Internet Engineering Task Force                         Bryan J. Byerly
Internet Draft                                             David Daiker
draft-byerly-sip-hide-route-00.txt                 Shailandra Bhatnagar
October, 2000                                             Cisco Systems
Expires: March, 2001
                                                      




                    SIP Record-Route/Route Hiding

Status of this Memo

  This document is an Internet-Draft and is in full conformance with
  all provisions of Section 10 of RFC2026.

  Internet-Drafts are working documents of the Internet Engineering
  Task Force (IETF), its areas, and its working groups. Note that
  other groups may also distribute working documents as Internet-
  Drafts.

  Internet-Drafts are draft documents valid for a maximum of six 
  months and may be updated, replaced, or obsoleted by other documents 
  at any time. It is inappropriate to use Internet-Drafts as 
  reference material or to cite them other than as "work in progress."

  The list of current Internet-Drafts can be accessed at
  http://www.ietf.org/ietf/lid-abstracts.txt.

  The list of Internet-Draft Shadow Directories can be accessed at
  http://www.ietf.org/shadow.html.

Abstract

  This document describes a proposed extension to SIP.
  It proposes a mechanism to encrypt/hide Record-Route and
  Route entries in order to support confidentiality of SIP proxy
  routing information.  The functionality of the Record-Route and
  Route headers is preserved.

  The introduction of this extension allows a set of
  trusted SIP proxies to cooperatively hide the route that
  SIP PDUs transit from untrusted proxies and user agents.






Byerly/Daiker/Bhatnagar     draft-byerly-sip-hide-route-00.txt    Page 1

Internet Draft      SIP Record-Route/Route Hiding           October 2000

1 Introduction

  Some ISPs value the ability to limit topology knowledge that
  untrusted users can glean from network traffic transiting
  the ISP's borders.

  One example of this is configuration of ISP routers to not respond
  to traceroute ICMP queries.  Another example is usage of the
  SIP Via header hiding.

  Although the SIP RFC (RFC2543) specifies Via hiding/encryption
  as a mechanism to prevent leakage of layer 5 routing information
  from Via headers, it does not address routing information leaked
  through Record-Route and Route headers.

  This draft proposes a SIP extension which preserves the
  functionality of Route and Record-Route headers but prevents
  leakage of routing information through those headers.

  The main difference between Via hiding and Record-Route/Route
  hiding is the directionality in which hiding needs to occur.
  Via header hiding/encryption is needed only unidirectionally
  (from caller to called party).  Record-Route/Route header
  hiding is needed bi-directionally.

  The approach proposed for Record-Route/Route header hiding
  is the same approach taken for Via header hiding:
  Each proxy protects its previous hop.



2 Mechanics of Record-Route/Route header hiding

2.1 Message flow of Record-Route/Route without Record-Route/Route hiding

    The diagram below illustrates the normal message flow when proxies
    P1, P2, and P3 add themselves to the Record-Route header.

    UAC      P1       P2       P3       UAS
    |        |        |        |        |
    |--REQ-->|        |        |        |
    |        |        |        |        |
    |        |--REQ-->|        |        |
    |        |  Record-Route: P1        |
    |        |        |        |        |
    |        |        |--REQ-->|        |
    |        |        |  Record-Route: P2, P1
    |        |        |        |        |
    |        |        |        |--REQ-->|
    |        |        |        |  Record-Route: P3, P2, P1
    |        |        |        |        |
    |        |        |        |<-RSP---|
    |        |        |        |  Record-Route: P3, P2, P1
    |        |        |        |  Contact: UAS
    |        |        |        |        |
    |        |        |<-RSP---|        |
    |        |        |  Record-Route: P3, P2, P1
    |        |        |  Contact: UAS
    |        |        |        |        |
    |        |<-RSP---|        |        |
    |        |  Record-Route: P3, P2, P1
    |        |  Contact: UAS   |        |
    |        |        |        |        |
    |<-RSP---|        |        |        |
    | Record-Route: P3, P2, P1 |        |
    | Contact: UAS    |        |        |
    |        |        |        |        |
    |--REQ-->|        |        |        |
    |  Route: P2, P3, UAS      |        |
    |        |        |        |        |
    |        |--REQ-->|        |        |
    |        |  Route: P3, UAS |        |
    |        |        |        |        |
    |        |        |--REQ-->|        |
    |        |        |  Route: UAS     |
    |        |        |        |        |
    |        |        |        |--REQ-->|
    |        |        |        |        |



2.2 Algorithm for Record-Route header hiding:

    The approach used to encrypt Record-Route and Route headers is
    the same approach used to encrypt Via headers:
    Each proxy protects its previous hop.

    In the following logic "right" and "left" refer to the order
    of entries in a catenated header. For example, in:

    Record-Route: <sip:p1.cisco.com>, <sip:p2.cisco.com>, <sip:p3.cisco.com>

    <sip:p1.cisco.com> is to the left of <sip:p2.cisco.com>.
    <sip:p3.cisco.com> is to the right of <sip:p2.cisco.com>.

2.2.1 Request handling logic:

      Here's the proxy logic to implement on a request PDU:

      /* Record-Route header logic */
      if (this proxy is introducing itself into the Record-Route header) {
          if (a Record-Route entry already exists) {
              Using your secret key, encrypt and replace the
                left-most entry.
          }
          Add your FQDN to the beginning of the Record-Route header
      }

      /* Route header logic */
      if (topmost Route entry is marked "hidden") {
          Remove the topmost entry of the Route header.

          Using your secret key, decrypt this entry and
            route this PDU to it.
      }


2.2.2 Record-Route response logic:

      Here's the proxy logic to implement on a response PDU:
      
      /* Record-Route header logic */
      if (your plain-text FQDN is present in the Record-Route header) {
          if (a Record-Route entry exists to left) {
              Using your secret key, encrypt and replace the
                left entry.
          }

          if ((a Record-Route entry exists to right) &&
              (the entry is marked "hidden")) {
              Using your secret key, decrypt and replace the
                right entry.
          }
      }


2.3 Reusing Hide header

    The Hide: [hop/route] header usage is extended to apply to
    Record-Route and Route headers (as well as Via headers).

    The Hide: [hop/route] header usage is extended to be
    bi-directional.  (i.e. The Hide header may be present in
    requests and/or responses).

    See [RFC2543, Section 6.23 Hide] for more information on Hide
    header.

    A client or proxy requesting "Hide: hop/route" can only rely on
    keeping the path private if it sends the request to a trusted proxy.

    Hidden Record-Route and Route headers reuse the Via header "hidden"
    option as described in [RFC2543, Section 6.44].

2.4 Design tradeoffs/considerations

    There is an advantage gained by encrypting the Record-Route/Route
    information instead of simply hiding the information in proxy
    control blocks.  Storing the route information in a proxy would
    require the proxy to maintain long-duration state.  Pushing the
    route state to the endpoints allows the proxy to remain stateless.

    The disadvantage to encryption is that it requires more processing
    in SIP proxies and therefore impacts signalling latency.
    This results in increased call setup times.

    When a proxy encrypts headers such as Via, State, and
    Record-Route/Route, the proxy is encrypting information
    for its own future use.  In such cases, a key private to
    that proxy suffices (i.e., no key exchange operations are needed).



2.5 Message flow using encrypted Record-Route/Route

    The diagram below illustrates the message flow when proxies
    P1, P2, and P3 add themselves to the Record-Route header using
    encrypted Record-Route/Route headers.

    In the message flow below, K1 represents proxy 1's secret key,
    K2 represents proxy 2's secret key, and K3 represents proxy 3's
    secret key.  The E(X, Kn) syntax indicates the encrypted form
    of X using key n.  REQ indicates a SIP request message (such
    as INVITE or ACK).  RSP indicates a SIP response message
    (such as 200).

    UAC      P1       P2       P3       UAS
    |        |        |        |        |
    |--REQ-->|        |        |        |
    |        |        |        |        |
    |        |--REQ-->|        |        |
    |        |  Record-Route: P1        |
    |        |  Hide: hop      |        |
    |        |        |        |        |
    |        |        |--REQ-->|        |
    |        |        |  Record-Route: P2, E(P1,K2)
    |        |        |  Hide: hop      |
    |        |        |        |        |
    |        |        |        |--REQ-->|
    |        |        |        |  Record-Route: P3, E(P2,K3), E(P1,K2)
    |        |        |        |  Hide: hop
    |        |        |        |        |
    |        |        |        |<-RSP---|
    |        |        |        |  Record-Route: P3, E(P2,K3), E(P1,K2)
    |        |        |        |  Contact: UAS
    |        |        |        |        |
    |        |        |<-RSP---|        |
    |        |        |  Record-Route: P3, P2, E(P1,K2)
    |        |        |  Contact: UAS   |
    |        |        |  Hide: hop      |
    |        |        |        |        |
    |        |<-RSP---|        |        |
    |        |  Record-Route: E(P3,K2), P2, P1
    |        |  Contact: UAS   |        |
    |        |  Hide: hop      |        |
    |        |        |        |        |
    |<-RSP---|        |        |        |
    | Record-Route: E(P3,K2), E(P2,K1), P1
    | Contact: UAS    |        |        |
    | Hide: hop       |        |        |
    |        |        |        |        |
    |--REQ-->|        |        |        |
    |  Route: E(P2,K1), E(P3,K2), UAS   |
    |        |        |        |        |
    |        |--REQ-->|        |        |
    |        |  Route: E(P3,K2), UAS    |
    |        |        |        |        |
    |        |        |--REQ-->|        |
    |        |        |  Route: UAS     |
    |        |        |        |        |
    |        |        |        |--REQ-->|
    |        |        |        |        |
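
    The following added example (not part of the original draft)
    simulates the logic of sections 2.2.1 and 2.2.2 and the flow above
    for three proxies.  The draft names no cipher or encoding, so
    hide() and reveal() are an assumed stand-in built from HMAC-SHA256
    (encrypt-then-MAC, base64 output); the class and function names
    are illustrative as well.

```python
import base64, hashlib, hmac, os

HIDDEN = ";hidden"  # marker reused from the Via "hidden" option (section 2.3)

def _mac(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Keystream = HMAC-SHA256 in counter mode: assumed stdlib stand-in, not a vetted cipher.
    ks = b"".join(_mac(key, b"enc", nonce + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def hide(entry, key):
    """E(entry, key): encrypt-then-MAC so a modified entry is rejected, not routed."""
    nonce = os.urandom(12)
    ct = _xor(key, nonce, entry.encode())
    tag = _mac(key, b"mac", nonce + ct)[:16]
    return base64.urlsafe_b64encode(nonce + ct + tag).decode() + HIDDEN

def reveal(entry, key):
    raw = base64.urlsafe_b64decode(entry[:-len(HIDDEN)])
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    if not hmac.compare_digest(tag, _mac(key, b"mac", nonce + ct)[:16]):
        raise ValueError("hidden entry was not produced with this proxy's key")
    return _xor(key, nonce, ct).decode()

class Proxy:
    def __init__(self, uri):
        self.uri = uri
        self.key = os.urandom(32)  # secret kept by this proxy only (section 2.4)

    def request_record_route(self, rr):
        """2.2.1: hide the left-most (previous-hop) entry, then prepend ourselves."""
        rr = list(rr)
        if rr:
            rr[0] = hide(rr[0], self.key)
        return [self.uri] + rr

    def response_record_route(self, rr):
        """2.2.2: hide the entry to our left, reveal a hidden entry to our right."""
        rr = list(rr)
        if self.uri in rr:
            i = rr.index(self.uri)
            if i > 0:
                rr[i - 1] = hide(rr[i - 1], self.key)
            if i + 1 < len(rr) and rr[i + 1].endswith(HIDDEN):
                rr[i + 1] = reveal(rr[i + 1], self.key)
        return rr

    def request_route(self, route):
        """2.2.1: remove the topmost Route entry; decrypt it if marked hidden."""
        top, rest = route[0], list(route[1:])
        return (reveal(top, self.key) if top.endswith(HIDDEN) else top), rest

def simulate():
    p1, p2, p3 = (Proxy(f"sip:bob@p{n}.isp.com;maddr=p{n}.isp.com") for n in (1, 2, 3))
    contact = "sip:bob-pc.isp.com"
    rr = []
    for p in (p1, p2, p3):                  # request travels UAC -> UAS
        rr = p.request_record_route(rr)
    seen_by_uas = list(rr)
    for p in (p3, p2, p1):                  # response travels UAS -> UAC
        rr = p.response_record_route(rr)
    seen_by_uac = list(rr)
    # UAC builds Route: reversed Record-Route plus Contact; the first entry is its next hop.
    route = rr[::-1] + [contact]
    hops, route = [route[0]], route[1:]
    by_uri = {p.uri: p for p in (p1, p2, p3)}
    while route:                            # follow-up request follows the Route header
        nxt, route = by_uri[hops[-1]].request_route(route)
        hops.append(nxt)
    return seen_by_uas, seen_by_uac, hops
```

    simulate() returns the Record-Route seen by the UAS, the
    Record-Route seen by the UAC, and the hops taken by the follow-up
    request; each endpoint sees only its adjacent proxy in the clear.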


3 Security Considerations

  Security issues are the primary topic of this RFC.

  This document proposes an extension to SIP to prevent leakage
  of layer 5 routing information to untrusted proxies and user
  agents through Record-Route and Route headers. 

  The use of Record-Route/Route and Via header hiding is discouraged
  unless path privacy is truly needed; Hide fields impose extra
  processing costs and restrictions for proxies.



4 Further Examples

  Only the relevant headers have been included in the following 
  examples.

4.1 Standard INVITE/200/ACK sequence using Record-Route/Route and
    Via header hiding

    In this example, proxies P1, P2, and P3 are all configured
    to request Hide: hop.

UAC        P1          P2          P3          UAS
|          |           |           |           | 
|--[1]INV->|           |           |           |
|          |           |           |           |
|          |--[2]INV-->|           |           |
|          |  Record-Route: P1     |           |
|          |  Hide: hop            |           |
|          |           |           |           |
|          |           |--[3]INV-->|           |
|          |           |  Record-Route: P2, E(P1,K2)
|          |           |  Hide: hop            |
|          |           |           |           |
|          |           |           |--[4]INV-->|
|          |           |           |  Record-Route: P3, E(P2,K3),
|          |           |           |           |    E(P1,K2)
|          |           |           |  Hide: hop
|          |           |           |           |
|          |           |           |<-[5]200---|
|          |           |           |  Record-Route: P3, E(P2,K3),
|          |           |           |           |    E(P1,K2)
|          |           |           |  Contact: UAS
|          |           |           |           |
|          |           |<-[6]200---|           |
|          |           |  Record-Route: P3, P2, E(P1,K2)
|          |           |  Contact: UAS         |
|          |           |  Hide: hop            |
|          |           |           |           |
|          |<-[7]200---|           |           |
|          |  Record-Route: E(P3,K2), P2, P1   |
|          |  Contact: UAS         |           |
|          |  Hide: hop            |           |
|          |           |           |           |
|<-[8]200--|           |           |           |
| Record-Route: E(P3,K2), E(P2,K1), P1         |
| Contact: UAS         |           |           |
| Hide: hop            |           |           |
|          |           |           |           |
|--[9]ACK->|           |           |           |
|  Route: E(P2,K1), E(P3,K2), UAS  |           |
|          |           |           |           |
|          |--[10]ACK->|           |           |
|          |  Route: E(P3,K2), UAS |           |
|          |           |           |           |
|          |           |--[11]ACK->|           |
|          |           |  Route: UAS           |
|          |           |           |           |
|          |           |           |--[12]ACK->|
|          |           |           |           |
|          |           |           |           |


     [1] SIP UAC to SIP proxy server 1:

          INVITE sip:bob@p1.isp.com SIP/2.0
          Via: SIP/2.0/UDP alice-pc.isp.com
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 INVITE
          Content-Type: application/sdp

     [2] SIP proxy server 1 to SIP proxy server 2:

          INVITE sip:bob@p2.isp.com SIP/2.0
          Via: SIP/2.0/UDP p1.isp.com
          Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
          Record-Route: <sip:bob@p1.isp.com;maddr=p1.isp.com>
          Hide: hop
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 INVITE
          Content-Type: application/sdp

     [3] SIP proxy server 2 to SIP proxy server 3:

          INVITE sip:bob@p3.isp.com SIP/2.0
          Via: SIP/2.0/UDP p2.isp.com
          Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
          Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
          Record-Route: <sip:bob@p2.isp.com;maddr=p2.isp.com>,
                        <sip:E(bob@p1.isp.com;maddr=p1.isp.com, K2)>;hidden
          Hide: hop
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 INVITE
          Content-Type: application/sdp


     [4] SIP proxy server 3 to UAS:

          INVITE sip:bob@bob-pc.isp.com SIP/2.0
          Via: SIP/2.0/UDP p3.isp.com
          Via: E(SIP/2.0/UDP p2.isp.com, K3);hidden
          Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
          Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
          Record-Route: <sip:bob@p3.isp.com;maddr=p3.isp.com>,
                        <sip:E(bob@p2.isp.com;maddr=p2.isp.com, K3)>;hidden,
                        <sip:E(bob@p1.isp.com;maddr=p1.isp.com, K2)>;hidden
          Hide: hop
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 INVITE
          Content-Type: application/sdp

     [5] UAS to SIP proxy server 3:

          SIP/2.0 200 OK
          Via: SIP/2.0/UDP p3.isp.com
          Via: E(SIP/2.0/UDP p2.isp.com, K3);hidden
          Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
          Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
          Record-Route: <sip:bob@p3.isp.com;maddr=p3.isp.com>,
                        <sip:E(bob@p2.isp.com;maddr=p2.isp.com, K3)>;hidden,
                        <sip:E(bob@p1.isp.com;maddr=p1.isp.com, K2)>;hidden
          Contact: bob-pc.isp.com
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 INVITE
          Content-Type: application/sdp

     [6] SIP proxy server 3 to SIP proxy server 2:

          SIP/2.0 200 OK
          Via: SIP/2.0/UDP p2.isp.com
          Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
          Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
          Record-Route: <sip:bob@p3.isp.com;maddr=p3.isp.com>,
                        <sip:bob@p2.isp.com;maddr=p2.isp.com>,
                        <sip:E(bob@p1.isp.com;maddr=p1.isp.com, K2)>;hidden
          Contact: bob-pc.isp.com
          Hide: hop
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 INVITE
          Content-Type: application/sdp


     [7] SIP proxy server 2 to SIP proxy server 1:

          SIP/2.0 200 OK
          Via: SIP/2.0/UDP p1.isp.com
          Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
          Record-Route: <sip:E(bob@p3.isp.com;maddr=p3.isp.com, K2)>;hidden,
                        <sip:bob@p2.isp.com;maddr=p2.isp.com>,
                        <sip:bob@p1.isp.com;maddr=p1.isp.com>
          Contact: bob-pc.isp.com
          Hide: hop
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 INVITE
          Content-Type: application/sdp

     [8] SIP proxy server 1 to UAC:

          SIP/2.0 200 OK
          Via: SIP/2.0/UDP alice-pc.isp.com
          Record-Route: <sip:E(bob@p3.isp.com;maddr=p3.isp.com, K2)>;hidden,
                        <sip:E(bob@p2.isp.com;maddr=p2.isp.com, K1)>;hidden,
                        <sip:bob@p1.isp.com;maddr=p1.isp.com>
          Contact: bob-pc.isp.com
          Hide: hop
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 INVITE
          Content-Type: application/sdp

     [9] SIP UAC to SIP proxy server 1:

          ACK sip:p1.isp.com SIP/2.0
          Via: SIP/2.0/UDP alice-pc.isp.com
          Route: <sip:E(bob@p2.isp.com;maddr=p2.isp.com, K1)>;hidden,
                 <sip:E(bob@p3.isp.com;maddr=p3.isp.com, K2)>;hidden,
                 <sip:bob-pc.isp.com>
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 ACK
          Content-Type: application/sdp



     [10] SIP proxy server 1 to SIP proxy server 2:

          ACK sip:p2.isp.com SIP/2.0
          Via: SIP/2.0/UDP p1.isp.com
          Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
          Route: <sip:E(bob@p3.isp.com;maddr=p3.isp.com, K2)>;hidden,
                 <sip:bob-pc.isp.com>
          Hide: hop
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 ACK
          Content-Type: application/sdp

     [11] SIP proxy server 2 to SIP proxy server 3:

          ACK sip:p3.isp.com SIP/2.0
          Via: SIP/2.0/UDP p2.isp.com
          Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
          Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
          Route: <sip:bob-pc.isp.com>
          Hide: hop
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 ACK
          Content-Type: application/sdp

     [12] SIP proxy server 3 to UAS:

          ACK sip:bob-pc.isp.com SIP/2.0
          Via: SIP/2.0/UDP p3.isp.com
          Via: E(SIP/2.0/UDP p2.isp.com, K3);hidden
          Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
          Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
          Hide: hop
          From: sip:alice@isp.com
          To: sip:bob@isp.com
          Call-ID: 12345600@alice-pc.isp.com
          CSeq: 1 ACK
          Content-Type: application/sdp



     Outstanding issues/questions:
     1) We are re-using the Hide: header to imply that
        Via headers AND Record-Route/Route headers should be
        hidden by proxies.
        Is this ok?  Alternatively, another header (Hide-Route:)
        could be used.

        This draft redefines the Hide: header to mean that both
        Via headers AND Record-Route/Route headers should be hidden.

     2) Can/should we use the State: header to store entries for
        Record-Route/Route?
        NOTES:
        - The State header itself leaks routing information
          unless each proxy encrypts all previously added
          State headers.

     3) Can we do simple hiding of Record-Route/Route entries?
        NOTES:
        -  This would appear to cause a proxy to maintain
           long-term route state.

6 Acknowledgements

   We would like to thank David Williams, Nilesh Trivedi,
   and JC Ferguson of Cisco Systems for their insights, inputs,
   and comments.

7 References

[SIP]  Handley, M., H. Schulzrinne, E. Schooler, and J. Rosenberg.
       "SIP: Session Initiation Protocol", RFC 2543, March 1999.

[SIP-ID] Handley, Schulzrinne, Schooler, Rosenberg.
         "SIP: Session Initiation Protocol",
         draft-ietf-sip-rfc2543bis-00.ps, July 13, 2000.

[SIP-STATE] Marshall, W. et al. "SIP Extensions for supporting
            Distributed Call State", draft-dcsgroup-sip-state-01.txt,
            March 2000.

[REQ]  Bradner, S., "Key words for use in RFCs to Indicate Requirement 
       Levels," RFC-2119, March 1997.





Authors' Addresses

   Bryan J. Byerly
   Cisco Systems
   7025 Kit Creek Road
   P.O. Box 14987
   Research Triangle Park, NC 27709
   USA
   Email: byerly@cisco.com

   David Daiker
   Cisco Systems
   7025 Kit Creek Road
   P.O. Box 14987
   Research Triangle Park, NC 27709
   USA
   Email: ddaiker@cisco.com

   Shailandra Bhatnagar
   Cisco Systems
   7025 Kit Creek Road
   P.O. Box 14987
   Research Triangle Park, NC 27709
   USA
   Email: shbhatna@cisco.com