170 likes | 181 Views
This document discusses the session authorization process for UDP media sessions using ICE and username/password authentication. It covers the use of ICE for NAT traversal, the exchange of per-flow usernames and passwords, and the secure authorization process involving SIP proxies, policy servers, and firewalls.
E N D
Media Session Authorization draft-wing-session-auth-00.txt Dan Wingdwing@cisco.com
IPR Declaration • Cisco will be declaring IPR ondraft-wing-session-auth-00.txt
Session Authorization Overview • Authorize UDP Media Sessions • Uses username/passwords of ICE • Authority comes from call controller • Natural packet routing • No NAT, no SBC • Allows multihomed networks • No topology awareness • No topology constraints
ICE Overview • Interactive Connectivity Establishment • Useful for traversing NATs • Per-flow usernames (and passwords) are exchanged in ICE signaling • To verify connectivity, ICE endpoints send the username in media path • STUN Request / Reply (RFC3489)
Media Session Authorization • Per-call username is seen by SIP proxy • SIP proxy gives policy server call info. • Firewall identifies STUN Request • Firewall asks policy server to authorize flow • Firewall opens pinhole • Result: secure authorization of a legitimate flow
ICE with Policy Authorization, Slide 1 informational INVITEFrom: AliceTo: BobIP=X, UDP=x, Token=A1 Alice's Call Controller Bob's Call Controller 2 10 3 6 Alice’s Policy Server Bob’s Policy Server 1 11 9 7 5 8 4 Alice 12 Bob FW-A FW-B X, x STUNRequest
ICE with Policy Authorization, Slide 2 Alice's Call Controller Bob's Call Controller SIP 183 or 200From: BobTo: AliceIP=Z, UDP=z, Token=B1 13 Alice Bob FW-A FW-B 14 15 16 No external authorization check is necessary because the same STUN transaction-id and (flipped) 5-tuple are in STUN Request and Response STUNResponse
Asymmetric Routing: Problem • Firewall can’t learn about bi-directional flow, because it only sees one direction • Thus, can’t use transaction-id and 5-tuple to authorize STUN Response message Firewall-Atlanta Firewall-Dallas Gateway
Asymmetric Routing: Approach A • Firewall asks policy server about STUN Responses, too • Continue using same protocol • Solution A causes additional STUN Request/Response delay
Approach A (slide 1) informational INVITEFrom: AliceTo: BobIP=X, UDP=x, Token=A1 Alice's Call Controller Bob's Call Controller 2 10 3 6 Alice’s Policy Server Bob’s Policy Server 1 11 9 7 5 8 4 Alice 12 Bob FW-A FW-B-1 X, x FW-B-2 STUNRequest
Approach A (slide 2) informational 183 or 200From: BobTo: AliceIP=Z, UDP=z, Token=B1 Alice's Call Controller Bob's Call Controller 13 17 Alice’s Policy Server Bob’s Policy Server 16 18 14 Alice Bob FW-A FW-B-1 Z, z 15 19 FW-B-2 STUNResponse
Asymmetric Routing: Approach B • Tell other firewalls about every valid STUN transaction-id • Example: secure multicast protocol (GDOI?) • Optimization 1: tell firewalls that might need to know (but how do you know?) • Optimization 2: firewalls only need to remember authorized STUN transaction-id for a short time (5-10 seconds) • Solution B adds more state to firewalls
Approach B informational INVITEFrom: AliceTo: BobIP=X, UDP=x, Token=A1 Alice's Call Controller Bob's Call Controller 2 10 3 6 Alice’s Policy Server Bob’s Policy Server 1 6a 11 9 7 5 8 4 Alice 12 Bob FW-A FW-B-1 X, x FW-B-2 FW-B-3 FW-B-4 STUNRequest
Solution B: Tell Firewall (slide 2) 183 or 200From: BobTo: AliceIP=Z, UDP=z, Token=B1 Alice's Call Controller Bob's Call Controller 13 17 Alice’s Policy Server Bob’s Policy Server informational 16 14 Alice Bob FW-A FW-B-1 15 19 FW-B-2 FW-B-3 and FW-B-4 time out the STUN transaction-id aggressively (5-10 seconds) FW-B-2 needs no external authorization check because the same STUN transaction-id and (flipped) 5-tuple are in STUN Request and Response FW-B-3 FW-B-4 STUNResponse
Features • No topology awareness • Supports multi-homed networks • Including asymmetric routing
Drawbacks • Endpoints must cooperate in the scheme • ICE-capable endpoints cooperate as a side-effect of their normal ICE operation • Note well: Only a portion of ICE is needed -- only the exchange of tokens in signaling and the STUN Request/Response in media
Going Forward • Standardize interfaces • SIP proxy to Policy Server • Policy Server to Firewall • Decide on approach A or B for multihomed asymmetric routing