End-to-middle Security in SIP
draft-ietf-sipping-e2m-sec-reqs-03
draft-ono-sipping-end2middle-security-02
Kumiko Ono, ono.kumiko@lab.ntt.co.jp
IETF60
Changes since 02
• Use cases
  • Decreased the dependency on the session policy discussion.
• Requirements
  • Closed the open issue of whether the proxy server needs to notify the UAS after receiving a response: there are no security policies that depend solely on a response.
  • Deleted text that belonged to a mechanism rather than to the requirements.
  • Changed the requirement for the discovery mechanism from proxy-driven to UA-driven.
• Security Considerations
  • Added text on DoS attacks against proxy servers.
Open Issue: the scope
• Does discovery of the "middle" overlap with the scope of the session policy work?
• Discussion on the mailing list
• My proposal:
  • Yes, they overlap in the discovery mechanism. I will add notes that refer to the session policy. However, the e2m mechanism should have a way to notify the proxy's policy using an error message.
Next Steps for e2m-reqs
• Something missing?
• Ready for WGLC?
Open Issues for e2m-mechs
• How to discover security policies on the "middle"
• How to label a body for the "middle", for inspection only :-)
How to label a body for the "middle"
• Option 1: a SIP header plus the Content-ID MIME header of the part
  • This is the approach used by the Referred-By mechanism.
• Option 2: a Content-Target MIME header on the part
  • This is what the e2m I-D proposes.
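The two labelling options above, shown end to end as an added example that is not code from the e2m drafts or from the author: a UAC builds a multipart/mixed INVITE body whose SDP part is labelled for one proxy, and the proxy-side check picks out only the part addressed to it. The page names Content-Target for Option 2 but gives no SIP header name for Option 1, so the header name Inspect-Body, the proxy URI sip:proxy.example.com, the boundary and the sample SDP and sipfrag payloads are assumptions constructed for this example. Only the labelling is shown; in the e2m mechanism the labelled part would additionally be encrypted to the proxy's key.

```python
"""Labelling one MIME body part for inspection by a "middle" (proxy).

Added example; not code from the e2m drafts. Content-Target (Option 2) is
named on the page; the SIP header name Inspect-Body (Option 1), the proxy
URI and the sample payloads are assumptions made for this example.
"""
import re

CRLF = b"\r\n"
OPTION1_HEADER = "Inspect-Body"    # hypothetical SIP header, Referred-By style ";cid="
OPTION2_HEADER = "Content-Target"  # MIME header proposed in the e2m I-D
BOUNDARY = b"e2m-boundary"

# Constructed sample payloads, not captured traffic.
SDP = (b"v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=-\r\n"
       b"c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
SIPFRAG = b"From: Alice <sip:alice@example.com>\r\nTo: Bob <sip:bob@example.com>\r\n"


def _part(ctype, cid, body, extra=()):
    """One body part: Content-Type, Content-ID, any extra MIME headers, body."""
    head = [b"Content-Type: " + ctype, b"Content-ID: <" + cid + b">", *extra]
    return CRLF.join(head) + CRLF + CRLF + body


def build_invite(option, proxy, inspect_cid=b"sdp-1@alice.example.com"):
    """UAC side: an INVITE whose SDP part is labelled for inspection by `proxy`.

    option 1: a SIP header names the proxy and references the part by Content-ID.
    option 2: a MIME header on the part itself names the proxy.
    The sipfrag part carries no label and remains end-to-end only.
    """
    if option not in (1, 2):
        raise ValueError("option must be 1 or 2")
    sip_extra, sdp_extra = [], []
    if option == 1:
        sip_extra.append(OPTION1_HEADER.encode() + b": <" + proxy.encode()
                         + b'>;cid="' + inspect_cid + b'"')
    else:
        sdp_extra.append(OPTION2_HEADER.encode() + b": <" + proxy.encode() + b">")
    parts = [_part(b"application/sdp", inspect_cid, SDP, sdp_extra),
             _part(b"message/sipfrag", b"frag-1@alice.example.com", SIPFRAG)]
    body = (b"".join(b"--" + BOUNDARY + CRLF + p + CRLF for p in parts)
            + b"--" + BOUNDARY + b"--" + CRLF)
    headers = [
        b"INVITE sip:bob@example.com SIP/2.0",
        b"Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK776asdhds",
        b"From: Alice <sip:alice@example.com>;tag=1928301774",
        b"To: Bob <sip:bob@example.com>",
        b"Call-ID: 3848276298220188511@atlanta.example.com",
        b"CSeq: 1 INVITE",
        *sip_extra,
        b"Content-Type: multipart/mixed;boundary=" + BOUNDARY,
        b"Content-Length: " + str(len(body)).encode(),
    ]
    return CRLF.join(headers) + CRLF + CRLF + body


def parse_headers(block):
    """'Name: value' lines -> {lower-case name: [values]} (no header folding)."""
    headers = {}
    for line in block.split(CRLF):
        if line:
            name, _, value = line.partition(b":")
            headers.setdefault(name.strip().lower().decode(), []).append(value.strip().decode())
    return headers


def parse_sip(raw):
    """Split a SIP request into (request line, header dict, raw body)."""
    start_line, _, rest = raw.partition(CRLF)
    head, _, body = rest.partition(CRLF + CRLF)
    return start_line.decode(), parse_headers(head), body


def split_multipart(body, boundary):
    """Yield (part headers, payload) from a multipart body (plain delimiter split)."""
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        chunk = chunk[len(CRLF):] if chunk.startswith(CRLF) else chunk
        head, _, payload = chunk.partition(CRLF + CRLF)
        if payload.endswith(CRLF):           # this CRLF belongs to the next delimiter
            payload = payload[:-len(CRLF)]
        yield parse_headers(head), payload


def _uri(value):
    """URI inside <...>, or the bare value up to the first parameter."""
    m = re.match(r"\s*<([^>]*)>", value)
    return m.group(1) if m else value.split(";", 1)[0].strip()


def parts_for_middle(raw, proxy):
    """Proxy side: [(content_type, payload)] for the parts labelled for `proxy`.

    Accepts either option. Unlabelled parts and parts labelled for another
    proxy are never returned, so the proxy sees only what was addressed to it.
    """
    _, headers, body = parse_sip(raw)
    bm = re.search(r'boundary="?([^";]+)"?', headers.get("content-type", [""])[0])
    if not bm:
        return []
    wanted = set()                                   # Option 1: SIP header block only
    for value in headers.get(OPTION1_HEADER.lower(), []):
        cm = re.search(r';cid="?([^";]+)"?', value)
        if cm and _uri(value) == proxy:
            wanted.add(cm.group(1))
    selected = []
    for phdr, payload in split_multipart(body, bm.group(1).encode()):
        cid = phdr.get("content-id", [""])[0].strip("<> ")
        target = phdr.get(OPTION2_HEADER.lower(), [None])[0]   # Option 2: per part
        if cid in wanted or (target is not None and _uri(target) == proxy):
            selected.append((phdr["content-type"][0], payload))
    return selected
```

With `build_invite(1, "sip:proxy.example.com")` or `build_invite(2, ...)`, `parts_for_middle(raw, "sip:proxy.example.com")` returns just the SDP part, and the same call for any other proxy URI returns nothing; the sipfrag part, which carries no label, is never exposed under either option. The difference a proxy implementer would notice is where the label lives: Option 1 can be evaluated from the SIP header block before any MIME parsing, whereas Option 2 requires splitting the body to find the label even when the proxy will not decrypt anything.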
Experimental Data
Environment
• CPU: Intel Celeron 2.2 GHz; RAM: 512 MB
• Baseline: a 568-byte INVITE message passing through a proxy server: 41.5 ms
• Target data to be encrypted/signed: 868-byte multipart/mime containing a sipfrag and SDP
• Public key size (RSA): 1024 bits
• CEK size (3DES): 168 bits
S/MIME-secured message size (base64-encoded)
• e2e encryption: 2358 bytes
• e2e + e2m encryption: 2630 bytes
Performance at a proxy server
• Passing through: 47.9 ms
• Checking the label and passing through:
  • Opt 1 (label in a new SIP header): +0.1 ms
  • Opt 2 (label in a new MIME header): +1.0 ms
• Checking the label, decrypting and inspecting a body:
  • Opt 1 (label in a new SIP header): +8.8 ms
  • Opt 2 (label in a new MIME header): +8.4 ms
Next Steps for e2m-mechs
• Is there sufficient interest in the SIPPING WG to continue this work?