Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013.

Published byVernon Phelps Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013."— Presentation transcript:

1 Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013

2 In-band precedents RFC3325 (short-term identity) – Advantages: deployable, deployed! – Disadvantages: requires trusted network, and… Impersonation thrives in existing trusted networks RFC4474 (long-term identity) – Advantages: Great for SIP URIs and RFC3261 compliance – Disadvantages: doesn’t play well with telephone numbers, much of the world isn’t RFC3261-compliant Many subsequent attempts to do better – Alternative signature scopes, tokens, etc. – VIPR notably tried to solve identity and a host of related problems

3 Components of an in-band solution A field to carry a signature over various headers in a SIP request – e.g., RFC4474 Identity header – Intended to provide a cryptographic assertion of authority over the From header field and other components of the message: Prevent replay by cut-and-paste attacker – Problem: many elements are changed by SIP intermediaries, which to choose? A way to acquire and validate the public key of the signer over those headers – e.g., the RFC4474 Identity-Info header Includes carrying the key in band – Problem: Many viable approaches, which to allow/disallow? RF4474 vaguely assumed public ENUM would have certs for numbers in the DNS

4 In-band STIR Logical Architecture Inter- Mediary Inter- Mediary PBX Endpoint PBX Endpoint User Endpoint User Endpoint User Endpoint User Endpoint User Endpoint Logical Authority Logical Authority Unsigned Requests Inter- Mediary Inter- Mediary PBX Endpoint PBX Endpoint User Endpoint User Endpoint User Endpoint User Endpoint Credential Provisioning Credential Validation Signed Requests

5 Revisiting what? Which RFC4474 assumptions failed? SIP deployments remained focused on PSTN interworking – IP-PSTN, PSTN-IP, IP-PSTN-IP, PSTN-IP-PSTN – Telephone numbers are therefore the primary identifier of SIP – No story for certs in e164.arpa ever took hold Lack of unmediated end-to-end SIP signaling – Deployments are highly mediated, intermediary agency is not bounded – Mediated for various reasons, from NAT to interop to security Policy enforcement of many kinds – Many calls still drop to the PSTN due to lack of IP routes RFC4474 solved for SIP requests in general – Assumed a world with MESSAGEs and NOTIFYs, not just INVITEs

6 Rescoping to the Problem For threats like robocalling and voicemail hacking, man-in-the-middle attacks are not a real concern How best to separate the replay-protection goal from the man-in-the-middle prevention goal? – Not an entirely clean split – Scope the To/From protection to just the telephone number, when a telephone number is present Domain or other parameters not helpful Canonicalization required, a non-trivial problem – Necessarily include some kind of timestamp (Date) – Handle body protection separately, when you need it Ultimately, possible to create some kind of linked two-layer signature

7 Limits of in-band It’s in-band – At best, this addresses the SIP-to-SIP use case Maybe, e.g. IKES, with something else in the middle – Not going to help with SIP-to-PSTN, PSTN-to-PSTN – But we believe IP-to-IP is the future, right? So we still need in-band Will SIP networks allow it? – Difficult to anticipate what will survive deployments No guarantees are possible – Needs to change existing service behavior Intermediaries need to do new things

Download ppt "Identity in SIP (and in-band) STIR BoF Berlin, DE 7/30/2013."

Similar presentations

Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.

Rfc4474bis-01 IETF 89 (London) STIR WG Jon & Cullen.
Authentication in SIP Jon Peterson NeuStar, Inc Internet2 Member Meeting Los Angeles, CA - Nov 2002.

Authentication in SIP Jon Peterson NeuStar, Inc Internet2 Member Meeting Los Angeles, CA - Nov 2002.
STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.

STIR Credentials IETF 88 (Vancouver) Wednesday Session Jon & Hadriel.
STIR Secure Telephone Identity. Context and drivers STIR Working Group Charter Problem Statement Threats Status of work Related work and links Introduction.

STIR Secure Telephone Identity. Context and drivers STIR Working Group Charter Problem Statement Threats Status of work Related work and links Introduction.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.

September 19, 2006speermint interim1 VoIP Threats and Attacks Alan Johnston.
Requirements for Resource Priority Mechanisms for the Session Initiation Protocol draft-ietf-ieprep-sip-reqs-01 Henning Schulzrinne Columbia University.

Requirements for Resource Priority Mechanisms for the Session Initiation Protocol draft-ietf-ieprep-sip-reqs-01 Henning Schulzrinne Columbia University.
Internet Protocol Security (IPSec)

Internet Protocol Security (IPSec)
August 13-14, 2002 Washington, DC Gary Richenaker Chair ENUM Forum 973 829-4305

August 13-14, 2002 Washington, DC Gary Richenaker Chair ENUM Forum
1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri

1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri
SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13, 2014 1.

SIP Authorization Framework Use Cases Rifaat Shekh-Yusef, Jon Peterson IETF 91, SIPCore WG Honolulu, Hawaii, USA November 13,
DTMF & Universal User Key Input Skip Cave InterVoice-Brite Inc.

DTMF & Universal User Key Input Skip Cave InterVoice-Brite Inc.
Voice over Internet Services and Privacy. Agenda Problem Description Scope Recommendations.

Voice over Internet Services and Privacy. Agenda Problem Description Scope Recommendations.
1 NGN Issues - Numbering and Addressing Peter Darling ACIF NGN FOG No. 3.

1 NGN Issues - Numbering and Addressing Peter Darling ACIF NGN FOG No. 3.
Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.

Architectural Considerations for GEOPRIV/ECRIT Presentation given by Hannes Tschofenig.
B2BUA – A New Type of SIP Server Name: Stephen Cipolli Title: System Architect Date: Feb. 12, 2004.

B2BUA – A New Type of SIP Server Name: Stephen Cipolli Title: System Architect Date: Feb. 12, 2004.
Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.
STIR Charter (discussion) STIR BoF Berlin, DE 7/30/2013.

STIR Charter (discussion) STIR BoF Berlin, DE 7/30/2013.
Secure Credential Manager Claes Nilsson - Sony Ericsson 2009-12-15.

Secure Credential Manager Claes Nilsson - Sony Ericsson
Chapter 21 Distributed System Security Copyright © 2008.

Chapter 21 Distributed System Security Copyright © 2008.

Similar presentations

Ads by Google