Upload
greta-yarde
View
221
Download
5
Tags:
Embed Size (px)
Citation preview
Yunling Wang
VoIP Security COMS 4995
Nov 24, 2008
XCAPThe Extensible Markup Language (XML)Configuration Access Protocol (XCAP)
2
Contents Motivation
Resource list, presence state, presence authentication
Application Usage URL Construction
XCAP root, document/node selector Operation
Create/fetch/delete Security Concerns
3
Motivation
Presentity
Watcher
Notify
Subscribe
Presence System
4
Motivation-Resource list
Presentity
Presence list
server
Watcher
Notify
Subscribe
Resource list
XCAP Client
XCAP Server
•Presence list server: manages multiple subscriptions to different presentities
•Resource list: keeps a list of presentities for presence list server
•XCAP: directly manipulates resource lists stored on presence list server
5
Presentity
Event Sate
Composer
PresenceAgent
Watcher
Event State
Notify
Subscribe
Publish
•Composer: compose event state according to the presence information in PUBLISH
•Event state: keeps current presence state of the presentity
•XCAP: directly manipulates event state without constant refreshing publicationsXCAP
Client
XCAP Server
Motivation-Presence State
6
Motivation-Presence Authentication
Presentity
Event Sate
Composer
PresenceAgent
Watcher
Presence Authentication Documentation
Notify
Subscribe
Publish
XCAP Client
XCAP Server
•Presence Agent: manages multiple subscriptions from different watchers
•Presence Authentication Document: the authentication information for all the subscribers
•XCAP: directly manipulates event state without constant refreshing publications
7
What is XCAP? XCAP allows a client to read, write, and
modify application configuration data stored in XML format on a server
Normal HTTP primitives can be used to manipulate the data
<?xml version="1.0" encoding="UTF-8"?> <resource-lists"> <list name="friends"> <entry uri="sip:[email protected]"> <name>Bob Jones</name> </entry> </list> </resource-lists>
8
Application Usage
Each application has its own Application Usage
Define how the XCAP server can manipulate corresponding application documents
Key components: AUID, XML Schema, data validation, resource interdependency, authorization policies
9
AUID Application Unique ID
Unique Identifier for each application Two sub-namespaces
IETF tree: IANA Registry Example: “resource-lists”, “pidf-manipulation” , “pres-rules”
Vendor tree: prefixed with the reverse domain name of the
organization meant to be used in lab environments where no
central registry is needed Example: “com.example.customer-list”
10
Application Usage
Protection Concerns Authorization policies Default: User can read & write their own data; User
can only read global data Resource interdependency
Operation of one element may affect other elements; especially cross-document affection
Data Validation
Uniqueness constraints, referential integrity
11
Background: XML Basics
XML Document: to structure, store, and transport information
XML element: everything from (including) the element's start tag to (including) the element's end tag.
XML Attributes: specified in XML elements’ tags; provide additional information about elements.
<?xml version="1.0" encoding="UTF-8"?> <resource-lists"> <list name="friends"> <entry uri="sip:[email protected]"> <name>Bob Jones</name> </entry> </list> </resource-lists></xml>
12
Background: XPath
XPath = XML Addressing How to point to specific pieces of an
XML document
resource-lists/list/entry/name
<?xml version="1.0" encoding="UTF-8"?> <resource-lists"> <list name="friends"> <entry uri="sip:[email protected]"> <name>Bob Jones</name> </entry> </list> </resource-lists>
13
URI Construction
Based on the Concept of XPath
Example: XCAP root / Document Selector / Node Selector XCAP rootContext in which all other resources exist
"http://xcap.example.com" for domain "example.com " Document Selector"/resource-lists/users/sip:[email protected]/index" Node Selector~~/resource-lists/list%5b@name=%22l1%22%5d
The HierarchyGEThttp://xcap.example.com/resource-lists/users/hiroshi/doc1/ ~~/resource-lists/list/list/entry/name
<?xml version="1.0" encoding="UTF-8"?> <resource-lists xmlns="urn:ietf:params:xml:ns:resource-lists"> <list name="friends"> <entry uri="sip:[email protected]"> <name>Bob Jones</name> </entry> <list name="close-friends"> <entry uri="sip:[email protected]"> <name>Hiroshi Aukia</name> </entry> </list> </list> </resource-lists>
15
Operations
HTTP PUT
Create or Replace a Document/Element/Attribute
HTTP DELETE
Delete a Document/Element/Attribute HTTP GET
Fetch a Document/Element/Attribute
Example: Modify an Element
PUT /pidf-manipulation/users /sip:[email protected]/index/ ~~/presence/tuple%5b@id='x8eg92n'%5d/note HTTP/1.1
<note>I'm sleeping</note>
HTTP/1.1 200 OK
<?xml version="1.0" encoding="UTF-8"?> <presence xmlns="urn:ietf:params:xml:ns:pidf"> <tuple id="x8eg92n"> <status> <basic>open</basic> </status> <rp:class>auth-1</rp:class> <contact priority="1.0"> mailto:[email protected] </contact> <note>I'm reading mail </note> </tuple> </presence>
<?xml version="1.0" encoding="UTF-8"?> <presence xmlns="urn:ietf:params:xml:ns:pidf"> <tuple id="x8eg92n"> <status> <basic>open</basic> </status> <rp:class>auth-1</rp:class> <contact priority="1.0"> mailto:[email protected] </contact> <note>I'm sleeping </note> </tuple> </presence>
index
17
Conditional Operation
Conflicts occur with simultaneous multiple modifications
Use etag: A version control
When one resource changes, all resources in the same documents get the same new etag
Client: contain previously known etag in the If-Match header field of request
Server: return new etag in response on success
18
Security Considerations
Data manipulated by XCAP often contains sensitive information
Using HTTP port: 80
– Hard to apply port-based filtering
19
Solutions
Connection over TLS HTTP Digest Authentication URL-analysis-based traffic filtering
The presence of the double tilde (~~) is a strong hint that the URL points to an XML element or attribute
Authorization policies in Application Usage
20
Summary
Access configuration documents on server: Presence system
Maps XML documents and document components into HTTP URIs
HTTP primitives can be used to directly manipulate the data
21
References
http://tools.ietf.org/html/rfc4825 http://tools.ietf.org/html/rfc5025 http://tools.ietf.org/html/rfc4827 http://tools.ietf.org/html/rfc4826 http://www.jdrosen.net/simple_acap.html http://tools.ietf.org/html/rfc3903 http://tools.ietf.org/html/rfc2778 http://openxcap.org/ http://www.w3schools.com/Xml/xml_attributes.asp