Proposal for Change/Improvements in STIR/SHAKEN Technical Report on SHAKEN APIs for a Centralized Signing and Signature Validation Server.

Presentation transcript:


“iat” Content

“iat” is the “issued at” claim of RFC7519, JSON Web Token (JWT). It pertains to the PASSporT token, i.e. it needs to contain the time when the token is constructed.

RFC7519 is arguably the “most authoritative” specification regarding “iat” content. Section 4.1.6, "iat" (Issued At) Claim: The "iat" (issued at) claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT. Its value MUST be a number containing a NumericDate value. Use of this claim is OPTIONAL. This text clearly states that “iat” should be populated with the generation time of the JWS.

6.1 Datatype: signingRequest. “Issued At Claim”: Should be set to the date and time of issuance of the PASSporT Token. This is how it should be populated.

8.1.1 Functional Behavior. The “iat” parameter is populated using the “Date” header field in the SIP INVITE. If there is no “Date” header field in the SIP INVITE, a Date header field is added to the SIP INVITE. This contradicts RFC7519 and 6.1. RFC8244 also needs to be modified regarding the content of “iat”.

Start of session (which the Date header is based on) and PASSporT generation are temporally not necessarily close. Example: the PASSporT is generated just before the session is routed to a partner network, after announcement/digit collection. This could introduce a non-negligible artificial drift and cause freshness check issues during validation.
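The drift described in this slide, worked through as an added example (not code from the presentation or from any SHAKEN implementation): the same call is signed twice, once with “iat” copied from the INVITE's Date header (session start) and once with “iat” set to the PASSporT generation time, and a verifier then applies a freshness check to both. The 60-second tolerance, the 90-second announcement/digit-collection delay, the Date header value, the telephone numbers and the HMAC-based signature are all constructed for the example; real PASSporTs are ES256-signed with an STI certificate.

```python
import base64
import hashlib
import hmac
import json
from email.utils import parsedate_to_datetime

# Assumed verifier tolerance for the iat freshness check; the slide names no value.
FRESHNESS_WINDOW_SECONDS = 60

# Constructed shared secret, used only so the example runs offline. Real PASSporTs
# are signed with ES256 and the STI certificate referenced by the "x5u" header.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def iat_from_sip_date(date_header_value: str) -> int:
    """Derive iat from a SIP Date header (RFC 1123 date), i.e. from the
    session start time, which is what TR section 8.1.1 prescribes."""
    return int(parsedate_to_datetime(date_header_value).timestamp())


def build_passport(iat: int, orig_tn: str, dest_tn: str, key: bytes = DEMO_KEY) -> str:
    """Build a PASSporT-shaped compact JWS carrying the given iat."""
    header = {"alg": "HS256", "ppt": "shaken", "typ": "passport"}
    payload = {
        "attest": "A",
        "dest": {"tn": [dest_tn]},
        "iat": iat,
        "orig": {"tn": orig_tn},
        "origid": "00000000-0000-4000-8000-000000000000",  # constructed placeholder
    }
    encode = lambda obj: _b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    signing_input = encode(header) + "." + encode(payload)
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_passport(token: str, now: int, key: bytes = DEMO_KEY) -> dict:
    """Verifier side: check the signature, then the age of iat against the window.
    abs() is used so that a clock running ahead is treated like one running behind."""
    head_b64, body_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    signature_ok = hmac.compare_digest(expected, _b64url_decode(sig_b64))
    iat = json.loads(_b64url_decode(body_b64))["iat"]
    age = now - iat
    fresh = signature_ok and abs(age) <= FRESHNESS_WINDOW_SECONDS
    return {"signature_ok": signature_ok, "iat": iat, "age_seconds": age, "fresh": fresh}


def drift_scenario(call_processing_seconds: int = 90, transit_seconds: int = 2) -> dict:
    """One call, two ways of populating iat. Constructed timeline: the INVITE's
    Date header marks session start; the PASSporT is generated only after
    announcement/digit collection; the partner network verifies shortly after."""
    sip_date = "Tue, 10 Sep 2019 12:00:00 GMT"  # constructed INVITE Date header
    session_start = iat_from_sip_date(sip_date)
    generation_time = session_start + call_processing_seconds
    verification_time = generation_time + transit_seconds

    from_date_header = build_passport(session_start, "12155551212", "12155551213")
    from_generation = build_passport(generation_time, "12155551212", "12155551213")
    return {
        "iat_from_sip_date": verify_passport(from_date_header, verification_time),
        "iat_from_generation": verify_passport(from_generation, verification_time),
    }


if __name__ == "__main__":
    for label, result in drift_scenario().items():
        print(f"{label}: age={result['age_seconds']}s fresh={result['fresh']}")
```

Both tokens carry valid signatures; only the Date-derived one fails, because the 90 seconds spent in announcement/digit collection are counted against the token's age even though the PASSporT itself is two seconds old when it arrives at the verifier.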

STI-AS/VS Overload

A signing/verification request associated with a real-time session setup procedure needs to complete in a given time frame.

Current HTTP overload control relies on using 503 with a Retry-After header indicating for how long no request should be sent to a server. This, although sufficient for certain applications, does not always provide satisfactory results, as it allows only binary control of the load following a step-function pattern. The TCP congestion window does not address this issue either, as it does not give the application direct control and is impacted by network conditions like latency, jitter and packet loss.

A mechanism is needed to deal efficiently with STI-AS/VS overload.

A similar phenomenon is observed for other protocols as well. For example, for SIP the issue is addressed by defining a specific mechanism in RFC 7339. The same overall strategy can be used for HTTP as well: the server indicates a “drop rate” in 503 responses. https://tools.ietf.org/html/draft-asveren-dispatch-http-overload-control-00

Work in progress and needs improvements, e.g. clarification about scope, retrying requests, introducing a “validity time” parameter.
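To make the difference between binary Retry-After control and a proportional drop rate concrete, here is an added simulation (not code from the presentation or from the referenced draft). A constructed STI-AS can sign 8 requests per second while a client offers 10; one client backs off entirely for the Retry-After period, the other sheds exactly the fraction the server asked for. The header name `X-Demo-Drop-Rate` is hypothetical (the draft's parameter name is not given on this slide), the 5-second validity of a received drop rate is an assumption standing in for the “validity time” parameter the slide says still needs to be introduced, and all capacities and rates are constructed.

```python
SERVER_CAPACITY_PER_SECOND = 8   # constructed STI-AS signing capacity
OFFERED_PER_SECOND = 10          # constructed signing-request demand from one client
RETRY_AFTER_SECONDS = 2          # constructed Retry-After value sent with each 503
DROP_RATE_VALIDITY_SECONDS = 5   # assumed; stands in for the draft's missing validity time
DROP_RATE_HEADER = "X-Demo-Drop-Rate"  # hypothetical header name, percentage to shed


class RetryAfterClient:
    """Binary control: after a 503 with Retry-After, send nothing until it expires."""

    def __init__(self):
        self.blocked_until = 0

    def admit(self, now: int) -> bool:
        return now >= self.blocked_until

    def on_503(self, now: int, headers: dict) -> None:
        self.blocked_until = max(self.blocked_until, now + int(headers["Retry-After"]))


class DropRateClient:
    """Proportional control: shed the percentage of requests the server asked for.
    An integer accumulator makes the shed fraction exact and deterministic."""

    def __init__(self):
        self.drop_percent = 0
        self.valid_until = 0
        self._acc = 0

    def admit(self, now: int) -> bool:
        if now >= self.valid_until:      # the signalled rate has expired
            self.drop_percent = 0
        self._acc += self.drop_percent
        if self._acc >= 100:
            self._acc -= 100
            return False                 # this request is shed locally
        return True

    def on_503(self, now: int, headers: dict) -> None:
        self.drop_percent = int(headers[DROP_RATE_HEADER])
        self.valid_until = now + DROP_RATE_VALIDITY_SECONDS


def server_handle(admitted: int) -> tuple:
    """Constructed STI-AS: serve up to capacity, 503 the rest. The 503 carries both
    a Retry-After and the percentage of offered load the client should shed."""
    served = min(admitted, SERVER_CAPACITY_PER_SECOND)
    rejected = admitted - served
    headers = {}
    if rejected:
        headers = {
            "Retry-After": str(RETRY_AFTER_SECONDS),
            DROP_RATE_HEADER: str(round(100 * rejected / admitted)),
        }
    return served, rejected, headers


def simulate(client, seconds: int = 10) -> dict:
    """Run the client against the server one second at a time. Requests the client
    does not send are lost call setups too: signing is tied to real-time call
    processing, so they cannot be queued and retried later."""
    totals = {"served": 0, "rejected_503": 0, "not_sent": 0}
    for now in range(seconds):
        admitted = 0
        for _ in range(OFFERED_PER_SECOND):
            if client.admit(now):
                admitted += 1
            else:
                totals["not_sent"] += 1
        served, rejected, headers = server_handle(admitted)
        totals["served"] += served
        totals["rejected_503"] += rejected
        if rejected:
            client.on_503(now, headers)
    return totals


if __name__ == "__main__":
    print("Retry-After only:", simulate(RetryAfterClient()))
    print("Drop rate in 503:", simulate(DropRateClient()))
```

With the constructed numbers the Retry-After client oscillates between bursts and silence and gets 40 of 100 requests signed, while the drop-rate client settles at the server's capacity and gets 80 signed with far fewer 503s; the server's capacity is the same in both runs, only the feedback differs.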