SlideShare une entreprise Scribd logo

IETF-73 SIP Derive

Victor Pascual Ávila
Victor Pascual Ávila
1  sur  14
1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri Kuthan Jiri.Kuthan@tekelec.com Dorgham Sisalem Dorgham.Sisalem@tekelec.com Raphael Coeffic Raphael.Coeffic@tekelec.com Victor Pascual Victor.Pascual@tekelec.com
2 Problem statement • When someone is calling you, you ‘d like to be able to know the identity of the caller – “who are you?” • But this is not always possible to determine – draft-elwell-sip-e2e-identity-important • Are we comfortable enough to answer the question “are you calling me?” by determining: – whoever is calling me (even unknown party) can be reached at the address it is claiming in the From header field {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
3 Return Routability Check in a nutshell • It is a simple “better-than-nothing“ approach to URI verification – End-to-end solution based on SIP routing • It leverages the location service retargeting – No trust models – No additional infrastructures apart from what it takes to route the INVITE message • It is NOT a solution for the whole identity problem • It does not determine identity (“who are you?”), just the source URI of the call (“are you calling me?”) {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
4 Known Limitations • It can at best confirm URI veracity. DERIVE cannot provide a refute claim • Reverse Routability is known not to be available in many cases – unregistered phone, call forwarding, etc. • Additional latency in call setup {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
5 Security Considerations {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73 • Reliance on security of the Registrar, DNS and IP routing systems • DoS opportunity with indirection – DERIVE allows attacker to drive other UAs to send DERIVE requests to a victim • Privacy – In the absence of some sort of authorization mechanism it can reveal sensitive information
6 Open Issues (1/3): Is Dialog Package Usable for This? • Dialog package support exists • Interpretations differ in how they may implement the negative case: “4xx vs empty NOTIFY” • Only for INVITE-initiated dialogs • If we don't re-use the dialog event package – we need to find some other widely-deployed and well- defined UA behavior that we can leverage – or we need to define new behavior on both the caller and callee equipment • new method for call-back validation? {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
7 Open Issues (2/3): B2BUA traversal • There is no normative reference in B2BUA behavior we can lean upon and which would be guaranteed to travel end-to-end • Possible solutions: –“if you break it, you fix it” (if you are lucky to be on the reverse path) –start working on a token that normatively survives B2BUA traversal • draft-kaplan-sip-session-id {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
8 Open Issues (3/3): PSTN interworking • SIP URIs (even with telephone numbers) verifiable with the originating domain using DERIVE • Unlike TEL URIs which are not clearly associated with an owner • Do you think it makes sense to attack the TEL URIs? {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
9 WG Survey • Who thinks that life is good without a light-weight way to verify a SIP URI? (and who thinks it isn’t?) • If folks see the problem, who thinks that reverse URI checking can help to solve it? (not necessarily based on the dialog-package) • And out of those who would actually like to contribute to this? {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
10 BACKUP {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
11 A proposed solution • Use SIP to ask the caller as claimed in From URI “are you calling me”? {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73 atlanta.com biloxi.com bob@biloxi.comalice@atlanta.com Call Call Call Are you calling me? Are you calling me? Yes Yes Ring Ring Ring
12 A Proposed Solution (cont.) • A subscription to the Dialog event package is used to check if the UA registered at the AOR in the “From” header is aware of the call. • The subscription is restricted to the “half-dialog” formed by Call-ID and From-tag from the INVITE. • For this, a SUBSCRIBE message is sent to the AOR in the “From” header field from the original INVITE. • Depending on the result of the subscription, we conclude that the “From” was legitimate, or that we do not know exactly. • Assumptions: – The Location Service at atlanta.com (caller’s domain) is somehow trustworthy – Alice is currently registered at atlanta.com – IP routing and DNS are not compromised {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
13 A Proposed Solution (cont.) Provisional responses are omitted from the illustration for the sake of clarity {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
14 Related work • Return routability check: – draft-wing-sip-e164-rrc • Identity: – RFC 4474, RFC 3325, RFC 3893, RFC 4916 – draft-ietf-sipping-update-pai – draft-elwell-sip-identity-handling-ua – draft-elwell-sip-e2e-identity-important – draft-york-sip-visual-identifier-trusted-identity – draft-ietf-sip-privacy – draft-kaplan-sip-asserter-identity • Issues with e164 URIs: – draft-elwell-sip-e164-problem-statement • Identity / security on the media path: – draft-fischer-sip-e2e-sec-media (expired) – draft-wing-sip-identity-media (expired) ... And many others {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73

Recommandé

WebRTC standards overview -- WebRTC Barcelona Meetup MWC16
WebRTC standards overview -- WebRTC Barcelona Meetup MWC16WebRTC standards overview -- WebRTC Barcelona Meetup MWC16
WebRTC standards overview -- WebRTC Barcelona Meetup MWC16Victor Pascual Ávila
 
IETF 78 - Alto - Server Discovery
IETF 78 - Alto - Server DiscoveryIETF 78 - Alto - Server Discovery
IETF 78 - Alto - Server DiscoveryVictor Pascual Ávila
 
PFPファシグラ(2009/07/03)
PFPファシグラ(2009/07/03)PFPファシグラ(2009/07/03)
PFPファシグラ(2009/07/03)nishikawa_makoto7
 
Live Streaming over P2PSIP
Live Streaming over P2PSIPLive Streaming over P2PSIP
Live Streaming over P2PSIPVictor Pascual Ávila
 
IETF-71 P2PSIP Clients
IETF-71 P2PSIP ClientsIETF-71 P2PSIP Clients
IETF-71 P2PSIP ClientsVictor Pascual Ávila
 
International SIP conference 2009
International SIP conference 2009International SIP conference 2009
International SIP conference 2009Victor Pascual Ávila
 
Green Guerrillas Youth Media Tech Collective Ona Move
Green Guerrillas Youth Media Tech Collective Ona MoveGreen Guerrillas Youth Media Tech Collective Ona Move
Green Guerrillas Youth Media Tech Collective Ona MoveSouthern Tier Advocacy & Mitigation Project, Incorporated
 
WebRTC from the service provider prism
WebRTC from the service provider prismWebRTC from the service provider prism
WebRTC from the service provider prismVictor Pascual Ávila
 

Recommandé

WebRTC standards overview -- WebRTC Barcelona Meetup MWC16
WebRTC standards overview -- WebRTC Barcelona Meetup MWC16WebRTC standards overview -- WebRTC Barcelona Meetup MWC16
WebRTC standards overview -- WebRTC Barcelona Meetup MWC16Victor Pascual Ávila
 
IETF 78 - Alto - Server Discovery
IETF 78 - Alto - Server DiscoveryIETF 78 - Alto - Server Discovery
IETF 78 - Alto - Server DiscoveryVictor Pascual Ávila
 
PFPファシグラ(2009/07/03)
PFPファシグラ(2009/07/03)PFPファシグラ(2009/07/03)
PFPファシグラ(2009/07/03)nishikawa_makoto7
 
Live Streaming over P2PSIP
Live Streaming over P2PSIPLive Streaming over P2PSIP
Live Streaming over P2PSIPVictor Pascual Ávila
 
IETF-71 P2PSIP Clients
IETF-71 P2PSIP ClientsIETF-71 P2PSIP Clients
IETF-71 P2PSIP ClientsVictor Pascual Ávila
 
International SIP conference 2009
International SIP conference 2009International SIP conference 2009
International SIP conference 2009Victor Pascual Ávila
 
Green Guerrillas Youth Media Tech Collective Ona Move
Green Guerrillas Youth Media Tech Collective Ona MoveGreen Guerrillas Youth Media Tech Collective Ona Move
Green Guerrillas Youth Media Tech Collective Ona MoveSouthern Tier Advocacy & Mitigation Project, Incorporated
 
WebRTC from the service provider prism
WebRTC from the service provider prismWebRTC from the service provider prism
WebRTC from the service provider prismVictor Pascual Ávila
 
VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to knowEric Klein
 
148 Call Center Call Back Options
148 Call Center Call Back Options148 Call Center Call Back Options
148 Call Center Call Back OptionsChief Innovation
 
OxCEPT Introduction
OxCEPT IntroductionOxCEPT Introduction
OxCEPT IntroductionMattSims
 
Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...
Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...
Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...UXPA International
 
2012 SxSW When IT Says No by Gene Kim
2012 SxSW When IT Says No by Gene Kim2012 SxSW When IT Says No by Gene Kim
2012 SxSW When IT Says No by Gene KimGene Kim
 
IETF-76 SIP Identity Adhoc
IETF-76 SIP Identity AdhocIETF-76 SIP Identity Adhoc
IETF-76 SIP Identity AdhocVictor Pascual Ávila
 
Selling 0days to governments and offensive security companies
Selling 0days to governments and offensive security companiesSelling 0days to governments and offensive security companies
Selling 0days to governments and offensive security companiesMaor Shwartz
 
DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...
DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...
DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...Jon Stevens-Hall
 
Agile2011 Conference – Key Take Aways
Agile2011 Conference – Key Take AwaysAgile2011 Conference – Key Take Aways
Agile2011 Conference – Key Take AwaysSynerzip
 
Tor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksTor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksC4Media
 
Solving CI Operational Challenges
Solving CI Operational ChallengesSolving CI Operational Challenges
Solving CI Operational ChallengesNicolas Corrarello
 
2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class Nine2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class NineFRSecure
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Codemotion
 
Improving privacy in blockchain using homomorphic encryption
Improving privacy in blockchain using homomorphic encryption Improving privacy in blockchain using homomorphic encryption
Improving privacy in blockchain using homomorphic encryption Razi Rais
 
Elastix network security guide
Elastix network security guideElastix network security guide
Elastix network security guideCristian Calderon
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...EC-Council
 
Defcon 22-quaddi-r3plicant-hefley-hacking-911
Defcon 22-quaddi-r3plicant-hefley-hacking-911Defcon 22-quaddi-r3plicant-hefley-hacking-911
Defcon 22-quaddi-r3plicant-hefley-hacking-911Priyanka Aash
 
Customer Discovery in the DOD/IC Workshop H4D Stanford 2016
Customer Discovery in the DOD/IC Workshop H4D Stanford 2016Customer Discovery in the DOD/IC Workshop H4D Stanford 2016
Customer Discovery in the DOD/IC Workshop H4D Stanford 2016Stanford University
 
Working model to patentability
Working model to patentabilityWorking model to patentability
Working model to patentabilityfungfung Chen
 
Introducing Bugcrowd
Introducing BugcrowdIntroducing Bugcrowd
Introducing BugcrowdCasey Ellis
 
IETF98 - 3rd-Party Authentication for SIP
IETF98 - 3rd-Party Authentication for SIPIETF98 - 3rd-Party Authentication for SIP
IETF98 - 3rd-Party Authentication for SIPVictor Pascual Ávila
 
IETF meeting - SIP OAuth use cases
IETF meeting - SIP OAuth use casesIETF meeting - SIP OAuth use cases
IETF meeting - SIP OAuth use casesVictor Pascual Ávila
 

Contenu connexe

Similaire à IETF-73 SIP Derive

VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to knowEric Klein
 
148 Call Center Call Back Options
148 Call Center Call Back Options148 Call Center Call Back Options
148 Call Center Call Back OptionsChief Innovation
 
OxCEPT Introduction
OxCEPT IntroductionOxCEPT Introduction
OxCEPT IntroductionMattSims
 
Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...
Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...
Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...UXPA International
 
2012 SxSW When IT Says No by Gene Kim
2012 SxSW When IT Says No by Gene Kim2012 SxSW When IT Says No by Gene Kim
2012 SxSW When IT Says No by Gene KimGene Kim
 
Selling 0days to governments and offensive security companies
Selling 0days to governments and offensive security companiesSelling 0days to governments and offensive security companies
Selling 0days to governments and offensive security companiesMaor Shwartz
 
DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...
DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...
DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...Jon Stevens-Hall
 
Agile2011 Conference – Key Take Aways
Agile2011 Conference – Key Take AwaysAgile2011 Conference – Key Take Aways
Agile2011 Conference – Key Take AwaysSynerzip
 
Tor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksTor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksC4Media
 
Solving CI Operational Challenges
Solving CI Operational ChallengesSolving CI Operational Challenges
Solving CI Operational ChallengesNicolas Corrarello
 
2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class Nine2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class NineFRSecure
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Codemotion
 
Improving privacy in blockchain using homomorphic encryption
Improving privacy in blockchain using homomorphic encryption Improving privacy in blockchain using homomorphic encryption
Improving privacy in blockchain using homomorphic encryption Razi Rais
 
Elastix network security guide
Elastix network security guideElastix network security guide
Elastix network security guideCristian Calderon
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...EC-Council
 
Defcon 22-quaddi-r3plicant-hefley-hacking-911
Defcon 22-quaddi-r3plicant-hefley-hacking-911Defcon 22-quaddi-r3plicant-hefley-hacking-911
Defcon 22-quaddi-r3plicant-hefley-hacking-911Priyanka Aash
 
Customer Discovery in the DOD/IC Workshop H4D Stanford 2016
Customer Discovery in the DOD/IC Workshop H4D Stanford 2016Customer Discovery in the DOD/IC Workshop H4D Stanford 2016
Customer Discovery in the DOD/IC Workshop H4D Stanford 2016Stanford University
 
Working model to patentability
Working model to patentabilityWorking model to patentability
Working model to patentabilityfungfung Chen
 
Introducing Bugcrowd
Introducing BugcrowdIntroducing Bugcrowd
Introducing BugcrowdCasey Ellis
 

Similaire à IETF-73 SIP Derive (20)

VoIP Security 101 what you need to know
VoIP Security 101 what you need to knowVoIP Security 101 what you need to know
VoIP Security 101 what you need to know
 
148 Call Center Call Back Options
148 Call Center Call Back Options148 Call Center Call Back Options
148 Call Center Call Back Options
 
OxCEPT Introduction
OxCEPT IntroductionOxCEPT Introduction
OxCEPT Introduction
 
Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...
Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...
Mechanical Turk Demystified: Best practices for sourcing and scaling quality ...
 
2012 SxSW When IT Says No by Gene Kim
2012 SxSW When IT Says No by Gene Kim2012 SxSW When IT Says No by Gene Kim
2012 SxSW When IT Says No by Gene Kim
 
IETF-76 SIP Identity Adhoc
IETF-76 SIP Identity AdhocIETF-76 SIP Identity Adhoc
IETF-76 SIP Identity Adhoc
 
Selling 0days to governments and offensive security companies
Selling 0days to governments and offensive security companiesSelling 0days to governments and offensive security companies
Selling 0days to governments and offensive security companies
 
DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...
DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...
DevOps Enterprise Summit 2019 - How Swarming Enables Enterprise Support to wo...
 
Agile2011 Conference – Key Take Aways
Agile2011 Conference – Key Take AwaysAgile2011 Conference – Key Take Aways
Agile2011 Conference – Key Take Aways
 
Tor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel TricksTor in Haskell & Other Unikernel Tricks
Tor in Haskell & Other Unikernel Tricks
 
Solving CI Operational Challenges
Solving CI Operational ChallengesSolving CI Operational Challenges
Solving CI Operational Challenges
 
2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class Nine2019 FRSecure CISSP Mentor Program: Class Nine
2019 FRSecure CISSP Mentor Program: Class Nine
 
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
Melanie Rieback, Klaus Kursawe - Blockchain Security: Melting the "Silver Bul...
 
Improving privacy in blockchain using homomorphic encryption
Improving privacy in blockchain using homomorphic encryption Improving privacy in blockchain using homomorphic encryption
Improving privacy in blockchain using homomorphic encryption
 
Elastix network security guide
Elastix network security guideElastix network security guide
Elastix network security guide
 
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
Hacker Halted 2018: From CTF to CVE – How Application of Concepts and Persist...
 
Defcon 22-quaddi-r3plicant-hefley-hacking-911
Defcon 22-quaddi-r3plicant-hefley-hacking-911Defcon 22-quaddi-r3plicant-hefley-hacking-911
Defcon 22-quaddi-r3plicant-hefley-hacking-911
 
Customer Discovery in the DOD/IC Workshop H4D Stanford 2016
Customer Discovery in the DOD/IC Workshop H4D Stanford 2016Customer Discovery in the DOD/IC Workshop H4D Stanford 2016
Customer Discovery in the DOD/IC Workshop H4D Stanford 2016
 
Working model to patentability
Working model to patentabilityWorking model to patentability
Working model to patentability
 
Introducing Bugcrowd
Introducing BugcrowdIntroducing Bugcrowd
Introducing Bugcrowd
 

Plus de Victor Pascual Ávila

IETF98 - 3rd-Party Authentication for SIP
IETF98 - 3rd-Party Authentication for SIPIETF98 - 3rd-Party Authentication for SIP
IETF98 - 3rd-Party Authentication for SIPVictor Pascual Ávila
 
WebRTC standards update (April 2015)
WebRTC standards update (April 2015)WebRTC standards update (April 2015)
WebRTC standards update (April 2015)Victor Pascual Ávila
 
Upperside WebRTC conference - WebRTC intro
Upperside WebRTC conference - WebRTC introUpperside WebRTC conference - WebRTC intro
Upperside WebRTC conference - WebRTC introVictor Pascual Ávila
 
WebRTC standards update - November 2014
WebRTC standards update - November 2014WebRTC standards update - November 2014
WebRTC standards update - November 2014Victor Pascual Ávila
 
Guidelines to support RTCP end-to-end in Back-to-Back User Agents (B2BUAs)
Guidelines to support RTCP end-to-end in Back-to-Back User Agents (B2BUAs)Guidelines to support RTCP end-to-end in Back-to-Back User Agents (B2BUAs)
Guidelines to support RTCP end-to-end in Back-to-Back User Agents (B2BUAs)Victor Pascual Ávila
 
WebRTC Standards Update (October 2014)
WebRTC Standards Update (October 2014)WebRTC Standards Update (October 2014)
WebRTC Standards Update (October 2014)Victor Pascual Ávila
 
IETF 90 - DTLS-SRTP Handling in SIP B2BUAs
IETF 90 - DTLS-SRTP Handling in SIP B2BUAsIETF 90 - DTLS-SRTP Handling in SIP B2BUAs
IETF 90 - DTLS-SRTP Handling in SIP B2BUAsVictor Pascual Ávila
 
IETF 90 -- Guidelines to support RTCP end-to-end in SIP Back-to-Back User Age...
IETF 90 -- Guidelines to support RTCP end-to-end in SIP Back-to-Back User Age...IETF 90 -- Guidelines to support RTCP end-to-end in SIP Back-to-Back User Age...
IETF 90 -- Guidelines to support RTCP end-to-end in SIP Back-to-Back User Age...Victor Pascual Ávila
 
Digital Services Congress - OTT track - WebRTC panel: "Will WebRTC Mean a Mor...
Digital Services Congress - OTT track - WebRTC panel: "Will WebRTC Mean a Mor...Digital Services Congress - OTT track - WebRTC panel: "Will WebRTC Mean a Mor...
Digital Services Congress - OTT track - WebRTC panel: "Will WebRTC Mean a Mor...Victor Pascual Ávila
 
WebRTC standards update (April 2014)
WebRTC standards update (April 2014)WebRTC standards update (April 2014)
WebRTC standards update (April 2014)Victor Pascual Ávila
 
IMS Value in a World of WebRTC and Mobile -- WebRTC Expo, Santa Clara, CA (No...
IMS Value in a World of WebRTC and Mobile -- WebRTC Expo, Santa Clara, CA (No...IMS Value in a World of WebRTC and Mobile -- WebRTC Expo, Santa Clara, CA (No...
IMS Value in a World of WebRTC and Mobile -- WebRTC Expo, Santa Clara, CA (No...Victor Pascual Ávila
 
Realistic Future Service Provider Opportunities -- WebRTC Expo, Santa Clara, ...
Realistic Future Service Provider Opportunities -- WebRTC Expo, Santa Clara, ...Realistic Future Service Provider Opportunities -- WebRTC Expo, Santa Clara, ...
Realistic Future Service Provider Opportunities -- WebRTC Expo, Santa Clara, ...Victor Pascual Ávila
 
WebRTC standards update (13 Nov 2013)
WebRTC standards update (13 Nov 2013)WebRTC standards update (13 Nov 2013)
WebRTC standards update (13 Nov 2013)Victor Pascual Ávila
 
WebRTC Standards -- The 10 Minutes guide
WebRTC Standards -- The 10 Minutes guideWebRTC Standards -- The 10 Minutes guide
WebRTC Standards -- The 10 Minutes guideVictor Pascual Ávila
 
WebRTC and VoIP: bridging the gap (Kamailio world conference 2013)
WebRTC and VoIP: bridging the gap (Kamailio world conference 2013)WebRTC and VoIP: bridging the gap (Kamailio world conference 2013)
WebRTC and VoIP: bridging the gap (Kamailio world conference 2013)Victor Pascual Ávila
 
Telco-OTT: infrastructure challenges and solutions
Telco-OTT: infrastructure challenges and solutionsTelco-OTT: infrastructure challenges and solutions
Telco-OTT: infrastructure challenges and solutionsVictor Pascual Ávila
 

Plus de Victor Pascual Ávila (20)

IETF98 - 3rd-Party Authentication for SIP
IETF98 - 3rd-Party Authentication for SIPIETF98 - 3rd-Party Authentication for SIP
IETF98 - 3rd-Party Authentication for SIP
 
IETF meeting - SIP OAuth use cases
IETF meeting - SIP OAuth use casesIETF meeting - SIP OAuth use cases
IETF meeting - SIP OAuth use cases
 
WebRTC standards update (April 2015)
WebRTC standards update (April 2015)WebRTC standards update (April 2015)
WebRTC standards update (April 2015)
 
Upperside WebRTC conference - WebRTC intro
Upperside WebRTC conference - WebRTC introUpperside WebRTC conference - WebRTC intro
Upperside WebRTC conference - WebRTC intro
 
WebRTC standards update - November 2014
WebRTC standards update - November 2014WebRTC standards update - November 2014
WebRTC standards update - November 2014
 
Guidelines to support RTCP end-to-end in Back-to-Back User Agents (B2BUAs)
Guidelines to support RTCP end-to-end in Back-to-Back User Agents (B2BUAs)Guidelines to support RTCP end-to-end in Back-to-Back User Agents (B2BUAs)
Guidelines to support RTCP end-to-end in Back-to-Back User Agents (B2BUAs)
 
DTLS-SRTP Handling in SIP B2BUAs
DTLS-SRTP Handling in SIP B2BUAsDTLS-SRTP Handling in SIP B2BUAs
DTLS-SRTP Handling in SIP B2BUAs
 
WebRTC Standards Update (October 2014)
WebRTC Standards Update (October 2014)WebRTC Standards Update (October 2014)
WebRTC Standards Update (October 2014)
 
IETF 90 - DTLS-SRTP Handling in SIP B2BUAs
IETF 90 - DTLS-SRTP Handling in SIP B2BUAsIETF 90 - DTLS-SRTP Handling in SIP B2BUAs
IETF 90 - DTLS-SRTP Handling in SIP B2BUAs
 
IETF 90 -- Guidelines to support RTCP end-to-end in SIP Back-to-Back User Age...
IETF 90 -- Guidelines to support RTCP end-to-end in SIP Back-to-Back User Age...IETF 90 -- Guidelines to support RTCP end-to-end in SIP Back-to-Back User Age...
IETF 90 -- Guidelines to support RTCP end-to-end in SIP Back-to-Back User Age...
 
WebRTC standards update (Jul 2014)
WebRTC standards update (Jul 2014)WebRTC standards update (Jul 2014)
WebRTC standards update (Jul 2014)
 
Digital Services Congress - OTT track - WebRTC panel: "Will WebRTC Mean a Mor...
Digital Services Congress - OTT track - WebRTC panel: "Will WebRTC Mean a Mor...Digital Services Congress - OTT track - WebRTC panel: "Will WebRTC Mean a Mor...
Digital Services Congress - OTT track - WebRTC panel: "Will WebRTC Mean a Mor...
 
WebRTC standards update (April 2014)
WebRTC standards update (April 2014)WebRTC standards update (April 2014)
WebRTC standards update (April 2014)
 
WebRTC DataChannels demystified
WebRTC DataChannels demystifiedWebRTC DataChannels demystified
WebRTC DataChannels demystified
 
IMS Value in a World of WebRTC and Mobile -- WebRTC Expo, Santa Clara, CA (No...
IMS Value in a World of WebRTC and Mobile -- WebRTC Expo, Santa Clara, CA (No...IMS Value in a World of WebRTC and Mobile -- WebRTC Expo, Santa Clara, CA (No...
IMS Value in a World of WebRTC and Mobile -- WebRTC Expo, Santa Clara, CA (No...
 
Realistic Future Service Provider Opportunities -- WebRTC Expo, Santa Clara, ...
Realistic Future Service Provider Opportunities -- WebRTC Expo, Santa Clara, ...Realistic Future Service Provider Opportunities -- WebRTC Expo, Santa Clara, ...
Realistic Future Service Provider Opportunities -- WebRTC Expo, Santa Clara, ...
 
WebRTC standards update (13 Nov 2013)
WebRTC standards update (13 Nov 2013)WebRTC standards update (13 Nov 2013)
WebRTC standards update (13 Nov 2013)
 
WebRTC Standards -- The 10 Minutes guide
WebRTC Standards -- The 10 Minutes guideWebRTC Standards -- The 10 Minutes guide
WebRTC Standards -- The 10 Minutes guide
 
WebRTC and VoIP: bridging the gap (Kamailio world conference 2013)
WebRTC and VoIP: bridging the gap (Kamailio world conference 2013)WebRTC and VoIP: bridging the gap (Kamailio world conference 2013)
WebRTC and VoIP: bridging the gap (Kamailio world conference 2013)
 
Telco-OTT: infrastructure challenges and solutions
Telco-OTT: infrastructure challenges and solutionsTelco-OTT: infrastructure challenges and solutions
Telco-OTT: infrastructure challenges and solutions
 

IETF-73 SIP Derive

  • 1. 1 SIP WG meeting 73rd IETF - Minneapolis, MN, USA November, 2008 Return Routability Check draft-kuthan-sip-derive-00 Jiri Kuthan Jiri.Kuthan@tekelec.com Dorgham Sisalem Dorgham.Sisalem@tekelec.com Raphael Coeffic Raphael.Coeffic@tekelec.com Victor Pascual Victor.Pascual@tekelec.com
  • 2. 2 Problem statement • When someone is calling you, you ‘d like to be able to know the identity of the caller – “who are you?” • But this is not always possible to determine – draft-elwell-sip-e2e-identity-important • Are we comfortable enough to answer the question “are you calling me?” by determining: – whoever is calling me (even unknown party) can be reached at the address it is claiming in the From header field {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
  • 3. 3 Return Routability Check in a nutshell • It is a simple “better-than-nothing“ approach to URI verification – End-to-end solution based on SIP routing • It leverages the location service retargeting – No trust models – No additional infrastructures apart from what it takes to route the INVITE message • It is NOT a solution for the whole identity problem • It does not determine identity (“who are you?”), just the source URI of the call (“are you calling me?”) {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
  • 4. 4 Known Limitations • It can at best confirm URI veracity. DERIVE cannot provide a refute claim • Reverse Routability is known not to be available in many cases – unregistered phone, call forwarding, etc. • Additional latency in call setup {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
  • 5. 5 Security Considerations {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73 • Reliance on security of the Registrar, DNS and IP routing systems • DoS opportunity with indirection – DERIVE allows attacker to drive other UAs to send DERIVE requests to a victim • Privacy – In the absence of some sort of authorization mechanism it can reveal sensitive information
  • 6. 6 Open Issues (1/3): Is Dialog Package Usable for This? • Dialog package support exists • Interpretations differ in how they may implement the negative case: “4xx vs empty NOTIFY” • Only for INVITE-initiated dialogs • If we don't re-use the dialog event package – we need to find some other widely-deployed and well- defined UA behavior that we can leverage – or we need to define new behavior on both the caller and callee equipment • new method for call-back validation? {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
  • 7. 7 Open Issues (2/3): B2BUA traversal • There is no normative reference in B2BUA behavior we can lean upon and which would be guaranteed to travel end-to-end • Possible solutions: –“if you break it, you fix it” (if you are lucky to be on the reverse path) –start working on a token that normatively survives B2BUA traversal • draft-kaplan-sip-session-id {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
  • 8. 8 Open Issues (3/3): PSTN interworking • SIP URIs (even with telephone numbers) verifiable with the originating domain using DERIVE • Unlike TEL URIs which are not clearly associated with an owner • Do you think it makes sense to attack the TEL URIs? {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
  • 9. 9 WG Survey • Who thinks that life is good without a light-weight way to verify a SIP URI? (and who thinks it isn’t?) • If folks see the problem, who thinks that reverse URI checking can help to solve it? (not necessarily based on the dialog-package) • And out of those who would actually like to contribute to this? {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
  • 10. 10 BACKUP {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
  • 11. 11 A proposed solution • Use SIP to ask the caller as claimed in From URI “are you calling me”? {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73 atlanta.com biloxi.com bob@biloxi.comalice@atlanta.com Call Call Call Are you calling me? Are you calling me? Yes Yes Ring Ring Ring
  • 12. 12 A Proposed Solution (cont.) • A subscription to the Dialog event package is used to check if the UA registered at the AOR in the “From” header is aware of the call. • The subscription is restricted to the “half-dialog” formed by Call-ID and From-tag from the INVITE. • For this, a SUBSCRIBE message is sent to the AOR in the “From” header field from the original INVITE. • Depending on the result of the subscription, we conclude that the “From” was legitimate, or that we do not know exactly. • Assumptions: – The Location Service at atlanta.com (caller’s domain) is somehow trustworthy – Alice is currently registered at atlanta.com – IP routing and DNS are not compromised {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
  • 13. 13 A Proposed Solution (cont.) Provisional responses are omitted from the illustration for the sake of clarity {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73
  • 14. 14 Related work • Return routability check: – draft-wing-sip-e164-rrc • Identity: – RFC 4474, RFC 3325, RFC 3893, RFC 4916 – draft-ietf-sipping-update-pai – draft-elwell-sip-identity-handling-ua – draft-elwell-sip-e2e-identity-important – draft-york-sip-visual-identifier-trusted-identity – draft-ietf-sip-privacy – draft-kaplan-sip-asserter-identity • Issues with e164 URIs: – draft-elwell-sip-e164-problem-statement • Identity / security on the media path: – draft-fischer-sip-e2e-sec-media (expired) – draft-wing-sip-identity-media (expired) ... And many others {Jiri.Kuthan, Dorgham.Sisalem, Raphael.Coeffic, Victor.Pascual}@tekelec.com IETF73