVITE
          Authorization: DIGEST(…)

Use S/MIME Body Parts

- Provide an S/MIME-protected sipfrag containing Referred-By
  – In the Refer-To URL as a ?body= component
  – In a body part
- REFER recipients add that part to the body of the triggered request (probably making it multipart)
- Likely to be more efficient than challenge/response, since both A's and B's identities can be proven to C in the initial message to C

Using S/MIME Body Parts (message flow between A, B and C)

  A -> B: REFER (A-signed part containing Refer-To, Referred-By)
  B -> A: 202
  B -> C: INVITE (B-signed part protecting the entire INVITE, including the A-signed part containing Refer-To, Referred-By)
  C -> B: 200 OK
  B -> A: NOTIFY
  A -> B: 200 OK
  B -> C: ACK
  200

Contact A directly

- Have C send a request to A asking "Did you ask B to do this?"
  – Use the URI from Referred-By as the Request-URI
  – C can authenticate A using bis-09 mechanisms

  A -> B: REFER
  B -> C: INVITE
  C -> A: VERIFY

Taking Advantage of the Attended Transfer Triangle

  1: A <-> C: Invite / Hold
  2: A <-> B: Invite / Hold / Refer
  3: B -> C: Invite
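As an added example (not code from the slides), the check C can make in the attended-transfer triangle: parse the escaped Refer-To URI from the Replaces problem slide, build the headers B would carry into the triggered INVITE, and accept Referred-By only when it names the remote party of the dialog C already holds and that the INVITE claims to replace. The dialog table, tags and URIs are constructed for illustration.

```python
from urllib.parse import unquote

def parse_refer_to(uri):
    """Split a Refer-To URI into its base URI and the headers embedded after '?'."""
    base, _, hdrs = uri.partition("?")
    headers = {}
    if hdrs:
        for item in hdrs.split("&"):
            name, _, value = item.partition("=")
            headers[unquote(name).lower()] = unquote(value)
    return base, headers

def parse_replaces(value):
    """Parse 'call-id;to-tag=x;from-tag=y' into (call_id, to_tag, from_tag)."""
    parts = [p for p in value.split(";") if p]
    params = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0], params.get("to-tag"), params.get("from-tag")

def triggered_invite_headers(refer_to, referred_by):
    """Headers B places in the INVITE it sends on A's behalf: the embedded
    URI headers become request headers, and Referred-By is copied across."""
    target, embedded = parse_refer_to(refer_to)
    headers = {"request-uri": target, "referred-by": referred_by}
    headers.update(embedded)
    return headers

def referrer_matches_replaced_dialog(invite_headers, dialogs):
    """C's check: the Referred-By identity must be the remote party of the
    dialog being replaced; otherwise the header earns no trust at C."""
    if "replaces" not in invite_headers:
        return False
    call_id, to_tag, from_tag = parse_replaces(invite_headers["replaces"])
    # Per RFC 3891 the Replaces to-tag is compared with C's local tag and
    # the from-tag with the remote tag; dialogs is keyed that way (assumed layout).
    dialog = dialogs.get((call_id, to_tag, from_tag))
    if dialog is None:
        return False
    referred_by = invite_headers["referred-by"].strip("<>")
    return referred_by == dialog["remote_uri"]

# Constructed sample: the slide's escaped Refer-To URI, and C's dialog with A
REFER_TO = "sip:C?Replaces=1234%40C%3Bto-tag=1234%3Bfrom-tag=3994%3B"
C_DIALOGS = {("1234@C", "1234", "3994"): {"remote_uri": "sip:A"}}
```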

Proposal

- Add an S/MIME-based mechanism for carrying proof of identity and of the content of the Refer* headers from A to C
- Add a security discussion of some use cases (particularly the screening form of attended transfer)