1 A Path Forward on Identity Agreement on a problem space –We all agree that E.164 numbers don’t work well with RFC4474 –Less agreement about the requirements.

Slides:

Advertisements

Similar presentations

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Advertisements

SIP Interconnect Guidelines draft-hancock-sip-interconnect-guidelines-02 David Hancock, Daryl Malas.

IETF 71 SIPPING WG meeting draft-ietf-sipping-pai-update-00.

Mobile Code Security Yurii Kuzmin. What is Mobile Code? Term used to describe general-purpose executables that run in remote locations. Web browsers come.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

SIP Working Group Jonathan Rosenberg dynamicsoft.

SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.

An Overview of SIP Security Dr. Samir Chatterjee Network Convergence Lab Claremont Graduate University

Requirements for Resource Priority Mechanisms for the Session Initiation Protocol draft-ietf-ieprep-sip-reqs-01 Henning Schulzrinne Columbia University.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

SIP Greg Nelson Duc Pham. SIP Introduction Application-layer (signaling) control protocol for initiating a session among users Application-layer (signaling)

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Proxy Authentication of the Emergency Status of SIP Calls draft-barnes-ecrit-auth-00 Richard Barnes IETF 69, Chicago, IL, USA.

1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri

3.9 Derivatives of Exponential and Logarithmic Functions.

SIP working group status Keith Drage, Dean Willis.

Trust Anchor Management Problem Statement 69 th IETF Trust Anchor Management BOF Carl Wallace.

Blending RTSP and SIP signaling for IPTV and VoD services in the IMS Presented by Robert Marston Department of Electrical Engineering University of Cape.

Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.

Session Initiation Protocol (SIP) 王承宇張永霖.

EAP WG EAP Key Management Framework Draft-ietf-eap-keying-03.txt Bernard Aboba Microsoft.

STIR Charter (discussion) STIR BoF Berlin, DE 7/30/2013.

MASS / DKIM BOF IETF – Paris 4 Août 2005 dkim.org  mipassoc.org/mass IETF – Paris 4 Août 2005 dkim.org  mipassoc.org/mass MIPA.

Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.

1 NAT & RTP Proxy Date: 2009/7/2 Speaker: Ni-Ya Li Advisor: Quincy Wu.

1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.

802.1 af discussion First two slides are my picture of ae requirements - these may need some refining Next slide is my interpretation of KSP implementation.

VoN September ‘98 1 9/17/98 VoN Standards Update Jonathan Rosenberg Bell Laboratories September 17, 1998.

STIR Problem Statement IETF 88 (Vancouver) Tuesday Session Jon Peterson.

1 SIPREC draft-ietf-siprec-architecture-00 An Architecture for Media Recording using SIP IETF SIPREC INTERIM – Sept 28 th 2010 Andrew Hutton.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

SAML FTF #4 Workitems Bob Blakley. SAML “SenderVouches” SubjectConfirmation Method: A Proposed Alternative to Bindings 0.5 Proposals.

Session Recording (SIPREC) Protocol (draft-ietf-siprec-protocol-09) Leon Portman Henry Lum

5 Firewalls in VoIP Selected Topics in Information Security – Bazara Barry.

SIP Interconnect Guidelines draft-hancock-sip-interconnect-guidelines-01 David Hancock, Daryl Malas.

1 IETF 72 SIP WG meeting SIP Identity issues John Elwell et alia.

Rfc4474bis-01 IETF 90 (Toronto) STIR WG Jon. First principles (yet again) Separating the work into two buckets: 1) Signaling – What fields are signed,

1 IETF 88 (Vancouver) November 6, 2013 Cullen Jennings V3.

A Modest Proposal Jonathan Rosenberg Cisco. Problem Statement Increasing gap between our specs and the SIP industry –Proxies vs. B2BUA –Open Internet.

SAML for SIP Hannes Tschofenig, Jon Peterson, James Polk, Douglas Sicker, Marcus Tegnander.

Using SAML for SIP H. Tschofenig, J. Peterson, J. Polk, D. Sicker, M. Tegnander.

X.509 Proxy Certificates for Dynamic Delegation Ian Foster, Jarek Gawor, Carl Kesselman, Sam Meder, Olle Mulmo, Laura Perlman, Frank Siebenlist, Steven.

SIP-H.323 Interworking Group RRR-1 IETF-48 SIP-H.323 Interworking Requirements draft-agrawal-sip-h323-interworking-reqs-00.txt Hemant.

Magnus Westerlund 1 The RTSP Core specification draft-ietf-mmusic-rfc2326bis-06.txt Magnus Westerlund Aravind Narasimhan Rob Lanphier Anup Rao Henning.

Emergency Context Resolution with Internet Technologies BOF (ecrit) Jon Peterson, Hannes Tschofenig BOF Chairs.

File Transfer Services in the Context of SIP Based Communication Markus Isomäki draft-isomaki-sipping-file-transfer-00.

RFC3261 (Almost) Robert Sparks. SIPiT 10 2 Status of the New SIP RFC Passed IETF Last Call In the RFC Editor queue Author’s 48 hours review imminent IMPORTANT:

1 Media Session Authorization Dan Wing draft-wing-session-auth-00.txt.

GMPLS Recovery Signaling Issues draft-rhodes-rsvp-recovery-signaling-01 Nic Neate Data Connection Ltd (DCL)

Key Management in AAA Russ Housley Incoming Security Area Director.

IETF70, Vancouver, December 2007draft-wing-sip-identity-media-011 SIP Identity using Media Path draft-wing-sip-identity-media-01 Dan Wing,

Fall 2006CS 395: Computer Security1 Key Management.

1 End-to-middle Security in SIP Kumiko Ono NTT Corporation March 1, 2004 draft-ietf-sipping-e2m-sec-reqs-01.txt draft-ono-sipping-end2middle-security-01.txt.

Page 1 IETF Speermint Working Group Speermint draft-ietf-speermint-requirements-04 IETF 71 - Wednesday March 12, 2008 Jean-François Mulé -

Andrew Allen ROUTING OUT OF DIALOG REQUESTS draft-allen-dispatch-routing-out-of-dialog-request-01 Dispatch IETF 92 March 23 rd 2015.

Chap5: Designing Trusted Operating Systems.  What makes an operating system “secure”? Or “trustworthy”?  How are trusted systems designed, and which.

Update on Security Analysis for Location Phil Hawkes

AAVS Middleware Security Group Bob Cowles CERN – September 14, 2005.

CLUE WG Interim Meeting San Jose, CA Sept , 2012

Message Authentication Code

End-to-middle Security in SIP

sip-identity-04 Added new response codes for various conditions

Trust Anchor Management Problem Statement

Request-URI Param Delivery

Analysis of Use of Separate Identity Header for SIP RPH Signing

RFC PASSporT Construction 6.2 Verifier Behavior

RFC PASSporT Construction 6.2 Verifier Behavior

Potential L2 security options for UL BCS

SAML/SIP Profiles and Call Initiation

Presentation transcript:

1 A Path Forward on Identity Agreement on a problem space –We all agree that E.164 numbers don’t work well with RFC4474 –Less agreement about the requirements for intermediary traversal Skepticism about some use cases Solutions that overcome the deficiencies of existing approaches –Where existing solutions include both 4474 and 3325 –Does a solution do a better job with E.164 numbers, for example, than 4474 or 3325?

2 Desirable Properties Generality –One mechanism with universal applicability Different mechanisms with different strengths open the door to bid-downs “Configurable” DKIM-style assertions worrisome… Authentication, i.e. binding the session with domain-based assertion of identity Enables media security –At least provides a signature over key/desc Unconnected Applicability –Useful to decide whether or not to accept a request

3 Intermediary Authority over Signaling Intermediaries do not restrict themselves to the RFC3261 “amdr” rules of proxies (used by RFC4474) –However, scope of intermediary agency must have practical limits –Otherwise, there is no way to differentiate legitimate actions from attacks and no scope for protecting SIP signaling UAs implicitly authorize some intermediary alterations and not others –We all seem to agree that UAs do not, for example, authorize intermediary changes to the key fingerprints in SDP Today, this is poorly understood –We need the real “amdr” before we get into solutioneering –That requires, essentially, some formalization of SBCs

4 Promising Directions Intermediaries Instruct UAs –ICE, pieces of GRUU, original problem space of session-policy, etc. –Original chartered direction on this problem Best architectural approach IMHO Verification Assertions –Intermediary verifies Identity and resigns as itself May make arbitrary changes before it does so –Why is this better? It’s clear who is responsible