draft-ietf-sipcore-sec-flows-07.txt   draft-ietf-sipcore-sec-flows-08.txt 
Network Working Group C. Jennings Network Working Group C. Jennings
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Informational K. Ono Intended status: Informational K. Ono
Expires: June 16, 2011 Columbia University Expires: July 18, 2011 Columbia University
R. Sparks R. Sparks
B. Hibbard, Ed. B. Hibbard, Ed.
Tekelec Tekelec
December 13, 2010 January 14, 2011
Example call flows using Session Initiation Protocol (SIP) security Example call flows using Session Initiation Protocol (SIP) security
mechanisms mechanisms
draft-ietf-sipcore-sec-flows-07 draft-ietf-sipcore-sec-flows-08
Abstract Abstract
This document shows example call flows demonstrating the use of This document shows example call flows demonstrating the use of
Transport Layer Security (TLS), and Secure/Multipurpose Internet Mail Transport Layer Security (TLS), and Secure/Multipurpose Internet Mail
Extensions (S/MIME) in Session Initiation Protocol (SIP). It also Extensions (S/MIME) in Session Initiation Protocol (SIP). It also
provides information that helps implementers build interoperable SIP provides information that helps implementers build interoperable SIP
software. To help facilitate interoperability testing, it includes software. To help facilitate interoperability testing, it includes
certificates used in the example call flows and processes to create certificates used in the example call flows and processes to create
certificates for testing. certificates for testing.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 16, 2011. This Internet-Draft will expire on July 18, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Certificates . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Certificates . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. CA Certificates . . . . . . . . . . . . . . . . . . . . . 4 2.1. CA Certificates . . . . . . . . . . . . . . . . . . . . . 4
2.2. Host Certificates . . . . . . . . . . . . . . . . . . . . 8 2.2. Host Certificates . . . . . . . . . . . . . . . . . . . . 8
2.3. User Certificates . . . . . . . . . . . . . . . . . . . . 9 2.3. User Certificates . . . . . . . . . . . . . . . . . . . . 10
3. Callflow with Message Over TLS . . . . . . . . . . . . . . . . 12 3. Callflow with Message Over TLS . . . . . . . . . . . . . . . . 12
3.1. TLS with Server Authentication . . . . . . . . . . . . . . 12 3.1. TLS with Server Authentication . . . . . . . . . . . . . . 12
3.2. MESSAGE Transaction Over TLS . . . . . . . . . . . . . . . 13 3.2. MESSAGE Transaction Over TLS . . . . . . . . . . . . . . . 13
4. Callflow with S/MIME-secured Message . . . . . . . . . . . . . 15 4. Callflow with S/MIME-secured Message . . . . . . . . . . . . . 15
4.1. MESSAGE Request with Signed Body . . . . . . . . . . . . . 15 4.1. MESSAGE Request with Signed Body . . . . . . . . . . . . . 15
4.2. MESSAGE Request with Encrypted Body . . . . . . . . . . . 20 4.2. MESSAGE Request with Encrypted Body . . . . . . . . . . . 20
4.3. MESSAGE Request with Encrypted and Signed Body . . . . . . 22 4.3. MESSAGE Request with Encrypted and Signed Body . . . . . . 22
5. Observed Interoperability Issues . . . . . . . . . . . . . . . 29 5. Observed Interoperability Issues . . . . . . . . . . . . . . . 29
6. Additional Test Scenarios . . . . . . . . . . . . . . . . . . 31 6. Additional Test Scenarios . . . . . . . . . . . . . . . . . . 31
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 35 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 35
9. Security Considerations . . . . . . . . . . . . . . . . . . . 36 9. Security Considerations . . . . . . . . . . . . . . . . . . . 36
10. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 37 10. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 37
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 40 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 40
11.1. Normative References . . . . . . . . . . . . . . . . . . . 40 11.1. Normative References . . . . . . . . . . . . . . . . . . . 40
11.2. Informative References . . . . . . . . . . . . . . . . . . 41 11.2. Informative References . . . . . . . . . . . . . . . . . . 41
Appendix A. Making Test Certificates . . . . . . . . . . . . . . 42 Appendix A. Making Test Certificates . . . . . . . . . . . . . . 43
A.1. makeCA script . . . . . . . . . . . . . . . . . . . . . . 43 A.1. makeCA script . . . . . . . . . . . . . . . . . . . . . . 44
A.2. makeCert script . . . . . . . . . . . . . . . . . . . . . 47 A.2. makeCert script . . . . . . . . . . . . . . . . . . . . . 48
Appendix B. Certificates for Testing . . . . . . . . . . . . . . 50 Appendix B. Certificates for Testing . . . . . . . . . . . . . . 51
B.1. Certificates Using EKU . . . . . . . . . . . . . . . . . . 50 B.1. Certificates Using EKU . . . . . . . . . . . . . . . . . . 51
B.2. Certificates NOT Using EKU . . . . . . . . . . . . . . . . 57 B.2. Certificates NOT Using EKU . . . . . . . . . . . . . . . . 58
B.3. Certificate Chaining with a Non-Root CA . . . . . . . . . 65 B.3. Certificate Chaining with a Non-Root CA . . . . . . . . . 66
Appendix C. Message Dumps . . . . . . . . . . . . . . . . . . . . 72 Appendix C. Message Dumps . . . . . . . . . . . . . . . . . . . . 73
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 76
1. Introduction 1. Introduction
This document is informational and is not normative on any aspect of This document is informational and is not normative on any aspect of
SIP. SIP.
SIP with TLS ([RFC5246]) implementations are becoming very common. SIP with TLS ([RFC5246]) implementations are becoming very common.
Several implementations of the S/MIME ([RFC5751]) portion of SIP Several implementations of the S/MIME ([RFC5751]) portion of SIP
([RFC3261]) are also becoming available. After several ([RFC3261]) are also becoming available. After several
interoperability events, it is clear that it is difficult to write interoperability events, it is clear that it is difficult to write
skipping to change at page 5, line 29 skipping to change at page 5, line 29
7e:12:30:86:9e:f8:57:6c:a2:a4:28:51:e4:f7:f0:ce:29:9c: 7e:12:30:86:9e:f8:57:6c:a2:a4:28:51:e4:f7:f0:ce:29:9c:
82:34:f2:02:3c:43:62:36:94:44:c1:ad:b4:79:f7:6e:f9:e2: 82:34:f2:02:3c:43:62:36:94:44:c1:ad:b4:79:f7:6e:f9:e2:
bd:f9:15:cc:e8:de:b0:9d:9c:2f:18:30:a9:eb:3f:d4:56:c9: bd:f9:15:cc:e8:de:b0:9d:9c:2f:18:30:a9:eb:3f:d4:56:c9:
61:8d:78:b2:fb:4e:e5:22:1d:00:c4:cf:ce:9c:fe:d6:f1:4f: 61:8d:78:b2:fb:4e:e5:22:1d:00:c4:cf:ce:9c:fe:d6:f1:4f:
01:9d:92:58:e0:78:2a:cb:69:36:18:ac:1b:53:0d:86:b1:91: 01:9d:92:58:e0:78:2a:cb:69:36:18:ac:1b:53:0d:86:b1:91:
34:8b:de:05:5d:22:18:2a:67:e5:ea:f2:77:01:d6:9c:60:17: 34:8b:de:05:5d:22:18:2a:67:e5:ea:f2:77:01:d6:9c:60:17:
06:84:83:6f:b6:88:7e:ce:c8:63:d4:30:6d:90:72:fe:59:f4: 06:84:83:6f:b6:88:7e:ce:c8:63:d4:30:6d:90:72:fe:59:f4:
32:04:e6:af:d4:be:99:44:c8:de:3d:01:88:d7:8a:35:30:c2: 32:04:e6:af:d4:be:99:44:c8:de:3d:01:88:d7:8a:35:30:c2:
2d:77:e9:70 2d:77:e9:70
The certificate content shown above and throughout this document was
rendered by the OpenSSL "x509" tool. These dumps are included only
as informative examples. Output may vary among future revisions of
the tool. At the time of this document's publication, there were
some irregularities in the output shown above that are worth noting.
First, the presentation of Distinguished Names (DN) is inconsistent,
e.g. the "Issuer" field appears to be in Lightweight Directory Access
Protocol (LDAP) format, while the "DirName" field in the "X509v3
extensions" portion appears to be in Distributed Computing
Environment (DCE) format. Second, if LDAP format was intended, the
spaces should have been omitted after the delimiting commas, and the
elements should have been presented in order of most-specific to
least-specific. Please refer to Appendix A of [RFC4514]. Using the
"Issuer" DN from above as an example and following guidelines in
[RFC4514], it should have instead appeared as:
Issuer: OU=Sipit Test Certificate Authority,O=sipit,L=San Jose,
ST=California,C=US
The ASN.1 parse of the CA certificate is shown below. The ASN.1 parse of the CA certificate is shown below.
0:l=1083 cons: SEQUENCE 0:l=1083 cons: SEQUENCE
4:l= 803 cons: SEQUENCE 4:l= 803 cons: SEQUENCE
8:l= 3 cons: cont [ 0 ] 8:l= 3 cons: cont [ 0 ]
10:l= 1 prim: INTEGER :02 10:l= 1 prim: INTEGER :02
13:l= 9 prim: INTEGER :96A384174EEF8A4C 13:l= 9 prim: INTEGER :96A384174EEF8A4C
24:l= 13 cons: SEQUENCE 24:l= 13 cons: SEQUENCE
26:l= 9 prim: OBJECT :sha1WithRSAEncryption 26:l= 9 prim: OBJECT :sha1WithRSAEncryption
37:l= 0 prim: NULL 37:l= 0 prim: NULL
skipping to change at page 41, line 49 skipping to change at page 41, line 49
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000. [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC4134] Hoffman, P., "Examples of S/MIME Messages", RFC 4134, [RFC4134] Hoffman, P., "Examples of S/MIME Messages", RFC 4134,
July 2005. July 2005.
[RFC4475] Sparks, R., Hawrylyshen, A., Johnston, A., Rosenberg, J., [RFC4475] Sparks, R., Hawrylyshen, A., Johnston, A., Rosenberg, J.,
and H. Schulzrinne, "Session Initiation Protocol (SIP) and H. Schulzrinne, "Session Initiation Protocol (SIP)
Torture Test Messages", RFC 4475, May 2006. Torture Test Messages", RFC 4475, May 2006.
[RFC4514] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): String Representation of Distinguished Names",
RFC 4514, June 2006.
[ssldump-manpage] [ssldump-manpage]
Rescorla, E., "SSLDump manpage". Rescorla, E., "SSLDump manpage".
Appendix A. Making Test Certificates Appendix A. Making Test Certificates
These scripts allow you to make certificates for test purposes. The These scripts allow you to make certificates for test purposes. The
certificates will all share a common CA root so that everyone running certificates will all share a common CA root so that everyone running
these scripts can have interoperable certificates. WARNING - these these scripts can have interoperable certificates. WARNING - these
certificates are totally insecure and are for test purposes only. certificates are totally insecure and are for test purposes only.
All the CA created by this script share the same private key to All the CA created by this script share the same private key to
 End of changes. 9 change blocks. 
15 lines changed or deleted 38 lines changed or added

This html diff was produced by rfcdiff 1.40. The latest version is available from http://tools.ietf.org/tools/rfcdiff/