SPEERMINT Security Threats and Suggested Countermeasures (draft-ietf-speermint-voipthreats-01)
© 2006 NEC Corporation - Confidential, November 2008

Presentation transcript:

SPEERMINT Security Threats and Suggested Countermeasures
draft-ietf-speermint-voipthreats-01
Saverio Niccolini, Eric Chen, Jan Seedorf, Hendrik Scholz

Goals / Scope
Goals of the draft
  – List of security threats (specific) for SPEERMINT
  – Mapping of these threats to suggested countermeasures
      - As information for implementers
      - Also helping implementers choose proper means for addressing SPEERMINT security requirements (as defined in draft-ietf-speermint-requirements-07)
Target:
  – Informational document for implementers

Contribution of the draft (related to SPEERMINT document flow chart)
[Flow chart of SPEERMINT documents: Terminology; VoIP-specific use cases; IM/Presence-specific use cases; VoIP-specific requirements; IM/Presence-specific requirements; Architecture; Message flows; DNS SRV & NAPTR use; Other implementer documents (BCPs)]
SPEERMINT Security Threats and Suggested Countermeasures: Informational Document

Security Requirements vs. concrete Solutions
Security Requirements: draft-ietf-speermint-requirements-07
  – This draft lists security requirements without stating concrete protocols or guidance on how to meet these requirements
How to fulfill/meet the Security Requirements: draft-ietf-speermint-voipthreats-01
  – This draft provides concrete protocols and solutions for meeting the requirements
  – As guidance for implementers who want to fulfill the security requirements for SPEERMINT
  – Section on security requirements (section 3)
      - Currently only listing the security requirements
      - Waiting for draft-ietf-speermint-requirements-07 to be finalized (IESG processing)
      - Then addressing the requirements with text on protocols and solutions

Comments received for Version -00 at IETF 73
Minimization of SED suggested as countermeasure
  – Included in the new -01 version
Text regarding password cracking was misleading
  – Changed
Digest authentication on all requests was seen as unrealistic
  – Removed
PKI is assumed for TLS
  – Added text

Changes since -00 version
Addressed comments received (see previous slide)
New threats
  – network discovery
  – unwanted requests
New countermeasures
  – minimization of session establishment data
  – topology hiding
Renamed / Restructured Countermeasures (see next slide)
Editorial changes
  – Updated/removed references

Version -01: Suggested Countermeasures
Suggested Countermeasures
  – Database Security BCPs
  – DNSSEC
  – DNS Replication
  – Cross-Domain Privacy Protection
  – Use TCP instead of UDP to deliver SIP messages
  – Ingress Filtering / Reverse-Path Filtering
  – Strong Identity Assertion
  – Reliable Border Element Pooling
  – Rate limit
  – Topology Hiding
  – Border Element Hardening
  – Minimization of Session Establishment Data
  – Encryption and Integrity Protection of Signalling Messages
  – Encryption and Integrity Protection of Media Stream

Current Issues / Discussion
IPSec vs. TLS
  – IPSec is a lower-layer solution but often deployed and seen as sufficient for hop-to-hop SSP security
  – Requirements draft says: "Even though SSPs may use lower layer security mechanisms to guarantee some of those security properties, candidate protocols for the LUF and LRF must meet the above requirements [authentication/integrity/confidentiality]."
  – Opinions from the WG?
Section on deployment (Comment received at IETF 71)
  – Are there other solutions besides DNSSEC which are not deployed yet?

How to proceed...
We welcome any comments on this work on the mailing list
  – Are there additional threats missing / not considered?
  – Are there countermeasures missing / not considered?
  – Editorial changes / comments?
Or contact authors directly if you have any comments:
  – Saverio Niccolini:
  – Eric Chen:
  – Jan Seedorf:
  – Hendrik Scholz:

History of the draft
Early versions of the draft
  – Investigations on the security threats and attack vectors related to SPEERMINT
      - Classification of the threats
      - Description of instances of the threats
  – Objectives
      - Identify and enumerate the SPEERMINT-specific threat vectors
      - Help in selecting security-related requirements
Input now included in draft-ietf-speermint-requirements-07
Since IETF-72, the draft has become WG item