1 IETF 72 SIP WG meeting SIP Identity issues John Elwell et alia.

Slides:

Advertisements

Similar presentations

Re-INVITE Handling draft-camarillo-sipping-reinvite-00.txt

Advertisements

SIP Session-ID draft-kaplan-sip-session-id-02 Hadriel Kaplan.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

IETF 71 SIPPING WG meeting draft-ietf-sipping-pai-update-00.

SIP and IMS Enabled Residential Gateway Sergio Romero Telefónica I+D Jan Önnegren Ericsson AB Alex De Smedt Thomson Telecom.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.

DISPATCH Call-Info purpose for TRS (draft-kyzivat-dispatch-trs-call-info-purpose-02) IETF 92, March 23, 2015 Author: Paul Kyzivat Presenting: Brian Rosen.

Identifying intra-realm calls with explicit addressing realm identifier attribute François AUDET SIPPING WG Meeting IETF-57.

9,825,461,087,64 10,91 6,00 0,00 8,00 SIP Identity Usage in Enterprise Scenarios IETF #64 Vancouver, 11/2005 draft-fries-sipping-identity-enterprise-scenario-01.txt.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.

SIP and NAT Dr. Jonathan Rosenberg Cisco Fellow. What is NAT? Network Address Translation (NAT) –Creates address binding between internal private and.

Session-ID Requirements for IETF84 draft-ietf-insipid-session-id-reqts-00 1 August 2012 Paul Jones, Gonzalo Salgueiro, James Polk, Laura Liess, Hadriel.

1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri

RTP Relay Support in Intelligent Gateway Author: Pieere Pi

1 RTCWEB interim Remote recording use case / requirements John Elwell.

TURN draft-ietf-behave-turn-07 Philip Matthews, Avaya Jonathan Rosenberg, Cisco Rohan Mahy, Plantronics.

Voice over Internet Services and Privacy. Agenda Problem Description Scope Recommendations.

July 10, 2006rtpsec BOF IETF-661 Best Effort SRTP Phil Zimmermann Alan Johnston.

IPv6 Home Networking Architecture - update IETF homenet WG Interim meeting Philadelphia, 6 th Oct 2011 draft-chown-homenet-arch-00.

PSTN – User ENUM – „Infrastructure ENUM“ An ETSI View Richard Stastny IETF60 San Diego.

All rights reserved © 1999, Alcatel, Paris. page n° 1 SIP for Xcast SIP for the establishment of xcast-based multiparty.

Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.

1 A Path Forward on Identity Agreement on a problem space –We all agree that E.164 numbers don’t work well with RFC4474 –Less agreement about the requirements.

B2BUA – A New Type of SIP Server Name: Stephen Cipolli Title: System Architect Date: Feb. 12, 2004.

S/MIME Certificates Cullen Jennings

PPSP NAT traversal Lichun Li, Jun Wang, Wei Chen {li.lichun1, draft-li-ppsp-nat-traversal-02.

Cullen Jennings Certificate Directory for SIP.

SIPPING IETF 57 Jonathan Rosenberg dynamicsoft.

November 2005IETF64 - ECRIT1 Emergency Service Identifiers draft-ietf-sipping-sos-01 draft-schulzrinne-sipping-service-01 Henning Schulzrinne Columbia.

Peering Considerations for Directory Assistance and Operator Services - John Haluska Telcordia SPEERMINT, IETF 68 Prague, Czech Republic 20 March 2007.

The State of VoIP Peering Charles Studt Director of Product Management, VoEX.

S/MIME and Certs Cullen Jennings

Content-oriented Networking Platform: A Focus on DDoS Countermeasure ( In incremental deployment perspective) Authors: Junho Suh, Hoon-gyu Choi, Wonjun.

Peering: A Minimalist Approach Rohan Mahy IETF 66 — Speermint WG.

Requirements for SIP-based VoIP Interconnection (BCP) draft-natale-sip-voip-requirements-00.txt Bob Natale For Consideration by the.

Rfc4474bis-01 IETF 90 (Toronto) STIR WG Jon. First principles (yet again) Separating the work into two buckets: 1) Signaling – What fields are signed,

1 IETF 88 (Vancouver) November 6, 2013 Cullen Jennings V3.

Requirements Hash Cash & Pay IETF 62 - Sipping WG Cullen Jennings.

Caller Prefs and Friends Jonathan Rosenberg dynamicsoft.

Making SIP NAT Friendly Jonathan Rosenberg dynamicsoft.

Page 1 IETF Speermint Working Group Speermint Requirements/Guidelines for SIP session peering draft-ietf-speermint-requirements-02 IETF 69 - Monday July.

Interactive Connectivity Establishment : ICE

Open issues from SIP list Jonathan Rosenberg dynamicsoft.

Name that User John Elwell Cullen Jennings Venkatesh Venkataramanan

17 February 2016 SIPPING - IEPREP Joint Meeting Fred Baker - IEPREP co-chair Rohan Mahy - SIPPING co-chair.

Networking Components Assignment 3 Corbin Watkins.

IETF70, Vancouver, December 2007draft-wing-sip-identity-media-011 SIP Identity using Media Path draft-wing-sip-identity-media-01 Dan Wing,

ENUM-based Softswitch Requirement 19 Mar th IETF – Prague, Czech JoonHyung National Internet Development.

1 End-to-middle Security in SIP Kumiko Ono NTT Corporation March 1, 2004 draft-ietf-sipping-e2m-sec-reqs-01.txt draft-ono-sipping-end2middle-security-01.txt.

Globally Identifiable Number (GIN) Registration Adam Roach draft-martini-roach-gin-01 IETF 77 – Anaheim, CA, USA March 22, 2010.

1 Coping with Early Media Brian Stucker Nortel Systems/Standards Architect November 6th, 2006.

Peer-to-Peer Solutions Between Service Providers David A. Bryan CTO, Jasomi Networks October 10, 2002 – Fall VON, Atlanta, GA.

Postech DP&NM Lab Session Initiation Protocol (SIP) Date: Seongcheol Hong DP&NM Lab., Dept. of CSE, POSTECH Date: Seongcheol.

7-May-02SIP/SIPPING Interim Meeting1 Application Interaction Requirements Draft-culpepper-app-interact-reqs-01.txt.

End-to-middle Security in SIP

draft-rescorla-fallback-01

THIS IS THE WAY ENUM Variants Jim McEachern

Cullen Jennings S/MIME Certificates Cullen Jennings

IP-NNI Joint Task Force Status Update

Chris Wendt, David Hancock (Comcast)

SIP Identity issues John Elwell, Jonathan Rosenberg et alia

IP-NNI Joint Task Force Status Update

Jean-François Mulé CableLabs

Hannes Tschofenig Henning Schulzrinne M. Shanmugam

RFC PASSporT Construction 6.2 Verifier Behavior

IP Interconnection Profile

Emergency Calling Services (Calls for police, fire, ambulance, etc.)

Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006

draft-ietf-stir-oob-02 Out of Band

Presentation transcript:

1 IETF 72 SIP WG meeting SIP Identity issues John Elwell et alia

2 SIP Identity - do we have a problem? 7 drafts cited in corresponding presentation at IETF 71 3 more drafts since then: –draft-elwell-sip-e2e-identity-important-00 –draft-kaplan-sip-asserter-identity-00 –draft-kaplan-sip-uris-change-00 Huge amount of traffic since IETF 71 –by far the largest discussion topic based on list traffic So is there a problem? –It seems there must be, but disagreement on exactly what the problem is –Focus today on what the problem is – ignore solutions for now –Look at broader picture – what do UAS and called user need? –Ignore related issues of PSTN interworking and response identity

3 List threads since IETF 71 (as of a few days ago)

4 Use case showing media steering breaking signature on -style URI Supplier.com submits signed caller ID Carrier.net has one or more SBCs doing media steering: –to ensure RTP media flow across QoS-assured paths (e.g., avoiding low bandwidth paths, or over the Internet via another ISP) –therefore changes IP addresses / ports in SDP Customer.com receives same caller ID but signature broken Applies to other scenarios with >=1 intermediate domains, e.g.: supplier.comcarrier.netcustomer.comUACUAS signature:d6s475f… signature:d6s475f… (BROKEN) carrier1.netcarrier2.netcarrier3.netUACUAS supplier.com UAC carrier1.net carrier2. net carrier3.net customer.com UAS

5 Potential work-arounds Carrier.net re-signs using its certificate (carrier.net as subject) –Can’t because it needs a supplier.com certificate (subject must match domain in From URI) Carrier.net changes the From URI and re-signs using its certificate –Can’t, without scrambling the URI somehow, such as –This would undoubtedly break any URI matching at the UAS or at a customer.com proxy, e.g., for white list or other automatic call handling (ACH) checks –If presented to the called user in this form, it might be confusing at best –Even worse if multiple carrier domains involved, resulting in something like –Additional burden on carriers – they may not wish to do this Use a STUN relay to achieve media steering –This requires knowledge on part of the UA to insert the relay

6 Potential work-arounds (continued) Carrier.net, as a CA, could sign a certificate with subject supplier.com, and then use that to re-sign the message –Not precluded by RFC 4474 –Requires verifier in customer.com to recognise carrier.net as a trusted CA –Allows re-signing without changing the From URI Limitations of above: –Effectively this introduces transitive trust, since the callee has to trust carrier.net, which in turn has trusted the upstream domain, and so on –Verifier in customer.com cannot see the trust chain – only sees that carrier.net has signed on behalf of supplier.com –Breaks if any domain on the path: does not support re-signing (i.e., breaks the signature without re-signing) does not trust the assertion by its upstream domain (might happen with ad hoc peering) Apart from not doing media steering, there does not seem to be an effective work-around with the present RFC 4474

7 Other issues The horse has already bolted with E.164-based SIP URIs –In present deployments, domain name is often changed as request crosses domain boundaries –In present deployments, there is no sense of the domain part of an E.164-based SIP URI representing “ownership” of the number –No consistency as to when user=phone is or is not used –Therefore don’t try to fix this- focus on non-E.164-based (or non- telephone-number-based) SIP URIs Handling of received identity information at UAS: –Use of PAI versus From/Identity –Various forms of URI representing the same user – how to cope with this for phone book look-up, white-listing, automated call handling (ACH) –From information received, what to present to the user (not how) including aspects such as telephone number, non-telephone-number user part, domain name, PAI versus From, security level –Whole area is very undefined and would probably benefit from a BCP

8 Dan's Whitelist Goal: Identify a repeat caller who uses an IP device so we can whitelist Requirements: –Out of band media fingerprinting –Correlation of identity between calls, able to match identity of new caller to previous caller –Work through B2BUA/SBC

9 Questions for SIP WG 1.Does the WG wish to work on solving the problem of achieving end-to-end (or end- domain-to-end-domain) authenticated identity for non-number-based SIP URIs when media steering is performed by transit domains? 2.Does the WG wish to work on a BCP or similar saying how a UA should handle received identity information?