SlideShare una empresa de Scribd logo

SIP & TLS - a very brief overview for the POSH BOF at IETF 87

Olle E Johansson
Olle E Johansson

A very brief overview of SIP for a BOF at IETF 87 in Berlin.

Tecnología
1 de 17
Descargar para leer sin conexión
Session initiation protocol & TLS Olle E. Johansson, IETF 87 Berlin, July 2013 oej@edvina.net * @oej POSH bof v 1.42
IETF 87 - July 2013 - oej@edvina.net Executive summary: • SIP security filosophy: ”Let’s put a nice and soft fluffyTLS wrapper around the connection and it’s now secure” (oej) • There’s no tradition of datacom-type security in the telco world. Customer requirements are <null>. ”SIP end to end security is like a jumping bunny with a lock in the mouth” (old IETF draft)
IETF 87 - July 2013 - oej@edvina.net The problem with SIP security • A lot of servers - proxys and b2bua’s - in the signalling path are designed to be man-in-the-middle attack platforms by default • There’s no way for a SIP client to verify remote servers (or authorize their usage). • Very hard to make sure information integrity is intact for messages between endpoints • Too much trust put into the network.
IETF 87 - July 2013 - oej@edvina.net RFC 3261 • Defines a SIPS: uri. • Support for TLS for both SIP: and SIPS: uri’s • Requires SIP TLS server certificates to have canonical hostname. How is this related to the URI? • For SIPS:TLS hop by hop, but not the last hop. • Summary: Confusing. SIP 2.0
IETF 87 - July 2013 - oej@edvina.net RFC 3263 Locating SIP servers using DNS • Requires that the DOMAIN NAME in the hostname part of the URI is in the certificate. • Released at the same time as RFC 3261 that requires HOST NAME
IETF 87 - July 2013 - oej@edvina.net RFC 5922 Sip domain certificates • Defines SIP Domain certificates and redefines matching between SIP URI and X.509 PKIX certificate. Certificate now needs to match DOMAIN part of SIP URI. • Certificate can have multiple URI’s as SubjAltName ext fields. • Domain in CN is supported if no SAN extensions exists. Mixes authentication and authorization
IETF 87 - July 2013 - oej@edvina.net RFC 5923 - Connection reuse • Requires mutual TLS certificates for reuse of connection - for server2server connections. • If no client cert, then server needs to open new TLS connection for requests in the other direction. • Doesn’t define how a server knows if a connection is a ”client” or a ”server” ?
IETF 87 - July 2013 - oej@edvina.net Mistakes • Via and Route headers are in 99% of the cases IP addresses. • Certificates are in 99% of the cases host names or domains == No match. • RFC 5922 says that these headers needs to be domains (for SRV failover) or host names
IETF 87 - July 2013 - oej@edvina.net When bad things happen • Client contacts SIP server over TLS. SIP server tries to reach another server using TLS. Bad stuff happens. • No error codes, warnings or any other docs on how to signal this situation back.
IETF 87 - July 2013 - oej@edvina.net SIP Presence Funny enough named ”simple” • Lot’s of missing information about TLS usage. • Server has active role - but how does authorization work? • Client can only identify first hop TLS server, which in most cases is NOT the presence server. • Since SIMPLE is used for certificate handling, phone provisioning, personal presence and chat there are a lot of serious security issues here.
IETF 87 - July 2013 - oej@edvina.net RFC 6072 SIP certificate distribution • Use presence to subscribe to another SIP uri’s certificate • Use presence to PUBLISH certificate • Use presence to provision UA Cert and Key • Puts a lot of trust in the network • Requires TLS between ua and certificate handling presence server • Not compatible with SIP outbound
IETF 87 - July 2013 - oej@edvina.net SIP & S/MIME • Well.Yes. Hmmm.
IETF 87 - July 2013 - oej@edvina.net RFC 4474 SIP identity • Federated message integrity and identity assurance • Protects headers and attachment • Signed by domain cert • Domain cert verified by https (or something else like Dane). • Uses HTTPS to fetch (self-signed) CA cert for SIP domain. A cool idea.
IETF 87 - July 2013 - oej@edvina.net My draft on SIP DANE usage • Use DNSsec protection of NAPTR and SRV records for authorization • Use DNSsec/TLSA records for authentication • Focuses on client to server connections • Needs more work on server2server connection reuse draft-johansson-dane-sip
IETF 87 - July 2013 - oej@edvina.net TLS usage • Don’t mix authorization with authentication • Encryption - confidentiality - is based on knowing who you are talking to. Without proper authentication you might as well forget it. • Authorization is different for different protocols (I guess)
IETF 87 - July 2013 - oej@edvina.net Ahead • Lots of work needed to clean up TLS requirements - for presence, outbound and more • The same problem as XMPP with e2e security • Is S/MIME the way to go, really? • Where and what are the customer requirements?
IETF 87 - July 2013 - oej@edvina.net References • A good overview: http://tools.ietf.org/html/draft-gurbani-sip-sipsec-00

Recomendados

SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldOlle E Johansson
 
Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Olle E Johansson
 
The Realtime Story - part 2
The Realtime Story - part 2The Realtime Story - part 2
The Realtime Story - part 2Olle E Johansson
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?Deploy360 Programme (Internet Society)
 
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)PROIDEA
 
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...Alan Quayle
 
Fast Answers about Pertino
Fast Answers about PertinoFast Answers about Pertino
Fast Answers about PertinoPertino
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpnsharetech
 

Recomendados

SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldOlle E Johansson
 
Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Olle E Johansson
 
The Realtime Story - part 2
The Realtime Story - part 2The Realtime Story - part 2
The Realtime Story - part 2Olle E Johansson
 
ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?ION Sri Lanka - Why Implement DNSSEC?
ION Sri Lanka - Why Implement DNSSEC?Deploy360 Programme (Internet Society)
 
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)
CONFidence 2017: Deploying Secure NFS in a Large Enterprise (Moritz Willers)PROIDEA
 
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...
Tools for Offensive RTC security. Introducing SIPVicious PRO and the demo ser...Alan Quayle
 
Fast Answers about Pertino
Fast Answers about PertinoFast Answers about Pertino
Fast Answers about PertinoPertino
 
IPsec vpn
IPsec vpnIPsec vpn
IPsec vpnsharetech
 
ION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsDeploy360 Programme (Internet Society)
 
How to set up a Multi-Cloud VPC with Pertino
How to set up a Multi-Cloud VPC with PertinoHow to set up a Multi-Cloud VPC with Pertino
How to set up a Multi-Cloud VPC with PertinoPertino
 
SUTOL 2016 - Secure IBM Traveler for 2017
SUTOL 2016 - Secure IBM Traveler for 2017SUTOL 2016 - Secure IBM Traveler for 2017
SUTOL 2016 - Secure IBM Traveler for 2017Ales Lichtenberg
 
The Security layer
The Security layerThe Security layer
The Security layerSwetha S
 
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!Alan Quayle
 
Types of VPN
Types of VPNTypes of VPN
Types of VPNNetProtocol Xpert
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesOVHcloud
 
What is VPN?
What is VPN?What is VPN?
What is VPN?NetProtocol Xpert
 
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017VOIP2DAY
 
Tekirdağ mem
Tekirdağ memTekirdağ mem
Tekirdağ memGeorge Bekiaridis
 
Chapin Challenge
Chapin ChallengeChapin Challenge
Chapin ChallengeCorey Topf
 
The Effects of Cross-Pollination : How non-library mass market services are c...
The Effects of Cross-Pollination : How non-library mass market services are c...The Effects of Cross-Pollination : How non-library mass market services are c...
The Effects of Cross-Pollination : How non-library mass market services are c...Baden Hughes
 
Ppt
PptPpt
Pptalejandrolunamtz
 
Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1Hans Kemp
 
Writers Workshop
Writers WorkshopWriters Workshop
Writers WorkshopCorey Topf
 
Vocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrieVocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrieCorey Topf
 
Techo may9th
Techo may9thTecho may9th
Techo may9thCorey Topf
 
Day 1 - Start with the WHY (readings, texts, and slides)
Day 1 - Start with the WHY (readings, texts, and slides)Day 1 - Start with the WHY (readings, texts, and slides)
Day 1 - Start with the WHY (readings, texts, and slides)Corey Topf
 
Zappos-SIMA-05-15-08
Zappos-SIMA-05-15-08Zappos-SIMA-05-15-08
Zappos-SIMA-05-15-08zappos
 
The bambino tour
The bambino tourThe bambino tour
The bambino tourelenargy
 
Implementation of security standards and procedures
Implementation of security standards and proceduresImplementation of security standards and procedures
Implementation of security standards and proceduresStevenSegaert
 
Week 13 Sponges
Week 13 SpongesWeek 13 Sponges
Week 13 SpongesCorey Topf
 

Más contenido relacionado

La actualidad más candente

How to set up a Multi-Cloud VPC with Pertino
How to set up a Multi-Cloud VPC with PertinoHow to set up a Multi-Cloud VPC with Pertino
How to set up a Multi-Cloud VPC with PertinoPertino
 
SUTOL 2016 - Secure IBM Traveler for 2017
SUTOL 2016 - Secure IBM Traveler for 2017SUTOL 2016 - Secure IBM Traveler for 2017
SUTOL 2016 - Secure IBM Traveler for 2017Ales Lichtenberg
 
The Security layer
The Security layerThe Security layer
The Security layerSwetha S
 
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!Alan Quayle
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesOVHcloud
 
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017VOIP2DAY
 

La actualidad más candente (9)

ION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network OperatorsION Sri Lanka - TLS for Network Operators
ION Sri Lanka - TLS for Network Operators
 
How to set up a Multi-Cloud VPC with Pertino
How to set up a Multi-Cloud VPC with PertinoHow to set up a Multi-Cloud VPC with Pertino
How to set up a Multi-Cloud VPC with Pertino
 
SUTOL 2016 - Secure IBM Traveler for 2017
SUTOL 2016 - Secure IBM Traveler for 2017SUTOL 2016 - Secure IBM Traveler for 2017
SUTOL 2016 - Secure IBM Traveler for 2017
 
The Security layer
The Security layerThe Security layer
The Security layer
 
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
TADSummit Comverse WebRTC, WebRTC is for telcos too. Today!
 
Types of VPN
Types of VPNTypes of VPN
Types of VPN
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy Tales
 
What is VPN?
What is VPN?What is VPN?
What is VPN?
 
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
Evolución de soluciones de colaboración | Diana Mate - VoIP2DAY 2017
 

Destacado

Chapin Challenge
Chapin ChallengeChapin Challenge
Chapin ChallengeCorey Topf
 
The Effects of Cross-Pollination : How non-library mass market services are c...
The Effects of Cross-Pollination : How non-library mass market services are c...The Effects of Cross-Pollination : How non-library mass market services are c...
The Effects of Cross-Pollination : How non-library mass market services are c...Baden Hughes
 
Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1Hans Kemp
 
Writers Workshop
Writers WorkshopWriters Workshop
Writers WorkshopCorey Topf
 
Vocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrieVocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrieCorey Topf
 
Day 1 - Start with the WHY (readings, texts, and slides)
Day 1 - Start with the WHY (readings, texts, and slides)Day 1 - Start with the WHY (readings, texts, and slides)
Day 1 - Start with the WHY (readings, texts, and slides)Corey Topf
 
Zappos-SIMA-05-15-08
Zappos-SIMA-05-15-08Zappos-SIMA-05-15-08
Zappos-SIMA-05-15-08zappos
 
The bambino tour
The bambino tourThe bambino tour
The bambino tourelenargy
 
Implementation of security standards and procedures
Implementation of security standards and proceduresImplementation of security standards and procedures
Implementation of security standards and proceduresStevenSegaert
 
Week 13 Sponges
Week 13 SpongesWeek 13 Sponges
Week 13 SpongesCorey Topf
 
The organisation of social security coordination
The organisation of social security coordinationThe organisation of social security coordination
The organisation of social security coordinationStevenSegaert
 
Dutch PHP Conference
Dutch PHP ConferenceDutch PHP Conference
Dutch PHP Conferencecalevans
 
IADD1 0809Q3 Hoorcollege2 Deeltijd
IADD1 0809Q3 Hoorcollege2 DeeltijdIADD1 0809Q3 Hoorcollege2 Deeltijd
IADD1 0809Q3 Hoorcollege2 DeeltijdHans Kemp
 
Iad2 0809 Q4 Hoorcollege 1
Iad2 0809 Q4 Hoorcollege 1Iad2 0809 Q4 Hoorcollege 1
Iad2 0809 Q4 Hoorcollege 1Hans Kemp
 
If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...
If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...
If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...Baden Hughes
 

Destacado (20)

Tekirdağ mem
Tekirdağ memTekirdağ mem
Tekirdağ mem
 
Chapin Challenge
Chapin ChallengeChapin Challenge
Chapin Challenge
 
The Effects of Cross-Pollination : How non-library mass market services are c...
The Effects of Cross-Pollination : How non-library mass market services are c...The Effects of Cross-Pollination : How non-library mass market services are c...
The Effects of Cross-Pollination : How non-library mass market services are c...
 
Ppt
PptPpt
Ppt
 
Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1Iad2 0910 Q1 Hoorcollege 1
Iad2 0910 Q1 Hoorcollege 1
 
Writers Workshop
Writers WorkshopWriters Workshop
Writers Workshop
 
Vocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrieVocabulary tuesdayswithmorrie
Vocabulary tuesdayswithmorrie
 
Techo may9th
Techo may9thTecho may9th
Techo may9th
 
Day 1 - Start with the WHY (readings, texts, and slides)
Day 1 - Start with the WHY (readings, texts, and slides)Day 1 - Start with the WHY (readings, texts, and slides)
Day 1 - Start with the WHY (readings, texts, and slides)
 
Zappos-SIMA-05-15-08
Zappos-SIMA-05-15-08Zappos-SIMA-05-15-08
Zappos-SIMA-05-15-08
 
The bambino tour
The bambino tourThe bambino tour
The bambino tour
 
Implementation of security standards and procedures
Implementation of security standards and proceduresImplementation of security standards and procedures
Implementation of security standards and procedures
 
Week 13 Sponges
Week 13 SpongesWeek 13 Sponges
Week 13 Sponges
 
The organisation of social security coordination
The organisation of social security coordinationThe organisation of social security coordination
The organisation of social security coordination
 
Dutch PHP Conference
Dutch PHP ConferenceDutch PHP Conference
Dutch PHP Conference
 
IADD1 0809Q3 Hoorcollege2 Deeltijd
IADD1 0809Q3 Hoorcollege2 DeeltijdIADD1 0809Q3 Hoorcollege2 Deeltijd
IADD1 0809Q3 Hoorcollege2 Deeltijd
 
A1 olympics
A1 olympicsA1 olympics
A1 olympics
 
Iberika role
Iberika role Iberika role
Iberika role
 
Iad2 0809 Q4 Hoorcollege 1
Iad2 0809 Q4 Hoorcollege 1Iad2 0809 Q4 Hoorcollege 1
Iad2 0809 Q4 Hoorcollege 1
 
If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...
If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...
If We're Not There Yet, How Far Do We Have To Go ? Web Metadata at The Univer...
 

Similar a SIP & TLS - a very brief overview for the POSH BOF at IETF 87

#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2Olle E Johansson
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and sslMohd Arif
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLSOlle E Johansson
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECCarlos Martinez Cagnazzo
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer securityMaarten Smeets
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlWarren Bent
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Warren Bent
 
DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)Olle E Johansson
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layerBU
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitToni de la Fuente
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPSJackio Kwok
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 

Similar a SIP & TLS - a very brief overview for the POSH BOF at IETF 87 (20)

#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
Ip sec and ssl
Ip sec and sslIp sec and ssl
Ip sec and ssl
 
Firewall traversals
Firewall traversalsFirewall traversals
Firewall traversals
 
#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS#MoreCrypto : Introduction to TLS
#MoreCrypto : Introduction to TLS
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
Shanghai Breakout: Wireless LAN Security Fundamentals
Shanghai Breakout: Wireless LAN Security Fundamentals Shanghai Breakout: Wireless LAN Security Fundamentals
Shanghai Breakout: Wireless LAN Security Fundamentals
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
 
Authenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call ControlAuthenticated Identites in VoIP Call Control
Authenticated Identites in VoIP Call Control
 
Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2Presentation To Vo Ip Round Table V2
Presentation To Vo Ip Round Table V2
 
DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
Alfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transitAlfresco DevCon 2019: Encryption at-rest and in-transit
Alfresco DevCon 2019: Encryption at-rest and in-transit
 
020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS020618 Why Do we Need HTTPS
020618 Why Do we Need HTTPS
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
 

Más de Olle E Johansson

Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Olle E Johansson
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handlingOlle E Johansson
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Olle E Johansson
 
The birth and death of PSTN
The birth and death of PSTNThe birth and death of PSTN
The birth and death of PSTNOlle E Johansson
 
WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019Olle E Johansson
 
Kamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffKamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffOlle E Johansson
 
Realtime communication over a dual stack network
Realtime communication over a dual stack networkRealtime communication over a dual stack network
Realtime communication over a dual stack networkOlle E Johansson
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolOlle E Johansson
 
SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)Olle E Johansson
 
Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Olle E Johansson
 
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Olle E Johansson
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIPOlle E Johansson
 
TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6Olle E Johansson
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Olle E Johansson
 
RFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the timeRFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the timeOlle E Johansson
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreOlle E Johansson
 
TCP/IP geeks Stockholm :: Manifesto
TCP/IP geeks Stockholm :: ManifestoTCP/IP geeks Stockholm :: Manifesto
TCP/IP geeks Stockholm :: ManifestoOlle E Johansson
 
WebRTC - a quick introduction
WebRTC - a quick introductionWebRTC - a quick introduction
WebRTC - a quick introductionOlle E Johansson
 

Más de Olle E Johansson (20)

Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handling
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)
 
The birth and death of PSTN
The birth and death of PSTNThe birth and death of PSTN
The birth and death of PSTN
 
WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019
 
Kamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffKamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuff
 
Kamailio on air
Kamailio on airKamailio on air
Kamailio on air
 
Webrtc overview
Webrtc overviewWebrtc overview
Webrtc overview
 
Realtime communication over a dual stack network
Realtime communication over a dual stack networkRealtime communication over a dual stack network
Realtime communication over a dual stack network
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocol
 
SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)
 
Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!
 
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP
 
TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.
 
RFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the timeRFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the time
 
SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and more
 
TCP/IP geeks Stockholm :: Manifesto
TCP/IP geeks Stockholm :: ManifestoTCP/IP geeks Stockholm :: Manifesto
TCP/IP geeks Stockholm :: Manifesto
 
WebRTC - a quick introduction
WebRTC - a quick introductionWebRTC - a quick introduction
WebRTC - a quick introduction
 

Último

Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 

Último (20)

Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 

SIP & TLS - a very brief overview for the POSH BOF at IETF 87

  • 1. Session initiation protocol & TLS Olle E. Johansson, IETF 87 Berlin, July 2013 oej@edvina.net * @oej POSH bof v 1.42
  • 2. IETF 87 - July 2013 - oej@edvina.net Executive summary: • SIP security filosophy: ”Let’s put a nice and soft fluffyTLS wrapper around the connection and it’s now secure” (oej) • There’s no tradition of datacom-type security in the telco world. Customer requirements are <null>. ”SIP end to end security is like a jumping bunny with a lock in the mouth” (old IETF draft)
  • 3. IETF 87 - July 2013 - oej@edvina.net The problem with SIP security • A lot of servers - proxys and b2bua’s - in the signalling path are designed to be man-in-the-middle attack platforms by default • There’s no way for a SIP client to verify remote servers (or authorize their usage). • Very hard to make sure information integrity is intact for messages between endpoints • Too much trust put into the network.
  • 4. IETF 87 - July 2013 - oej@edvina.net RFC 3261 • Defines a SIPS: uri. • Support for TLS for both SIP: and SIPS: uri’s • Requires SIP TLS server certificates to have canonical hostname. How is this related to the URI? • For SIPS:TLS hop by hop, but not the last hop. • Summary: Confusing. SIP 2.0
  • 5. IETF 87 - July 2013 - oej@edvina.net RFC 3263 Locating SIP servers using DNS • Requires that the DOMAIN NAME in the hostname part of the URI is in the certificate. • Released at the same time as RFC 3261 that requires HOST NAME
  • 6. IETF 87 - July 2013 - oej@edvina.net RFC 5922 Sip domain certificates • Defines SIP Domain certificates and redefines matching between SIP URI and X.509 PKIX certificate. Certificate now needs to match DOMAIN part of SIP URI. • Certificate can have multiple URI’s as SubjAltName ext fields. • Domain in CN is supported if no SAN extensions exists. Mixes authentication and authorization
  • 7. IETF 87 - July 2013 - oej@edvina.net RFC 5923 - Connection reuse • Requires mutual TLS certificates for reuse of connection - for server2server connections. • If no client cert, then server needs to open new TLS connection for requests in the other direction. • Doesn’t define how a server knows if a connection is a ”client” or a ”server” ?
  • 8. IETF 87 - July 2013 - oej@edvina.net Mistakes • Via and Route headers are in 99% of the cases IP addresses. • Certificates are in 99% of the cases host names or domains == No match. • RFC 5922 says that these headers needs to be domains (for SRV failover) or host names
  • 9. IETF 87 - July 2013 - oej@edvina.net When bad things happen • Client contacts SIP server over TLS. SIP server tries to reach another server using TLS. Bad stuff happens. • No error codes, warnings or any other docs on how to signal this situation back.
  • 10. IETF 87 - July 2013 - oej@edvina.net SIP Presence Funny enough named ”simple” • Lot’s of missing information about TLS usage. • Server has active role - but how does authorization work? • Client can only identify first hop TLS server, which in most cases is NOT the presence server. • Since SIMPLE is used for certificate handling, phone provisioning, personal presence and chat there are a lot of serious security issues here.
  • 11. IETF 87 - July 2013 - oej@edvina.net RFC 6072 SIP certificate distribution • Use presence to subscribe to another SIP uri’s certificate • Use presence to PUBLISH certificate • Use presence to provision UA Cert and Key • Puts a lot of trust in the network • Requires TLS between ua and certificate handling presence server • Not compatible with SIP outbound
  • 12. IETF 87 - July 2013 - oej@edvina.net SIP & S/MIME • Well.Yes. Hmmm.
  • 13. IETF 87 - July 2013 - oej@edvina.net RFC 4474 SIP identity • Federated message integrity and identity assurance • Protects headers and attachment • Signed by domain cert • Domain cert verified by https (or something else like Dane). • Uses HTTPS to fetch (self-signed) CA cert for SIP domain. A cool idea.
  • 14. IETF 87 - July 2013 - oej@edvina.net My draft on SIP DANE usage • Use DNSsec protection of NAPTR and SRV records for authorization • Use DNSsec/TLSA records for authentication • Focuses on client to server connections • Needs more work on server2server connection reuse draft-johansson-dane-sip
  • 15. IETF 87 - July 2013 - oej@edvina.net TLS usage • Don’t mix authorization with authentication • Encryption - confidentiality - is based on knowing who you are talking to. Without proper authentication you might as well forget it. • Authorization is different for different protocols (I guess)
  • 16. IETF 87 - July 2013 - oej@edvina.net Ahead • Lots of work needed to clean up TLS requirements - for presence, outbound and more • The same problem as XMPP with e2e security • Is S/MIME the way to go, really? • Where and what are the customer requirements?
  • 17. IETF 87 - July 2013 - oej@edvina.net References • A good overview: http://tools.ietf.org/html/draft-gurbani-sip-sipsec-00