XCAP: The Extensible Markup Language (XML) Configuration Access Protocol
Yunling Wang [email protected]
VoIP Security COMS 4995
Nov 24, 2008
Mar 30, 2015
Contents
• Motivation: resource list, presence state, presence authorization
• Application usage
• URI construction: XCAP root, document selector, node selector
• Operations: create, fetch, delete
• Security concerns
Motivation
[Figure: a basic presence system. The Watcher sends SUBSCRIBE to the Presentity's presence system and receives NOTIFY messages carrying the presentity's state.]
Motivation: Resource list
[Figure: the Watcher subscribes once to a presence list server, which holds a resource list and fans the subscription out to each Presentity with its own SUBSCRIBE/NOTIFY; an XCAP client manipulates the resource list on the XCAP server.]
• Presence list server: manages multiple subscriptions to different presentities on behalf of one watcher
• Resource list: the list of presentities the presence list server subscribes to
• XCAP: lets the client directly manipulate the resource lists stored on the presence list server
Motivation: Presence state
[Figure: the Presentity PUBLISHes presence information to a presence agent, whose composer builds the event state; the Watcher SUBSCRIBEs and receives NOTIFY; an XCAP client manipulates the event state on the XCAP server.]
• Composer: composes the event state from the presence information carried in PUBLISH
• Event state: the current presence state of the presentity
• XCAP: lets the client directly manipulate the event state (the pidf-manipulation application usage) instead of constantly refreshing publications
Motivation: Presence authorization
[Figure: the same presence agent as above, plus a presence authorization document that the agent consults when a Watcher SUBSCRIBEs; an XCAP client manipulates that document on the XCAP server.]
• Presence agent: manages multiple subscriptions from different watchers
• Presence authorization document (the slides call it the presence authentication document; RFC 5025 calls it presence authorization rules, AUID pres-rules): the rules that decide which watchers may subscribe and what they are allowed to see
• XCAP: lets the presentity directly manipulate the authorization document stored on the server
What is XCAP?
XCAP allows a client to read, write, and modify application configuration data stored in XML format on a server.
Normal HTTP primitives (GET, PUT, DELETE) are used to manipulate the data.
Example resource-lists document:

  <?xml version="1.0" encoding="UTF-8"?>
  <resource-lists xmlns="urn:ietf:params:xml:ns:resource-lists">
    <list name="friends">
      <entry uri="sip:[email protected]">
        <name>Bob Jones</name>
      </entry>
    </list>
  </resource-lists>
Application Usage
• Each application has its own application usage
• It defines how the XCAP server may manipulate that application's documents
• Key components: AUID, XML schema, data validation, resource interdependency, authorization policies
AUID: Application Unique ID
• A unique identifier for each application usage, with two sub-namespaces
• IETF tree: registered with IANA. Examples: "resource-lists", "pidf-manipulation", "pres-rules"
• Vendor tree: prefixed with the reverse domain name of the organization; meant to be used in lab environments where no central registry is needed. Example: "com.example.customer-list"
Application Usage: protection concerns
• Authorization policies. Default: a user can read and write their own data (documents under users/<XUI>) and can only read global data
• Resource interdependency: an operation on one element may affect other elements, especially across documents
• Data validation: uniqueness constraints and referential integrity, which the server must check on every modification
Background: XML basics
• XML document: structures, stores, and transports information
• XML element: everything from the element's start tag to its end tag, inclusive
• XML attributes: specified in an element's start tag; provide additional information about the element

  <?xml version="1.0" encoding="UTF-8"?>
  <resource-lists xmlns="urn:ietf:params:xml:ns:resource-lists">
    <list name="friends">
      <entry uri="sip:[email protected]">
        <name>Bob Jones</name>
      </entry>
    </list>
  </resource-lists>
Background: XPath
XPath is XML addressing: how to point to specific pieces of an XML document. The path

  resource-lists/list/entry/name

selects the <name> element (Bob Jones) in the document below:

  <?xml version="1.0" encoding="UTF-8"?>
  <resource-lists xmlns="urn:ietf:params:xml:ns:resource-lists">
    <list name="friends">
      <entry uri="sip:[email protected]">
        <name>Bob Jones</name>
      </entry>
    </list>
  </resource-lists>
URI Construction
Based on the concept of XPath. An XCAP URI is built as:

  XCAP root / Document Selector / ~~ / Node Selector

• XCAP root: the context in which all other resources exist, e.g. "http://xcap.example.com" for the domain "example.com"
• Document selector: "/<AUID>/users/<XUI>/<document name>" for a user's document (or "/<AUID>/global/<document name>" for a global one), e.g. "/resource-lists/users/sip:[email protected]/index"
• Node selector: an XPath-like path into the document, introduced by "~~", with brackets and quotes percent-encoded, e.g. "~~/resource-lists/list%5b@name=%22l1%22%5d" (decoded: ~~/resource-lists/list[@name="l1"])

The hierarchy, with an example request:

  GET http://xcap.example.com/resource-lists/users/hiroshi/doc1/~~/resource-lists/list/list/entry/name

selects <name>Hiroshi Aukia</name> (the entry of the inner list) in the document below:

  <?xml version="1.0" encoding="UTF-8"?>
  <resource-lists xmlns="urn:ietf:params:xml:ns:resource-lists">
    <list name="friends">
      <entry uri="sip:[email protected]">
        <name>Bob Jones</name>
      </entry>
      <list name="close-friends">
        <entry uri="sip:[email protected]">
          <name>Hiroshi Aukia</name>
        </entry>
      </list>
    </list>
  </resource-lists>
Operations
• HTTP PUT: create or replace a document, element, or attribute
• HTTP DELETE: delete a document, element, or attribute
• HTTP GET: fetch a document, element, or attribute

Example: modify an element (the <note> of tuple x8eg92n in the user's pidf-manipulation document "index")

  PUT /pidf-manipulation/users/sip:[email protected]/index/~~/presence/tuple%5b@id='x8eg92n'%5d/note HTTP/1.1
  Host: xcap.example.com
  Content-Type: application/xcap-el+xml

  <note>I'm sleeping</note>

  HTTP/1.1 200 OK

Document "index" before the PUT (the rp prefix must be declared for the document to be well-formed; the slide omitted it):

  <?xml version="1.0" encoding="UTF-8"?>
  <presence xmlns="urn:ietf:params:xml:ns:pidf"
            xmlns:rp="urn:ietf:params:xml:ns:pidf:rpid">
    <tuple id="x8eg92n">
      <status>
        <basic>open</basic>
      </status>
      <rp:class>auth-1</rp:class>
      <contact priority="1.0">mailto:[email protected]</contact>
      <note>I'm reading mail</note>
    </tuple>
  </presence>

Document "index" after the PUT:

  <?xml version="1.0" encoding="UTF-8"?>
  <presence xmlns="urn:ietf:params:xml:ns:pidf"
            xmlns:rp="urn:ietf:params:xml:ns:pidf:rpid">
    <tuple id="x8eg92n">
      <status>
        <basic>open</basic>
      </status>
      <rp:class>auth-1</rp:class>
      <contact priority="1.0">mailto:[email protected]</contact>
      <note>I'm sleeping</note>
    </tuple>
  </presence>
Conditional Operations
• Conflicts occur when several clients modify the same document at the same time
• Entity tags (ETags) provide version control: each document has one ETag, and whenever any resource in the document changes, every resource in that document gets the same new ETag
• Client: sends the previously known ETag in the If-Match header field of the request (If-None-Match: * to create a resource only if it does not exist yet)
• Server: rejects the request with 412 (Precondition Failed) if the ETag is stale; on success it returns the new ETag in the ETag header of the response
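The URI construction, the element GET/PUT operations and the ETag check above, worked through in code. This is an added example written for this page, not code from the slides or from any XCAP implementation. The XCAP root, the user addresses and the sample resource-lists document are constructed; the node-selector resolver only handles the steps the slides use (element names with an optional [@attr="value"] predicate, all in the resource-lists namespace), and a PUT body is expected to carry its own xmlns declaration.

```python
import hashlib
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote

RL_NS = "urn:ietf:params:xml:ns:resource-lists"  # default namespace of the resource-lists usage (RFC 4826)
ET.register_namespace("", RL_NS)  # serialise with a default namespace, not ns0:
XCAP_ROOT = "http://xcap.example.com"  # hypothetical XCAP root, as on the slides

# Constructed sample document; the addresses are hypothetical, not from the slides.
SAMPLE_DOC = """<resource-lists xmlns="urn:ietf:params:xml:ns:resource-lists">
  <list name="friends">
    <entry uri="sip:bob@example.com"><name>Bob Jones</name></entry>
    <list name="close-friends"><entry uri="sip:hiroshi@example.com"><name>Hiroshi Aukia</name></entry></list>
  </list>
</resource-lists>"""

STEP_RE = re.compile(r"^([A-Za-z_][\w.-]*)(?:\[(.*)\])?$")  # name[predicate]
ATTR_PRED_RE = re.compile(r"^@([\w.-]+)=([\"'])(.*)\2$")   # @attr="value"

def split_xcap_uri(uri):  # -> (document selector, node selector or None), split at "/~~/"
    if not uri.startswith(XCAP_ROOT + "/"):
        raise ValueError("URI is not under the XCAP root")
    doc_sel, sep, node_sel = uri[len(XCAP_ROOT):].partition("/~~/")
    return doc_sel, (node_sel if sep else None)

def _match_step(step, candidates):  # filter siblings by one step: list or list[@name="x"]
    m = STEP_RE.match(unquote(step))  # decode %5b@name=%22x%22%5d only after splitting on "/"
    if not m:
        raise ValueError("unsupported step: %r" % step)
    name, pred = m.group(1), m.group(2)
    found = [c for c in candidates if c.tag == "{%s}%s" % (RL_NS, name)]
    if pred is None:
        return found
    am = ATTR_PRED_RE.match(pred)
    if not am:
        raise ValueError("unsupported predicate: %r" % pred)
    return [c for c in found if c.get(am.group(1)) == am.group(3)]

def select_element(root, node_sel):  # resolve a node selector to exactly one element
    steps = node_sel.strip("/").split("/")
    current = _match_step(steps[0], [root])  # the first step names the document element
    for step in steps[1:]:
        if len(current) != 1:
            raise LookupError("step does not match exactly one element")
        current = _match_step(step, list(current[0]))
    if len(current) != 1:
        raise LookupError("selector does not match exactly one element")
    return current[0]

class XcapStore:  # toy in-memory XCAP server: one ETag per document, shared by every node in it
    def __init__(self):
        self.docs = {}

    def etag(self, doc_sel):
        return '"%s"' % hashlib.sha256(self.docs[doc_sel].encode()).hexdigest()[:16]

    def get(self, doc_sel, node_sel=None):  # returns (status, body, etag)
        if doc_sel not in self.docs:
            return 404, None, None
        if node_sel is None:
            return 200, self.docs[doc_sel], self.etag(doc_sel)
        try:
            el = select_element(ET.fromstring(self.docs[doc_sel]), node_sel)
        except (LookupError, ValueError):
            return 404, None, self.etag(doc_sel)
        return 200, ET.tostring(el, encoding="unicode"), self.etag(doc_sel)

    def put_element(self, doc_sel, node_sel, body, if_match=None):  # returns (status, etag)
        if doc_sel not in self.docs:
            return 409, None
        if if_match is not None and if_match != self.etag(doc_sel):
            return 412, self.etag(doc_sel)  # stale ETag: refuse rather than lose an update
        root = ET.fromstring(self.docs[doc_sel])
        try:
            parent = select_element(root, node_sel.strip("/").rpartition("/")[0])
            old = select_element(root, node_sel)
        except (LookupError, ValueError):
            return 409, self.etag(doc_sel)
        new = ET.fromstring(body)
        if new.tag != old.tag:  # the body must be the element the node selector names
            return 409, self.etag(doc_sel)
        parent[list(parent).index(old)] = new
        self.docs[doc_sel] = ET.tostring(root, encoding="unicode")
        return 200, self.etag(doc_sel)

def demo():  # fetch, then a stale conditional PUT (412), then a fresh one (200)
    store = XcapStore()
    doc_sel = "/resource-lists/users/sip:hiroshi@example.com/index"
    store.docs[doc_sel] = SAMPLE_DOC
    d, n = split_xcap_uri(XCAP_ROOT + doc_sel +
                          "/~~/resource-lists/list%5b@name=%22friends%22%5d/list/entry/name")
    status, body, etag = store.get(d, n)
    new = '<name xmlns="%s">Hiroshi A.</name>' % RL_NS
    stale, _ = store.put_element(d, n, new, if_match='"0000000000000000"')
    fresh, etag2 = store.put_element(d, n, new, if_match=etag)
    return status, body, stale, fresh, etag2 != etag, store.get(d, n)[1]

if __name__ == "__main__":
    print(demo())
```

The point of the ETag check is the 412 branch: a client that last saw the document before someone else's PUT is told so instead of silently overwriting their change, and it then re-fetches, gets the new ETag, and retries. The tag-name check before the replacement is the other guard worth keeping: without it a client could PUT a differently named element at a node selector and leave the document invalid against the application usage's schema.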
Security Considerations
• The data manipulated by XCAP (buddy lists, presence state, authorization rules) is often sensitive
• XCAP runs over plain HTTP, typically on port 80, so it is hard to single out with port-based filtering
Solutions
• Run the connection over TLS, so that the documents and the HTTP authentication exchange are protected in transit
• HTTP Digest authentication to identify the user (RFC 4825 requires XCAP servers to support Digest and TLS; Digest by itself does not protect the document contents, which is why TLS is needed)
• URL-analysis-based traffic filtering: the double tilde (~~) in a request URI is a strong hint that the URL points to an XML element or attribute rather than to a whole document
• Authorization policies in the application usage (default: read and write own data, read-only access to global data)
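The URL-analysis filter and the default authorization policy, as an added example that is not from the slides or from any product: a classifier that a reverse proxy or HTTP front end could run over request lines, using the /<AUID>/users/<XUI>/ and /<AUID>/global/ layout from the URI construction slides and the ~~ hint. It assumes the HTTP layer has already authenticated the user (for instance via Digest) and that the authenticated name is the same string as the XUI; the sample requests and users are constructed.

```python
import re
from urllib.parse import unquote

# Request-URI layout under the XCAP root (RFC 4825):
#   /<AUID>/users/<XUI>/<document path>[/~~/<node selector>]
#   /<AUID>/global/<document path>[/~~/<node selector>]
PATH_RE = re.compile(
    r"^/(?P<auid>[^/]+)/(?:users/(?P<xui>[^/]+)|(?P<global>global))/"
    r"(?P<doc>.+?)(?:/~~/(?P<node>.*))?$"
)


def classify(method, path, auth_user):
    """Classify one request as (is_xcap, allowed, reason).

    `allowed` applies the default XCAP policy: a user may read and write the
    documents under users/<own XUI>, and may only read documents under global/.
    `auth_user` is the identity the HTTP layer authenticated (e.g. the Digest
    username); this example assumes it is the same string as the XUI.
    """
    m = PATH_RE.match(path)
    if not m:
        return False, None, "not an XCAP path (no /<AUID>/users|global/ prefix)"
    if auth_user is None:
        return True, False, "XCAP request without an authenticated user"
    if m.group("global") is not None:
        allowed = method == "GET"
        reason = "global/ documents are readable by everyone and writable by nobody"
    else:
        xui = unquote(m.group("xui"))
        if "/" in xui:  # %2F would smuggle a path separator past the segment match
            return True, False, "XUI contains an encoded '/'; refuse rather than guess"
        allowed = xui == auth_user
        reason = "users/<XUI> documents belong to that user only"
    if m.group("node") is not None:
        reason += "; '~~' marks an element/attribute operation on AUID " + m.group("auid")
    return True, allowed, reason


# Constructed sample traffic (hypothetical users): what a front end sees on
# port 80, XCAP requests mixed with ordinary web requests.
SAMPLE_REQUESTS = [
    ("GET", "/resource-lists/users/sip:alice@example.com/index", "sip:alice@example.com"),
    ("PUT", "/pres-rules/users/sip:alice@example.com/index/~~/ruleset/rule%5b@id=%22a%22%5d",
     "sip:bob@example.com"),
    ("GET", "/resource-lists/global/index", "sip:bob@example.com"),
    ("DELETE", "/resource-lists/global/index", "sip:bob@example.com"),
    ("GET", "/index.html", "sip:bob@example.com"),
    ("GET", "/resource-lists/users/sip:alice@example.com/index", None),
]


def filter_log(requests=SAMPLE_REQUESTS):
    """Run the classifier over a request list; returns [(method, path, allowed)]."""
    return [(m, p, classify(m, p, u)[1]) for m, p, u in requests]


if __name__ == "__main__":
    for method, path, user in SAMPLE_REQUESTS:
        print(method, path, classify(method, path, user))
```

A path-level filter like this only enforces the coarse ownership rule; it cannot check the per-application policies or the data-validation constraints, which still have to live in the XCAP server. Note the %2F check: the filter and the server may decode the XUI differently, and a filter that guesses which one the server will use is exactly the kind that gets bypassed.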
Summary
• XCAP gives presence systems a way to access configuration documents stored on a server
• It maps XML documents and their components (elements, attributes) onto HTTP URIs
• Plain HTTP primitives (GET, PUT, DELETE) then manipulate the data directly
References
RFC 4825, The XML Configuration Access Protocol (XCAP): http://tools.ietf.org/html/rfc4825
RFC 5025, Presence Authorization Rules: http://tools.ietf.org/html/rfc5025
RFC 4827, An XCAP Usage for Manipulating Presence Document Contents: http://tools.ietf.org/html/rfc4827
RFC 4826, XML Formats for Representing Resource Lists: http://tools.ietf.org/html/rfc4826
http://www.jdrosen.net/simple_acap.html
RFC 3903, SIP Extension for Event State Publication: http://tools.ietf.org/html/rfc3903
RFC 2778, A Model for Presence and Instant Messaging: http://tools.ietf.org/html/rfc2778
http://openxcap.org/
http://www.w3schools.com/Xml/xml_attributes.asp