[NEW Module] SIP Identity


[NEW Module] SIP Identity

Bogdan-Andrei Iancu
Hello,


OpenSIPS 1.5.0 has a new module. The "identity" module is an
implementation of SIP identity as per RFC 4474
(http://www.ietf.org/rfc/rfc4474.txt).

Abstract (from the RFC):

   The existing security mechanisms in the Session Initiation Protocol
   (SIP) are inadequate for cryptographically assuring the identity of
   the end users that originate SIP requests, especially in an
   interdomain context.  This document defines a mechanism for securely
   identifying originators of SIP messages.  It does so by defining two
   new SIP header fields, Identity, for conveying a signature used for
   validating the identity, and Identity-Info, for conveying a reference
   to the certificate of the signer.

This module was written and contributed by Alexander Christ (Cologne
University of Applied Sciences) almost 2 years ago. I took the code and
refurbished it - updated it for OpenSIPS 1.5.0 and reworked the SIP
header manipulation code (for creating, adding and searching SIP
headers), and a lot of other things.

Unfortunately Alexander was not interested in maintaining this module,
so I took the job from him, and finally uploaded the module.

Documentation (with examples and scripts) is available on the web site:
http://www.opensips.org/html/docs/modules/devel/identity.html

Please carefully read the "Limitations" section before using this module:

http://www.opensips.org/html/docs/modules/devel/identity.html#id228395

The next step (in the future releases) will be to work out these
limitations.


Regards,
Bogdan


_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: [NEW Module] SIP Identity

Iñaki Baz Castillo
On Tuesday, 10 February 2009, Bogdan-Andrei Iancu wrote:

> Hello,
>
>
> OpenSIPS 1.5.0 has a new module. The "identity" module is an
> implementation of SIP identity as per RFC 4474
> (http://www.ietf.org/rfc/rfc4474.txt).
>

Really interesting :)


--
Iñaki Baz Castillo


Re: [NEW Module] SIP Identity

Adrian Georgescu
Beyond being plain interesting, it is the most cost-effective way to implement secure identity between SIP Proxies serving different domains.

Adrian

On Feb 10, 2009, at 8:57 PM, Iñaki Baz Castillo wrote:

> Really interesting :)

Re: [NEW Module] SIP Identity

Alex Balashov
What's your view of OSP?

Adrian Georgescu wrote:

> Beyond being plain interesting, it is the most cost-effective way to
> implement secure identity between SIP Proxies serving different domains.
>
> Adrian


--
Alex Balashov
Evariste Systems
Web    : http://www.evaristesys.com/
Tel    : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775


Re: [NEW Module] SIP Identity

Victor Pascual Avila
In reply to this post by Adrian Georgescu
On Tue, Feb 10, 2009 at 10:11 PM, Adrian Georgescu <[hidden email]> wrote:
> Beyond being plain interesting, it is the most cost-effective way to
> implement secure identity between SIP Proxies serving different domains.

Unless you had a node along the path breaking the signature.
--
Victor Pascual Ávila


Re: [NEW Module] SIP Identity

Bogdan-Andrei Iancu
Hi Victor,

I think this "limitation" is part of the mechanism :).

It is the same as for secure SIP and TLS - if you get a node on the path
without TLS support, the call will fail. In this case, if a hop does
not understand SIP identity and changes the message, the call will be
denied.

Regards,
Bogdan

Victor Pascual Ávila wrote:
> On Tue, Feb 10, 2009 at 10:11 PM, Adrian Georgescu <[hidden email]> wrote:
>  
>> Beyond being plain interesting, it is the most cost-effective way to
>> implement secure identity between SIP Proxies serving different domains.
>>    
>
> Unless you had a node along the path breaking the signature
>  



Re: [NEW Module] SIP Identity

Bogdan-Andrei Iancu
In reply to this post by Adrian Georgescu
Hi Adrian,

This is the part I like about SIP identity:
    - it is more efficient than TLS
    - it is protocol independent. With TLS you have a lot of burn with
      protocol switching if you want to get some security between 2 nodes.

Regards,
Bogdan

Adrian Georgescu wrote:

> Beyond being plain interesting, it is the most cost-effective way to
> implement secure identity between SIP Proxies serving different domains.
>
> Adrian



Re: [NEW Module] SIP Identity

Victor Pascual Avila
In reply to this post by Bogdan-Andrei Iancu
Bogdan,

On Wed, Feb 11, 2009 at 10:27 AM, Bogdan-Andrei Iancu
<[hidden email]> wrote:
> Hi Victor,
>
> I think this "limitation" is part of the mechanism :).
>
> It is the same as for secure SIP and TLS - if you get a node on the path
> without TLS support, the call will fail. In this case, if a hop does not
> understand SIP identity and changes the message, the call will be denied.

You are right.

Just for the sake of completeness for other readers:
draft-elwell-sip-e2e-identity-important provides a good description
of the above-mentioned limitations:

http://tools.ietf.org/html/draft-elwell-sip-e2e-identity-important-02#section-3.5

Regards,
--
Victor Pascual Ávila


Re: [NEW Module] SIP Identity

Bogdan-Andrei Iancu
Victor Pascual Ávila wrote:

> Bogdan,
>
> On Wed, Feb 11, 2009 at 10:27 AM, Bogdan-Andrei Iancu
> <[hidden email]> wrote:
>  
>> Hi Victor,
>>
>> I think this "limitation" is part of the mechanism :).
>>
>> It is the same as for secure SIP and TLS - if you get a node on the path
>> without TLS support, the call will fail. In this case, if a hop does not
>> understand SIP identity and changes the message, the call will be denied.
>>    
>
> You are right.
>
> Just for the sake of completeness for other readers:
> draft-elwell-sip-e2e-identity-important provides a good description
> for the above mentioned limitations
>
> http://tools.ietf.org/html/draft-elwell-sip-e2e-identity-important-02#section-3.5
>  
This is an interesting and useful paper - I will link it in the module
documentation for interested people.

Thanks and regards,
Bogdan


Re: [NEW Module] SIP Identity

Jiri Kuthan
In reply to this post by Bogdan-Andrei Iancu
The downside of it, however, is that it is apparently unusable.
We have had support for Identity in SER for years and today there are,
to the best of my knowledge, zero production uses. Most of the complaints go to the
account of excessive integrity checks and the requirement for a certificate
authority.

-jiri

Bogdan-Andrei Iancu wrote:

> Hi Adrian,
>
> This is the part i like about SIP identity:
>     - it is more efficient than TLS
>     - it is protocol independent. With TLS you have a lot of burn with
> protocol switching if you want to get some security between 2 nodes.
>
> Regards,
> Bogdan


Re: [NEW Module] SIP Identity

Jiri Kuthan
In reply to this post by Bogdan-Andrei Iancu
Bogdan-Andrei Iancu wrote:
> Hi Victor,
>
> I think this "limitation" is part of the mechanism :).
>
> It is the same as for secure SIP and TLS

not really -- changes to the payload by legitimate SIP hops work with TLS
but not with RFC 4474.
That was Victor's point.

-jiri

> - if you get a node on the path
> without TLS support, the call will fail. In this case, if a hop does
> not understand SIP identity and changes the message, the call will be
> denied.
>
> Regards,
> Bogdan
>
> Victor Pascual Ávila wrote:
>> On Tue, Feb 10, 2009 at 10:11 PM, Adrian Georgescu <[hidden email]> wrote:
>>  
>>> Beyond being plain interesting, it is the most cost-efective way to
>>> implement secure identity between SIP Proxies serving different domains.
>>>    
>> Unless you had a node along the path breaking the signature
>>  

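The signing and verification the thread is arguing about, written out as an added example (this is not code from the OpenSIPS identity module or from any poster). It builds the RFC 4474 section 9 digest-string over the From and To addr-specs, Call-ID, CSeq, Date, Contact addr-spec and the body, signs its SHA-1 with RSA, emits the Identity and Identity-Info headers, and then demonstrates the limitation Victor and Jiri describe: a hop that only prepends a Via leaves the signature valid, while a legitimate B2BUA that rewrites the SDP invalidates it. The key pair, addresses, Call-ID and certificate URL are constructed; the unpadded textbook RSA over two Mersenne-prime factors is a stdlib-only stand-in for the PKCS#1 RSA-SHA1 the RFC specifies.

```python
import base64
import hashlib
import re

# Constructed sample key: p and q are Mersenne primes (2^127-1, 2^89-1), so the
# ~216-bit modulus holds a 160-bit SHA-1 digest as a single integer. Textbook,
# unpadded RSA keeps the example stdlib-only; a real RFC 4474 authentication
# service uses RSA-SHA1 with PKCS#1 v1.5 padding and a CA-issued certificate.
P = (1 << 127) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def parse_message(raw):
    """Split a SIP message into (headers, body). Header names are lower-cased;
    repeated headers (e.g. several Via) are not needed by the digest-string."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:       # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def addr_spec(value):
    """Return the addr-spec (URI inside <...>) of a From/To/Contact value,
    dropping display-name and header parameters such as ;tag."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()


def digest_string(headers, body):
    """RFC 4474 section 9: From | To | Call-ID | CSeq | Date | Contact | body."""
    contact = addr_spec(headers["contact"]) if "contact" in headers else ""
    return "|".join([addr_spec(headers["from"]), addr_spec(headers["to"]),
                     headers["call-id"], headers["cseq"], headers["date"],
                     contact, body])


def _digest_int(raw):
    headers, body = parse_message(raw)
    return int.from_bytes(hashlib.sha1(digest_string(headers, body).encode()).digest(), "big")


def add_identity(raw, cert_url):
    """Authentication service side: sign and append Identity/Identity-Info."""
    head, sep, body = raw.partition("\r\n\r\n")
    sig = pow(_digest_int(raw), D, N).to_bytes((N.bit_length() + 7) // 8, "big")
    head += '\r\nIdentity: "%s"' % base64.b64encode(sig).decode()
    head += "\r\nIdentity-Info: <%s>;alg=rsa-sha1" % cert_url
    return head + sep + body


def verify_identity(raw):
    """Verifier side: rebuild the digest-string and check the signature."""
    headers, _ = parse_message(raw)
    if "identity" not in headers:
        return False
    sig = int.from_bytes(base64.b64decode(headers["identity"].strip('"')), "big")
    return pow(sig, E, N) == _digest_int(raw)


# Constructed sample INVITE (hosts, Call-ID and SDP are made up).
INVITE = "\r\n".join([
    "INVITE sip:bob@biloxi.example.com SIP/2.0",
    "Via: SIP/2.0/UDP pc33.atlanta.example.com;branch=z9hG4bK776asdhds",
    "From: Alice <sip:alice@atlanta.example.com>;tag=1928301774",
    "To: Bob <sip:bob@biloxi.example.com>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Date: Thu, 21 Feb 2002 13:02:03 GMT",
    "Contact: <sip:alice@pc33.atlanta.example.com>",
    "Content-Type: application/sdp",
    "",
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 pc33.atlanta.example.com"
    "\r\nc=IN IP4 192.0.2.1\r\nm=audio 49170 RTP/AVP 0",
])


def demo():
    """Returns (untouched ok, Via added ok, SDP rewritten ok)."""
    signed = add_identity(INVITE, "https://atlanta.example.com/cert.pem")
    untouched = verify_identity(signed)
    # A plain proxy only prepends a Via; Via is not covered by the digest-string.
    routed = signed.replace("Via: SIP/2.0/UDP pc33",
                            "Via: SIP/2.0/UDP proxy.atlanta.example.com;branch=z9hG4bKabc"
                            "\r\nVia: SIP/2.0/UDP pc33", 1)
    # A B2BUA/media relay rewriting the SDP connection address changes the body,
    # which is covered, so the signature no longer verifies (the thread's point).
    rewritten = signed.replace("c=IN IP4 192.0.2.1", "c=IN IP4 198.51.100.7")
    return untouched, verify_identity(routed), verify_identity(rewritten)


if __name__ == "__main__":
    print(demo())
```

Run it and the tuple comes back as (True, True, False): the RFC's integrity coverage is exactly what makes a body-rewriting hop fatal, whereas TLS protects the hop-by-hop transport and is indifferent to what a legitimate intermediary changes.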