| rfc8862v5.txt | rfc8862.txt | |||
|---|---|---|---|---|
| Internet Engineering Task Force (IETF) J. Peterson | Internet Engineering Task Force (IETF) J. Peterson | |||
| Request for Comments: 8862 Neustar | Request for Comments: 8862 Neustar | |||
| BCP: 228 R. Barnes | BCP: 228 R. Barnes | |||
| Category: Best Current Practice Cisco | Category: Best Current Practice Cisco | |||
| ISSN: 2070-1721 R. Housley | ISSN: 2070-1721 R. Housley | |||
| Vigil Security | Vigil Security | |||
| July 2020 | January 2021 | |||
| Best Practices for Securing RTP Media Signaled with SIP | Best Practices for Securing RTP Media Signaled with SIP | |||
| Abstract | Abstract | |||
| Although the Session Initiation Protocol (SIP) includes a suite of | Although the Session Initiation Protocol (SIP) includes a suite of | |||
| security services that has been expanded by numerous specifications | security services that has been expanded by numerous specifications | |||
| over the years, there is no single place that explains how to use SIP | over the years, there is no single place that explains how to use SIP | |||
| to establish confidential media sessions. Additionally, existing | to establish confidential media sessions. Additionally, existing | |||
| mechanisms have some feature gaps that need to be identified and | mechanisms have some feature gaps that need to be identified and | |||
| skipping to change at line 40 ¶ | skipping to change at line 40 ¶ | |||
| received public review and has been approved for publication by the | received public review and has been approved for publication by the | |||
| Internet Engineering Steering Group (IESG). Further information on | Internet Engineering Steering Group (IESG). Further information on | |||
| BCPs is available in Section 2 of RFC 7841. | BCPs is available in Section 2 of RFC 7841. | |||
| Information about the current status of this document, any errata, | Information about the current status of this document, any errata, | |||
| and how to provide feedback on it may be obtained at | and how to provide feedback on it may be obtained at | |||
| https://www.rfc-editor.org/info/rfc8862. | https://www.rfc-editor.org/info/rfc8862. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2020 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at line 322 ¶ | skipping to change at line 322 ¶ | |||
| * The UPDATE carrying signed SDP with a fingerprint in the backwards | * The UPDATE carrying signed SDP with a fingerprint in the backwards | |||
| direction needs to be sent during dialog establishment, following | direction needs to be sent during dialog establishment, following | |||
| the receipt of a Provisional Response Acknowledgement (PRACK) | the receipt of a Provisional Response Acknowledgement (PRACK) | |||
| after a provisional 1xx response. | after a provisional 1xx response. | |||
| * For use with this SIPBRANDY profile for media confidentiality, the | * For use with this SIPBRANDY profile for media confidentiality, the | |||
| UAS that responds to the INVITE request needs to act as an | UAS that responds to the INVITE request needs to act as an | |||
| authentication service for the UPDATE sent in the backwards | authentication service for the UPDATE sent in the backwards | |||
| direction. | direction. | |||
| * The text in Section 4.4.1 of [RFC4916] regarding the receipt at a | * Per the text in Section 4.4.1 of [RFC4916] regarding the receipt | |||
| User Agent Client (UAC) of error code 428, 436, 437, or 438 in | at a User Agent Client (UAC) of error code 428, 436, 437, or 438 | |||
| response to a mid-dialog request RECOMMENDS treating the dialog as | in response to a mid-dialog request, it is RECOMMENDED that the | |||
| terminated. However, Section 6.1.1 of [RFC8224] allows the | dialog be treated as terminated. However, Section 6.1.1 of | |||
| retransmission of requests with repairable error conditions. In | [RFC8224] allows the retransmission of requests with repairable | |||
| particular, an authentication service might retry a mid-dialog | error conditions. In particular, an authentication service might | |||
| rather than treating the dialog as terminated, although only one | retry a mid-dialog rather than treating the dialog as terminated, | |||
| such retry is permitted. | although only one such retry is permitted. | |||
| * Note that the examples in [RFC4916] are based on [RFC4474] and | * Note that the examples in [RFC4916] are based on [RFC4474] and | |||
| will not match signatures using [RFC8224]. | will not match signatures using [RFC8224]. | |||
| Future work may be done to revise [RFC4916] for STIR; that work | Future work may be done to revise [RFC4916] for STIR; that work | |||
| should take into account any impacts on the SIPBRANDY profile | should take into account any impacts on the SIPBRANDY profile | |||
| described in this document. The use of [RFC4916] has some further | described in this document. The use of [RFC4916] has some further | |||
| interactions with Interactive Connectivity Establishment (ICE) | interactions with Interactive Connectivity Establishment (ICE) | |||
| [RFC8445]; see Section 7. | [RFC8445]; see Section 7. | |||
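Review bot: in the third bullet, "an authentication service might retry a mid-dialog rather than treating the dialog as terminated" is missing its object in both columns, and the rewording to "it is RECOMMENDED that the dialog be treated as terminated" leaves that sentence untouched. Suggest "might retry a mid-dialog request", matching "a mid-dialog request" earlier in the same bullet. The move of the normative keyword into this document's own sentence, rather than attributing "RECOMMENDS" to the text of [RFC4916], is the right fix for the rest of the bullet.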
| skipping to change at line 579 ¶ | skipping to change at line 579 ¶ | |||
| DOI 10.17487/RFC8445, July 2018, | DOI 10.17487/RFC8445, July 2018, | |||
| <https://www.rfc-editor.org/info/rfc8445>. | <https://www.rfc-editor.org/info/rfc8445>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| [RFC8838] Ivov, E., Uberti, J., and P. Saint-Andre, "Trickle ICE: | [RFC8838] Ivov, E., Uberti, J., and P. Saint-Andre, "Trickle ICE: | |||
| Incremental Provisioning of Candidates for the Interactive | Incremental Provisioning of Candidates for the Interactive | |||
| Connectivity Establishment (ICE) Protocol", RFC 8838, | Connectivity Establishment (ICE) Protocol", RFC 8838, | |||
| DOI 10.17487/RFC8838, July 2020, | DOI 10.17487/RFC8838, January 2021, | |||
| <https://www.rfc-editor.org/info/rfc8838>. | <https://www.rfc-editor.org/info/rfc8838>. | |||
| [RFC8839] Petit-Huguenin, M., Nandakumar, S., Holmberg, C., Keränen, | [RFC8839] Petit-Huguenin, M., Nandakumar, S., Holmberg, C., Keränen, | |||
| A., and R. Shpount, "Session Description Protocol (SDP) | A., and R. Shpount, "Session Description Protocol (SDP) | |||
| Offer/Answer Procedures for Interactive Connectivity | Offer/Answer Procedures for Interactive Connectivity | |||
| Establishment (ICE)", RFC 8839, DOI 10.17487/RFC8839, July | Establishment (ICE)", RFC 8839, DOI 10.17487/RFC8839, | |||
| 2020, <https://www.rfc-editor.org/info/rfc8839>. | January 2021, <https://www.rfc-editor.org/info/rfc8839>. | |||
| [RFC8840] Ivov, E., Stach, T., Marocco, E., and C. Holmberg, "A | [RFC8840] Ivov, E., Stach, T., Marocco, E., and C. Holmberg, "A | |||
| Session Initiation Protocol (SIP) Usage for Incremental | Session Initiation Protocol (SIP) Usage for Incremental | |||
| Provisioning of Candidates for the Interactive | Provisioning of Candidates for the Interactive | |||
| Connectivity Establishment (Trickle ICE)", | Connectivity Establishment (Trickle ICE)", RFC 8840, | |||
| DOI 10.17487/RFC8840, RFC 8840, July 2020, | DOI 10.17487/RFC8840, January 2021, | |||
| <https://www.rfc-editor.org/info/rfc8840>. | <https://www.rfc-editor.org/info/rfc8840>. | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [ACME-Auth-Token] | [ACME-Auth-Token] | |||
| Peterson, J., Barnes, M., Hancock, D., and C. Wendt, "ACME | Peterson, J., Barnes, M., Hancock, D., and C. Wendt, "ACME | |||
| Challenges Using an Authority Token", Work in Progress, | Challenges Using an Authority Token", Work in Progress, | |||
| Internet-Draft, draft-ietf-acme-authority-token-05, 9 | Internet-Draft, draft-ietf-acme-authority-token-05, 9 | |||
| March 2020, <https://tools.ietf.org/html/draft-ietf-acme- | March 2020, <https://tools.ietf.org/html/draft-ietf-acme- | |||
| authority-token-05>. | authority-token-05>. | |||
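Review bot: the [ACME-Auth-Token] entry still cites draft-ietf-acme-authority-token-05 of 9 March 2020 while the [RFC8838], [RFC8839], and [RFC8840] entries in the same hunk move from July 2020 to January 2021; before publication, confirm that -05 is still the current revision of that Internet-Draft or update the version and date to match. Moving "RFC 8840" ahead of the DOI in [RFC8840] brings that entry in line with the ordering used in the [RFC8838] and [RFC8839] entries.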
| End of changes. 6 change blocks. | ||||
| 15 lines changed or deleted | 15 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/