1 / 10

Kumiko Ono ono.kumiko@lab.ntt.co.jp

End-to-middle Security in SIP draft-ietf-sipping-e2m-sec-reqs-03 draft-ono-sipping-end2middle-security-02. Kumiko Ono ono.kumiko@lab.ntt.co.jp. IETF60. Requirements. Changes since 02. Use cases Decreased the dependency on session policies discussion. Requirements

sebastian-makris
Télécharger la présentation

Kumiko Ono ono.kumiko@lab.ntt.co.jp

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. End-to-middle Security in SIPdraft-ietf-sipping-e2m-sec-reqs-03draft-ono-sipping-end2middle-security-02 Kumiko Ono ono.kumiko@lab.ntt.co.jp IETF60

  2. Requirements

  3. Changes since 02 • Use cases • Decreased the dependency on session policies discussion. • Requirements • Closed an open issue whether the proxy server needs to notify the UAS after receiving a response. • Because there is no such security policies that depends solely on a response. • Deleted text which belonged to a mechanism. • Changed the requirement for discovery mechanism from proxy-driven to UA-driven. • Security Consideration • Added text which relates to DoS attack on proxy servers.

  4. Open Issue: the scope • Is discovery of “middle” overlapping with the scope of the session policy ? • Discussion on the ML • My proposal: • Yes, they are overlapped in the discovery mechanism. I will add notes that refer to the session policy. However, e2m mechanism should have a way to notify proxy’s policy using an error message.

  5. Next Steps for e2m-reqs. • Something missing? • Ready for WGLC?

  6. Mechanism

  7. Open Issues e2m-mechs. • How to discover security policies on “middle” • How to label a body for “middle” for inspection only :-)

  8. How to label a body for “middle” • Option 1: A SIP header and Content-ID MIME header • This is used in Referred-by mechanism. • Option 2: A Content-Target MIME header • This is proposed in e2m I-D.

  9. Environment CPU Intel Celeron 2.2GHz RAM 512MB INVITE message: 568 bytes Passing through a proxy server: 41.5 ms Target data size to be encrypted/signed: 868 byte multipart/mime that contains sipfrag and SDP Public key size (RSA): 1024bits CEK size (3DES): 168bits S/MIME-secured message size (base64-encoded) e2e encryption: 2358 bytes e2e+e2m encryption: 2630bytes Performance at a proxy server Passing through: 47.9ms Checking the label and passing through: Opt1: Label in a new SIP header : +0.1ms Opt2: Label in a new MIME header: +1.0ms Checking the label, decrypting and inspecting a body: Opt1: Label in a new SIP header : +8.8ms Opt2: Label in a new MIME header: +8.4ms Experimental Data

  10. Next Steps for e2m-mechs. • Is there sufficient interest in the SIPPING WG to continue this work?

More Related