End-to-middle Security in SIP
draft-ietf-sipping-e2m-sec-reqs-03
draft-ono-sipping-end2middle-security-02
Kumiko Ono
IETF60
Requirements
Changes since 02
• Use cases
– Decreased the dependency on the session policies discussion.
• Requirements
– Closed an open issue on whether the proxy server needs to notify the UAS after receiving a response.
• Because there is no security policy that depends solely on a response.
– Deleted text which belonged to a mechanism.
– Changed the requirement for the discovery mechanism from proxy-driven to UA-driven.
• Security Considerations
– Added text which relates to DoS attacks on proxy servers.
Open Issue: the scope
• Is discovery of “middle” overlapping with the scope of the session policy?
– Discussion on the ML
– My proposal:
• Yes, they overlap in the discovery mechanism. I will add notes that refer to the session policy.
However, the e2m mechanism should have a way to notify the proxy’s policy using an error message.
Next Steps for e2m-reqs.
• Something missing?
• Ready for WGLC?
Mechanism
Open Issues e2m-mechs.
1. How to discover security policies on “middle”
2. How to label a body for “middle” for inspection only :-)
How to label a body for “middle”
• Option 1: A SIP header and Content-ID MIME header
– This is used in Referred-by mechanism.
• Option 2: A Content-Target MIME header
– This is proposed in the e2m I-D.
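As an added illustration (not code from the draft or these slides), the following shows how a proxy ("middle") would locate the body part it is allowed to inspect under each option. The SIP header name used for Option 1 is hypothetical, and the value syntax of the Content-Target MIME header for Option 2 is assumed, since the slides give neither.

```python
"""Find the body part labelled for the proxy ("middle") under Option 1 / Option 2."""
from email import message_from_bytes, policy

OPT1_SIP_HEADER = "target-for-middle"   # hypothetical SIP header carrying a cid: URI
OPT2_MIME_HEADER = "content-target"     # named in the I-D; value syntax assumed

# Constructed sample INVITE: multipart body with a sipfrag and an SDP part.
SAMPLE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Content-Type: multipart/mixed; boundary=bnd\r\n"
    b"Target-For-Middle: <cid:sdp1@example.com>\r\n"
    b"\r\n"
    b"--bnd\r\nContent-Type: message/sipfrag\r\nContent-ID: <frag1@example.com>\r\n"
    b"\r\nSIP/2.0 200 OK\r\n"
    b"--bnd\r\nContent-Type: application/sdp\r\nContent-ID: <sdp1@example.com>\r\n"
    b"Content-Target: middle\r\n\r\nv=0\r\n"
    b"--bnd--\r\n"
)

def split_sip(raw: bytes):
    """Split a SIP message into {lowercase header name: [values]} and the raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.decode().partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def parse_body(headers, body: bytes):
    """Parse the body as MIME, reusing the SIP-level Content-Type header."""
    ctype = headers["content-type"][0].encode()
    return message_from_bytes(b"Content-Type: " + ctype + b"\r\n\r\n" + body,
                              policy=policy.default)

def parts_for_middle(raw: bytes):
    """Return (option, content type) for every body part labelled for the proxy."""
    headers, body = split_sip(raw)
    msg = parse_body(headers, body)
    parts = msg.get_payload() if msg.is_multipart() else [msg]
    found = []
    # Option 1: a SIP header references one part by its Content-ID (cid: URI).
    for value in headers.get(OPT1_SIP_HEADER, []):
        cid = value.strip("<>")
        cid = cid[4:] if cid.startswith("cid:") else cid
        found += [("opt1", p.get_content_type()) for p in parts
                  if p.get("Content-ID", "").strip("<>") == cid]
    # Option 2: the part itself carries the label in a MIME header.
    found += [("opt2", p.get_content_type()) for p in parts
              if p.get(OPT2_MIME_HEADER, "").lower() == "middle"]
    return found
```

Option 1 costs one extra SIP header scan plus a Content-ID match, while Option 2 requires walking every MIME part, which is consistent with the per-message overhead difference measured on the next slide.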
Experimental Data
• Environment
– CPU: Intel Celeron 2.2GHz
– RAM: 512MB
– INVITE message: 568 bytes
– Passing through a proxy server: 41.5 ms
– Target data size to be encrypted/signed: 868 bytes
• multipart/mime that contains sipfrag and SDP
– Public key size (RSA): 1024 bits
– CEK size (3DES): 168 bits
• S/MIME-secured message size (base64-encoded)
– e2e encryption: 2358 bytes
– e2e+e2m encryption: 2630 bytes
• Performance at a proxy server
– Passing through: 47.9 ms
– Checking the label and passing through:
• Opt1: Label in a new SIP header: +0.1 ms
• Opt2: Label in a new MIME header: +1.0 ms
– Checking the label, decrypting and inspecting a body:
• Opt1: Label in a new SIP header: +8.8 ms
• Opt2: Label in a new MIME header: +8.4 ms
Next Steps for e2m-mechs.
• Is there sufficient interest in the SIPPING WG to continue this work?