End-to-middle Security in SIP
draft-ietf-sipping-e2m-sec-reqs-03
draft-ono-sipping-end2middle-security-02
Kumiko Ono, ono.kumiko@lab.ntt.co.jp
IETF60
Requirements
Changes since 02
• Use cases
– Decreased the dependency on the session policies discussion.
• Requirements
– Closed an open issue on whether the proxy server needs to notify the UAS after receiving a response.
• Because there is no security policy that depends solely on a response.
– Deleted text which belonged to a mechanism.
– Changed the requirement for the discovery mechanism from proxy-driven to UA-driven.
• Security Consideration
– Added text which relates to DoS attacks on proxy servers.
Open Issue: the scope
• Is discovery of “middle” overlapping with the scope of the session policy?
– Discussion on the ML
– My proposal:
• Yes, they overlap in the discovery mechanism. I will add notes that refer to the session policy.
However, the e2m mechanism should have a way to notify the proxy’s policy using an error message.
Next Steps for e2m-reqs.
• Something missing?
• Ready for WGLC?
Mechanism
Open Issues e2m-mechs.
1. How to discover security policies on “middle”
2. How to label a body for “middle” for inspection only :-)
How to label a body for “middle”
• Option 1: A SIP header and Content-ID MIME header
– This is used in the Referred-By mechanism.
• Option 2: A Content-Target MIME header
– This is proposed in the e2m I-D.
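As an added example, not code from the slides or from either draft, the following Python script shows how a proxy (the “middle”) would locate the single body part it is allowed to inspect under each of the two labelling options, leaving every other part untouched. The SIP header name E2M-Target used for Option 1 is hypothetical (the slide does not name the header; the cid= parameter follows the Referred-By pattern), the Content-Target value "proxy" for Option 2 is an assumed syntax since the slide gives only the header name, and the INVITE it parses is constructed sample data with a placeholder in place of real S/MIME ciphertext.

```python
# Added example; not code from the slides or from the e2m drafts.
# A proxy ("middle") finds the one body part labelled for it under the two
# labelling options on the slide and leaves every other part alone.
# Assumptions: the SIP header name "E2M-Target" (Option 1) is hypothetical,
# and the Content-Target value "proxy" (Option 2) is an assumed syntax.
import re
from typing import Dict, List, Optional, Tuple

CRLF = "\r\n"
Part = Tuple[Dict[str, str], str]  # (MIME part headers, part content)


def parse_headers(block: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased name."""
    headers: Dict[str, str] = {}
    for line in block.split(CRLF):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def split_multipart(content_type: str, body: str) -> List[Part]:
    """Split a multipart body on its boundary; a non-multipart body is one part."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        return [({"content-type": content_type}, body)]
    parts: List[Part] = []
    for chunk in body.split("--" + m.group(1)):
        chunk = chunk.strip(CRLF)
        if not chunk or chunk.startswith("--"):  # preamble, epilogue or closing delimiter
            continue
        head, _, content = chunk.partition(CRLF + CRLF)
        parts.append((parse_headers(head), content))
    return parts


def part_for_middle(msg: str) -> Optional[Tuple[str, Part]]:
    """Return ('option1' | 'option2', part) for the part the proxy may inspect, else None."""
    head, _, body = msg.partition(CRLF + CRLF)
    sip_headers = parse_headers(head.partition(CRLF)[2])  # drop the request line
    parts = split_multipart(sip_headers.get("content-type", ""), body)
    # Option 1: a SIP header names the part by Content-ID, so the SIP headers
    # alone tell the proxy whether anything is addressed to it before it parses the body.
    cid = re.search(r'cid="?<?([^">;]+)>?"?', sip_headers.get("e2m-target", ""))
    if cid:
        for part in parts:
            if part[0].get("content-id", "").strip("<>") == cid.group(1):
                return "option1", part
        return None  # dangling reference: nothing to inspect
    # Option 2: the part itself says who it is for, so every multipart body is walked.
    for part in parts:
        if part[0].get("content-target", "").lower() == "proxy":
            return "option2", part
    return None


def build_invite(option: int) -> str:
    """Construct a sample INVITE (constructed data): an SDP part for the UAS plus a
    second, S/MIME-enveloped part (placeholder bytes) labelled for the proxy.
    option 1 / 2 selects the labelling; any other value attaches no label."""
    boundary = "e2m-boundary"
    sdp = CRLF.join(["v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=-", "m=audio 49170 RTP/AVP 0"]) + CRLF
    sdp_part = "Content-Type: application/sdp" + CRLF + CRLF + sdp
    middle_headers = ["Content-Type: application/pkcs7-mime; smime-type=enveloped-data",
                      "Content-ID: <for-proxy@example.com>"]
    if option == 2:
        middle_headers.append("Content-Target: proxy")  # assumed value syntax
    middle_part = CRLF.join(middle_headers) + CRLF + CRLF + "PLACEHOLDER-BASE64-CIPHERTEXT" + CRLF
    sip_headers = [
        "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK776",
        "From: <sip:alice@example.com>;tag=1928",
        "To: <sip:bob@example.com>",
        "Call-ID: a84b4c76e66710@192.0.2.10",
        "CSeq: 1 INVITE",
        f'Content-Type: multipart/mixed; boundary="{boundary}"',
    ]
    if option == 1:  # hypothetical header name; cid= mirrors Referred-By
        sip_headers.append('E2M-Target: <sip:proxy.example.com>;cid="<for-proxy@example.com>"')
    body = (f"--{boundary}{CRLF}{sdp_part}"
            f"--{boundary}{CRLF}{middle_part}"
            f"--{boundary}--{CRLF}")
    return "INVITE sip:bob@example.com SIP/2.0" + CRLF + CRLF.join(sip_headers) + CRLF + CRLF + body


if __name__ == "__main__":
    for opt in (1, 2, 0):
        print(opt, part_for_middle(build_invite(opt)))
```

Two things the code makes visible: with Option 1 the proxy can tell from the SIP headers alone whether any part is addressed to it and otherwise forward the message without parsing the body, whereas with Option 2 it has to walk the MIME structure of every multipart body to find out; and under both options a message that carries no label for the proxy yields no part at all, so nothing is decrypted or inspected.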
Experimental Data
• Environment
– CPU: Intel Celeron 2.2GHz
– RAM: 512MB
– INVITE message: 568 bytes
– Passing through a proxy server: 41.5 ms
– Target data size to be encrypted/signed: 868 bytes
• multipart/mime that contains sipfrag and SDP
– Public key size (RSA): 1024 bits
– CEK size (3DES): 168 bits
• S/MIME-secured message size (base64-encoded)
– e2e encryption: 2358 bytes
– e2e+e2m encryption: 2630 bytes
• Performance at a proxy server
– Passing through: 47.9 ms
– Checking the label and passing through:
• Opt1: Label in a new SIP header: +0.1 ms
• Opt2: Label in a new MIME header: +1.0 ms
– Checking the label, decrypting and inspecting a body:
• Opt1: Label in a new SIP header: +8.8 ms
• Opt2: Label in a new MIME header: +8.4 ms
Next Steps for e2m-mechs.
• Is there sufficient interest in the SIPPING WG to continue this work?