SIPCORE - presentation of SIP and DANE (IETF #89)


Published on March 4, 2014

Author: oej

Source: slideshare.net

Description

A presentation of how DANE may apply to the Session Initiation Protocol (SIP). Written for the SIPCORE meeting at IETF #89 in London, 2014.

Slide 1: SIP and DNSsec based TLS setup (DANE) - random thoughts
Olle E. Johansson, oej@edvina.net
V 3.14 - 2014-02-27
IETF 89, London, March 2014

Slide 2: Today's question
• SIP & DANE: do we want to add this work to our charter?

Slide 3: SIP & TLS (RFC 5922)
• The SIP URI target domain is verified against SubjectAltName URI records
• If there are no SAN URI records, against SAN DNS records
• If there are no SAN records at all, against the CN
• But no CN check is done if there are SAN records!

Slide 4: Dependencies
(Dependency diagram: DNS, TLS, SIP; SIP domain certificates; DNSsec; DANE; SIP + DANE)
• To trust DANE you need to trust DNSsec

Slide 5: DANE simplified
(Diagram: a signed, trusted DNS zone publishes a certificate identifier; TLS server stockholm.example.com; TLS client)

Slide 6: Questions
(Diagram: TLS client connecting to TLS server stockholm.example.com)
• Is the certificate signer (CA) the right one?
• Do I trust this certificate?
• Am I talking with the right server?

Slide 7: DANE simplified
(Diagram: the signed, trusted DNS zone for stockholm.example.com publishes a certificate identifier that the TLS client checks against the TLS server's certificate)
What the zone can state about the service:
• My service uses this CA
• My service uses this certificate
• My service uses the private key that matches this public key

Slide 8: DANE summary
• Can publish constraints
  • This CA is the only one accepted
  • This certificate is the only one accepted
• Can publish the root of a private CA
  • This CA cert is the one used to sign my server certificates
• Can publish certificates
In all cases, a full cert or the public key can be published, or fingerprints of these.

Slide 9: TLSA selector and matching
Selector
• 0 - Full certificate included in the TLSA record
• 1 - Public key included in the TLSA record
Matching type
• 0 - Exact match
• 1 - The data is a SHA-256 hash of the content
• 2 - The data is a SHA-512 hash of the content

Slide 10: TLSA records (usage field)
• Usage 0: CA constraint. Certificate or public key of a CA
• Usage 1: Certificate constraint. Certificate or public key of the cert, signed by a CA
• Usage 2: Certificate or public key of a cert serving as trust anchor for the cert given by the server ("private CA")
• Usage 3: A certificate or public key that matches the cert given by the server (no PKIX check)
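As an added example (not from the slides or from the author's draft), the following Python turns the selector, matching type and usage fields of slides 9 and 10 into a check of a presented certificate chain: it computes the TLSA association data for the full certificate or the SubjectPublicKeyInfo, matches usage 1/3 against the server cert and usage 0/2 against a CA in the chain, and reports whether normal PKIX validation must still follow. The certificate and SPKI byte strings are constructed placeholders, not real DER.

```python
import hashlib

# Constructed byte strings standing in for DER certificates and their
# SubjectPublicKeyInfo blobs (placeholders, not real certificates).
CERT_DER = b"\x30\x82constructed-server-cert-sip02.example.org"
SPKI_DER = b"\x30\x59constructed-server-spki-sip02.example.org"
CA_CERT_DER = b"\x30\x82constructed-ca-cert-example-ca"
CA_SPKI_DER = b"\x30\x59constructed-ca-spki-example-ca"

def association_data(selector, matching, cert_der, spki_der):
    """Certificate association data as published in a TLSA record.
    selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
    matching 0 = exact bytes, 1 = SHA-256, 2 = SHA-512."""
    if selector not in (0, 1):
        raise ValueError("unknown selector %r" % selector)
    content = cert_der if selector == 0 else spki_der
    if matching == 0:
        return content
    if matching == 1:
        return hashlib.sha256(content).digest()
    if matching == 2:
        return hashlib.sha512(content).digest()
    raise ValueError("unknown matching type %r" % matching)

def parse_tlsa(rdata):
    """Parse presentation form 'usage selector matching hexdata'."""
    usage, selector, matching, data = rdata.split(None, 3)
    return int(usage), int(selector), int(matching), bytes.fromhex(data.replace(" ", ""))

def pkix_still_required(usage):
    """Usage 0 and 1 only constrain PKIX validation, which must still run;
    usage 2 and 3 replace it (slide 21)."""
    return usage in (0, 1)

def check_against_tlsa(records, chain):
    """chain[0] is the server cert, chain[1:] its CA chain, each as
    (cert_der, spki_der). Usage 1 and 3 are matched against the server cert,
    usage 0 and 2 against a CA cert in the chain. Returns (accepted,
    pkix_required); no matching record means the connection must fail."""
    for rdata in records:
        usage, selector, matching, data = parse_tlsa(rdata)
        candidates = chain[:1] if usage in (1, 3) else chain[1:]
        for cert_der, spki_der in candidates:
            if association_data(selector, matching, cert_der, spki_der) == data:
                return True, pkix_still_required(usage)
    return False, False
```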

Slide 11: DANE simplified
(Diagram: signed, trusted DNS zone; TLS server stockholm.example.com; certificate identifier; TLS client)
1. Check the TLSA record for the service
2. Verify the TLS server cert in the handshake against the TLSA record

Slide 12: The DANE promise
• If you trust the DNS (using DNSsec), then we can use that instead of the certificate store to check server identity and authorisation.

Slide 13: Back to SIP

Slide 14: SIP domain certs
• Connect a SIP URI domain part with a certificate
• Mix server identification with domain authorisation
• Only domains in the certificates
• New certificate every time we add a domain or subdomain
• No wildcard certs

Slide 15: What about SNI?
• Many certificates on one TLS server and IP.
• No support for DNS names
• ONLY host names.

Slide 16: SIP
(Diagram: sip:alice@example.com -> example.com NAPTR -> example.net SRV -> host sip02.example.org, presenting a cert with "example.com")
• We just trust that we've hit the right server if the cert contains the domain.

Slide 17: DANE secure delegation
(Diagram: sip:alice@example.com -> example.com NAPTR -> example.net SRV -> host sip02.example.org, all protected by DNSsec, presenting a cert with "sip02.example.org")
• If the DNS queries for the NAPTR and SRV records were verified and protected with DNSsec, we have a secure delegation from example.com to sip02.example.org

Slide 18: Not fully secure is insecure
• If the NAPTR was DNSsec protected but not the SRV, we have no secure delegation.
• If there's no DNSsec on either the NAPTR or the SRV, we're insecure too.
• The SIP URI to TLS certificate matching in RFC 5922 applies in this case

Slide 19: If we have a secure delegation
• Check for a TLSA record for the SRV host name and port
  • _5068._udp.sip02.example.org
• If no TLSA record is found, then DANE doesn't apply; proceed according to RFC 5922
• If a TLSA record exists, continue to the next slide

Slide 20: Our identifiers
• The SIP domain in the request URI
  • Used in insecure delegation
• The SRV FQDN from the SRV lookup of the domain (protected with DNSsec)
  • Used in secure delegation as well as in TLSA record verification

Slide 21: Validation
• With TLSA usage 0 and 1, use these constraints, then verify the cert as before
• With TLSA usage 2 and 3, use the information to validate the cert
• If either TLSA validation fails, the connection should fail.
• With usage 0 and 1, after TLSA validation normal PKIX validation happens.

Slide 22: Sideways jumps
• When a NAPTR or SRV record points to a name in another domain, the client needs to make sure that the new domain is validated in DNSsec as well.
• If not, the delegation is insecure

Slide 23: SIP fallback logic
• If there's no secure delegation, use RFC 5922; if that fails, go to the next SRV server in the list
• When out of SRV servers, the TLS connection has failed.
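The decision procedure of slides 17 to 23 (secure delegation only when every NAPTR and SRV answer, including a sideways jump, was validated; TLSA lookup at the SRV target's port and host; the SRV FQDN as identifier under DANE and the SIP domain under RFC 5922; then ordered fallback through the SRV list) as an added Python example, not code from the slides or the author's draft. The resolver answers are constructed dictionaries whose "ad" flag stands in for the DNSsec AD bit, with port 5061 over TCP assumed; an unvalidated TLSA answer is treated as no TLSA record, which is this example's assumption.

```python
# Constructed resolver answers (not real DNS data); "ad" mirrors the DNSsec
# AD bit: True means the answer was validated.
DNS = {
    ("example.com", "NAPTR"): {"ad": True, "rrs": ["_sips._tcp.example.net"]},
    ("_sips._tcp.example.net", "SRV"): {"ad": True,
        "rrs": [("sip02.example.org", 5061), ("sip03.example.org", 5061)]},
    ("_5061._tcp.sip02.example.org", "TLSA"): {"ad": True,
        "rrs": ["3 1 1 0123456789abcdef"]},   # constructed placeholder rdata
    # sip03.example.org publishes no TLSA record at all.
}

def plan_tls_checks(sip_domain, dns):
    """Walk NAPTR -> SRV -> TLSA and return, in SRV order, tuples of
    (host, port, identifier, method, tlsa_rrs) the client should try.
    method is 'DANE' (identifier = SRV FQDN, slide 20) or 'RFC5922'
    (identifier = SIP domain)."""
    naptr = dns.get((sip_domain, "NAPTR"))
    if naptr is None:
        return []
    secure = naptr["ad"]                         # slide 18: NAPTR must be validated
    plan = []
    for srv_name in naptr["rrs"]:
        srv = dns.get((srv_name, "SRV"))
        if srv is None:
            continue
        srv_secure = secure and srv["ad"]        # slide 22: the new domain must validate too
        proto = srv_name.split(".")[1].lstrip("_")
        for host, port in srv["rrs"]:
            tlsa = None
            if srv_secure:                       # slide 19: TLSA only after secure delegation
                tlsa = dns.get(("_%d._%s.%s" % (port, proto, host), "TLSA"))
            if tlsa and tlsa["ad"] and tlsa["rrs"]:
                plan.append((host, port, host, "DANE", tuple(tlsa["rrs"])))
            else:                                # no (validated) TLSA: DANE does not apply
                plan.append((host, port, sip_domain, "RFC5922", ()))
    return plan

def connect_with_fallback(plan, try_connect):
    """Slide 23: try each SRV server in order; try_connect(entry) returns True
    on a verified TLS connection. Returns the entry that worked, or None when
    the SRV list is exhausted (the TLS connection has failed)."""
    for entry in plan:
        if try_connect(entry):
            return entry
    return None
```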

Slide 24: Compatibility with non-SRV clients
• Fallback to RFC 5922
• Since dane-srv-02 requires TLS SNI, this will be sorted out by the server.
• SRV/DANE compatible UAs will require a cert for the SRV host name
• Non SRV/DANE UAs will require a cert with the SIP URI target domain

Slide 25: If no SNI support is available
• Cert with
  • CommonName = hostname
  • SubjectAltName = SIP domain

Slide 26: SIP connection reuse
• RFC 5923 uses TLS cert content to add aliases to a connection.
• With DANE, the cert will include only the hostname
• SIP/DANE will have to add aliases as they are verified using DNSsec
• If a domain shares an SRV hostname and the trust chain is verified between the domain and the SRV, the existing connection to the SRV host may be used for this domain too (and an alias added to the alias table)

Slide 27: Verification of client certificates in RFC 5923
• Connection reuse requires a SIP server using RFC 5923 to request a client certificate
• Which DNS name do we use to look up TLSA records and verify the client? Can this be done?

Slide 28: Not to worry about now
• SIP identity
• SIMPLE
• SIPS: URIs
For these use cases, there's no difference compared with other TLS usage in SIP.

Slide 29: Reading material
• RFC 5922 - SIP Domain Certificates
• RFC 6698 - DNS based authentication of named entities (DANE)
• draft-ietf-dane-srv - DANE and SRV/MX records
• draft-ietf-dane-smime - DANE and S/MIME identities
• draft-ogud-dane-vocabulary - DANE vocabulary for application usages
• RFC 5923 - Connection Reuse in SIP
• draft-johansson-dispatch-dane-sip-01 - The draft on SIP and DANE
