Thread: Doc we need to have draft-ietf-sip-dtls-srtp-framework-01 on the -71 agenda?

Doc we need to have draft-ietf-sip-dtls-srtp-framework-01 on the -71 agenda?
2008-02-28 12:07:50
Is there any need for discussion of the DTLS framework
(draft-ietf-sip-dtls-srtp-framework-01) during our meeting?

The authors think that it is pretty much ready for WGLC and that all
known issues have been resolved.

The list has been fairly quiet on the topic.

Anybody read the new version yet and have an opinion?

--
Dean
_______________________________________________
Sip mailing list  https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

Re: Doc we need to have draft-ietf-sip-dtls-srtp-framework-01 on the -71 agenda?
2008-02-28 13:18:30

Dean Willis wrote:
> Is there any need for discussion of the DTLS framework
> (draft-ietf-sip-dtls-srtp-framework-01) during our meeting?
> 
> The authors think that it is pretty much ready for WGLC and that all
> known issues have been resolved.

I do not agree.

One of the points I raise in my rfc4474-concerns draft is that dtls-srtp
is basing integrity of the fingerprint on 4474, and that 4474 does not
provide integrity against intermediary modifications of the number, and
even for user@domain names this can happen.

I think this needs to be called out in the draft. The security
considerations section does not discuss this.

-Jonathan R.


-- 
Jonathan D. Rosenberg, Ph.D.
Cisco Fellow
Cisco, Voice Technology Group
jdrosen@cisco.com
http://www.jdrosen.net
PHONE: (408) 902-3084
499 Thornall St.
Edison, NJ 08837
http://www.cisco.com

Re: Doc we need to have draft-ietf-sip-dtls-srtp-framework-01 on the -71 agenda?
2008-02-28 13:30:46
At Thu, 28 Feb 2008 14:18:30 -0500,
Jonathan Rosenberg wrote:
> Dean Willis wrote:
> > Is there any need for discussion of the DTLS framework
> > (draft-ietf-sip-dtls-srtp-framework-01) during our meeting?
> > 
> > The authors think that it is pretty much ready for WGLC and that all
> > known issues have been resolved.
> 
> I do not agree.
> 
> One of the points I raise in my rfc4474-concerns draft is that dtls-srtp
> is basing integrity of the fingerprint on 4474, and that 4474 does not
> provide integrity against intermediary modifications of the number, and
> even for user@domain names this can happen.
> 
> I think this needs to be called out in the draft. The security
> considerations section does not discuss this.

Because it's not a DTLS-SRTP issue. It's a SIP/4474 issue.

The fingerprint in the SIP messaging does *not* tie the DTLS-SRTP
handshake to the phone number or to the domain name. Rather, it ties
the media to the SIP signalling. Period. It allows whatever guarantees
you are prepared to assert about the signalling to be extended to
media. If those guarantees allow you to make assertions about the
caller (or callee) identity, then great.  If not, then DTLS-SRTP
doesn't help, nor is it intended to.

Look at it this way:
When the phone rings (or your UA shows you that the other side has
answered), it can show you some meta-information about who you're
talking to. The objections you have to RFC 4474 (and I'm not saying I
agree with them) already apply at this point, before a single RTP
packet has traversed the wire. This is not a DTLS-SRTP issue.

-Ekr
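
The media-to-signalling binding Ekr describes above, as an added example (not code from the draft or from any of the posters): the answerer hashes the DER certificate presented in the DTLS handshake and compares it with the a=fingerprint attribute (RFC 4572 syntax) carried in the peer's SDP. The certificate bytes and SDP lines are constructed stand-ins, and the RFC 4474 Identity verification that decides whether that SDP can be trusted in the first place is assumed to happen elsewhere.

```python
import hashlib
import re

# SDP hash-function names (RFC 4572) mapped to hashlib names; anything else is unsupported.
HASH_NAMES = {"sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
              "sha-384": "sha384", "sha-512": "sha512", "md5": "md5"}

# a=fingerprint:<hash-func> <HEX:HEX:...>  (RFC 4572 syntax)
_FP_RE = re.compile(r"^a=fingerprint:(\S+)\s+((?:[0-9A-Fa-f]{2}:)*[0-9A-Fa-f]{2})$")

# Constructed stand-in for a DER-encoded self-signed UA certificate (not a real certificate).
SAMPLE_CERT_DER = b"constructed-der-bytes-for-alice-ua-self-signed-cert"


def cert_fingerprint(cert_der: bytes, hash_name: str) -> bytes:
    """Fingerprint = hash of the DER certificate the UA presents in the DTLS handshake."""
    return hashlib.new(HASH_NAMES[hash_name], cert_der).digest()


def fingerprint_attribute(cert_der: bytes, hash_name: str = "sha-256") -> str:
    """Offerer side: the a=fingerprint line placed in the SDP body (which RFC 4474 signs)."""
    hexfp = cert_fingerprint(cert_der, hash_name).hex().upper()
    return "a=fingerprint:%s %s" % (hash_name, ":".join(hexfp[i:i + 2] for i in range(0, len(hexfp), 2)))


def parse_fingerprints(sdp: str):
    """Answerer side: every (hash_name, digest) the peer advertised in its SDP."""
    found = []
    for line in sdp.splitlines():
        m = _FP_RE.match(line.strip())
        if m:
            found.append((m.group(1).lower(), bytes.fromhex(m.group(2).replace(":", ""))))
    return found


def verify_peer_cert(sdp: str, peer_cert_der: bytes) -> bool:
    """Accept the DTLS peer certificate only if it matches the signalled fingerprint(s).

    Every fingerprint with a supported hash must match; unknown hashes are skipped; with
    nothing checkable we refuse, since then nothing ties the handshake to the signalling.
    This binds media to signalling only: whether the signalling itself (From, SDP) is
    authentic is the RFC 4474 Identity check, done separately and not repeated here.
    """
    checked = 0
    for hash_name, digest in parse_fingerprints(sdp):
        if hash_name not in HASH_NAMES:
            continue  # e.g. md2: cannot check it, but another line may still be checkable
        checked += 1
        if cert_fingerprint(peer_cert_der, hash_name) != digest:
            return False  # a supported fingerprint that disagrees is a hard failure
    return checked > 0
```

A missing or mismatching fingerprint rejects the handshake, while a fingerprint that matches says nothing about who the peer is beyond what the signalling already asserted.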

Re: Doc we need to have draft-ietf-sip-dtls-srtp-framework-01 on the -71 agenda?
2008-02-28 14:14:00
Without a means of binding the secure media to the identity of the
remote party, DTLS-SRTP is not a complete solution. I don't think we can
say the framework is finished until we have that complete solution. In
particular, the framework uses RFC 4474 as part of the mechanism - if
the solution to the RFC 4474 problem turns out to be something different
from RFC 4474, the framework would be wrong.

John

> -----Original Message-----
> From: sip-bounces@ietf.org [mailto:sip-bounces@ietf.org] On
> Behalf Of Eric Rescorla
> Sent: 28 February 2008 19:31
> To: Jonathan Rosenberg
> Cc: sip@ietf.org; Dean Willis
> Subject: Re: [Sip] Doc we need to have
> draft-ietf-sip-dtls-srtp-framework-01 on the -71 agenda?
> 
> At Thu, 28 Feb 2008 14:18:30 -0500,
> Jonathan Rosenberg wrote:
> > Dean Willis wrote:
> > > Is there any need for discussion of the DTLS framework
> > > (draft-ietf-sip-dtls-srtp-framework-01) during our meeting?
> > > 
> > > The authors think that it is pretty much ready for WGLC and that all
> > > known issues have been resolved.
> > 
> > I do not agree.
> > 
> > One of the points I raise in my rfc4474-concerns draft is that dtls-srtp
> > is basing integrity of the fingerprint on 4474, and that 4474 does not
> > provide integrity against intermediary modifications of the number, and
> > even for user@domain names this can happen.
> > 
> > I think this needs to be called out in the draft. The security
> > considerations section does not discuss this.
> 
> Because it's not a DTLS-SRTP issue. It's a SIP/4474 issue.
> 
> The fingerprint in the SIP messaging does *not* tie the DTLS-SRTP
> handshake to the phone number or to the domain name. Rather, it ties
> the media to the SIP signalling. Period. It allows whatever guarantees
> you are prepared to assert about the signalling to be extended to
> media. If those guarantees allow you to make assertions about the
> caller (or callee) identity, then great.  If not, then DTLS-SRTP
> doesn't help, nor is it intended to.
> 
> Look at it this way:
> When the phone rings (or your UA shows you that the other side has
> answered), it can show you some meta-information about who you're
> talking to. The objections you have to RFC 4474 (and I'm not saying I
> agree with them) already apply at this point, before a single RTP
> packet has traversed the wire. This is not a DTLS-SRTP issue.
> 
> -Ekr
