SlideShare a Scribd company logo

SIP & TLS - a very brief overview for the POSH BOF at IETF 87

Olle E Johansson
Olle E Johansson

A very brief overview of SIP for a BOF at IETF 87 in Berlin.

Technology
1 of 17
Download to read offline
Session initiation protocol & TLS Olle E. Johansson, IETF 87 Berlin, July 2013 oej@edvina.net * @oej POSH bof v 1.42
IETF 87 - July 2013 - oej@edvina.net Executive summary: • SIP security filosophy: ”Let’s put a nice and soft fluffyTLS wrapper around the connection and it’s now secure” (oej) • There’s no tradition of datacom-type security in the telco world. Customer requirements are <null>. ”SIP end to end security is like a jumping bunny with a lock in the mouth” (old IETF draft)
IETF 87 - July 2013 - oej@edvina.net The problem with SIP security • A lot of servers - proxys and b2bua’s - in the signalling path are designed to be man-in-the-middle attack platforms by default • There’s no way for a SIP client to verify remote servers (or authorize their usage). • Very hard to make sure information integrity is intact for messages between endpoints • Too much trust put into the network.
IETF 87 - July 2013 - oej@edvina.net RFC 3261 • Defines a SIPS: uri. • Support for TLS for both SIP: and SIPS: uri’s • Requires SIP TLS server certificates to have canonical hostname. How is this related to the URI? • For SIPS:TLS hop by hop, but not the last hop. • Summary: Confusing. SIP 2.0
IETF 87 - July 2013 - oej@edvina.net RFC 3263 Locating SIP servers using DNS • Requires that the DOMAIN NAME in the hostname part of the URI is in the certificate. • Released at the same time as RFC 3261 that requires HOST NAME
IETF 87 - July 2013 - oej@edvina.net RFC 5922 Sip domain certificates • Defines SIP Domain certificates and redefines matching between SIP URI and X.509 PKIX certificate. Certificate now needs to match DOMAIN part of SIP URI. • Certificate can have multiple URI’s as SubjAltName ext fields. • Domain in CN is supported if no SAN extensions exists. Mixes authentication and authorization
IETF 87 - July 2013 - oej@edvina.net RFC 5923 - Connection reuse • Requires mutual TLS certificates for reuse of connection - for server2server connections. • If no client cert, then server needs to open new TLS connection for requests in the other direction. • Doesn’t define how a server knows if a connection is a ”client” or a ”server” ?
IETF 87 - July 2013 - oej@edvina.net Mistakes • Via and Route headers are in 99% of the cases IP addresses. • Certificates are in 99% of the cases host names or domains == No match. • RFC 5922 says that these headers needs to be domains (for SRV failover) or host names
IETF 87 - July 2013 - oej@edvina.net When bad things happen • Client contacts SIP server over TLS. SIP server tries to reach another server using TLS. Bad stuff happens. • No error codes, warnings or any other docs on how to signal this situation back.
IETF 87 - July 2013 - oej@edvina.net SIP Presence Funny enough named ”simple” • Lot’s of missing information about TLS usage. • Server has active role - but how does authorization work? • Client can only identify first hop TLS server, which in most cases is NOT the presence server. • Since SIMPLE is used for certificate handling, phone provisioning, personal presence and chat there are a lot of serious security issues here.
IETF 87 - July 2013 - oej@edvina.net RFC 6072 SIP certificate distribution • Use presence to subscribe to another SIP uri’s certificate • Use presence to PUBLISH certificate • Use presence to provision UA Cert and Key • Puts a lot of trust in the network • Requires TLS between ua and certificate handling presence server • Not compatible with SIP outbound
IETF 87 - July 2013 - oej@edvina.net SIP & S/MIME • Well.Yes. Hmmm.
IETF 87 - July 2013 - oej@edvina.net RFC 4474 SIP identity • Federated message integrity and identity assurance • Protects headers and attachment • Signed by domain cert • Domain cert verified by https (or something else like Dane). • Uses HTTPS to fetch (self-signed) CA cert for SIP domain. A cool idea.
IETF 87 - July 2013 - oej@edvina.net My draft on SIP DANE usage • Use DNSsec protection of NAPTR and SRV records for authorization • Use DNSsec/TLSA records for authentication • Focuses on client to server connections • Needs more work on server2server connection reuse draft-johansson-dane-sip
IETF 87 - July 2013 - oej@edvina.net TLS usage • Don’t mix authorization with authentication • Encryption - confidentiality - is based on knowing who you are talking to. Without proper authentication you might as well forget it. • Authorization is different for different protocols (I guess)
IETF 87 - July 2013 - oej@edvina.net Ahead • Lots of work needed to clean up TLS requirements - for presence, outbound and more • The same problem as XMPP with e2e security • Is S/MIME the way to go, really? • Where and what are the customer requirements?
IETF 87 - July 2013 - oej@edvina.net References • A good overview: http://tools.ietf.org/html/draft-gurbani-sip-sipsec-00

Recommended

SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer world
Olle E Johansson
 
Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016
Olle E Johansson
 
The Realtime Story - part 2
The Realtime Story - part 2The Realtime Story - part 2
The Realtime Story - part 2
Olle E Johansson
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?
Deploy360 Programme (Internet Society)
 
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
PROIDEA
 
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Alan Quayle
 
Fast Answers about Pertino
Fast Answers about PertinoFast Answers about Pertino
Fast Answers about Pertino
Pertino
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
sharetech
 

Recommended

SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer world
Olle E Johansson
 
Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016
Olle E Johansson
 
The Realtime Story - part 2
The Realtime Story - part 2The Realtime Story - part 2
The Realtime Story - part 2
Olle E Johansson
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?
Deploy360 Programme (Internet Society)
 
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
PROIDEA
 
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Alan Quayle
 
Fast Answers about Pertino
Fast Answers about PertinoFast Answers about Pertino
Fast Answers about Pertino
Pertino
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpn
sharetech
 
ION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network Operators
Deploy360 Programme (Internet Society)
 
How to set up a Multi-Cloud VPC with Pertino
How to set up a Multi-Cloud VPC with PertinoHow to set up a Multi-Cloud VPC with Pertino
How to set up a Multi-Cloud VPC with Pertino
Pertino
 
SUTOL 2016 - Secure IBM Traveler for 2017
SUTOL 2016 - Secure IBM Traveler for 2017SUTOL 2016 - Secure IBM Traveler for 2017
SUTOL 2016 - Secure IBM Traveler for 2017
Ales Lichtenberg
 
The Security layer
The Security layerThe Security layer
The Security layer
Swetha S
 
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
Alan Quayle
 
Types of VPN
Types of VPNTypes of VPN
Types of VPN
NetProtocol Xpert
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy Tales
OVHcloud
 
What is VPN?
What is VPN?What is VPN?
What is VPN?
NetProtocol Xpert
 
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
VOIP2DAY
 
Tekirdağ mem
Tekirdağ memTekirdağ mem
Tekirdağ mem
George Bekiaridis
 
Chapin Challenge
Chapin ChallengeChapin Challenge
Chapin Challenge
Corey Topf
 
The Effects of Cross-Pollination : How non-library mass market services are c...
The Effects of Cross-Pollination : How non-library mass market services are c...The Effects of Cross-Pollination : How non-library mass market services are c...
The Effects of Cross-Pollination : How non-library mass market services are c...
Baden Hughes
 
Ppt
PptPpt
Ppt
alejandrolunamtz
 
Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1
Hans Kemp
 
Writers Workshop
Writers WorkshopWriters Workshop
Writers Workshop
Corey Topf
 
Vocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrieVocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrie
Corey Topf
 
Techo may9th
Techo may9thTecho may9th
Techo may9th
Corey Topf
 
Day 1 - Start with the WHY (readings, texts, and slides)
Day 1 - Start with the WHY (readings, texts, and slides)Day 1 - Start with the WHY (readings, texts, and slides)
Day 1 - Start with the WHY (readings, texts, and slides)
Corey Topf
 
Zappos-SIMA-05-15-08
Zappos-SIMA-05-15-08Zappos-SIMA-05-15-08
Zappos-SIMA-05-15-08
zappos
 
The bambino tour
The bambino tourThe bambino tour
The bambino tour
elenargy
 
Implementation of security standards and procedures
Implementation of security standards and proceduresImplementation of security standards and procedures
Implementation of security standards and procedures
StevenSegaert
 
Week 13 Sponges
Week 13 SpongesWeek 13 Sponges
Week 13 Sponges
Corey Topf
 

More Related Content

What's hot

What's hot (9)

ION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network Operators
 
How to set up a Multi-Cloud VPC with Pertino
How to set up a Multi-Cloud VPC with PertinoHow to set up a Multi-Cloud VPC with Pertino
How to set up a Multi-Cloud VPC with Pertino
 
SUTOL 2016 - Secure IBM Traveler for 2017
SUTOL 2016 - Secure IBM Traveler for 2017SUTOL 2016 - Secure IBM Traveler for 2017
SUTOL 2016 - Secure IBM Traveler for 2017
 
The Security layer
The Security layerThe Security layer
The Security layer
 
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
 
Types of VPN
Types of VPNTypes of VPN
Types of VPN
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy Tales
 
What is VPN?
What is VPN?What is VPN?
What is VPN?
 
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
 

Viewers also liked

Chapin Challenge
Chapin ChallengeChapin Challenge
Chapin Challenge
Corey Topf
 
Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1
Hans Kemp
 
Writers Workshop
Writers WorkshopWriters Workshop
Writers Workshop
Corey Topf
 
Vocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrieVocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrie
Corey Topf
 
Implementation of security standards and procedures
Implementation of security standards and proceduresImplementation of security standards and procedures
Implementation of security standards and procedures
StevenSegaert
 
Week 13 Sponges
Week 13 SpongesWeek 13 Sponges
Week 13 Sponges
Corey Topf
 
The organisation of social security coordination
The organisation of social security coordinationThe organisation of social security coordination
The organisation of social security coordination
StevenSegaert
 
IADD1 0809Q3 Hoorcollege2 Deeltijd
IADD1 0809Q3 Hoorcollege2 DeeltijdIADD1 0809Q3 Hoorcollege2 Deeltijd
IADD1 0809Q3 Hoorcollege2 Deeltijd
Hans Kemp
 
Iad2 0809 Q4 Hoorcollege 1
Iad2 0809 Q4 Hoorcollege 1Iad2 0809 Q4 Hoorcollege 1
Iad2 0809 Q4 Hoorcollege 1
Hans Kemp
 

Viewers also liked (20)

Tekirdağ mem
Tekirdağ memTekirdağ mem
Tekirdağ mem
 
Chapin Challenge
Chapin ChallengeChapin Challenge
Chapin Challenge
 
The Effects of Cross-Pollination : How non-library mass market services are c...
The Effects of Cross-Pollination : How non-library mass market services are c...The Effects of Cross-Pollination : How non-library mass market services are c...
The Effects of Cross-Pollination : How non-library mass market services are c...
 
Ppt
PptPpt
Ppt
 
Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1
 
Writers Workshop
Writers WorkshopWriters Workshop
Writers Workshop
 
Vocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrieVocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrie
 
Techo may9th
Techo may9thTecho may9th
Techo may9th
 
Day 1 - Start with the WHY (readings, texts, and slides)
Day 1 - Start with the WHY (readings, texts, and slides)Day 1 - Start with the WHY (readings, texts, and slides)
Day 1 - Start with the WHY (readings, texts, and slides)
 
Zappos-SIMA-05-15-08
Zappos-SIMA-05-15-08Zappos-SIMA-05-15-08
Zappos-SIMA-05-15-08
 
The bambino tour
The bambino tourThe bambino tour
The bambino tour
 
Implementation of security standards and procedures
Implementation of security standards and proceduresImplementation of security standards and procedures
Implementation of security standards and procedures
 
Week 13 Sponges
Week 13 SpongesWeek 13 Sponges
Week 13 Sponges
 
The organisation of social security coordination
The organisation of social security coordinationThe organisation of social security coordination
The organisation of social security coordination
 
Dutch PHP Conference
Dutch PHP ConferenceDutch PHP Conference
Dutch PHP Conference
 
IADD1 0809Q3 Hoorcollege2 Deeltijd
IADD1 0809Q3 Hoorcollege2 DeeltijdIADD1 0809Q3 Hoorcollege2 Deeltijd
IADD1 0809Q3 Hoorcollege2 Deeltijd
 
A1 olympics
A1 olympicsA1 olympics
A1 olympics
 
Iberika role
Iberika role Iberika role
Iberika role
 
Iad2 0809 Q4 Hoorcollege 1
Iad2 0809 Q4 Hoorcollege 1Iad2 0809 Q4 Hoorcollege 1
Iad2 0809 Q4 Hoorcollege 1
 
If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...
If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...
If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...
 

Similar to SIP & TLS - a very brief overview for the POSH BOF at IETF 87

Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
Mohd Arif
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
Maarten Smeets
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
Warren Bent
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
Toni de la Fuente
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
Deploy360 Programme (Internet Society)
 

Similar to SIP & TLS - a very brief overview for the POSH BOF at IETF 87 (20)

#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
 
Firewall traversals
Firewall traversalsFirewall traversals
Firewall traversals
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
Shanghai Breakout: Wireless LAN Security Fundamentals
Shanghai Breakout: Wireless LAN Security Fundamentals Shanghai Breakout: Wireless LAN Security Fundamentals
Shanghai Breakout: Wireless LAN Security Fundamentals
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
 
DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
 

More from Olle E Johansson

More from Olle E Johansson (20)

Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handling
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)
 
The birth and death of PSTN
The birth and death of PSTNThe birth and death of PSTN
The birth and death of PSTN
 
WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019
 
Kamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffKamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuff
 
Kamailio on air
Kamailio on airKamailio on air
Kamailio on air
 
Webrtc overview
Webrtc overviewWebrtc overview
Webrtc overview
 
Realtime communication over a dual stack network
Realtime communication over a dual stack networkRealtime communication over a dual stack network
Realtime communication over a dual stack network
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocol
 
SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)
 
Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!
 
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP
 
TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.
 
RFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the timeRFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the time
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and more
 
TCP/IP geeks Stockholm :: Manifesto
TCP/IP geeks Stockholm :: ManifestoTCP/IP geeks Stockholm :: Manifesto
TCP/IP geeks Stockholm :: Manifesto
 
WebRTC - a quick introduction
WebRTC - a quick introductionWebRTC - a quick introduction
WebRTC - a quick introduction
 

Recently uploaded

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Recently uploaded (20)

Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 

SIP & TLS - a very brief overview for the POSH BOF at IETF 87

  • 1. Session initiation protocol & TLS Olle E. Johansson, IETF 87 Berlin, July 2013 oej@edvina.net * @oej POSH bof v 1.42
  • 2. IETF 87 - July 2013 - oej@edvina.net Executive summary: • SIP security filosophy: ”Let’s put a nice and soft fluffyTLS wrapper around the connection and it’s now secure” (oej) • There’s no tradition of datacom-type security in the telco world. Customer requirements are <null>. ”SIP end to end security is like a jumping bunny with a lock in the mouth” (old IETF draft)
  • 3. IETF 87 - July 2013 - oej@edvina.net The problem with SIP security • A lot of servers - proxys and b2bua’s - in the signalling path are designed to be man-in-the-middle attack platforms by default • There’s no way for a SIP client to verify remote servers (or authorize their usage). • Very hard to make sure information integrity is intact for messages between endpoints • Too much trust put into the network.
  • 4. IETF 87 - July 2013 - oej@edvina.net RFC 3261 • Defines a SIPS: uri. • Support for TLS for both SIP: and SIPS: uri’s • Requires SIP TLS server certificates to have canonical hostname. How is this related to the URI? • For SIPS:TLS hop by hop, but not the last hop. • Summary: Confusing. SIP 2.0
  • 5. IETF 87 - July 2013 - oej@edvina.net RFC 3263 Locating SIP servers using DNS • Requires that the DOMAIN NAME in the hostname part of the URI is in the certificate. • Released at the same time as RFC 3261 that requires HOST NAME
  • 6. IETF 87 - July 2013 - oej@edvina.net RFC 5922 Sip domain certificates • Defines SIP Domain certificates and redefines matching between SIP URI and X.509 PKIX certificate. Certificate now needs to match DOMAIN part of SIP URI. • Certificate can have multiple URI’s as SubjAltName ext fields. • Domain in CN is supported if no SAN extensions exists. Mixes authentication and authorization
  • 7. IETF 87 - July 2013 - oej@edvina.net RFC 5923 - Connection reuse • Requires mutual TLS certificates for reuse of connection - for server2server connections. • If no client cert, then server needs to open new TLS connection for requests in the other direction. • Doesn’t define how a server knows if a connection is a ”client” or a ”server” ?
  • 8. IETF 87 - July 2013 - oej@edvina.net Mistakes • Via and Route headers are in 99% of the cases IP addresses. • Certificates are in 99% of the cases host names or domains == No match. • RFC 5922 says that these headers needs to be domains (for SRV failover) or host names
  • 9. IETF 87 - July 2013 - oej@edvina.net When bad things happen • Client contacts SIP server over TLS. SIP server tries to reach another server using TLS. Bad stuff happens. • No error codes, warnings or any other docs on how to signal this situation back.
  • 10. IETF 87 - July 2013 - oej@edvina.net SIP Presence Funny enough named ”simple” • Lot’s of missing information about TLS usage. • Server has active role - but how does authorization work? • Client can only identify first hop TLS server, which in most cases is NOT the presence server. • Since SIMPLE is used for certificate handling, phone provisioning, personal presence and chat there are a lot of serious security issues here.
  • 11. IETF 87 - July 2013 - oej@edvina.net RFC 6072 SIP certificate distribution • Use presence to subscribe to another SIP uri’s certificate • Use presence to PUBLISH certificate • Use presence to provision UA Cert and Key • Puts a lot of trust in the network • Requires TLS between ua and certificate handling presence server • Not compatible with SIP outbound
  • 12. IETF 87 - July 2013 - oej@edvina.net SIP & S/MIME • Well.Yes. Hmmm.
  • 13. IETF 87 - July 2013 - oej@edvina.net RFC 4474 SIP identity • Federated message integrity and identity assurance • Protects headers and attachment • Signed by domain cert • Domain cert verified by https (or something else like Dane). • Uses HTTPS to fetch (self-signed) CA cert for SIP domain. A cool idea.
  • 14. IETF 87 - July 2013 - oej@edvina.net My draft on SIP DANE usage • Use DNSsec protection of NAPTR and SRV records for authorization • Use DNSsec/TLSA records for authentication • Focuses on client to server connections • Needs more work on server2server connection reuse draft-johansson-dane-sip
  • 15. IETF 87 - July 2013 - oej@edvina.net TLS usage • Don’t mix authorization with authentication • Encryption - confidentiality - is based on knowing who you are talking to. Without proper authentication you might as well forget it. • Authorization is different for different protocols (I guess)
  • 16. IETF 87 - July 2013 - oej@edvina.net Ahead • Lots of work needed to clean up TLS requirements - for presence, outbound and more • The same problem as XMPP with e2e security • Is S/MIME the way to go, really? • Where and what are the customer requirements?
  • 17. IETF 87 - July 2013 - oej@edvina.net References • A good overview: http://tools.ietf.org/html/draft-gurbani-sip-sipsec-00