Internet Engineering Task Force                          Bryan J. Byerly
Internet Draft                                              David Daiker
draft-byerly-sip-hide-route-00.txt                  Shailandra Bhatnagar
October, 2000                                              Cisco Systems
Expires: March, 2001


                     SIP Record-Route/Route Hiding


Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/lid-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   This document describes a proposed extension to SIP.  This document
   proposes a mechanism to encrypt/hide Record-Route and Route entries
   in order to support confidentiality of SIP proxy routing
   information.  The functionality of the Record-Route and Route
   headers is preserved.

   The introduction of this extension allows a set of trusted SIP
   proxies to cooperatively hide the route that SIP PDUs transit from
   untrusted proxies and user agents.

Byerly/Daiker/Bhatnagar  draft-byerly-sip-hide-route-00.txt       Page 1
Internet Draft        SIP Record-Route/Route Hiding         October 2000

1 Introduction

   Some ISPs value the ability to limit the topology knowledge that
   untrusted users can glean from network traffic transiting the ISP's
   borders.  One example of this is configuration of ISP routers to not
   respond to traceroute ICMP queries.  Another example is the use of
   SIP Via header hiding.

   Although the SIP RFC (RFC2543) specifies Via hiding/encryption as a
   mechanism to prevent leakage of layer 5 routing information from Via
   headers, it does not address routing information leaked through
   Record-Route and Route headers.

   This draft proposes a SIP extension which preserves the
   functionality of Route and Record-Route headers but prevents leakage
   of routing information through those headers.

   The main difference between Via hiding and Record-Route/Route hiding
   is the directionality in which hiding needs to occur.  Via header
   hiding/encryption is needed only unidirectionally (from caller to
   called party).  Record-Route/Route header hiding is needed
   bi-directionally.

   The approach proposed for Record-Route/Route header hiding is the
   same approach taken for Via header hiding: Each proxy protects its
   previous hop.

2 Mechanics of Record-Route/Route header hiding

2.1 Message flow of Record-Route/Route without Record-Route/Route hiding

   The diagram below illustrates the normal message flow when proxies
   P1, P2, and P3 add themselves to the Record-Route header.

   UAC      P1       P2       P3      UAS
    |        |        |        |        |
    |--REQ-->|        |        |        |
    |        |        |        |        |
    |        |--REQ-->|        |        |
    |        | Record-Route: P1         |
    |        |        |        |        |
    |        |        |--REQ-->|        |
    |        |        | Record-Route: P2, P1
    |        |        |        |        |
    |        |        |        |--REQ-->|
    |        |        |        | Record-Route: P3, P2, P1
    |        |        |        |        |
    |        |        |        |<-RSP---|
    |        |        |        | Record-Route: P3, P2, P1
    |        |        |        | Contact: UAS
    |        |        |        |        |
    |        |        |<-RSP---|        |
    |        |        | Record-Route: P3, P2, P1
    |        |        | Contact: UAS
    |        |        |        |        |
    |        |<-RSP---|        |        |
    |        | Record-Route: P3, P2, P1
    |        | Contact: UAS    |        |
    |        |        |        |        |
    |<-RSP---|        |        |        |
    | Record-Route: P3, P2, P1 |        |
    | Contact: UAS    |        |        |
    |        |        |        |        |
    |--REQ-->|        |        |        |
    | Route: P2, P3, UAS       |        |
    |        |        |        |        |
    |        |--REQ-->|        |        |
    |        | Route: P3, UAS  |        |
    |        |        |        |        |
    |        |        |--REQ-->|        |
    |        |        | Route: UAS      |
    |        |        |        |        |
    |        |        |        |--REQ-->|
    |        |        |        |        |

2.2 Algorithm for Record-Route header hiding:

   The approach used to encrypt Record-Route and Route headers is the
   same approach used to encrypt Via headers: Each proxy protects its
   previous hop.

   In the following logic "right" and "left" refer to the order of
   entries in a catenated header.  For example, in: Record-Route: , ,
   is to the left of . is to the right of .

2.2.1 Request handling logic:

   Here's the proxy logic to implement on a request PDU:

   /* Record-Route header logic */
   if (this proxy is introducing himself into Record-Route header) {
      if (a Record-Route entry already exists) {
         Using your secret key, encrypt and replace the left-most
         entry.
      }
      Add your FQDN to the beginning of the Record-Route header
   }

   /* Route header logic */
   if (topmost Route entry is marked "hidden") {
      Remove the topmost entry of the Route header.
      Using your secret key, decrypt this entry and route this PDU
      to it.
   }

2.2.2 Record-Route response logic:

   Here's the proxy logic to implement on a response PDU:

   /* Record-Route header logic */
   if (your plain-text FQDN is present in the Record-Route header) {
      if (a Record-Route entry exists to left) {
         Using your secret key, encrypt and replace the left entry.
      }
      if ((a Record-Route entry exists to right) &&
          (the entry is marked "hidden")) {
         Using your secret key, decrypt and replace the right entry.
      }
   }

2.3 Reusing Hide header

   The Hide: [hop/route] header usage is extended to apply to
   Record-Route and Route headers (as well as Via headers).

   The Hide: [hop/route] header usage is extended to be bi-directional.
   (i.e. The Hide header may be present in requests and/or responses).

   See [RFC2543, Section 6.23 Hide] for more information on Hide header.

   A client or proxy requesting "Hide: hop/route" can only rely on
   keeping the path private if it sends the request to a trusted proxy.

   Hidden Record-Route and Route headers reuse the Via header "hidden"
   option as described in [RFC2543, Section 6.44].

2.4 Design tradeoffs/considerations

   There is an advantage gained by encrypting the Record-Route/Route
   information instead of simply hiding the information in proxy
   control blocks.  Storing the route information in a proxy would
   require the proxy to maintain long-duration state.  Pushing the
   route state to the endpoints allows the proxy to remain stateless.

   The disadvantage to encryption is that it requires more processing
   in SIP proxies and therefore impacts signalling latency.  This
   results in increased call setup times.

   When a proxy encrypts headers such as Via, State, and
   Record-Route/Route, the proxy is encrypting information for its own
   future use.  In such cases, use of a private key suffices.  (i.e. No
   key exchange operations are needed).

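   Added example, not part of the original draft or of any
   implementation by its authors: a Python model of the 2.2.1 and 2.2.2
   proxy logic, run over three proxies that each hold only their own
   secret key, following the request, response and Route walk of the
   flow in section 2.5.  The cipher (a SHAKE-256 keystream with a
   truncated HMAC-SHA256 tag), the (value, hidden) tuple for a header
   entry, and the names seal, unseal, Proxy and simulate are
   assumptions; the draft does not name an algorithm or an encoding.

```python
import hashlib, hmac, os

def _xor(key, nonce, data):  # stand-in cipher (SHAKE-256 keystream), not from the draft
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, text):
    nonce = os.urandom(12)
    ct = _xor(key, nonce, text.encode())
    return (nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16] + ct).hex()

def unseal(key, token):
    raw = bytes.fromhex(token)
    nonce, tag, ct = raw[:12], raw[12:28], raw[28:]
    good = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, good):
        raise ValueError("entry was not hidden with this proxy's key")
    return _xor(key, nonce, ct).decode()

class Proxy:
    def __init__(self, fqdn):
        self.fqdn, self.key = fqdn, os.urandom(32)  # secret key never leaves the proxy
    def on_request(self, rr):                       # 2.2.1, Record-Route logic
        hidden = [(seal(self.key, rr[0][0]), True)] + rr[1:] if rr else []
        return [(self.fqdn, False)] + hidden
    def on_response(self, rr):                      # 2.2.2
        rr, me = list(rr), (self.fqdn, False)
        i = rr.index(me) if me in rr else -1        # act only if our FQDN is in clear
        if i > 0:                                   # protect the hop to our left
            rr[i - 1] = (seal(self.key, rr[i - 1][0]), True)
        if 0 <= i < len(rr) - 1 and rr[i + 1][1]:   # reveal the hop we hid earlier
            rr[i + 1] = (unseal(self.key, rr[i + 1][0]), False)
        return rr
    def next_hop(self, route):                      # 2.2.1, Route logic
        (value, hidden), rest = route[0], route[1:]
        return (unseal(self.key, value) if hidden else value), rest

def simulate(fqdns=("p1.isp.com", "p2.isp.com", "p3.isp.com"), uas="bob-pc.isp.com"):
    chain, rr = {f: Proxy(f) for f in fqdns}, []
    for p in chain.values():                        # request: UAC -> UAS
        rr = p.on_request(rr)
    at_uas = rr
    for p in reversed(list(chain.values())):        # response: UAS -> UAC
        rr = p.on_response(rr)
    hop, route, path = rr[-1][0], rr[-2::-1] + [(uas, False)], []  # UAC's Route set
    while hop in chain:
        path.append(hop)
        hop, route = chain[hop].next_hop(route)
    return chain, at_uas, rr, path + [hop]
```

   simulate() returns the proxies, the Record-Route list as the UAS
   receives it, the list as the UAC receives it, and the hops the
   follow-up request visits; each endpoint sees only its adjacent proxy
   in clear.
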
2.5 Message flow using encrypted Record-Route/Route

   The diagram below illustrates the message flow when proxies P1, P2,
   and P3 add themselves to the Record-Route header using encrypted
   Record-Route/Route headers.

   In the message flow below, K1 represents proxy 1's secret key, K2
   represents proxy 2's secret key, and K3 represents proxy 3's secret
   key.  The E(X, Kn) syntax indicates the encrypted form of X using
   key n.  REQ indicates a SIP request message (such as INVITE or ACK).
   RSP indicates a SIP response message (such as 200).

   UAC      P1       P2       P3      UAS
    |        |        |        |        |
    |--REQ-->|        |        |        |
    |        |        |        |        |
    |        |--REQ-->|        |        |
    |        | Record-Route: P1         |
    |        | Hide: hop       |        |
    |        |        |        |        |
    |        |        |--REQ-->|        |
    |        |        | Record-Route: P2, E(P1,K2)
    |        |        | Hide: hop       |
    |        |        |        |        |
    |        |        |        |--REQ-->|
    |        |        |        | Record-Route: P3, E(P2,K3), E(P1,K2)
    |        |        |        | Hide: hop
    |        |        |        |        |
    |        |        |        |<-RSP---|
    |        |        |        | Record-Route: P3, E(P2,K3), E(P1,K2)
    |        |        |        | Contact: UAS
    |        |        |        |        |
    |        |        |<-RSP---|        |
    |        |        | Record-Route: P3, P2, E(P1,K2)
    |        |        | Contact: UAS    |
    |        |        | Hide: hop       |
    |        |        |        |        |
    |        |<-RSP---|        |        |
    |        | Record-Route: E(P3,K2), P2, P1
    |        | Contact: UAS    |        |
    |        | Hide: hop       |        |
    |        |        |        |        |
    |<-RSP---|        |        |        |
    | Record-Route: E(P3,K2), E(P2,K1), P1
    | Contact: UAS    |        |        |
    | Hide: hop       |        |        |
    |        |        |        |        |
    |--REQ-->|        |        |        |
    | Route: E(P2,K1), E(P3,K2), UAS    |
    |        |        |        |        |
    |        |--REQ-->|        |        |
    |        | Route: E(P3,K2), UAS     |
    |        |        |        |        |
    |        |        |--REQ-->|        |
    |        |        | Route: UAS      |
    |        |        |        |        |
    |        |        |        |--REQ-->|
    |        |        |        |        |

3 Security Considerations

   Security issues are the primary topic of this RFC.  This document
   proposes an extension to SIP to prevent leakage of layer 5 routing
   information to untrusted proxies and user agents through
   Record-Route and Route headers.

   The use of Record-Route/Route and Via header hiding is discouraged
   unless path privacy is truly needed; Hide fields impose extra
   processing costs and restrictions for proxies.

4 Further Examples

   Only the relevant headers have been included in the following
   examples.

4.1 Standard INVITE/200/ACK sequence using Record-Route/Route and Via
    header hiding

   In this example, proxies P1, P2, and P3 are all configured to
   request Hide: hop.

   UAC        P1          P2          P3         UAS
    |          |           |           |           |
    |--[1]INV->|           |           |           |
    |          |           |           |           |
    |          |--[2]INV-->|           |           |
    |          | Record-Route: P1      |           |
    |          | Hide: hop             |           |
    |          |           |           |           |
    |          |           |--[3]INV-->|           |
    |          |           | Record-Route: P2, E(P1,K2)
    |          |           | Hide: hop             |
    |          |           |           |           |
    |          |           |           |--[4]INV-->|
    |          |           |           | Record-Route: P3, E(P2,K3),
    |          |           |           |           | E(P1,K2)
    |          |           |           | Hide: hop
    |          |           |           |           |
    |          |           |           |<-[5]200---|
    |          |           |           | Record-Route: P3, E(P2,K3),
    |          |           |           |           | E(P1,K2)
    |          |           |           | Contact: UAS
    |          |           |           |           |
    |          |           |<-[6]200---|           |
    |          |           | Record-Route: P3, P2, E(P1,K2)
    |          |           | Contact: UAS          |
    |          |           | Hide: hop             |
    |          |           |           |           |
    |          |<-[7]200---|           |           |
    |          | Record-Route: E(P3,K2), P2, P1    |
    |          | Contact: UAS          |           |
    |          | Hide: hop             |           |
    |          |           |           |           |
    |<-[8]200--|           |           |           |
    | Record-Route: E(P3,K2), E(P2,K1), P1         |
    | Contact: UAS         |           |           |
    | Hide: hop            |           |           |
    |          |           |           |           |
    |--[9]ACK->|           |           |           |
    | Route: E(P2,K1), E(P3,K2), UAS   |           |
    |          |           |           |           |
    |          |--[10]ACK->|           |           |
    |          | Route: E(P3,K2), UAS  |           |
    |          |           |           |           |
    |          |           |--[11]ACK->|           |
    |          |           | Route: UAS            |
    |          |           |           |           |
    |          |           |           |--[12]ACK->|
    |          |           |           |           |
    |          |           |           |           |

   [1] SIP UAC to SIP proxy server 1:

   INVITE sip:bob@p1.isp.com SIP/2.0
   Via: SIP/2.0/UDP alice-pc.isp.com
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [2] SIP proxy server 1 to SIP proxy server 2:

   INVITE sip:bob@p2.isp.com SIP/2.0
   Via: SIP/2.0/UDP p1.isp.com
   Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
   Record-Route:
   Hide: hop
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [3] SIP proxy server 2 to SIP proxy server 3:

   INVITE sip:bob@p3.isp.com SIP/2.0
   Via: SIP/2.0/UDP p2.isp.com
   Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
   Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
   Record-Route: , ;hidden
   Hide: hop
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [4] SIP proxy server 3 to UAS:

   INVITE sip:bob@bob-pc.isp.com SIP/2.0
   Via: SIP/2.0/UDP p3.isp.com
   Via: E(SIP/2.0/UDP p2.isp.com, K3);hidden
   Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
   Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
   Record-Route: , ;hidden, ;hidden
   Hide: hop
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [5] UAS to SIP proxy server 3:

   SIP/2.0 200 OK
   Via: SIP/2.0/UDP p3.isp.com
   Via: E(SIP/2.0/UDP p2.isp.com, K3);hidden
   Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
   Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
   Record-Route: , ;hidden, ;hidden
   Contact: bob-pc.isp.com
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [6] SIP proxy server 3 to SIP proxy server 2:

   SIP/2.0 200 OK
   Via: SIP/2.0/UDP p2.isp.com
   Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
   Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
   Record-Route: , , ;hidden
   Contact: bob-pc.isp.com
   Hide: hop
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [7] SIP proxy server 2 to SIP proxy server 1:

   SIP/2.0 200 OK
   Via: SIP/2.0/UDP p1.isp.com
   Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
   Record-Route: ;hidden, ,
   Contact: bob-pc.isp.com
   Hide: hop
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [8] SIP proxy server 1 to UAC:

   SIP/2.0 200 OK
   Via: SIP/2.0/UDP alice-pc.isp.com
   Record-Route: ;hidden, ;hidden,
   Contact: bob-pc.isp.com
   Hide: hop
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [9] SIP UAC to SIP proxy server 1:

   ACK sip:p1.isp.com SIP/2.0
   Via: SIP/2.0/UDP alice-pc.isp.com
   Route: ;hidden, ;hidden,
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [10] SIP proxy server 1 to SIP proxy server 2:

   ACK sip:p2.isp.com SIP/2.0
   Via: SIP/2.0/UDP p1.isp.com
   Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
   Route: ;hidden,
   Hide: hop
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [11] SIP proxy server 2 to SIP proxy server 3:

   ACK sip:p3.isp.com SIP/2.0
   Via: SIP/2.0/UDP p2.isp.com
   Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
   Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
   Route:
   Hide: hop
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

   [12] SIP proxy server 3 to UAS:

   ACK sip:bob-pc.isp.com SIP/2.0
   Via: SIP/2.0/UDP p3.isp.com
   Via: E(SIP/2.0/UDP p2.isp.com, K3);hidden
   Via: E(SIP/2.0/UDP p1.isp.com, K2);hidden
   Via: E(SIP/2.0/UDP alice-pc.isp.com, K1);hidden
   Hide: hop
   From: sip:alice@isp.com
   To: sip:bob@isp.com
   Call-ID: 12345600@alice-pc.isp.com
   CSeq: 1 INVITE
   Content-Type: application/sdp

Outstanding issues/questions:

   1) We are re-using the Hide: header to imply that Via headers AND
      Record-Route/Route headers should be hidden by proxies.  Is this
      ok?  Alternatively, another header (Hide-Route:) could be used.
      This draft redefines the Hide: header to mean that both Via
      headers AND Record-Route/Route headers should be hidden.

   2) Can/should we use the State: header to store entries for
      Record-Route/Route?

      NOTES:
      - The State header itself leaks routing information unless each
        proxy encrypts all previously added State headers.

   3) Can we do simple hiding of Record-Route/Route entries?

      NOTES:
      - This would appear to cause a proxy to maintain long-term route
        state.

6 Acknowledgements

   We would like to thank David Williams, Nilesh Trivedi, and JC
   Ferguson of Cisco Systems for their insights, inputs, and comments.

7 References

   [SIP]       Handley, M., H. Schulzrinne, E. Schooler, and J.
               Rosenberg.  "SIP: Session Initiation Protocol", RFC 2543,
               March 1999.

   [SIP-ID]    Handley, Schulzrinne, Schooler, Rosenberg.  "SIP: Session
               Initiation Protocol", draft-ietf-sip-rfc2543bis-00.ps,
               July 13, 2000.

   [SIP-STATE] Marshall, W. et al.  "SIP Extensions for supporting
               Distributed Call State", draft-dcsgroup-sip-state-01.txt,
               March 2000.

   [REQ]       Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels," RFC-2119, March 1997.

Authors' Addresses

   Bryan J. Byerly
   Cisco Systems
   7025 Kit Creek Road
   P.O. Box 14987
   Research Triangle Park, NC 27709
   USA
   Email: byerly@cisco.com

   David Daiker
   Cisco Systems
   7025 Kit Creek Road
   P.O. Box 14987
   Research Triangle Park, NC 27709
   USA
   Email: ddaiker@cisco.com

   Shailandra Bhatnagar
   Cisco Systems
   7025 Kit Creek Road
   P.O. Box 14987
   Research Triangle Park, NC 27709
   USA
   Email: shbhatna@cisco.com