SAML for SIP Hannes Tschofenig, Jon Peterson, James Polk, Douglas Sicker, Marcus Tegnander.

SAML for SIP Hannes Tschofenig, Jon Peterson, James Polk, Douglas Sicker, Marcus Tegnander

IETF#61 Current Status
- The SIP header may either carry an Artifact or a CID URI.
- The draft also allows the Asserting Party to add a URL to point to the Assertion to prevent this level of indirection.
- The SIP body may carry one or more SAML Assertions.
- The MIME type of this SAML Assertion is defined in [I-D.hodges-saml-mediatype].

IETF#61 What prevents us from finalizing the draft?
A few identified problems:
- Assertion Constraints and Scope
- Reference Integrity
- Canonicalization versus Replication: related to reference integrity and how fields are hashed.
- Placement of Assertions in Messages: header vs. body, technical mechanisms (e.g., the SIP content indirection mechanism).
Related draft of importance: Peterson, J., "Security Considerations for Impersonation and Identity in Messaging Systems", draft-peterson-message-identity-00 (work in progress), October 2004.

IETF#61 Assertion Constraints and Scope - Motivation
[Figure: User Agent (Alice, sip.local.edu), Auth Service, Proxy Server, User Agent (Joe, sip.remote.edu). The INVITE + Assertion is forwarded hop by hop towards Joe. A Malicious Proxy Server that relays the INVITE + Assertion can impersonate Alice towards Joe.]

IETF#61 Assertion Constraints and Scope - Solution Approaches
- Placing some restrictions in the Assertion (e.g., sender, receiver, lifetime)
- Reference Integrity: binding the Assertion/Artifact to a particular session (based on a number of selected fields) using a digest over the From, Call-ID, Date and Contact headers
- Usage of "Holder-of-the-Key": binds a key (symmetric or asymmetric) to the assertion and allows the SIP UA to actively participate in the exchange. Might be very interesting in relationship with.

IETF#61 Routing Requests through an Authentication Service (proxy model)
[Figure: User Agent (Alice, sip.local.edu) sends INVITE to the Auth Service; the Auth Service forwards INVITE (w/Artifact) to the Proxy Server at sip.remote.edu, which forwards INVITE to Joe's User Agent.]
- The Auth Service attaches the Artifact to the SIP message.
- Joe (or even the Proxy Server) needs to fetch the Assertion from the Auth Server in order to inspect it.

IETF#61 Routing Requests through an Authentication Service (client redirection model)
[Figure: User Agent (Alice, sip.local.edu) sends INVITE to the Auth Service, which answers 428 (w/Artifact-or-Assertion); the User Agent then sends INVITE (w/Artifact-or-Assertion) to the Proxy Server at sip.remote.edu, which forwards INVITE to Joe's User Agent.]
- The Auth Service attaches the Artifact or Assertion to the SIP message.
- Joe (or even the Proxy Server) can inspect the Artifact/Assertion.

IETF#61 Issues for further investigation
- Which parameters do you use to compute the Reference Integrity?
- Binding the Assertion to the From-To field allows you to reuse the Assertion between (, ) [considering some other constraints]. This might, in some scenarios, not be desired.
- You might want to include the Call-ID in some other scenarios.
- How does the Authentication Service know what you would like to have?
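The following Python example is added here as an illustration; it is not part of the slides or of the SAML-for-SIP draft. It implements the two ideas from the "Solution Approaches" slide (assertion constraints on sender, receiver and lifetime, plus a reference-integrity digest over selected SIP headers) and then exercises the question raised on the "Issues for further investigation" slide by comparing a per-session field set against a From/To-only binding. The digest construction (SHA-256 over lowercased header names and values in a fixed order), the dictionary form of the assertion, the two field sets and the sample INVITE are my own assumptions; the draft's canonicalization rules and the SAML XML encoding are not modelled.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample INVITE from Alice (sip.local.edu) to Joe (sip.remote.edu).
# All values are made up for this example.
INVITE = (
    "INVITE sip:joe@sip.remote.edu SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc.local.edu;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@sip.local.edu>;tag=1928301774\r\n"
    "To: Joe <sip:joe@sip.remote.edu>\r\n"
    "Call-ID: a84b4c76e66710@pc.local.edu\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@pc.local.edu>\r\n"
    "Date: Thu, 11 Nov 2004 10:00:00 GMT\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Two candidate field sets for the reference-integrity digest (assumed, not the draft's).
SESSION_FIELDS = ("From", "To", "Call-ID", "Date", "Contact")  # bound to one session
PARTY_FIELDS = ("From", "To")                                  # reusable between the two parties

def parse_headers(msg):
    """Return {lowercased-name: value} for the header block of a SIP message."""
    headers = {}
    for line in msg.split("\r\n")[1:]:
        if line == "":
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return headers

def reference_digest(headers, fields):
    """SHA-256 over the chosen headers in a fixed order. The canonical form used
    here (lowercased names, stripped whitespace, one header per line) is an
    assumption; the draft's canonicalization rules were still an open issue."""
    canon = "\n".join(f"{f.lower()}:{headers[f.lower()]}" for f in fields)
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()

def issue_assertion(msg, fields, now, lifetime_s=300):
    """Auth Service side: constrain the assertion to sender, receiver and lifetime,
    and bind it to the request. A dict stands in for the SAML XML assertion."""
    h = parse_headers(msg)
    return {
        "subject": h["from"],
        "audience": h["to"],
        "not_before": now,
        "not_on_or_after": now + timedelta(seconds=lifetime_s),
        "bound_fields": fields,
        "digest": reference_digest(h, fields),
    }

def verify_assertion(assertion, msg, now):
    """Receiver side (Joe's UA or a proxy): returns (ok, reason)."""
    if not (assertion["not_before"] <= now < assertion["not_on_or_after"]):
        return False, "assertion outside its validity window"
    h = parse_headers(msg)
    if h.get("from") != assertion["subject"]:
        return False, "From does not match the asserted subject"
    if h.get("to") != assertion["audience"]:
        return False, "To does not match the asserted audience"
    try:
        expected = reference_digest(h, assertion["bound_fields"])
    except KeyError as missing:
        return False, f"bound header {missing} is absent from the request"
    if not hmac.compare_digest(expected, assertion["digest"]):
        return False, "reference-integrity digest mismatch: assertion reused with a modified request"
    return True, "ok"

def altered_request(msg, **changes):
    """Rewrite selected headers of a request, as a relaying proxy could."""
    out = []
    for line in msg.split("\r\n"):
        name = line.partition(":")[0]
        out.append(f"{name}: {changes[name]}" if name in changes else line)
    return "\r\n".join(out)

def demo():
    """Check both bindings against the original request, a reuse under a new
    Call-ID, a retargeted To header, and an expired assertion."""
    t0 = datetime(2004, 11, 11, 10, 0, tzinfo=timezone.utc)
    new_call = altered_request(INVITE, **{"Call-ID": "f00dbabe@relay.example"})
    other_callee = altered_request(INVITE, To="Bob <sip:bob@sip.remote.edu>")
    results = {}
    for label, fields in (("session", SESSION_FIELDS), ("party", PARTY_FIELDS)):
        a = issue_assertion(INVITE, fields, now=t0)
        results[label, "original"] = verify_assertion(a, INVITE, now=t0)[0]
        results[label, "new-call-id"] = verify_assertion(a, new_call, now=t0)[0]
        results[label, "other-callee"] = verify_assertion(a, other_callee, now=t0)[0]
        results[label, "expired"] = verify_assertion(a, INVITE, now=t0 + timedelta(minutes=10))[0]
    return results
```

Calling demo() shows the trade-off the slide points at: with PARTY_FIELDS the assertion still verifies when the same request is reused under a new Call-ID (the reuse between the two parties the slide mentions), while SESSION_FIELDS rejects it; both bindings reject a changed To header and an assertion checked outside its lifetime. Holder-of-the-Key binding is not modelled here.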

IETF#61 Going a step further...
[Figure: User Agent (Alice, sip.local.edu) sends INVITE (w/Artifact-or-Assertion) to the Proxy Server at sip.remote.edu, which forwards INVITE to Joe's User Agent; the Assertion/Artifact is fetched from the Auth Service over HTTP.]
- Fetching an Assertion/Artifact using HTTP (or other protocols).
- Joe (or even the Proxy Server) can inspect the Artifact/Assertion.
- What fields do you include in the Assertion to provide Reference Integrity?

IETF#61 Please send us comments! Questions?