Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-21 Thread Victor Pascual Ávila
On Fri, Feb 20, 2009 at 6:27 PM, Bogdan-Andrei Iancu
 wrote:
> and in my understanding, if a hop changes something in the body, it
> should be authorized to do that and also it needs to update the Identity..

Nodes that modify parts of the signed information simply break the
signature. Intermediate domains could re-sign but this assumes that
the intermediate domains support RFC4474 while it introduces a
transitive trust.

Cheers,
-- 
Victor Pascual Ávila

___
Users mailing list
Users@lists.opensips.org
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
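Worked example added to this archive page (it is not code from the thread, nor from the OpenSIPS identity module) to illustrate Victor's point above. It builds the RFC 4474 section 9 digest-string (From, To, Call-ID, CSeq, Date, Contact and the body, joined by "|") for a constructed INVITE, signs it, and then shows that a proxy adding a Via leaves the signature intact, that a hop rewriting the SDP breaks it, and that an intermediate domain re-signing the changed message only verifies under that intermediate's key, which is the transitive trust being discussed. Assumptions: the RFC's RSA-SHA1 signature over the digest-string is replaced by HMAC-SHA256 with a per-domain secret so the script runs offline with the standard library only; the INVITE, the domain names and the secrets are constructed for the example.

```python
"""What the RFC 4474 Identity signature covers, and what breaks it.

digest-string (RFC 4474 section 9):
  From addr-spec | To addr-spec | Call-ID | CSeq | Date | Contact addr-spec | body
Assumption: HMAC-SHA256 with a per-domain secret stands in for the RFC's
RSA-SHA1 signature under the domain certificate, so this runs offline.
"""
import base64
import hashlib
import hmac
import re

# Constructed sample INVITE as the originating proxy of example.com would sign it.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP proxy.example.com;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@proxy.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Date: Thu, 21 Feb 2008 13:02:03 GMT\r\n"
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

# Constructed per-domain signing secrets (stand-in for each domain's RSA key).
KEYS = {
    "example.com": b"origin-domain-secret",
    "transit.example": b"intermediate-domain-secret",
}


def parse(msg):
    """Split a SIP message into (headers keyed by lower-cased name, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def addr_spec(value):
    """addr-spec of a From/To/Contact value: the URI inside <>, else the bare
    URI with its header parameters stripped."""
    m = re.search(r"<([^>]+)>", value)
    if m:
        return m.group(1)
    return value.split(";", 1)[0].strip()


def digest_string(msg):
    """Build the RFC 4474 section 9 digest-string for a message."""
    h, body = parse(msg)
    return "|".join([
        addr_spec(h["from"]),
        addr_spec(h["to"]),
        h["call-id"],
        h["cseq"],
        h["date"],
        addr_spec(h.get("contact", "")),
        body,
    ])


def sign(msg, domain):
    """Identity header value for msg under domain's key (HMAC stand-in)."""
    mac = hmac.new(KEYS[domain], digest_string(msg).encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def verify(msg, identity, domain):
    """Check an Identity value against the message as received, using the key
    of the domain a real Identity-Info would point at."""
    expected = hmac.new(KEYS[domain], digest_string(msg).encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64decode(identity), expected)


def scenario():
    """Run the message through the cases discussed in the thread."""
    identity = sign(SAMPLE_INVITE, "example.com")
    results = {"untouched": verify(SAMPLE_INVITE, identity, "example.com")}

    # A proxy inserting its own Via touches nothing the digest-string covers.
    routed = SAMPLE_INVITE.replace(
        "Via:", "Via: SIP/2.0/UDP sbc.transit.example;branch=z9hG4bKnashds8\r\nVia:", 1)
    results["via_added"] = verify(routed, identity, "example.com")

    # A hop that does not understand Identity rewrites the SDP connection
    # address (typical SBC / media relay behaviour): the body is signed.
    rewritten = SAMPLE_INVITE.replace("c=IN IP4 10.0.0.5", "c=IN IP4 203.0.113.7")
    results["sdp_rewritten"] = verify(rewritten, identity, "example.com")

    # The intermediate re-signs after its change. The terminating domain now
    # has to accept transit.example's word about alice@example.com instead of
    # example.com's own: trust has become transitive.
    resigned = sign(rewritten, "transit.example")
    results["resigned_under_origin_key"] = verify(rewritten, resigned, "example.com")
    results["resigned_under_transit_key"] = verify(rewritten, resigned, "transit.example")
    return results


if __name__ == "__main__":
    for case, ok in scenario().items():
        print(f"{case}: {'valid' if ok else 'BROKEN'}")
```

Headers outside the digest-string (Via, Record-Route, Max-Forwards) may change freely on the way, so ordinary proxying survives; anything inside it, in particular the SDP, cannot be touched by a hop that does not hold the signer's key, which is why a non-Identity-aware SBC in the path turns a valid signature into a failed verification at the far end.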


Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-20 Thread Bogdan-Andrei Iancu
and in my understanding, if a hop changes something in the body, it 
should be authorized to do that and also it needs to update the Identity..

Regards,
Bogdan


Adrian Georgescu wrote:
> I imagine one would want to use this mechanism exactly between two  
> legitimate hops to make sure that no intermediate has tampered with  
> the messages, isn't it?
>
> Adrian
>
> Bogdan-Andrei Iancu wrote:
>  > Hi Victor,
>  >
>  > I think this "limitation" is part of the mechanism :).
>  >
>  > it is the same as for secure sip and TLS
>
> not really -- changes to payload by legitimate SIP hops work with TLS
> but not with RFC4474.
> That was Victor's point.
>
> -jiri
>
>  > - if you get on the path a node
>  > without TLS support, the call will fail. In this case, if a hop does
>  > not understand SIP identity and changes the message, the call will be
>  > denied.
>  >
>  > Regards,
>  > Bogdan
>  >
>  > Victor Pascual Ávila wrote:
>  >> On Tue, Feb 10, 2009 at 10:11 PM, Adrian Georgescu wrote:
>  >>
>  >>> Beyond being plain interesting, it is the most cost-effective way to
>  >>> implement secure identity between SIP Proxies serving different  
> domains.
>  >>>
>  >> Unless you had a node along the path breaking the signature
>  >>
>  >
>  >
>
>
>




[OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-20 Thread Adrian Georgescu
I imagine one would want to use this mechanism exactly between two  
legitimate hops to make sure that no intermediate has tampered with  
the messages, isn't it?

Adrian

Bogdan-Andrei Iancu wrote:
 > Hi Victor,
 >
 > I think this "limitation" is part of the mechanism :).
 >
 > it is the same as for secure sip and TLS

not really -- changes to payload by legitimate SIP hops work with TLS
but not with RFC4474.
That was Victor's point.

-jiri

 > - if you get on the path a node
 > without TLS support, the call will fail. In this case, if a hop does
 > not understand SIP identity and changes the message, the call will be
 > denied.
 >
 > Regards,
 > Bogdan
 >
 > Victor Pascual Ávila wrote:
 >> On Tue, Feb 10, 2009 at 10:11 PM, Adrian Georgescu  wrote:
 >>
 >>> Beyond being plain interesting, it is the most cost-effective way to
 >>> implement secure identity between SIP Proxies serving different  
domains.
 >>>
 >> Unless you had a node along the path breaking the signature
 >>
 >
 >





Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-19 Thread Jiri Kuthan
Bogdan-Andrei Iancu wrote:
> Hi Victor,
> 
> I think this "limitation" is part of the mechanism :).
> 
> it is the same as for secure sip and TLS 

not really -- changes to payload by legitimate SIP hops work with TLS 
but not with RFC4474.
That was Victor's point.

-jiri

> - if you get on the path a node
> without TLS support, the call will fail. In this case, if a hop does 
> not understand SIP identity and changes the message, the call will be 
> denied.
> 
> Regards,
> Bogdan
> 
> Victor Pascual Ávila wrote:
>> On Tue, Feb 10, 2009 at 10:11 PM, Adrian Georgescu  
>> wrote:
>>   
>>> Beyond being plain interesting, it is the most cost-effective way to
>>> implement secure identity between SIP Proxies serving different domains.
>>> 
>> Unless you had a node along the path breaking the signature
>>   
> 
> 



Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-19 Thread Jiri Kuthan
The downside of it, however, is that it is apparently unusable.
We have had support for Identity in SER for years and there are today
to my best knowledge zero production uses. Most of the complaints go to the
account of excessive integrity checks and requirement for certificate
authority.

-jiri

Bogdan-Andrei Iancu wrote:
> Hi Adrian,
> 
> This is the part I like about SIP identity:
> - it is more efficient than TLS
> - it is protocol independent. With TLS you have a lot of burn with 
> protocol switching if you want to get some security between 2 nodes.
> 
> Regards,
> Bogdan
> 
> Adrian Georgescu wrote:
>> Beyond being plain interesting, it is the most cost-effective way to 
>> implement secure identity between SIP Proxies serving different domains.
>>
>> Adrian
>>
>> On Feb 10, 2009, at 8:57 PM, Iñaki Baz Castillo wrote:
>>
>>> On Tuesday, 10 February 2009, Bogdan-Andrei Iancu wrote:
>>>> Hello,
>>>>
>>>>
>>>> OpenSIPS 1.5.0 has a new module. The "identity" module is an
>>>> implementation of SIP identity as per RFC 4474
>>>> (http://www.ietf.org/rfc/rfc4474.txt).
>>>>
>>>> Abstract (from RFC) :
>>>>
>>>>   The existing security mechanisms in the Session Initiation Protocol
>>>>   (SIP) are inadequate for cryptographically assuring the identity of
>>>>   the end users that originate SIP requests, especially in an
>>>>   interdomain context.  This document defines a mechanism for securely
>>>>   identifying originators of SIP messages.  It does so by defining two
>>>>   new SIP header fields, Identity, for conveying a signature used for
>>>>   validating the identity, and Identity-Info, for conveying a reference
>>>>   to the certificate of the signer
>>> Really interesting :)
>>>
>>>
>>> -- 
>>> Iñaki Baz Castillo
>>>
>>
> 
> 



Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-11 Thread Bogdan-Andrei Iancu
Victor Pascual Ávila wrote:
> Bogdan,
>
> On Wed, Feb 11, 2009 at 10:27 AM, Bogdan-Andrei Iancu
>  wrote:
>   
>> Hi Victor,
>>
>> I think this "limitation" is part of the mechanism :).
>>
>> it is the same as for secure sip and TLS - if you get on the path a node
>> without TLS support, the call will fail. In this case, if a hop does not
>> understand SIP identity and changes the message, the call will be denied.
>> 
>
> You are right.
>
> Just for the sake of completeness for other readers:
> draft-elwell-sip-e2e-identity-important provides a good description
> for the above mentioned limitations
>
> http://tools.ietf.org/html/draft-elwell-sip-e2e-identity-important-02#section-3.5
>   
This is an interesting and useful paper - I will link it in the module 
documentation for interested people.

Thanks and regards,
Bogdan



Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-11 Thread Victor Pascual Ávila
Bogdan,

On Wed, Feb 11, 2009 at 10:27 AM, Bogdan-Andrei Iancu
 wrote:
> Hi Victor,
>
> I think this "limitation" is part of the mechanism :).
>
> it is the same as for secure sip and TLS - if you get on the path a node
> without TLS support, the call will fail. In this case, if a hop does not
> understand SIP identity and changes the message, the call will be denied.

You are right.

Just for the sake of completeness for other readers:
draft-elwell-sip-e2e-identity-important provides a good description
for the above mentioned limitations

http://tools.ietf.org/html/draft-elwell-sip-e2e-identity-important-02#section-3.5

Regards,
-- 
Victor Pascual Ávila



Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-11 Thread Bogdan-Andrei Iancu
Hi Adrian,

This is the part I like about SIP identity:
- it is more efficient than TLS
- it is protocol independent. With TLS you have a lot of burn with 
protocol switching if you want to get some security between 2 nodes.

Regards,
Bogdan

Adrian Georgescu wrote:
> Beyond being plain interesting, it is the most cost-effective way to 
> implement secure identity between SIP Proxies serving different domains.
>
> Adrian
>
> On Feb 10, 2009, at 8:57 PM, Iñaki Baz Castillo wrote:
>
>> On Tuesday, 10 February 2009, Bogdan-Andrei Iancu wrote:
>>> Hello,
>>>
>>>
>>> OpenSIPS 1.5.0 has a new module. The "identity" module is an
>>> implementation of SIP identity as per RFC 4474
>>> (http://www.ietf.org/rfc/rfc4474.txt).
>>>
>>> Abstract (from RFC) :
>>>
>>>   The existing security mechanisms in the Session Initiation Protocol
>>>   (SIP) are inadequate for cryptographically assuring the identity of
>>>   the end users that originate SIP requests, especially in an
>>>   interdomain context.  This document defines a mechanism for securely
>>>   identifying originators of SIP messages.  It does so by defining two
>>>   new SIP header fields, Identity, for conveying a signature used for
>>>   validating the identity, and Identity-Info, for conveying a reference
>>>   to the certificate of the signer
>>
>> Really interesting :)
>>
>>
>> -- 
>> Iñaki Baz Castillo
>>
>




Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-11 Thread Bogdan-Andrei Iancu
Hi Victor,

I think this "limitation" is part of the mechanism :).

it is the same as for secure sip and TLS - if you get on the path a node 
without TLS support, the call will fail. In this case, if a hop does 
not understand SIP identity and changes the message, the call will be 
denied.

Regards,
Bogdan

Victor Pascual Ávila wrote:
> On Tue, Feb 10, 2009 at 10:11 PM, Adrian Georgescu  
> wrote:
>   
>> Beyond being plain interesting, it is the most cost-effective way to
>> implement secure identity between SIP Proxies serving different domains.
>> 
>
> Unless you had a node along the path breaking the signature
>   




Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-10 Thread Victor Pascual Ávila
On Tue, Feb 10, 2009 at 10:11 PM, Adrian Georgescu  wrote:
> Beyond being plain interesting, it is the most cost-effective way to
> implement secure identity between SIP Proxies serving different domains.

Unless you had a node along the path breaking the signature
-- 
Victor Pascual Ávila



Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-10 Thread Alex Balashov
What's your view of OSP?

Adrian Georgescu wrote:

> Beyond being plain interesting, it is the most cost-effective way to 
> implement secure identity between SIP Proxies serving different domains.
> 
> Adrian
> 
> On Feb 10, 2009, at 8:57 PM, Iñaki Baz Castillo wrote:
> 
>> On Tuesday, 10 February 2009, Bogdan-Andrei Iancu wrote:
>>> Hello,
>>>
>>>
>>> OpenSIPS 1.5.0 has a new module. The "identity" module is an
>>> implementation of SIP identity as per RFC 4474
>>> (http://www.ietf.org/rfc/rfc4474.txt).
>>>
>>> Abstract (from RFC) :
>>>
>>>   The existing security mechanisms in the Session Initiation Protocol
>>>   (SIP) are inadequate for cryptographically assuring the identity of
>>>   the end users that originate SIP requests, especially in an
>>>   interdomain context.  This document defines a mechanism for securely
>>>   identifying originators of SIP messages.  It does so by defining two
>>>   new SIP header fields, Identity, for conveying a signature used for
>>>   validating the identity, and Identity-Info, for conveying a reference
>>>   to the certificate of the signer
>>
>> Really interesting :)
>>
>>
>> -- 
>> Iñaki Baz Castillo
>>
> 


-- 
Alex Balashov
Evariste Systems
Web: http://www.evaristesys.com/
Tel: (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (678) 237-1775



Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-10 Thread Adrian Georgescu
Beyond being plain interesting, it is the most cost-effective way to  
implement secure identity between SIP Proxies serving different domains.


Adrian

On Feb 10, 2009, at 8:57 PM, Iñaki Baz Castillo wrote:

> On Tuesday, 10 February 2009, Bogdan-Andrei Iancu wrote:
>> Hello,
>>
>>
>> OpenSIPS 1.5.0 has a new module. The "identity" module is an
>> implementation of SIP identity as per RFC 4474
>> (http://www.ietf.org/rfc/rfc4474.txt).
>>
>> Abstract (from RFC) :
>>
>>   The existing security mechanisms in the Session Initiation Protocol
>>   (SIP) are inadequate for cryptographically assuring the identity of
>>   the end users that originate SIP requests, especially in an
>>   interdomain context.  This document defines a mechanism for securely
>>   identifying originators of SIP messages.  It does so by defining two
>>   new SIP header fields, Identity, for conveying a signature used for
>>   validating the identity, and Identity-Info, for conveying a reference
>>   to the certificate of the signer
>
> Really interesting :)
>
>
> --
> Iñaki Baz Castillo




Re: [OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-10 Thread Iñaki Baz Castillo
On Tuesday, 10 February 2009, Bogdan-Andrei Iancu wrote:
> Hello,
>
>
> OpenSIPS 1.5.0 has a new module. The "identity" module is an
> implementation of SIP identity as per RFC 4474
> (http://www.ietf.org/rfc/rfc4474.txt).
>
> Abstract (from RFC) :
>
>The existing security mechanisms in the Session Initiation Protocol
>(SIP) are inadequate for cryptographically assuring the identity of
>the end users that originate SIP requests, especially in an
>interdomain context.  This document defines a mechanism for securely
>identifying originators of SIP messages.  It does so by defining two
>new SIP header fields, Identity, for conveying a signature used for
>validating the identity, and Identity-Info, for conveying a reference
>to the certificate of the signer

Really interesting :)


-- 
Iñaki Baz Castillo



[OpenSIPS-Users] [NEW Module] SIP Identity

2009-02-10 Thread Bogdan-Andrei Iancu
Hello,


OpenSIPS 1.5.0 has a new module. The "identity" module is an 
implementation of SIP identity as per RFC 4474 
(http://www.ietf.org/rfc/rfc4474.txt).

Abstract (from RFC) :

   The existing security mechanisms in the Session Initiation Protocol
   (SIP) are inadequate for cryptographically assuring the identity of
   the end users that originate SIP requests, especially in an
   interdomain context.  This document defines a mechanism for securely
   identifying originators of SIP messages.  It does so by defining two
   new SIP header fields, Identity, for conveying a signature used for
   validating the identity, and Identity-Info, for conveying a reference
   to the certificate of the signer

This module was written and contributed by Alexander Christ (Cologne 
University of Applied Sciences) almost 2 years ago. I took the code and 
refurbished it - updated it for OpenSIPS 1.5.0 and reworked the SIP 
header manipulation code (for creating, adding and searching SIP 
headers), and a lot of other things.

Unfortunately Alexander was not interested in maintaining this module, 
so I took the job from him, and finally uploaded the module.

Documentation (with examples and scripts) is available on web site : 
http://www.opensips.org/html/docs/modules/devel/identity.html

Please carefully read the "Limitation section" before using this module:
  
http://www.opensips.org/html/docs/modules/devel/identity.html#id228395

The next step (in the future releases) will be to work out these 
limitations.


Regards,
Bogdan

