End-to-middle Security in SIP
draft-ietf-sipping-e2m-sec-reqs-04
draft-ono-sipping-end2middle-security-03
Kumiko Ono
IETF61
Requirements
draft-ietf-sipping-e2m-sec-reqs-04
Changes since 03
• Section 2.1: Examples of Scenarios
– Removed the text that overlapped with the scope of session policies
– Removed the text that described an illegal behavior of a proxy server
Changes since 03 (cont’d)
• Section 4: Requirements for a Solution
– Added notes to describe the requirements met by session policies
– Added a note to describe the requirements met by an existing mechanism, digest authentication
– Changed "SHOULD" to "MAY"
REQ-CONF-4: It MAY allow a UA to request that the recipient UA disclose information to the proxy server, which requesting UA is disclosing the information to. The request itself SHOULD be secure.
– Added the conditions of the requirements.
• References
– Divided references into normative and informative.
• In WG LC till Nov. 20
• Feedback is appreciated.
Mechanism
draft-ono-sipping-end2middle-security-03
Open Issue#1: Labeling the target body for “middle”
Option A-1. A new SIP header, e.g., "Proxy-Required-Body"
Option A-2. A new parameter in a SIP header, e.g., a "content-id" param in the Route header
Option B-1. A new MIME header, e.g., "Content-Target"
Option B-2. A new parameter in a MIME header, e.g., a "required-entity" param in "Content-Disposition"
My Proposal: Option A-1. A new SIP header
Open Issue#2: Notification with a new error code
A proxy should have a way to notify a UA that end-to-middle security is required, in addition to the UAC-driven method such as the session policy package.
1) When a proxy server needs to view encrypted data sent by a UAC, it requires end-to-middle confidentiality.
• An existing error code, "493 Undecipherable", and the target content type in the Warning header
2) When a proxy server needs to validate the data integrity of the message, it requires end-to-middle integrity.
• 403?
• A new error code, such as "495 Signature required", and the target content type in the Warning header
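Open Issue #1 and Open Issue #2 together describe one proxy-side procedure: locate the body part the UAC labelled for the "middle", then answer with the proposed error code and a Warning header when that part is not readable or not covered by a signature. The Python below is an added illustration of that procedure, not code from the draft or the slides. It assumes Option A-1's hypothetical `Proxy-Required-Body` header carrying the Content-ID of the target part, a proxy that wants to read `application/sdp`, a constructed proxy name `proxy.example.com`, and constructed INVITE messages; "495 Signature required" is the slide's proposal, not a registered SIP status code. The stdlib e-mail parser is reused for the SIP header block and MIME body, which share the RFC 822 layout.

```python
import email
from email import policy

PROXY_NAME = "proxy.example.com"       # constructed identity, used as the Warning warn-agent
LABEL_HEADER = "Proxy-Required-Body"   # hypothetical SIP header from Option A-1 on the slide
WANTED_CTYPE = "application/sdp"       # body type this proxy wants to read (assumption)


def _invite(content_type: str, body: str) -> str:
    """Assemble a constructed INVITE whose labelled part carries Content-ID <cid-1@...>."""
    return (
        "INVITE sip:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP client.example.com;branch=z9hG4bK74bf9\r\n"
        "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
        "To: Bob <sip:bob@example.com>\r\n"
        "Call-ID: a84b4c76e66710@client.example.com\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"{LABEL_HEADER}: <cid-1@client.example.com>\r\n"
        f"Content-Type: {content_type}\r\n\r\n" + body
    )


# Plain SDP part that the UAC labels for the proxy (constructed).
SDP_PART = (
    "Content-Type: application/sdp\r\n"
    "Content-ID: <cid-1@client.example.com>\r\n\r\n"
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 client.example.com\r\ns=-\r\n"
)

# Case 1: the labelled part is end-to-end encrypted (S/MIME enveloped data).
ENCRYPTED_INVITE = _invite(
    "multipart/mixed; boundary=outer",
    "--outer\r\n"
    "Content-Type: application/pkcs7-mime; smime-type=enveloped-data\r\n"
    "Content-ID: <cid-1@client.example.com>\r\n\r\n"
    "MIIBAgYJKoZIhvcNAQcD...constructed-placeholder...\r\n"
    "--outer--\r\n",
)

# Case 2: the labelled part is readable and covered by an S/MIME signature.
SIGNED_INVITE = _invite(
    'multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary=sig',
    "--sig\r\n" + SDP_PART + "--sig\r\n"
    "Content-Type: application/pkcs7-signature\r\n\r\n"
    "MIICkwYJKoZIhvcNAQcC...constructed-placeholder...\r\n"
    "--sig--\r\n",
)

# Case 3: the labelled part is readable but neither encrypted nor signed.
PLAIN_INVITE = _invite("multipart/mixed; boundary=outer",
                       "--outer\r\n" + SDP_PART + "--outer--\r\n")


def parse_sip(raw: str):
    """Split off the SIP start line; the header block and MIME body parse like an e-mail."""
    start_line, _, rest = raw.partition("\r\n")
    return start_line, email.message_from_string(rest, policy=policy.compat32)


def find_labelled_part(msg):
    """Return (part, signed): the part whose Content-ID matches the label, and whether
    it sits inside a multipart/signed container (i.e. a signature covers it)."""
    cid = msg[LABEL_HEADER]
    if cid is None:
        return None, False
    stack = [(msg, False)]
    while stack:
        node, signed = stack.pop()
        if node.get("Content-ID") == cid:
            return node, signed
        if node.is_multipart():
            signed = signed or node.get_content_type() == "multipart/signed"
            stack.extend((child, signed) for child in node.get_payload())
    return None, False


def proxy_check(raw: str, need_integrity: bool = False):
    """Return None if the proxy can forward the request, else (code, reason, warning).

    The Warning value follows RFC 3261 (warn-code 399 = miscellaneous warning) and
    names the content type the proxy needs, as the slide suggests."""
    _, msg = parse_sip(raw)
    part, signed = find_labelled_part(msg)
    if part is None:
        return None  # nothing labelled for this proxy: forward unchanged
    if (part.get_content_type() == "application/pkcs7-mime"
            and part.get_param("smime-type") == "enveloped-data"):
        # Encrypted for the far end only (this proxy is assumed not to be a recipient),
        # so end-to-middle confidentiality is missing: reuse 493 Undecipherable.
        return 493, "Undecipherable", f'399 {PROXY_NAME} "readable {WANTED_CTYPE} required"'
    if need_integrity and not signed:
        # No signature covers the part: the slide's proposed 495 Signature required.
        return 495, "Signature required", f'399 {PROXY_NAME} "signed {WANTED_CTYPE} required"'
    return None


if __name__ == "__main__":
    for name, raw, integrity in [("encrypted", ENCRYPTED_INVITE, False),
                                 ("signed", SIGNED_INVITE, True),
                                 ("plain", PLAIN_INVITE, True)]:
        print(name, "->", proxy_check(raw, need_integrity=integrity) or "forward")
```

The classification only looks at MIME structure: a real proxy would attempt decryption or signature verification on the labelled part and would also need to handle an Option A-1 label that no part matches, which this toy treats as "nothing to check".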
Next Step
• Can we adopt this as a WG item?