summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc6404.txt
diff options
context:
space:
mode:
authorThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
committerThomas Voss <mail@thomasvoss.com> 2024-11-27 20:54:24 +0100
commit4bfd864f10b68b71482b35c818559068ef8d5797 (patch)
treee3989f47a7994642eb325063d46e8f08ffa681dc /doc/rfc/rfc6404.txt
parentea76e11061bda059ae9f9ad130a9895cc85607db (diff)
doc: Add RFC documents
Diffstat (limited to 'doc/rfc/rfc6404.txt')
-rw-r--r--doc/rfc/rfc6404.txt1235
1 files changed, 1235 insertions, 0 deletions
diff --git a/doc/rfc/rfc6404.txt b/doc/rfc/rfc6404.txt
new file mode 100644
index 0000000..c24c474
--- /dev/null
+++ b/doc/rfc/rfc6404.txt
@@ -0,0 +1,1235 @@
+
+
+
+
+
+
+Internet Engineering Task Force (IETF) J. Seedorf
+Request for Comments: 6404 S. Niccolini
+Category: Informational NEC
+ISSN: 2070-1721 E. Chen
+ NTT
+ H. Scholz
+ VOIPFUTURE
+ November 2011
+
+
+ Session PEERing for Multimedia INTerconnect (SPEERMINT)
+ Security Threats and Suggested Countermeasures
+
+Abstract
+
+ The Session PEERing for Multimedia INTerconnect (SPEERMINT) working
+ group (WG) provides a peering framework that leverages the building
+ blocks of existing IETF-defined protocols such as SIP and ENUM for
+ the interconnection between SIP Service Providers (SSPs). The
+ objective of this document is to identify and enumerate SPEERMINT-
+ specific threat vectors and to give guidance for implementers on
+ selecting appropriate countermeasures. Security requirements for
+ SPEERMINT that have been derived from the threats detailed in this
+ document can be found in RFC 6271; this document provides concrete
+ countermeasures to meet those SPEERMINT security requirements. In
+ this document, the different security threats related to SPEERMINT
+ are classified into threats to the Lookup Function (LUF), the
+ Location Routing Function (LRF), the Signaling Function (SF), and the
+ Media Function (MF) of a specific SIP Service Provider. Various
+ instances of the threats are briefly introduced inside the
+ classification. Finally, existing security solutions for SIP and
+ RTP/RTCP (Real-time Transport Control Protocol) are presented to
+ describe countermeasures currently available for such threats. Each
+ SSP may have connections to one or more remote SSPs through peering
+ or transit contracts. A potentially compromised remote SSP that
+ attacks other SSPs is out of the scope of this document; this
+ document focuses on attacks on an SSP from outside the trust domain
+ such an SSP may have with other SSPs.
+
+
+
+
+
+
+
+
+
+
+
+
+
+Seedorf, et al. Informational [Page 1]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+Status of This Memo
+
+ This document is not an Internet Standards Track specification; it is
+ published for informational purposes.
+
+ This document is a product of the Internet Engineering Task Force
+ (IETF). It represents the consensus of the IETF community. It has
+ received public review and has been approved for publication by the
+ Internet Engineering Steering Group (IESG). Not all documents
+ approved by the IESG are a candidate for any level of Internet
+ Standard; see Section 2 of RFC 5741.
+
+ Information about the current status of this document, any errata,
+ and how to provide feedback on it may be obtained at
+ http://www.rfc-editor.org/info/rfc6404.
+
+Copyright Notice
+
+ Copyright (c) 2011 IETF Trust and the persons identified as the
+ document authors. All rights reserved.
+
+ This document is subject to BCP 78 and the IETF Trust's Legal
+ Provisions Relating to IETF Documents
+ (http://trustee.ietf.org/license-info) in effect on the date of
+ publication of this document. Please review these documents
+ carefully, as they describe your rights and restrictions with respect
+ to this document. Code Components extracted from this document must
+ include Simplified BSD License text as described in Section 4.e of
+ the Trust Legal Provisions and are provided without warranty as
+ described in the Simplified BSD License.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Seedorf, et al. Informational [Page 2]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+Table of Contents
+
+ 1. Introduction ....................................................4
+ 2. Security Threats Relevant to SPEERMINT ..........................5
+ 2.1. Threats to the Lookup Function (LUF) .......................5
+ 2.1.1. Threats to LUF Confidentiality ......................5
+ 2.1.2. Threats to LUF Integrity ............................6
+ 2.1.3. Threats to LUF Availability .........................6
+ 2.2. Threats to the Location Routing Function (LRF) .............6
+ 2.2.1. Threats to LRF Confidentiality ......................6
+ 2.2.2. Threats to LRF Integrity ............................7
+ 2.2.3. Threats to LRF Availability .........................7
+ 2.3. Threats to the Signaling Function (SF) .....................7
+ 2.3.1. Threats to SF Confidentiality .......................7
+ 2.3.2. Threats to SF Integrity .............................8
+ 2.3.3. Threats to SF Availability .........................10
+ 2.4. Threats to the Media Function (MF) ........................10
+ 2.4.1. Threats to MF Confidentiality ......................10
+ 2.4.2. Threats to MF Integrity ............................10
+ 2.4.3. Threats to MF Availability .........................11
+ 3. Security Requirements ..........................................11
+ 3.1. Security Requirements from SPEERMINT Requirements
+ Document ..................................................11
+ 3.2. How to Fulfill the Security Requirements for SPEERMINT ....11
+ 4. Suggested Countermeasures ......................................12
+ 4.1. Database Security BCPs ....................................14
+ 4.2. DNSSEC ....................................................14
+ 4.3. DNS Replication ...........................................15
+ 4.4. Cross-Domain Privacy Protection ...........................15
+ 4.5. Secure Exchange of SIP Messages ...........................15
+ 4.6. Ingress Filtering / Reverse-Path Filtering ................16
+ 4.7. Strong Identity Assertion .................................16
+ 4.8. Reliable Border Element Pooling ...........................17
+ 4.9. Rate limit ................................................17
+ 4.10. Topology Hiding ..........................................17
+ 4.11. Border Element Hardening .................................17
+ 4.12. Securing Session Establishment Data ......................18
+ 4.13. Encryption and Integrity Protection of Media Stream ......18
+ 5. Conclusions ....................................................18
+ 6. Security Considerations ........................................18
+ 7. Acknowledgements ...............................................19
+ 8. Informative References .........................................19
+
+
+
+
+
+
+
+
+
+Seedorf, et al. Informational [Page 3]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+1. Introduction
+
+ With Voice over IP (VoIP), the need for security is compounded
+ because there is the need to protect both the control plane and the
+ data plane. In a legacy telephone system, security is a more valid
+ assumption. Intercepting conversations requires either physical
+ access to telephone lines or a compromise to the Public Switched
+ Telephone Network (PSTN) nodes or the office Private Branch eXchanges
+ (PBXs). Only particularly security-sensitive organizations bother to
+ encrypt voice traffic over traditional telephone lines. In contrast,
+ the risk of sending unencrypted data across the Internet is more
+ significant (e.g., dual-tone multi-frequency (DTMF) tones
+ corresponding to the credit card number). An additional security
+ threat to Internet Telephony comes from the fact that the signaling
+ devices may be addressed directly by attackers as they use the same
+ underlying networking technology as the multimedia data; traditional
+ telephone systems have the signaling network separated from the data
+ network. This is an increased security threat since a hacker could
+ attack the signaling network and its servers with increased damage
+ potential (call hijacking, call drop, Denial-of-Service (DoS) attacks
+ [RFC4732], etc.). Therefore, there is a need to investigate the
+ different security threats, to extract security-related requirements,
+ and to highlight potential solutions on how to protect against such
+ threats.
+
+ The Session PEERing for Multimedia INTerconnect (SPEERMINT) working
+ group provides a peering framework that leverages the building blocks
+ of existing IETF-defined protocols such as SIP and ENUM for the
+ interconnection between SIP servers [RFC5486]. The objective of this
+ document is to identify and enumerate SPEERMINT-specific threat
+ vectors and to give guidance for implementers on selecting
+ appropriate countermeasures. Security requirements for SPEERMINT can
+ be found in RFC 6271 "Requirements for SIP-Based Session Peering"
+ [RFC6271]. These security requirements for SPEERMINT are derived
+ from the threats that are detailed in this document; they have been
+ moved from an earlier version of this document to the SPEERMINT
+ requirements document [RFC6271]. In addition to being the base for
+ those security requirements, this document provides to implementers
+ advice and examples for concrete countermeasures on how to meet these
+ security requirements for SPEERMINT with technical means. The
+ SPEERMINT terminology outlined in [RFC5486] is used throughout this
+ document.
+
+ In this document, the different security threats related to SPEERMINT
+ are classified into threats to the Lookup Function (LUF), the
+ Location Routing Function (LRF), the Signaling Function (SF), and the
+ Media Function (MF) of a specific SIP Service Provider (SSP).
+ Various instances of the threats are briefly introduced inside the
+
+
+
+Seedorf, et al. Informational [Page 4]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ classification. Finally, existing security solutions for SIP and
+ RTP/RTCP are presented to describe countermeasures currently
+ available for such threats. Each SSP may have connections to one or
+ more remote SSPs through peering or transit contracts. A potentially
+ compromised remote SSP that attacks other SSPs is out of the scope of
+ this document; this document focuses on attacks on an SSP from
+ outside the trust domain such an SSP may have with other SSPs.
+
+2. Security Threats Relevant to SPEERMINT
+
+ This section enumerates potential security threats relevant to
+ SPEERMINT. A taxonomy of VoIP security threats is defined in
+ [VOIPSATAXONOMY]. This taxonomy is comprehensive and also takes into
+ account non-VoIP-specific threats (e.g., loss of power, etc.).
+ Threats relevant to the boundaries of Layer 5 SIP networks are
+ extracted from this taxonomy and mapped to the functions of the
+ SPEERMINT architecture as defined in [RFC6406]. Moreover, additional
+ threats for the SPEERMINT architecture are listed and detailed under
+ the same classification of SPEERMINT functions and according to the
+ CIA (Confidentiality, Integrity, and Availability) triad:
+
+ o Lookup Function (LUF);
+
+ o Location Routing Function (LRF);
+
+ o Signaling Function (SF);
+
+ o Media Function (MF).
+
+2.1. Threats to the Lookup Function (LUF)
+
+ For a given request, the LUF provides a mechanism to determine the
+ identity of the requested resource on the terminating domain. The
+ returned identity can be used to look up Session Establishment Data
+ (SED) using the Location Routing Function (LRF). In direct peerings,
+ the LUF is usually hosted locally, whereas in a federation context,
+ this function may be offered by a third party.
+
+ If the LUF is hosted locally, it is vulnerable to the same threats
+ that affect database systems in general. If the SSP relies on a
+ remote third party to provide the LUF functionality, confidentiality,
+ integrity, and authenticity of the responses are at risk.
+
+2.1.1. Threats to LUF Confidentiality
+
+ For a given request, the Lookup Function (LUF) determines the target
+ domain to which the request should be routed. The following attacks
+ are relevant with respect to eavesdropping on LUF messages:
+
+
+
+Seedorf, et al. Informational [Page 5]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ o SIP URI and peering domain harvesting - an attacker can exploit
+ this weakness if the underlying database has a weak authentication
+ system or if SIP messages are sent unencrypted, and then use the
+ gained knowledge to launch other kinds of attacks.
+
+ o Third-party information - a LUF providing information to multiple
+ companies / third parties can be attacked to obtain information
+ about third party peering configurations and possible contracts.
+
+2.1.2. Threats to LUF Integrity
+
+ The underlying database or LUF messages could be vulnerable to input/
+ output message modification attacks:
+
+ o Injection attack - an attacker could manipulate statements
+ performed on the database LUF messages sent to a third party. A
+ specific version of this attack is known as "SQL injection". An
+ SQL injection is a code insertion into the LUF due to incorrect
+ input validation.
+
+2.1.3. Threats to LUF Availability
+
+ The underlying database or third party LUF service could be
+ vulnerable to:
+
+ o Denial-of-Service attacks - For example, an attacker makes
+ incomplete requests causing the server to create an idle state for
+ each of them, which causes memory to be exhausted.
+
+2.2. Threats to the Location Routing Function (LRF)
+
+ The LRF determines the location of the Signaling Function (SF) for
+ the target domain of a given request. Optionally, it may return
+ additional SED.
+
+2.2.1. Threats to LRF Confidentiality
+
+ Similar to the LUF, the following attacks are related to
+ eavesdropping on LRF messages:
+
+ o URI harvesting - the attacker harvests URIs and IP addresses of
+ the existing User Endpoints (UEs) by issuing a multitude of
+ location requests. Direct intrusion against vulnerable UEs or
+ telemarketing are possible attack scenarios that would use the
+ gained knowledge.
+
+
+
+
+
+
+Seedorf, et al. Informational [Page 6]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ o SIP device enumeration - the attacker discovers the IP address of
+ each intermediate signaling device by looking at the Via and
+ Record-Route headers of a SIP message. Targeting the discovered
+ devices with subsequent attacks is a possible attack scenario.
+
+2.2.2. Threats to LRF Integrity
+
+ An attacker may modify messages, e.g., by feeding bogus information
+ to the LRF, if the routing data is not correctly validated or sent
+ unencrypted. Dynamic call routing discovery and establishment, as in
+ the scope of SPEERMINT, introduce opportunities for attacks such as
+ the following:
+
+ o Man-in-the-Middle attacks - the attacker inserts or has already
+ inserted an unauthorized node in the signaling path modifying the
+ SED. The result is that the attacker is then able to read,
+ insert, and modify the multimedia communications.
+
+ o Incorrect destinations - the attacker redirects the calls to an
+ incorrect destination with the purpose of establishing fraud
+ communications like voice phishing or DoS attacks.
+
+2.2.3. Threats to LRF Availability
+
+ The LRF can be the object of DoS attacks. DoS attacks to the LRF can
+ be carried out by sending a large number of queries to the LRF or
+ LUF, with the result of preventing an Originating SSP from looking up
+ call routing data of any URI outside its administrative domain. As
+ an alternative, the attacker could target the DNS to disable
+ resolution of SIP addresses.
+
+2.3. Threats to the Signaling Function (SF)
+
+ The Signaling Function involves a great number of sensitive
+ information. Through the Signaling Function, User Agents (UAs)
+ assert identities and operators authorize billable resources.
+ Correct and trusted operation of Signaling Function is essential for
+ service providers. This section discusses potential security threats
+ to the Signaling Function to detail the possible attack vectors.
+
+2.3.1. Threats to SF Confidentiality
+
+ SF traffic is vulnerable to eavesdropping, in particular, when the
+ data is moved across multiple SSPs having different levels of
+ security policies. Threats for the SF confidentiality are listed
+ here:
+
+
+
+
+
+Seedorf, et al. Informational [Page 7]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ o Call pattern analysis - the attacker tracks the call patterns of
+ the users violating his/her privacy (e.g., revealing the social
+ network of various users, the daily phone usage, etc.); also,
+ rival SSPs may infer information about the customer base of other
+ SSPs in this way;
+
+ o Password cracking - the challenge-response authentication
+ mechanism of SIP Digest can be attacked with offline dictionary
+ attacks. With such attacks, an attacker tries to exploit weak
+ passwords that are used by incautious users.
+
+ o Network discovery - the attacker may learn information about the
+ internal network structure of a peering partner that is directly
+ or indirectly connected by looking at SIP routing information
+ (i.e, Record-Route, Via or Contact headers).
+
+2.3.2. Threats to SF Integrity
+
+ The integrity of the SF can be violated using SIP request spoofing,
+ SIP reply spoofing, and SIP message tampering.
+
+2.3.2.1. SIP Request Spoofing
+
+ Most SIP request spoofing attacks first require SIP message
+ eavesdropping. However, some of these attacks can be also performed
+ by estimating certain fields in SIP headers (e.g., by exploiting the
+ fact that weak implementations may generate predictable SIP Dialog
+ parameters) or exploiting broken implementations that do not properly
+ verify the content of certain headers. Threats in this category are
+ as follows:
+
+ o session teardown - an attacker can send CANCEL/BYE messages in
+ order to tear down an existing call at the SIP layer; for such an
+ attack, the attacker either needs to know (e.g., by eavesdropping
+ a SIP INVITE message) the SIP Dialog of the call to be hijacked
+ (To-tag, From-tag, Call-ID) or alternatively may rely on SIP
+ implementations that do not properly authenticate requests based
+ on the SIP Dialog;
+
+ o Billing fraud - the attacker can modify and replay an intercepted
+ INVITE request in order to bill a call to a victim UE and avoid
+ paying for the phone call;
+
+ o User ID spoofing - SSPs are responsible for asserting the
+ legitimacy of a user ID; if an SSP fails to achieve the level of
+ identity assertion that the federation to which it belongs
+ expects, it may create an entry point for attackers to conduct
+ user ID spoofing attacks;
+
+
+
+Seedorf, et al. Informational [Page 8]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ o Unwanted requests - the attacker sends requests to interfere with
+ regular operation, e.g., by sending a REGISTER request in order to
+ hijack calls. The SPEERMINT architecture as defined in [RFC6406]
+ does not require registrations between the Signaling Functions
+ (SFs) of the connected SSPs. Hence, superfluous requests like
+ REGISTERs should be rejected.
+
+2.3.2.2. SIP Reply Spoofing
+
+ Threats in this category are as follows:
+
+ o Forged 199 Response - the attacker sends a forged 199 response to
+ terminate an early dialog. The forged response will not terminate
+ the entire session but may alter the direction of the session;
+
+ o Forged 200 Response - having seen the contents of an INVITE
+ request, an eavesdropper can inject a 200 response, affecting the
+ processing of the transaction of all proxies between the injection
+ point and the originating UA and at the originating UA itself. In
+ the extreme case, this can result in a hijacked call. In many
+ cases, however, such an attack will leave signaling artifacts that
+ may allow it to be detected (e.g., the element receiving the
+ forged 200 response may also receive other SIP reply messages from
+ the actual terminating UE);
+
+ o Forged 302 Response - having seen the contents of an INVITE
+ request, an eavesdropper could also inject a forged "302 Moved
+ Temporarily" reply, affecting the processing of the transaction at
+ intermediate entities and the originating UA. This may allow the
+ attacker to successfully redirect the call to any destination UE
+ of his choosing;
+
+ o Forged 404 Response - having seen the contents of an INVITE
+ request, an eavesdropper could also inject a forged "404 Not
+ Found" reply, affecting the processing of the transaction at
+ intermediate entities and the originating UA. Such an attack may
+ result in disrupting the call establishment.
+
+2.3.2.3. SIP Message Tampering
+
+ This threat involves the alteration of important field values in a
+ SIP message or in the Session Description Protocol (SDP) body.
+ Examples of this threat could be the dropping or modification of
+ handshake packets in order to avoid the establishment of a secure RTP
+ session (SRTP). The same approach could be used to degrade the
+ quality of media session by letting a UE negotiate a poor quality
+ codec.
+
+
+
+
+Seedorf, et al. Informational [Page 9]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+2.3.3. Threats to SF Availability
+
+ o Flooding attack - a Signaling Path Border Element (SBE) is
+ susceptible to message flooding attacks that may come from
+ interconnected SSPs;
+
+ o Session blackholing - the attacker (assumed to be able to make
+ Man-in-the-Middle attacks) intentionally drops essential packets,
+ e.g., INVITEs, to prevent certain calls from being established;
+
+ o SIP Fuzzing attack - fuzzing tests and software can be used by
+ attackers to discover and exploit vulnerabilities of a SIP entity.
+ This attack may result in crashing a SIP entity.
+
+2.4. Threats to the Media Function (MF)
+
+ The Media Function (MF) is responsible for the actual delivery of
+ multimedia communication between the users and carries sensitive
+ information. Through the media function, the UE can establish secure
+ communications and monitor the quality of conversations. Correct and
+ trusted operations of MF is essential for privacy and service-
+ assurance issues. This section discusses potential security threats
+ to the MF to detail the possible attack vectors.
+
+2.4.1. Threats to MF Confidentiality
+
+ The MF is vulnerable to eavesdropping in which the attacker may
+ reconstruct the voice conversation or sensitive information (e.g.,
+ PINs from DTMF tones). Some SRTP key exchange mechanisms (e.g.,
+ [RFC4568]) are vulnerable to bid-down attacks, where an attacker
+ selectively changes key exchange protocol fields in order to enforce
+ the establishment of a less secure or even non-secure communication.
+
+2.4.2. Threats to MF Integrity
+
+ Both RTP and RTCP are vulnerable to integrity violation in many ways:
+
+ o Media injection - if an attacker can somehow detect an ongoing
+ media session and eavesdrop a few RTP packets, he can start
+ sending bogus RTP packets to one of the UEs involved using the
+ same codec. If the bogus RTP packets have consistently greater
+ timestamps and sequence numbers (but within the acceptable range)
+ than the legitimate RTP packets, the recipient UE may accept the
+ bogus RTP packets and discard the legitimate ones.
+
+
+
+
+
+
+
+Seedorf, et al. Informational [Page 10]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ o Media session teardown - the attacker sends bogus RTCP BYE
+ messages to a target UE signaling to tear down the media
+ communication; please note that RTCP messages are normally not
+ authenticated.
+
+ o Quality-of-Service (QoS) degradation - the attacker sends wrong
+ RTCP reports advertising more packet loss or more jitter than
+ actually experimented resulting in the usage of a poor quality
+ codec degrading the overall quality of the call experience.
+
+2.4.3. Threats to MF Availability
+
+ o Malformed messages - the attacker tries to cause a crash or a
+ reboot of the Data Path Border Element (DBE)/UE by sending RTP/
+ RTCP malformed messages;
+
+ o Messages flooding - the attacker tries to exhaust the resources of
+ the DBE/UE by sending many RTP/RTCP messages.
+
+3. Security Requirements
+
+3.1. Security Requirements from SPEERMINT Requirements Document
+
+ The security requirements for SPEERMINT have been moved from an
+ earlier version of this document to the SPEERMINT requirements
+ [RFC6271]. The security requirements for SPEERMINT are the
+ following, from [RFC6271]:
+
+ o Requirement #15: The protocols used to query the Lookup and
+ Location Routing Functions SHOULD support mutual authentication.
+
+ o Requirement #16: The protocols used to query the Lookup and
+ Location Routing Functions SHOULD provide support for data
+ confidentiality and integrity.
+
+ o Requirement #17: The protocols used to enable session peering MUST
+ NOT interfere with the exchanges of media security attributes in
+ SDP. Media attribute lines that are not understood by SBEs must
+ be ignored and passed along the signaling path untouched.
+
+3.2. How to Fulfill the Security Requirements for SPEERMINT
+
+ Requirements #15 and #16 state that the LUF and LRF should support
+ mutual authentication, data confidentiality, and integrity. In
+ principle, these requirements can be fulfilled technically with
+ Transport Layer Security (TLS) or Datagram TLS (DTLS) [RFC5246]
+ [RFC4347] or IP layer security (IPsec) [RFC4301]. From a pure
+
+
+
+
+Seedorf, et al. Informational [Page 11]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ security perspective both solutions fulfill the security requirements
+ for SPEERMINT, just on a different layer, and both solutions are
+ widely deployed.
+
+ However, from a more practical perspective, transport layer security
+ (i.e., TLS or DTLS) has the advantage that the application using it
+ is aware of whether or not security (or rather the corresponding
+ security features) is enabled. For instance, using TLS has the
+ consequence that the connection fails if the corresponding connection
+ endpoint cannot authenticate properly.
+
+ While IPsec fulfills the same requirements from a security
+ perspective, IPsec is somewhat de-coupling security from the
+ application using it. For instance, IPsec is often provided by
+ dedicated entities in such a way that from the application layer, it
+ cannot be recognized whether or not IPsec or certain security
+ features are turned on ("bump-in-the-wire").
+
+ In summary, TLS (or DTLS) has some notable advantages over IPsec for
+ addressing the SPEERMINT security requirements. In particular,
+ transport layer security is preferable over IPsec for SPEERMINT
+ because with TLS (or DTLS) security is more closely coupled to the
+ LUF or LRF. From a mere technical perspective, however, both
+ solutions (transport layer security or IPsec) fulfill the SPEERMINT
+ security requirements, and there may be particular cases where IPsec
+ is a preferable solution.
+
+4. Suggested Countermeasures
+
+ This section describes implementer-specific countermeasures against
+ the threats described in the previous sections and for addressing the
+ SPEERMINT security requirements described in [RFC6271]. The
+ countermeasures listed in this section are not meant to be
+ exhaustive; rather, the suggested countermeasures are aimed to serve
+ as starting points and to give guidance for implementers that are
+ trying to select appropriate countermeasures against certain threats.
+
+ The following table provides a map of the relationships between
+ threats and countermeasures. The suggested countermeasures are
+ discussed in detail in the subsequent subsections.
+
+
+
+
+
+
+
+
+
+
+
+Seedorf, et al. Informational [Page 12]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ +-------+---------------+-------------------------------------------+
+ | Group | Threat | Suggested Countermeasure |
+ +-------+---------------+-------------------------------------------+
+ | LUF | Unauthorized | database security BCPs (Section 4.1), |
+ | | access | Secure Exchange of SIP messages |
+ | | | (Section 4.5) |
+ | | SQL injection | database security BCPs (Section 4.1), |
+ | | | Secure Exchange of SIP messages |
+ | | | (Section 4.5) |
+ | | DoS to LUF | database security BCPs (Section 4.1), |
+ | | | Secure Exchange of SIP messages |
+ | | | (Section 4.5) |
+ | LRF | URI | privacy protection (Section 4.4), Secure |
+ | | harvesting | Exchange of SIP messages (Section 4.5) |
+ | | SIP equipment | privacy protection (Section 4.4), Secure |
+ | | enumeration | Exchange of SIP messages (Section 4.5) |
+ | | MitM attack | DNSSEC (Section 4.2), Secure Exchange of |
+ | | | SIP messages (Section 4.5) |
+ | | Incorrect | DNSSEC (Section 4.2), Secure Exchange of |
+ | | destinations | SIP messages (Section 4.5) |
+ | | DoS to LRF | DNS replication (Section 4.3) |
+ | SF | Call pattern | Secure Exchange of SIP messages |
+ | | analysis | (Section 4.5), Securing Session |
+ | | | Establishment Data (Section 4.12) |
+ | | Password | Secure Exchange of SIP messages |
+ | | cracking | (Section 4.5) |
+ | | Network | Securing Session Establishment Data |
+ | | discovery | (Section 4.12), Topology Hiding |
+ | | | (Section 4.10) |
+ | | Session | Secure Exchange of SIP messages |
+ | | teardown | (Section 4.5), ingress filtering |
+ | | | (Section 4.6) |
+ | | Billing fraud | strong identity assertion (Section 4.7) |
+ | | User ID | strong identity assertion (Section 4.7) |
+ | | spoofing | |
+ | | Forged 200 | Secure Exchange of SIP messages |
+ | | Response | (Section 4.5), ingress filtering |
+ | | | (Section 4.6) |
+ | | Forged 302 | Secure Exchange of SIP messages |
+ | | Response | (Section 4.5), ingress filtering |
+ | | | (Section 4.6) |
+ | | Forged 404 | Secure Exchange of SIP messages |
+ | | Response | (Section 4.5), ingress filtering |
+ | | | (Section 4.6) |
+ | | Flooding | reliable border element pooling |
+ | | attack | (Section 4.8), rate limit (Section 4.9) |
+ | | Session | DNSSEC (Section 4.2) |
+ | | blackholing | |
+
+
+
+Seedorf, et al. Informational [Page 13]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ | | SIP fuzzing | border element hardening (Section 4.11) |
+ | | attack | |
+ | MF | Eavesdropping | Encryption and Integrity Protection of |
+ | | | Media Stream (Section 4.13) |
+ | | Media | Encryption and Integrity Protection of |
+ | | injection | Media Stream (Section 4.13) |
+ | | Media session | Encryption and Integrity Protection of |
+ | | teardown | Media Stream (Section 4.13) |
+ | | QoS | Encryption and Integrity Protection of |
+ | | degradation | Media Stream (Section 4.13) |
+ | | Malformed | border element hardening (Section 4.11) |
+ | | messages | |
+ | | Message | rate limit (Section 4.9) |
+ | | flooding | |
+ +-------+---------------+-------------------------------------------+
+
+4.1. Database Security BCPs
+
+ Adequate security measures must be applied to the LUF to prevent it
+ from being a target of attacks often seen on common database systems.
+ Common security Best Current Practices (BCPs) for database systems
+ include the use of strong passwords to prevent unauthorized access,
+ parameterized statements to prevent SQL injections, and server
+ replication to prevent any database from being a single point of
+ failure. [DBSEC] is one of many existing documents that describe BCPs
+ in this area.
+
+4.2. DNSSEC
+
+ If DNS is used by the LRF, it is recommended to deploy the recent
+ version of Domain Name System Security Extensions (informally called
+ "DNSSEC-bis") defined by [RFC4033], [RFC4034], and [RFC4035]. DNSSEC
+ has been designed to protect DNS against well-known attacks such as
+ DNS cache poisoning or Man-in-the-Middle (MitM) attacks on DNS
+ queries. Essentially, DNSSEC is a set of public key cryptography
+ extensions to DNS that provide authentication of DNS data, integrity
+ protection for DNS entries, and authenticated denial of existence
+ regarding non-existing DNS entries. In the context of SSP peering,
+ DNSSEC can provide authentication and integrity regarding the
+ location of a Signaling Function (SF) entity retrieved via DNS.
+ Using DNSSEC can thus help to defend against MitM attacks on DNS
+ queries invoked by the LRF, session blackholing and other attacks
+ that lead traffic to incorrect destinations.
+
+ DNSSEC has been deployed at the root level and in several top-level
+ domains (e.g., .com and .net). Although, at the time of this
+ writing, DNSSEC is still not yet widely deployed on the Internet,
+ even limited deployment can add significant integrity protection and
+
+
+
+Seedorf, et al. Informational [Page 14]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ authentication to the LRF for Signaling Function locations received
+ via DNS entries. Neither end users nor terminals are involved in the
+ DNS resolution process of the LRF. Hence, if a) the sending SSP uses
+ a DNS resolver that supports DNSSEC extensions, b) the receiving SSP
+ stores the location of its Signaling Function cryptographically
+ signed (using DNSSEC extensions) in the DNS, and c) the sending SSP
+ can obtain an authentication chain (i.e., a series of linked DS and
+ DNSKEY records) to the receiving SSP, the LRF can be secured with
+ DNSSEC. In the context of SPEERMINT, all three of these requirements
+ can be fulfilled even in the case of partial DNSSEC deployment. In
+ particular, even without Internet-wide deployment of DNSSEC, it may
+ be possible for a sending SSP to obtain a suitable trust anchor for
+ verifying the receiving SSP's public key. For instance, a suitable
+ trust anchor could be configured for that specific SSP's top-level
+ domain or for the particular SSP's domain directly. If the sending
+ and the receiving SSP use a common ENUM tree, DNSSEC use with the
+ ENUM tree's trust anchor is "straightforward".
+
+4.3. DNS Replication
+
+ DNS replication is a very important countermeasure to mitigate DoS
+ attacks on the LRF. Simultaneously bringing down multiple DNS
+ servers that support the LRF is much more challenging than attacking
+ a sole DNS server (single point of failure).
+
+4.4. Cross-Domain Privacy Protection
+
+ Stripping Via and Record-Route headers, replacing the Contact header,
+ and even changing Call-IDs are the mechanisms described in [RFC3323]
+ to protect SIP privacy. This practice allows an SSP to hide its SIP
+ network topology, prevents intermediate signaling equipment from
+ becoming the target of DoS attacks, as well as protects the privacy
+ of UEs according to their preferences. This practice is effective in
+ preventing SIP equipment enumeration that exploits LRF.
+
+4.5. Secure Exchange of SIP Messages
+
+ SIP can be used on top of UDP or TCP as transport protocol [RFC3261].
+ However, look-up and SED data should be exchanged securely (see
+ security requirements (Section 3.2)), e.g., to increase the
+ difficulty of performing session teardown and forging responses (200,
+ 302, 404, etc). If UDP is used to carry SIP messages, DTLS should be
+ used to secure SIP message exchange between SSPs. If TCP is used as
+ a transport protocol, it can be secured with TLS. Therefore,
+ depending on the underlying transport protocol, SSPs should use
+ either DTLS or TLS to secure SIP message delivery.
+
+
+
+
+
+Seedorf, et al. Informational [Page 15]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ In general, encryption and integrity protection of signaling messages
+ can be achieved on the transport layer (with TLS or DTLS) or on the
+ network layer (with IPsec). Both solutions are technically sound,
+ but transport layer security has some advantages. Please refer to
+ the subsection on fulfilling the SPEERMINT security requirements
+ (Section 3.2) for a discussion on using TLS/DTLS or IPsec for
+ protecting the confidentiality and integrity of signaling messages.
+ Similar to strong identity assertion, a Public Key Infrastructure
+ (PKI) is assumed to be in place for TLS/DTLS (or IPsec) deployment so
+ that SSPs can obtain and trust the keys necessary to decrypt messages
+ and verify signatures sent by other SSPs.
+
+ Message-oriented protection such as [RFC3261] authentication does not
+ fulfill the SPEERMINT requirements (e.g., mutual authentication).
+
+4.6. Ingress Filtering / Reverse-Path Filtering
+
+ Ingress filtering, i.e., blocking all traffic coming from a host that
+ has a source address different than the addresses that have been
+ assigned to that host (see [RFC2827]), can effectively prevent UEs
+ from sending packets with a spoofed source IP address. This can be
+ achieved by reverse-path filtering, i.e., only accepting ingress
+ traffic if responses would take the same path. This practice is
+ effective in preventing session teardown and forged SIP replies (200,
+ 302, 404, etc.), if the recipient correctly verifies the source IP
+ address for the authenticity of each incoming SIP message.
+
+4.7. Strong Identity Assertion
+
+ "Caller ID spoofing" can be achieved thanks to the weak identity
+ assertion on the From URI of an INVITE request. In a single SSP
+ domain, strong identity assertion can be easily achieved by
+ authenticating each INVITE request. However, in the context of
+ SPEERMINT, only the Originating SSP is able to verify the identity
+ directly. In order to overcome this problem, there are currently
+ only two major approaches: transitive trust and cryptographic
+ signature. The transitive trust approach builds a chain of trust
+ among different SSP domains. One example of this approach is a
+ combined mechanism specified in [RFC3324] and [RFC3325]. Using this
+ approach in a transit peering network scenario, the terminating SSP
+ must establish a trust relationship with all SSP domains on the path,
+ which can be seen as an underlying weakness. The use of
+ cryptographic signatures is an alternative approach. "Session
+ Initiation Protocol (SIP) Authenticated Identity Body (AIB) Format"
+ is specified in [RFC3893]. [RFC4474] introduces two new header
+ fields, IDENTITY and IDENTITY-INFO, that allow a SIP server in the
+ Originating SSP to digitally sign an INVITE request after
+ authenticating the sending UE. The terminating SSP can verify if the
+
+
+
+Seedorf, et al. Informational [Page 16]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ INVITE request is signed by a trusted SSP domain. Although this
+ approach does not require the terminating SSP to establish a trust
+ relationship with all transit SSPs on the path, a PKI is assumed to
+ be in place.
+
+4.8. Reliable Border Element Pooling
+
+ It is advisable to implement reliable pooling on border elements. An
+ architecture and protocols for the management of server pools
+ supporting mission-critical applications are addressed in the
+ RSERPOOL WG. Using such mechanisms and protocols (see [RFC5351]
+ [RFC5352] [RFC5353] for details), a UE can effectively increase its
+ capacity in handling flooding attacks.
+
+4.9. Rate limit
+
+ Flooding attacks on SFs and MFs can also be mitigated by limiting the
+ rate of incoming traffic through policing or queuing. In this way,
+ legitimate clients can be denied the service since their traffic may
+ be discarded. Rate limiting can also be applied on a per-source-IP
+ basis under the assumption that the source IP of each attack packet
+ is not spoofed dynamically. Limitations related to NAT and mobility
+ issues apply and may result in false positives (i.e., source IP
+ addresses blocked) when multiple legitimate clients are located
+ behind the same NAT IP address. It may be preferable to limit the
+ number of concurrent 'sessions', i.e., ongoing calls instead of the
+ messaging associated with it (since sessions use more resources on
+ backend-systems). When calculating rate limits, all entities along
+ the session path should be taken into account. SIP entities on the
+ receiving end of a call may be the limiting factor (e.g., the number
+ of ISDN channels on PSTN gateways) rather than the ingress limiting
+ device.
+
+4.10. Topology Hiding
+
+ Topology hiding applies to both the signaling and media plane and
+ consists of limiting the amount of topology information exposed to
+ peering partners. Topology hiding requires back-to-back user agent
+ (B2BUA) functionality. The most common way is the use of a Session
+ Border Controller (SBC) as SBE. Topology hiding is explained in
+ [RFC5853].
+
+4.11. Border Element Hardening
+
+ To prevent attacks that exploit vulnerabilities (such as buffer
+ overflows, format string vulnerabilities, etc.) in SPEERMINT border
+ elements, these implementations should be security hardened. For
+ instance, fuzz testing is a common black box testing technique used
+
+
+
+Seedorf, et al. Informational [Page 17]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ in software engineering. Also, security vulnerability tests can be
+ carried out preventively to assure a UE/SBE/DBE can handle unexpected
+ data correctly without crashing. [RFC4475] and [PROTOS] are examples
+ of torture test cases specific for SIP devices and freely available
+ security testing tools, respectively. These type of tests needs to
+ be carried out before product release and in addition throughout the
+ product life cycle.
+
+4.12. Securing Session Establishment Data
+
+ Session Establishment Data (SED) contains critical information for
+ the routing of SIP sessions. In order to prevent attacks such as
+ service hijacking and denial of service that exploit SED, SSPs should
+ adopt a secure transport protocol that provides authentication,
+ confidentiality and integrity to exchange SED among themselves.
+ Further details can be found in [DRINKS-SPPROV].
+
+4.13. Encryption and Integrity Protection of Media Stream
+
+ The Secure Real-time Transport Protocol (SRTP) [RFC3711] prevents
+ eavesdropping on plain RTP by encrypting the data flow. It uses AES
+ as the default cipher and defines two modes of operation (Segmented
+ Integer Counter Mode and f8-mode), which is agreed upon after
+ negotiation. It also uses HMAC-SHA1 and index keeping to enable
+ message authentication/integrity and replay protection required to
+ prevent media injection attacks. Secure RTCP (SRTCP) provides the
+ same security-related features to RTCP as SRTP does for RTP. SRTCP
+ is described in [RFC3711] as optional. In order to prevent media
+ session teardown, it is recommended to turn this feature on. The
+ choice of the external key management protocol is left to the
+ deployment, a PKI is necessary to implement the security requirements
+ of the SPEERMINT requirements document.
+
+5. Conclusions
+
+ This document presented the different SPEERMINT security threats
+ classified in groups related to the LUF, LRF, SF, and MF,
+ respectively. The multiple instances of the threats were presented
+ with a brief explanation. Finally, suggested countermeasures for
+ SPEERMINT were outlined together with possible mitigation of the
+ existing threats by means of them.
+
+6. Security Considerations
+
+ This document is entirely focused on the security threats for
+ SPEERMINT.
+
+
+
+
+
+Seedorf, et al. Informational [Page 18]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+7. Acknowledgements
+
+ This document was originally inspired by the VOIPSA VoIP Security and
+ Privacy Threat Taxonomy. The authors would like to thank VOIPSA for
+ having produced a comprehensive taxonomy as the starting point of
+ this document. Additionally, the authors would like to thank Cullen
+ Jennings, Jon Peterson, David Schwartz, Hadriel Kaplan, Peter Koch,
+ Daryl Malas, Jason Livingood, and Robert Sparks for useful comments
+ to previous editions of this document on the mailing list as well as
+ during IETF meetings.
+
+ Jan Seedorf and Saverio Niccolini are partially supported by the
+ DEMONS project, a research project supported by the European
+ Commission under its 7th Framework Program (contract no. 257315).
+ The views and conclusions contained herein are those of the authors
+ and should not be interpreted as necessarily representing the
+ official policies or endorsements, either expressed or implied, of
+ the DEMONS project or the European Commission.
+
+8. Informative References
+
+ [DBSEC] Gertz, M. and S. Jajodia, "Handbook of Database Security:
+ Applications and Trends", Springer, 2008.
+
+ [DRINKS-SPPROV]
+ Mule, J., Cartwright, K., Ali, S., and A. Mayrhofer,
+ "Session Peering Provisioning Protocol", Work in Progress,
+ September 2011.
+
+ [PROTOS] Wieser, C., Laakso, M., and H. Schulzrinne, "SIP
+ Robustness Testing for Large-Scale Use", First
+ International Workshop on Software Quality (SOQUA 2004),
+ September 2004.
+
+ [RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
+ Defeating Denial of Service Attacks which employ IP Source
+ Address Spoofing", BCP 38, RFC 2827, May 2000.
+
+ [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
+ A., Peterson, J., Sparks, R., Handley, M., and E.
+ Schooler, "SIP: Session Initiation Protocol", RFC 3261,
+ June 2002.
+
+ [RFC3323] Peterson, J., "A Privacy Mechanism for the Session
+ Initiation Protocol (SIP)", RFC 3323, November 2002.
+
+ [RFC3324] Watson, M., "Short Term Requirements for Network Asserted
+ Identity", RFC 3324, November 2002.
+
+
+
+Seedorf, et al. Informational [Page 19]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ [RFC3325] Jennings, C., Peterson, J., and M. Watson, "Private
+ Extensions to the Session Initiation Protocol (SIP) for
+ Asserted Identity within Trusted Networks", RFC 3325,
+ November 2002.
+
+ [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
+ Norrman, "The Secure Real-time Transport Protocol (SRTP)",
+ RFC 3711, March 2004.
+
+ [RFC3893] Peterson, J., "Session Initiation Protocol (SIP)
+ Authenticated Identity Body (AIB) Format", RFC 3893,
+ September 2004.
+
+ [RFC4033] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "DNS Security Introduction and Requirements",
+ RFC 4033, March 2005.
+
+ [RFC4034] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Resource Records for the DNS Security Extensions",
+ RFC 4034, March 2005.
+
+ [RFC4035] Arends, R., Austein, R., Larson, M., Massey, D., and S.
+ Rose, "Protocol Modifications for the DNS Security
+ Extensions", RFC 4035, March 2005.
+
+ [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
+ Internet Protocol", RFC 4301, December 2005.
+
+ [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
+ Security", RFC 4347, April 2006.
+
+ [RFC4474] Peterson, J. and C. Jennings, "Enhancements for
+ Authenticated Identity Management in the Session
+ Initiation Protocol (SIP)", RFC 4474, August 2006.
+
+ [RFC4475] Sparks, R., Hawrylyshen, A., Johnston, A., Rosenberg, J.,
+ and H. Schulzrinne, "Session Initiation Protocol (SIP)
+ Torture Test Messages", RFC 4475, May 2006.
+
+ [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session
+ Description Protocol (SDP) Security Descriptions for Media
+ Streams", RFC 4568, July 2006.
+
+ [RFC4732] Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
+ Service Considerations", RFC 4732, December 2006.
+
+ [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
+ (TLS) Protocol Version 1.2", RFC 5246, August 2008.
+
+
+
+Seedorf, et al. Informational [Page 20]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+ [RFC5351] Lei, P., Ong, L., Tuexen, M., and T. Dreibholz, "An
+ Overview of Reliable Server Pooling Protocols", RFC 5351,
+ September 2008.
+
+ [RFC5352] Stewart, R., Xie, Q., Stillman, M., and M. Tuexen,
+ "Aggregate Server Access Protocol (ASAP)", RFC 5352,
+ September 2008.
+
+ [RFC5353] Xie, Q., Stewart, R., Stillman, M., Tuexen, M., and A.
+ Silverton, "Endpoint Handlespace Redundancy Protocol
+ (ENRP)", RFC 5353, September 2008.
+
+ [RFC5486] Malas, D. and D. Meyer, "Session Peering for Multimedia
+ Interconnect (SPEERMINT) Terminology", RFC 5486,
+ March 2009.
+
+ [RFC5853] Hautakorpi, J., Camarillo, G., Penfield, R., Hawrylyshen,
+ A., and M. Bhatia, "Requirements from Session Initiation
+ Protocol (SIP) Session Border Control (SBC) Deployments",
+ RFC 5853, April 2010.
+
+ [RFC6271] Mule, J-F., "Requirements for SIP-Based Session Peering",
+ RFC 6271, June 2011.
+
+ [RFC6406] Malas, D., Ed. and J. Livingood, Ed., "Session PEERing for
+ Multimedia INTerconnect (SPEERMINT) Architecture",
+ RFC 6406, November 2011.
+
+ [VOIPSATAXONOMY]
+ Zar, J. and et al, "VOIPSA VoIP Security and Privacy
+ Threat Taxonomy, Public Release 1.0",
+ http://www.voipsa.org/Activities/taxonomy.php,
+ October 2005.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Seedorf, et al. Informational [Page 21]
+
+RFC 6404 SPEERMINT Threats and Countermeasures November 2011
+
+
+Authors' Addresses
+
+ Jan Seedorf
+ NEC Laboratories Europe, NEC Europe, Ltd.
+ Kurfuersten-Anlage 36
+ Heidelberg 69115
+ Germany
+
+ Phone: +49 (0) 6221 4342 221
+ EMail: jan.seedorf@neclab.eu
+ URI: http://www.neclab.eu
+
+
+ Saverio Niccolini
+ NEC Laboratories Europe, NEC Europe, Ltd.
+ Kurfuersten-Anlage 36
+ Heidelberg 69115
+ Germany
+
+ Phone: +49 (0) 6221 4342 118
+ EMail: saverio.niccolini@.neclab.eu
+ URI: http://www.neclab.eu
+
+
+ Eric Chen
+ Information Sharing Platform Laboratories, NTT
+ 3-9-11 Midori-cho
+ Musashino, Tokyo 180-8585
+ Japan
+
+ EMail: eric.chen@lab.ntt.co.jp
+ URI: http://www.ntt.co.jp/index_e.html
+
+
+ Hendrik Scholz
+ VOIPFUTURE GmbH
+ Wendenstrasse 4
+ Hamburg 20097
+ Germany
+
+ Phone: +49 (0) 40 688 900 163
+ EMail: hendrik.scholz@voipfuture.com
+ URI: http://voipfuture.com
+
+
+
+
+
+
+
+
+Seedorf, et al. Informational [Page 22]
+