SlideShare uma empresa Scribd logo

SIPCORE - presentation of SIP and DANE (IETF #89)

Olle E Johansson
Olle E Johansson

A presentation of how DANE may apply to the Session Initiation Protocol (SIP). Written for the SIPcore meeting at IETF #89 in London, 2014

Tecnologia
1 de 29
SIP and DNS-sec based TLS setup (DANE) random thoughts by oej@edvina.net
 Olle E. Johansson ! V 3.14 - 2014-02-27 IETF 89, London, March 2014 1
Today’s question • SIP DANE Do we want to add this work to our charter? 2 Olle E. Johansson
SIP TLS • SIP uri target domain is verified against SubjectAltName uri records • if no SAN uri records, SAN DNS records • If no SAN records, CN • But no CN check if there are SAN records! RFC 5922 SIP DANE 3 Olle E. Johansson
Dependencies DNS TLS SIP SIP domain certificates DNSsec DANE SIP + DANE To trust DANE
 you need to trust DNSsec SIP DANE 4
Dane simplified DNS zone
 signed, trusted TLS server
 stockholm.example.com Certificate
 identifier TLS client SIP DANE 5
Questions TLS server
 stockholm.example.com Is the certificate
 signer (CA) the right one? Do I trust this certificate? Am I talking with the 
 right server? TLS client SIP DANE 6
DANE simplified TLS server
 My service use this CA DNS zone
 signed, trusted stockholm.example.com My service use this certificate TLS client SIP DANE My service use the private
 key that match this public key 7 Certificate
 identifier
Dane summary • • • SIP DANE Can publish constraints • • This CA is the only one accepted This certificate is the only one accepted Can publish root of private CA • This CA cert is the one used to sign my server certificates Can publish certificates In all cases, a full cert or the public key can be published - or fingerprints of these. 8 Olle E. Johansson
TLSA selector and matching Selector • 0 - Full certificate included in TLSA • 1 - Public key included in TLSA Matching • 0 = Exact match • 1 = the data is SHA-256 hash of content • 2 = the data is SHA-512 hash of content SIP DANE 9 Olle E. Johansson
TLSA records • Usage 0: CA constraint. Certificate or public key of CA • Usage 1: Certificate constraint. Certificate or public key of cert signed by CA. • Usage 2. Certificate or public key of cert serving as trust anchor for the cert given by the server (”private CA”) • Usage 3: A certificate or public key that matches the cert given by the server (No PKIX check) SIP DANE 10 Olle E. Johansson
DANE simplified DNS zone
 signed, trusted TLS server
 stockholm.example.com 2.Verify the TLS server cert
 in handshake with TLSA record. TLS client SIP DANE 1. Check the TLSA record for service 11 Certificate
 identifier
The DANE promise • If you trust the DNS (using DNSsec)
 then we can use that instead of the certificate store to check server identity and authorisation. SIP DANE 12 Olle E. Johansson
Back to SIP SIP DANE 13
SIP DOMAIN CERTS • Connect a SIP URI domain part with a certificate • Mix server identification with domain authorisation • Only domains in the certificates • New certificate every time we add a domain or subdomain • No wildcard certs SIP DANE 14 Olle E. Johansson
What about SNI • Many certificates on one TLS server and IP. • No support for DNS names • ONLY host names. SIP DANE 15 Olle E. Johansson
SIP sip:alice@example.com example.com NAPTR We just trust that we’ve hit
 the right server if the cert
 contains the domain. example.net SRV host sip02.example.org Cert with “example.com” SIP DANE 16 Olle E. Johansson
DANE Secure delegation sip:alice@example.com if the DNS queries for NAPTR and SRV records was verified and protected with DNSsec, we have a secure delegation from example.com to sip02.example.org Protected by DNSsec example.com NAPTR example.net SRV host sip02.example.org Cert with “sip02.example.org” SIP DANE 17 Olle E. Johansson
Not fully secure is insecure • If the NAPTR was DNSsec protected but not the SRV, we have no secure delegation. • If there’s no DNSsec in either NAPTR nor SRV we’re insecure too. • The SIP Uri to TLS certificate matching in RFC 5922 applies in this case SIP DANE 18 Olle E. Johansson
If we have a secure delegation • Check for TLSA record for the srv host name and port • _5068._udp.sip02.example.org • If no TLSA record is found, then DANE doesn’t apply - proceed according to RFC 5922 • If TLSA record exists, continue to the next slide SIP DANE 19 Olle E. Johansson
Our identifiers • The SIP domain in the request URI • Used in insecure delegation • The SRV FQDN from SRV lookup of the domain (protected with DNSsec) • Used in secure delegation as well as with TLSA record verification SIP DANE 20 Olle E. Johansson
Validation • With TLSA usage 0 and 1, use these constraints then verify cert as before • With TLSA usage 2 and 3, use the information to validate cert • • SIP DANE If either TLSA validation fails, connection should fail. With usage 0 and 1, after TLSA validation normal PKIX validation happens.
 21 Olle E. Johansson
Sideways jumps • When a NAPTR or SRV record points to a name in another domain, the client needs to make sure that the new domain is validated in DNSsec as well. • If not, delegation is insecure SIP DANE 22 Olle E. Johansson
SIP Fallback logic • If there’s no secure delegation, use RFC 5922, if that fails go to next SRV server in the list • When out of SRV servers, TLS connection has failed. SIP DANE 23 Olle E. Johansson
Compatibility with nonSRV clients • Fallback to RFC 5922 • Since dane-srv-02 requires TLS SNI this will be sorted out by the server. • SRV/DANE compatible UAs will require cert for SRV host name • Non SRV/DANE UAs will require cert with SIP uri target domain SIP DANE 24 Olle E. Johansson
If no SNI support is available • Cert with • CommonName = hostname • SubjectAltName = SIP domain SIP DANE 25 Olle E. Johansson
SIP connection reuse • RFC 5923 use TLS cert content to add aliases to a connection. • With DANE, the cert will include only the hostname • SIP/DANE will have to add aliases as they are verified using DNSsec • If a domain share a SRV hostname and the trust chain is verified between domain and SRV, the existing connection to the SRV host may be used for this domain too (and alias added to the alias table)
 SIP DANE 26 Olle E. Johansson
Verification of client certificates in RFC 5923 • Connection reuse requires a SIP server using RFC 5923 to request a client certificate • Which DNS name do we use to look up TLSA records and verify the client? Can this be done? SIP DANE 27 Olle E. Johansson
Not to worry about now • SIP identity • SIMPLE • SIPS: uri’s For these use cases,
 there’s no difference compared with other TLS usage in SIP. SIP DANE 28 Olle E. Johansson
Reading material RFC 5922 SIP Domain Certificates RFC 6698 draft-ietf-dane-srv DNS based authentication of named entities (DANE) DANE and SRV/MX records draft-ietf-dane-smime DANE and SMIME identities draft-ogud-dane-vocabulary DANE vocabulary for application usages RFC 5923 Connection Reuse in SIP draft-johansson-dispatch-dane-sip-01 The draft on SIP and DANE SIP DANE 29 Olle E. Johansson

Recomendados

SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and more
Olle E Johansson
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP
Olle E Johansson
 
Sipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesSipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slides
Olle E Johansson
 
Sip & IPv6 - time for action!
Sip & IPv6 - time for action!Sip & IPv6 - time for action!
Sip & IPv6 - time for action!
Olle E Johansson
 
Campus networking
Campus networkingCampus networking
Campus networking
Jisc
 
Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0
Fred Bovy
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
Mark Smith
 
Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!
Olle E Johansson
 

Recomendados

SIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and moreSIP and DNS - federation, failover, load balancing and more
SIP and DNS - federation, failover, load balancing and more
Olle E Johansson
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP2015 update: SIP and IPv6 issues - staying Happy in SIP
2015 update: SIP and IPv6 issues - staying Happy in SIP
Olle E Johansson
 
Sipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slidesSipforum SIP & IPv6 discussion slides
Sipforum SIP & IPv6 discussion slides
Olle E Johansson
 
Sip & IPv6 - time for action!
Sip & IPv6 - time for action!Sip & IPv6 - time for action!
Sip & IPv6 - time for action!
Olle E Johansson
 
Campus networking
Campus networkingCampus networking
Campus networking
Jisc
 
Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0
Fred Bovy
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
Mark Smith
 
Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!Kamailio World 2016: Update your SIP!
Kamailio World 2016: Update your SIP!
Olle E Johansson
 
Kamailio - SIP Servers Everywhere
Kamailio - SIP Servers EverywhereKamailio - SIP Servers Everywhere
Kamailio - SIP Servers Everywhere
Daniel-Constantin Mierla
 
FOSS Sthlm: Realtime Communication Update
FOSS Sthlm: Realtime Communication UpdateFOSS Sthlm: Realtime Communication Update
FOSS Sthlm: Realtime Communication Update
Olle E Johansson
 
Kamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffKamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuff
Olle E Johansson
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
IKT-Norge
 
TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6
Olle E Johansson
 
Astricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installationsAstricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installations
Olle E Johansson
 
Ipo spaces calling document-v1
Ipo spaces calling document-v1Ipo spaces calling document-v1
Ipo spaces calling document-v1
ManmeetShandilya2
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
APNIC
 
Modern networking for php developers (PHP Dorset)
Modern networking for php developers (PHP Dorset)Modern networking for php developers (PHP Dorset)
Modern networking for php developers (PHP Dorset)
SynchroM
 
Gabriel Paues - IPv6 address planning + making the case for WHY
Gabriel Paues - IPv6 address planning + making the case for WHYGabriel Paues - IPv6 address planning + making the case for WHY
Gabriel Paues - IPv6 address planning + making the case for WHY
IKT-Norge
 
Tech f42
Tech f42Tech f42
Tech f42
SelectedPresentations
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
APNIC
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
APNIC
 
Getting started with SIP Express Media Server SIP app server and SBC - workshop
Getting started with SIP Express Media Server SIP app server and SBC - workshopGetting started with SIP Express Media Server SIP app server and SBC - workshop
Getting started with SIP Express Media Server SIP app server and SBC - workshop
stefansayer
 
Kamailio on air
Kamailio on airKamailio on air
Kamailio on air
Olle E Johansson
 
Peer-to-peer Internet telephony
Peer-to-peer Internet telephonyPeer-to-peer Internet telephony
Peer-to-peer Internet telephony
Kundan Singh
 
Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP address
Bangladesh Network Operators Group
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
Bangladesh Network Operators Group
 
Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP Networks
Skeeve Stevens
 
Addressing IPv6
Addressing IPv6Addressing IPv6
Addressing IPv6
Fastly
 
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng cóNgôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
Thi công sơn giá rẻ
 
GoRiseMe Global Passion
GoRiseMe Global PassionGoRiseMe Global Passion
GoRiseMe Global Passion
GoRise Me
 

Mais conteúdo relacionado

Mais procurados

Addressing IPv6
Addressing IPv6Addressing IPv6
Addressing IPv6
Fastly
 

Mais procurados (20)

Kamailio - SIP Servers Everywhere
Kamailio - SIP Servers EverywhereKamailio - SIP Servers Everywhere
Kamailio - SIP Servers Everywhere
 
FOSS Sthlm: Realtime Communication Update
FOSS Sthlm: Realtime Communication UpdateFOSS Sthlm: Realtime Communication Update
FOSS Sthlm: Realtime Communication Update
 
Kamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuffKamailio World 2018: Having fun with new stuff
Kamailio World 2018: Having fun with new stuff
 
Henrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspectiveHenrik Strøm - IPv6 from the attacker's perspective
Henrik Strøm - IPv6 from the attacker's perspective
 
TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6TCP/IP Geeks Stockholm :: Introduction to IPv6
TCP/IP Geeks Stockholm :: Introduction to IPv6
 
Astricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installationsAstricon 2010: Scaling Asterisk installations
Astricon 2010: Scaling Asterisk installations
 
Ipo spaces calling document-v1
Ipo spaces calling document-v1Ipo spaces calling document-v1
Ipo spaces calling document-v1
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSEC
 
Modern networking for php developers (PHP Dorset)
Modern networking for php developers (PHP Dorset)Modern networking for php developers (PHP Dorset)
Modern networking for php developers (PHP Dorset)
 
Gabriel Paues - IPv6 address planning + making the case for WHY
Gabriel Paues - IPv6 address planning + making the case for WHYGabriel Paues - IPv6 address planning + making the case for WHY
Gabriel Paues - IPv6 address planning + making the case for WHY
 
Tech f42
Tech f42Tech f42
Tech f42
 
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
2nd ICANN APAC-TWNIC Engagement Forum: Why RPKI Matters
 
Testing Rolling Roots
Testing Rolling RootsTesting Rolling Roots
Testing Rolling Roots
 
Getting started with SIP Express Media Server SIP app server and SBC - workshop
Getting started with SIP Express Media Server SIP app server and SBC - workshopGetting started with SIP Express Media Server SIP app server and SBC - workshop
Getting started with SIP Express Media Server SIP app server and SBC - workshop
 
Kamailio on air
Kamailio on airKamailio on air
Kamailio on air
 
Peer-to-peer Internet telephony
Peer-to-peer Internet telephonyPeer-to-peer Internet telephony
Peer-to-peer Internet telephony
 
Preventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP addressPreventing Traffic with Spoofed Source IP address
Preventing Traffic with Spoofed Source IP address
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
 
Rapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP NetworksRapid IPv6 Deployment for ISP Networks
Rapid IPv6 Deployment for ISP Networks
 
Addressing IPv6
Addressing IPv6Addressing IPv6
Addressing IPv6
 

Destaque

LinkedIn Case Studies May 16
LinkedIn Case Studies May 16LinkedIn Case Studies May 16
LinkedIn Case Studies May 16
Tristram Dyer
 
Minimizing Risks and Maximizing Success in Government Contracting
Minimizing Risks and Maximizing Success in Government ContractingMinimizing Risks and Maximizing Success in Government Contracting
Minimizing Risks and Maximizing Success in Government Contracting
lruzicka
 
Mekesson Quarterly Reports 2009 2nd
Mekesson Quarterly Reports 2009 2ndMekesson Quarterly Reports 2009 2nd
Mekesson Quarterly Reports 2009 2nd
finance2
 
goldman sachs Restated Certificate of Incorporation
goldman sachs Restated Certificate of Incorporation goldman sachs Restated Certificate of Incorporation
goldman sachs Restated Certificate of Incorporation
finance2
 

Destaque (20)

Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng cóNgôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
Ngôi nhà ven biển vỏn vẹn 47m² nhưng cái gì cũng có
 
GoRiseMe Global Passion
GoRiseMe Global PassionGoRiseMe Global Passion
GoRiseMe Global Passion
 
ZARA: We're Taking it to The Streets
ZARA: We're Taking it to The StreetsZARA: We're Taking it to The Streets
ZARA: We're Taking it to The Streets
 
LinkedIn Case Studies May 16
LinkedIn Case Studies May 16LinkedIn Case Studies May 16
LinkedIn Case Studies May 16
 
беркутова 2502
беркутова 2502беркутова 2502
беркутова 2502
 
Build and Deploy Pipelines, or How I Learned to Stop Worrying and Love Deplo...
Build and Deploy Pipelines, or How I Learned to Stop Worrying and Love Deplo...Build and Deploy Pipelines, or How I Learned to Stop Worrying and Love Deplo...
Build and Deploy Pipelines, or How I Learned to Stop Worrying and Love Deplo...
 
Legal hacks para startups
Legal hacks para startupsLegal hacks para startups
Legal hacks para startups
 
Hot Cinema Program January 2016
Hot Cinema Program January 2016Hot Cinema Program January 2016
Hot Cinema Program January 2016
 
Minimizing Risks and Maximizing Success in Government Contracting
Minimizing Risks and Maximizing Success in Government ContractingMinimizing Risks and Maximizing Success in Government Contracting
Minimizing Risks and Maximizing Success in Government Contracting
 
Исследование корпоративные медиа 2016
Исследование корпоративные медиа 2016Исследование корпоративные медиа 2016
Исследование корпоративные медиа 2016
 
Ppt solat jama dan qosor
Ppt solat jama dan qosorPpt solat jama dan qosor
Ppt solat jama dan qosor
 
Virreinato del peru
Virreinato del peruVirreinato del peru
Virreinato del peru
 
Directing conversation sessions
Directing conversation sessionsDirecting conversation sessions
Directing conversation sessions
 
Delitos informáticos Pesentación
Delitos informáticos Pesentación Delitos informáticos Pesentación
Delitos informáticos Pesentación
 
Xô Crise (organizador: Caio Camargo)
Xô Crise (organizador: Caio Camargo)Xô Crise (organizador: Caio Camargo)
Xô Crise (organizador: Caio Camargo)
 
Projetos - Estudos Preliminares
Projetos - Estudos PreliminaresProjetos - Estudos Preliminares
Projetos - Estudos Preliminares
 
Lesson Plan Senior High School 3
Lesson Plan Senior High School 3Lesson Plan Senior High School 3
Lesson Plan Senior High School 3
 
brief history of stylistics
brief history of stylistics brief history of stylistics
brief history of stylistics
 
Mekesson Quarterly Reports 2009 2nd
Mekesson Quarterly Reports 2009 2ndMekesson Quarterly Reports 2009 2nd
Mekesson Quarterly Reports 2009 2nd
 
goldman sachs Restated Certificate of Incorporation
goldman sachs Restated Certificate of Incorporation goldman sachs Restated Certificate of Incorporation
goldman sachs Restated Certificate of Incorporation
 

Semelhante a SIPCORE - presentation of SIP and DANE (IETF #89)

ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
Deploy360 Programme (Internet Society)
 
ION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLSION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLS
Deploy360 Programme (Internet Society)
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
Deploy360 Programme (Internet Society)
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
Deploy360 Programme (Internet Society)
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
Maarten Smeets
 

Semelhante a SIPCORE - presentation of SIP and DANE (IETF #89) (20)

DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)DANE-based TLS verification in the SIP protocol (v 2)
DANE-based TLS verification in the SIP protocol (v 2)
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
DANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLSDANE and DNSSEC Authentication Chain Extension for TLS
DANE and DNSSEC Authentication Chain Extension for TLS
 
An Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSECAn Introduction to DANE - Securing TLS using DNSSEC
An Introduction to DANE - Securing TLS using DNSSEC
 
RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?RIPE 86: DNSSEC — Yes or No?
RIPE 86: DNSSEC — Yes or No?
 
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
ION Cape Town - DANE: The Future of Transport Layer Security (TLS)
 
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
2nd ICANN APAC-TWNIC Engagement Forum: DNS Oblivion
 
ION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLSION Santiago - DNSSEC and DANE Based Security for TLS
ION Santiago - DNSSEC and DANE Based Security for TLS
 
SIP & TLS - a very brief overview for the POSH BOF at IETF 87
SIP & TLS - a very brief overview for the POSH BOF at IETF 87SIP & TLS - a very brief overview for the POSH BOF at IETF 87
SIP & TLS - a very brief overview for the POSH BOF at IETF 87
 
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan YorkION Tokyo: The Business Case for DNSSEC and DANE, Dan York
ION Tokyo: The Business Case for DNSSEC and DANE, Dan York
 
RIPE 82: DNS Evolution
RIPE 82: DNS EvolutionRIPE 82: DNS Evolution
RIPE 82: DNS Evolution
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
 
Webinar SSL English
Webinar SSL EnglishWebinar SSL English
Webinar SSL English
 
NZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSECNZNOG 2013 - Experiments in DNSSEC
NZNOG 2013 - Experiments in DNSSEC
 
ION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLSION Sri Lanka - DANE: The Future of TLS
ION Sri Lanka - DANE: The Future of TLS
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape TownDANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
DANE/DNSSEC/TLS Testing in the go6Lab - ION Cape Town
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
 
All you need to know about transport layer security
All you need to know about transport layer securityAll you need to know about transport layer security
All you need to know about transport layer security
 
DNS based Authentication of Named Entities (DANE)
DNS based Authentication of Named Entities (DANE)DNS based Authentication of Named Entities (DANE)
DNS based Authentication of Named Entities (DANE)
 

Mais de Olle E Johansson

Mais de Olle E Johansson (20)

Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)Cybernode.se: Securing the software supply chain (CRA)
Cybernode.se: Securing the software supply chain (CRA)
 
CRA - overview of vulnerability handling
CRA - overview of vulnerability handlingCRA - overview of vulnerability handling
CRA - overview of vulnerability handling
 
Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)Introduction to the proposed EU cyber resilience act (CRA)
Introduction to the proposed EU cyber resilience act (CRA)
 
The birth and death of PSTN
The birth and death of PSTNThe birth and death of PSTN
The birth and death of PSTN
 
WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019WebRTC and Janus intro for FOSS Stockholm January 2019
WebRTC and Janus intro for FOSS Stockholm January 2019
 
Webrtc overview
Webrtc overviewWebrtc overview
Webrtc overview
 
Realtime communication over a dual stack network
Realtime communication over a dual stack networkRealtime communication over a dual stack network
Realtime communication over a dual stack network
 
The Realtime Story - part 2
The Realtime Story - part 2The Realtime Story - part 2
The Realtime Story - part 2
 
Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016Sip2016 - a talk at VOIP2DAY 2016
Sip2016 - a talk at VOIP2DAY 2016
 
Sips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocolSips must die, die, die - about TLS usage in the SIP protocol
Sips must die, die, die - about TLS usage in the SIP protocol
 
SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)SIP :: Half outbound (random notes)
SIP :: Half outbound (random notes)
 
SIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer worldSIP & TLS - Security in a peer to peer world
SIP & TLS - Security in a peer to peer world
 
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
Tio tester av TLS - Transport Layer Security (TLS-O-MATIC.COM)
 
Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.Why is Kamailio so different? An introduction.
Why is Kamailio so different? An introduction.
 
RFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the timeRFC 7435 - Opportunistic security - Some protection most of the time
RFC 7435 - Opportunistic security - Some protection most of the time
 
TCP/IP geeks Stockholm :: Manifesto
TCP/IP geeks Stockholm :: ManifestoTCP/IP geeks Stockholm :: Manifesto
TCP/IP geeks Stockholm :: Manifesto
 
#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2#Morecrypto (with tis) - version 2.2
#Morecrypto (with tis) - version 2.2
 
WebRTC - a quick introduction
WebRTC - a quick introductionWebRTC - a quick introduction
WebRTC - a quick introduction
 
Reboot the Open Realtime Revolution - #MoreCrypto (Fall 2014)
Reboot the Open Realtime Revolution - #MoreCrypto (Fall 2014)Reboot the Open Realtime Revolution - #MoreCrypto (Fall 2014)
Reboot the Open Realtime Revolution - #MoreCrypto (Fall 2014)
 
#Morecrypto 1.8 - with introduction to TLS
#Morecrypto 1.8 - with introduction to TLS#Morecrypto 1.8 - with introduction to TLS
#Morecrypto 1.8 - with introduction to TLS
 

Último

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
Puma Security, LLC
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 

Último (20)

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

SIPCORE - presentation of SIP and DANE (IETF #89)

  • 1. SIP and DNS-sec based TLS setup (DANE) random thoughts by oej@edvina.net
 Olle E. Johansson ! V 3.14 - 2014-02-27 IETF 89, London, March 2014 1
  • 2. Today’s question • SIP DANE Do we want to add this work to our charter? 2 Olle E. Johansson
  • 3. SIP TLS • SIP uri target domain is verified against SubjectAltName uri records • if no SAN uri records, SAN DNS records • If no SAN records, CN • But no CN check if there are SAN records! RFC 5922 SIP DANE 3 Olle E. Johansson
  • 4. Dependencies DNS TLS SIP SIP domain certificates DNSsec DANE SIP + DANE To trust DANE
 you need to trust DNSsec SIP DANE 4
  • 5. Dane simplified DNS zone
 signed, trusted TLS server
 stockholm.example.com Certificate
 identifier TLS client SIP DANE 5
  • 6. Questions TLS server
 stockholm.example.com Is the certificate
 signer (CA) the right one? Do I trust this certificate? Am I talking with the 
 right server? TLS client SIP DANE 6
  • 7. DANE simplified TLS server
 My service use this CA DNS zone
 signed, trusted stockholm.example.com My service use this certificate TLS client SIP DANE My service use the private
 key that match this public key 7 Certificate
 identifier
  • 8. Dane summary • • • SIP DANE Can publish constraints • • This CA is the only one accepted This certificate is the only one accepted Can publish root of private CA • This CA cert is the one used to sign my server certificates Can publish certificates In all cases, a full cert or the public key can be published - or fingerprints of these. 8 Olle E. Johansson
  • 9. TLSA selector and matching Selector • 0 - Full certificate included in TLSA • 1 - Public key included in TLSA Matching • 0 = Exact match • 1 = the data is SHA-256 hash of content • 2 = the data is SHA-512 hash of content SIP DANE 9 Olle E. Johansson
  • 10. TLSA records • Usage 0: CA constraint. Certificate or public key of CA • Usage 1: Certificate constraint. Certificate or public key of cert signed by CA. • Usage 2. Certificate or public key of cert serving as trust anchor for the cert given by the server (”private CA”) • Usage 3: A certificate or public key that matches the cert given by the server (No PKIX check) SIP DANE 10 Olle E. Johansson
  • 11. DANE simplified DNS zone
 signed, trusted TLS server
 stockholm.example.com 2.Verify the TLS server cert
 in handshake with TLSA record. TLS client SIP DANE 1. Check the TLSA record for service 11 Certificate
 identifier
  • 12. The DANE promise • If you trust the DNS (using DNSsec)
 then we can use that instead of the certificate store to check server identity and authorisation. SIP DANE 12 Olle E. Johansson
  • 13. Back to SIP SIP DANE 13
  • 14. SIP DOMAIN CERTS • Connect a SIP URI domain part with a certificate • Mix server identification with domain authorisation • Only domains in the certificates • New certificate every time we add a domain or subdomain • No wildcard certs SIP DANE 14 Olle E. Johansson
  • 15. What about SNI • Many certificates on one TLS server and IP. • No support for DNS names • ONLY host names. SIP DANE 15 Olle E. Johansson
  • 16. SIP sip:alice@example.com example.com NAPTR We just trust that we’ve hit
 the right server if the cert
 contains the domain. example.net SRV host sip02.example.org Cert with “example.com” SIP DANE 16 Olle E. Johansson
  • 17. DANE Secure delegation sip:alice@example.com if the DNS queries for NAPTR and SRV records was verified and protected with DNSsec, we have a secure delegation from example.com to sip02.example.org Protected by DNSsec example.com NAPTR example.net SRV host sip02.example.org Cert with “sip02.example.org” SIP DANE 17 Olle E. Johansson
  • 18. Not fully secure is insecure • If the NAPTR was DNSsec protected but not the SRV, we have no secure delegation. • If there’s no DNSsec in either NAPTR nor SRV we’re insecure too. • The SIP Uri to TLS certificate matching in RFC 5922 applies in this case SIP DANE 18 Olle E. Johansson
  • 19. If we have a secure delegation • Check for TLSA record for the srv host name and port • _5068._udp.sip02.example.org • If no TLSA record is found, then DANE doesn’t apply - proceed according to RFC 5922 • If TLSA record exists, continue to the next slide SIP DANE 19 Olle E. Johansson
  • 20. Our identifiers • The SIP domain in the request URI • Used in insecure delegation • The SRV FQDN from SRV lookup of the domain (protected with DNSsec) • Used in secure delegation as well as with TLSA record verification SIP DANE 20 Olle E. Johansson
  • 21. Validation • With TLSA usage 0 and 1, use these constraints then verify cert as before • With TLSA usage 2 and 3, use the information to validate cert • • SIP DANE If either TLSA validation fails, connection should fail. With usage 0 and 1, after TLSA validation normal PKIX validation happens.
 21 Olle E. Johansson
  • 22. Sideways jumps • When a NAPTR or SRV record points to a name in another domain, the client needs to make sure that the new domain is validated in DNSsec as well. • If not, delegation is insecure SIP DANE 22 Olle E. Johansson
  • 23. SIP Fallback logic • If there’s no secure delegation, use RFC 5922, if that fails go to next SRV server in the list • When out of SRV servers, TLS connection has failed. SIP DANE 23 Olle E. Johansson
  • 24. Compatibility with nonSRV clients • Fallback to RFC 5922 • Since dane-srv-02 requires TLS SNI this will be sorted out by the server. • SRV/DANE compatible UAs will require cert for SRV host name • Non SRV/DANE UAs will require cert with SIP uri target domain SIP DANE 24 Olle E. Johansson
  • 25. If no SNI support is available • Cert with • CommonName = hostname • SubjectAltName = SIP domain SIP DANE 25 Olle E. Johansson
  • 26. SIP connection reuse • RFC 5923 use TLS cert content to add aliases to a connection. • With DANE, the cert will include only the hostname • SIP/DANE will have to add aliases as they are verified using DNSsec • If a domain share a SRV hostname and the trust chain is verified between domain and SRV, the existing connection to the SRV host may be used for this domain too (and alias added to the alias table)
 SIP DANE 26 Olle E. Johansson
  • 27. Verification of client certificates in RFC 5923 • Connection reuse requires a SIP server using RFC 5923 to request a client certificate • Which DNS name do we use to look up TLSA records and verify the client? Can this be done? SIP DANE 27 Olle E. Johansson
  • 28. Not to worry about now • SIP identity • SIMPLE • SIPS: uri’s For these use cases,
 there’s no difference compared with other TLS usage in SIP. SIP DANE 28 Olle E. Johansson
  • 29. Reading material RFC 5922 SIP Domain Certificates RFC 6698 draft-ietf-dane-srv DNS based authentication of named entities (DANE) DANE and SRV/MX records draft-ietf-dane-smime DANE and SMIME identities draft-ogud-dane-vocabulary DANE vocabulary for application usages RFC 5923 Connection Reuse in SIP draft-johansson-dispatch-dane-sip-01 The draft on SIP and DANE SIP DANE 29 Olle E. Johansson