Re: [dispatch] PROTO Review: draft-drage-sipping-rfc3455bis-09.txt

Mary Barnes <mary.ietf.barnes@gmail.com> Fri, 10 January 2014 19:48 UTC

Return-Path: <mary.ietf.barnes@gmail.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F1ED1AE005 for <dispatch@ietfa.amsl.com>; Fri, 10 Jan 2014 11:48:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.698
X-Spam-Level:
X-Spam-Status: No, score=-1.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, GB_I_INVITATION=-2, HTML_MESSAGE=0.001, MANGLED_AVOID=2.3, NORMAL_HTTP_TO_IP=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EGd2Kf-rVcO4 for <dispatch@ietfa.amsl.com>; Fri, 10 Jan 2014 11:48:37 -0800 (PST)
Received: from mail-wg0-x22b.google.com (mail-wg0-x22b.google.com [IPv6:2a00:1450:400c:c00::22b]) by ietfa.amsl.com (Postfix) with ESMTP id 0D3041AE1B7 for <dispatch@ietf.org>; Fri, 10 Jan 2014 11:48:36 -0800 (PST)
Received: by mail-wg0-f43.google.com with SMTP id k14so4427926wgh.34 for <dispatch@ietf.org>; Fri, 10 Jan 2014 11:48:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=WWk9eqEp+ZWI7vbpoHf/XbbUeNRmmdPAy8hrV4zp+rI=; b=IBAWHj4KJ/A9q0tIdd3++e4u61lt95FTem0bzZuHgV2ZBMqKlkRU+j9YQmr9I/lvCL tPhXDUUHqgmB0wFf9ZYkBMA1ZlRwk/RzXFJgarQJsTaYuLsBBjVMAx2MslvWvfYGw9lz ay2Q9cRi14XuEp/VEwoSFnE4DIwM4EHGQTSgSluuH/oWVBUZNVulLVgr/BaqH/lOBiDE uBkHxujtA0rUU5UFhhzj9kk81oBjNhOoNrPqBAegAMu8FYYgRYYz4KyNB0gpwttCGyca oqXjQXS6ZiE6EO3Ugc963xKocJhXmWPiS1+jt6XqsrudgwQ/Q2NGc+xO/y1sVrLAbOEZ Y5VQ==
MIME-Version: 1.0
X-Received: by 10.180.206.41 with SMTP id ll9mr4269912wic.7.1389383306491; Fri, 10 Jan 2014 11:48:26 -0800 (PST)
Received: by 10.216.172.9 with HTTP; Fri, 10 Jan 2014 11:48:26 -0800 (PST)
In-Reply-To: <BBF5DDFE515C3946BC18D733B20DAD233985F212@XMB122CNC.rim.net>
References: <CAHBDyN7b32R9CR89rJrJOq03KeF7So-iW_5i4k8bX+BUzhT4fw@mail.gmail.com> <BBF5DDFE515C3946BC18D733B20DAD233985F212@XMB122CNC.rim.net>
Date: Fri, 10 Jan 2014 13:48:26 -0600
Message-ID: <CAHBDyN6Z4fLL_DFZa-SgFsVWXA8TwwUm6LUio0NkuW3CucgSxA@mail.gmail.com>
From: Mary Barnes <mary.ietf.barnes@gmail.com>
To: Andrew Allen <aallen@blackberry.com>
Content-Type: multipart/alternative; boundary=001a11c3888270bd0204efa302b6
Cc: "dispatch@ietf.org" <dispatch@ietf.org>, "dean.willis@softarmor.com" <dean.willis@softarmor.com>
Subject: Re: [dispatch] PROTO Review: draft-drage-sipping-rfc3455bis-09.txt
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2014 19:48:45 -0000

Thanks Andrew.  So, that needs to be clearly stated in the abstract as
well.  In addition, the Overview section states:
"This document is an update to RFC3455".  So that also needs to be fixed.
Given the number of changes at this point, I would now prefer Roland make
those changes before we ask Gonzalo to progress it to IETF LC.

Mary.


On Fri, Jan 10, 2014 at 1:45 PM, Andrew Allen <aallen@blackberry.com> wrote:

>
> I think it obsoletes RFC 3455. It is a complete replacement for the
> original.
>
> Andrew
>
>  *From*: Mary Barnes [mailto:mary.ietf.barnes@gmail.com]
> *Sent*: Friday, January 10, 2014 02:37 PM Eastern Standard Time
> *To*: R.Jesske@telekom.de <R.Jesske@telekom.de>
> *Cc*: DISPATCH <dispatch@ietf.org>rg>; Dean Willis <dean.willis@softarmor.com>
>
> *Subject*: Re: [dispatch] PROTO Review:
> draft-drage-sipping-rfc3455bis-09.txt
>
>  There is yet one more change needed.  This document is an Updates to
> 3455bis (AFAIK, unless Obseletes works better for 3GPP usage).  That
> categorization needs to be included in the document header (3rd line).
>
>  Thanks,
> Mary.
>
>
> On Fri, Jan 10, 2014 at 1:34 PM, Mary Barnes <mary.ietf.barnes@gmail.com>wrote;wrote:
>
>> IN addition to removing the unused references in the next update, there
>> are still 4 domain names that are not using an appropriate documentation
>> domain (e.g., home.net).  Please add that change to the list for the
>> next revision.  I'm going to ahead and forward the PROTO write-up to
>> Gonzalo, noting the changes that are needed and suggesting those changes
>> can be made along with other IETF LC changes.
>>
>>  Thanks,
>> Mary
>>
>>
>> On Wed, Jan 8, 2014 at 2:46 AM, <R.Jesske@telekom.de> wrote:
>>
>>>  Thank you Marry,
>>>
>>> for doing all this review.
>>>
>>> So I have now put out the errors.
>>>
>>> There are still some unused references which are in our informal
>>> reference section. But useful for the reader to know they exist.
>>>
>>> There are also some warnings with regard to IP addresses and wrong FQDNs
>>> which I think is some interpretation of strings in the text which are not
>>> meant to be a IP address or FQDN at all.
>>>
>>>
>>>
>>> Detail see below.
>>>
>>>
>>>
>>> So now hopefully everything is ready for the next step.
>>>
>>>
>>>
>>> Best Regards
>>>
>>>
>>>
>>> Roland
>>>
>>>
>>>
>>> tmp/draft-drage-sipping-rfc3455bis-12.txt:
>>>
>>>
>>>
>>>   Checking boilerplate required by RFC 5378 and the IETF Trust (see
>>>
>>>   http://trustee.ietf.org/license-info):
>>>
>>>
>>> ----------------------------------------------------------------------------
>>>
>>>
>>>
>>>      No issues found here.
>>>
>>>
>>>
>>>   Checking nits according to
>>> http://www.ietf.org/id-info/1id-guidelines.txt:
>>>
>>>
>>> ----------------------------------------------------------------------------
>>>
>>>
>>>
>>>      No issues found here.
>>>
>>>
>>>
>>>   Checking nits according to http://www.ietf.org/id-info/checklist :
>>>
>>>
>>> ----------------------------------------------------------------------------
>>>
>>>
>>>
>>>  == There are 4 instances of lines with non-RFC2606-compliant FQDNs in
>>> the
>>>
>>>      document.
>>>
>>>
>>>
>>>   == There are 4 instances of lines with non-RFC5735-compliant IPv4
>>> addresses
>>>
>>>      in the document.  If these are example addresses, they should be
>>> changed.
>>>
>>>
>>>
>>>
>>>
>>>   Miscellaneous warnings:
>>>
>>>
>>> ----------------------------------------------------------------------------
>>>
>>>
>>>
>>>      No issues found here.
>>>
>>>
>>>
>>>   Checking references for intended status: Informational
>>>
>>>
>>> ----------------------------------------------------------------------------
>>>
>>>
>>>
>>>   == Missing Reference: 'RFC XXXX' is mentioned on line 1662, but not
>>> defined
>>>
>>>
>>>
>>>   -- Looks like a reference, but probably isn't: '3' on line 1943
>>>
>>>
>>>
>>>   == Unused Reference: 'RFC3262' is defined on line 2068, but no explicit
>>>
>>>      reference was found in the text
>>>
>>>
>>>
>>>   == Unused Reference: 'RFC3311' is defined on line 2072, but no explicit
>>>
>>>      reference was found in the text
>>>
>>>
>>>
>>>   == Unused Reference: 'RFC3428' is defined on line 2078, but no explicit
>>>
>>>      reference was found in the text
>>>
>>>
>>>
>>>   == Unused Reference: 'RFC3903' is defined on line 2090, but no explicit
>>>
>>>      reference was found in the text
>>>
>>>
>>>
>>>   == Unused Reference: 'RFC6086' is defined on line 2101, but no explicit
>>>
>>>      reference was found in the text
>>>
>>>
>>>
>>>
>>>
>>>      Summary: 0 errors (**), 0 flaws (~~), 8 warnings (==), 1 comment
>>> (--).
>>>
>>>
>>>
>>>      Run idnits with the --verbose option for more detailed information
>>> about
>>>
>>>      the items above.
>>>
>>>
>>> --------------------------------------------------------------------------------
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *Von:* Mary Barnes [mailto:mary.ietf.barnes@gmail.com]
>>> *Gesendet:* Dienstag, 7. Januar 2014 18:55
>>>
>>> *An:* Jesske, Roland
>>> *Cc:* DISPATCH; Gonzalo Camarillo; Atle Monrad; Dean Willis
>>> *Betreff:* Re: PROTO Review: draft-drage-sipping-rfc3455bis-09.txt
>>>
>>>
>>>
>>> Thanks Roland.  I have reviewed that version and all the changes I
>>> suggested have been made.  However, in doing the PROTO write-up I realized
>>> that I wasn't certain anyone had reviewed the ABNF. So, I ran the ABNF
>>> through Bill Fenner's tool:
>>>
>>> http://tools.ietf.org/tools/bap/abnf.cgi
>>>
>>>
>>>
>>> And, there are a couple things that need to be fixed:
>>>
>>> 1)  DOT needs to change to "." (we had this same bug in RFC 4244):
>>>
>>> transit-ioi-indexed-value = transit-ioi-name DOT transit-ioi-index
>>>
>>>
>>>
>>> 2)  There's an extra space here (between * and parenthesis):
>>>
>>> transit-ioi-name          = ALPHA * (ALPHA / DIGIT)
>>>
>>> NEw: transit-ioi-name          = ALPHA *(ALPHA / DIGIT)
>>>
>>>
>>>
>>> There are also a number of long lines in the ABNF that should be fixed.
>>>
>>>
>>>
>>> In addition, IDNITS identifies other errors and warnings per the
>>> following.  Those should also be addressed including considering whether
>>> obsolete references need changing:
>>>
>>>
>>>
>>> idnits 2.13.01
>>>
>>>
>>>
>>> tmp/draft-drage-sipping-rfc3455bis-11.txt:
>>>
>>>
>>>
>>>   Checking boilerplate required by RFC 5378 and the IETF Trust (see
>>>
>>>   http://trustee.ietf.org/license-info):
>>>
>>>   ----------------------------------------------------------------------------
>>>
>>>
>>>
>>>      No issues found here.
>>>
>>>
>>>
>>>   Checking nits according to http://www.ietf.org/id-info/1id-guidelines.txt:
>>>
>>>   ----------------------------------------------------------------------------
>>>
>>>
>>>
>>>      No issues found here.
>>>
>>>
>>>
>>>   Checking nits according to http://www.ietf.org/id-info/checklist :
>>>
>>>   ----------------------------------------------------------------------------
>>>
>>>
>>>
>>>   ** There are 9 instances of too long lines in the document, the longest one
>>>
>>>      being 20 characters in excess of 72.
>>>
>>>
>>>
>>>   == There are 4 instances of lines with non-RFC2606-compliant FQDNs in the
>>>
>>>      document.
>>>
>>>
>>>
>>>   == There are 4 instances of lines with non-RFC5735-compliant IPv4 addresses
>>>
>>>      in the document.  If these are example addresses, they should be changed.
>>>
>>>
>>>
>>>
>>>
>>>   Miscellaneous warnings:
>>>
>>>   ----------------------------------------------------------------------------
>>>
>>>
>>>
>>>   == The document seems to contain a disclaimer for pre-RFC5378 work, but was
>>>
>>>      first submitted on or after 10 November 2008.  The disclaimer is usually
>>>
>>>      necessary only for documents that revise or obsolete older RFCs, and that
>>>
>>>      take significant amounts of text from those RFCs.  If you can contact all
>>>
>>>      authors of the source material and they are willing to grant the BCP78
>>>
>>>      rights to the IETF Trust, you can and should remove the disclaimer.
>>>
>>>      Otherwise, the disclaimer is needed and you can ignore this comment.
>>>
>>>      (See the Legal Provisions document at
>>>
>>>      http://trustee.ietf.org/license-info for more information.)
>>>
>>>
>>>
>>>
>>>
>>>   Checking references for intended status: Informational
>>>
>>>   ----------------------------------------------------------------------------
>>>
>>>
>>>
>>>   == Missing Reference: 'RFC XXXX' is mentioned on line 1667, but not defined
>>>
>>>
>>>
>>>   -- Looks like a reference, but probably isn't: '3' on line 1948
>>>
>>>
>>>
>>>   == Unused Reference: 'RFC2976' is defined on line 2065, but no explicit
>>>
>>>      reference was found in the text
>>>
>>>
>>>
>>>   == Unused Reference: 'RFC3262' is defined on line 2068, but no explicit
>>>
>>>      reference was found in the text
>>>
>>>
>>>
>>>   == Unused Reference: 'RFC3311' is defined on line 2075, but no explicit
>>>
>>>      reference was found in the text
>>>
>>>
>>>
>>>   == Unused Reference: 'RFC3428' is defined on line 2081, but no explicit
>>>
>>>      reference was found in the text
>>>
>>>
>>>
>>>   == Unused Reference: 'RFC3903' is defined on line 2093, but no explicit
>>>
>>>      reference was found in the text
>>>
>>>
>>>
>>>   ** Obsolete normative reference: RFC 2234 (Obsoleted by RFC 4234)
>>>
>>>
>>>
>>>   -- Obsolete informational reference (is this intentional?): RFC 2976
>>>
>>>      (Obsoleted by RFC 6086)
>>>
>>>
>>>
>>>   -- Obsolete informational reference (is this intentional?): RFC 3265
>>>
>>>      (Obsoleted by RFC 6665)
>>>
>>>
>>>
>>>
>>>
>>>      Summary: 2 errors (**), 0 flaws (~~), 9 warnings (==), 3 comments (--).
>>>
>>>
>>>
>>>      Run idnits with the --verbose option for more detailed information about
>>>
>>>      the items above.
>>>
>>>  While I apologize for not catching these issues earlier, it really is
>>> the responsibility of authors to check idnits (beyond what the submission
>>> tool requires) for their documents.  I routinely run idnits before I submit
>>> a document as it can also save time when fixing the  nits that the
>>> submission tool catches:   https://tools.ietf.org/tools/idnits/
>>>
>>>
>>>
>>> Regards,
>>>
>>> Mary.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Jan 7, 2014 at 12:35 AM, <R.Jesske@telekom.de> wrote:
>>>
>>> Hi Mary,
>>>
>>> Now a new revision is available.
>>>
>>>
>>>
>>> Thank you and Best Regards
>>>
>>>
>>>
>>> Roland
>>>
>>>
>>>
>>> *Von:* Mary Barnes [mailto:mary.ietf.barnes@gmail.com]
>>> *Gesendet:* Montag, 6. Januar 2014 20:00
>>>
>>>
>>> *An:* Jesske, Roland
>>> *Cc:* DISPATCH; Gonzalo Camarillo; Atle Monrad; Dean Willis
>>> *Betreff:* Re: PROTO Review: draft-drage-sipping-rfc3455bis-09.txt
>>>
>>>
>>>
>>> Hi Roland,
>>>
>>>
>>>
>>> One final editorial nit below.  If you can spin a revision, then I'll
>>> send the PROTO write-up to the AD.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Mary.
>>>
>>>
>>>
>>> On Thu, Jan 2, 2014 at 3:29 AM, <R.Jesske@telekom.de> wrote:
>>>
>>> Hi Mary,
>>>
>>> I wish you a happy new year 2014. And the best for the next year.
>>>
>>>
>>>
>>> I was looking again on my changes I made due to your proposal in
>>> December.
>>>
>>> I realized that if I change the SHOULD to MUST we have now a backward
>>> compatibility problem.
>>>
>>> We are using the P-Associated-URI also over the IMS user interface which
>>> is not encrypted.
>>>
>>> So I propose to add some more words.
>>>
>>> …
>>>
>>> Section 6.1
>>>
>>> …
>>>
>>>          <t>An eavesdropper could possibly collect the list of
>>> identities a user is registered.
>>>
>>>        This can have privacy implications. To mitigate this problem,
>>> this extension SHOULD
>>>
>>>        only be used in a secured environment, where encryption of SIP
>>> messages is
>>>
>>>        provided either end-to-end or hop-by-hop.  </t>
>>>
>>>
>>>
>>>       <t> Since the P-Associated-URI header field value allows to
>>> implicitly register
>>>
>>>       a bundle of URIs with one REGISTER Message the impact of security
>>> using the P-Associated-URI header field is not higher than
>>>
>>>       using single REGISTER messages when registering all identities
>>> explicit.</t>
>>>
>>> [MB] I just have some editorial suggestions for the above:
>>>
>>> NEW:
>>>
>>> <t> While the P-Associated-URI header field value allows the implicit
>>> registration of
>>>
>>>       a bundle of URIs with one REGISTER Message the impact of security
>>> using the P-Associated-URI header field is no higher than
>>>
>>>       using separate REGISTER messages for each of the URIs. </t>
>>>
>>> [/MB]
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> For the P-Called-Party-Id the change should be also done like as follows:
>>>
>>>
>>>
>>>         <t>An eavesdropper could possibly collect the list of
>>> identities a user is registered.
>>>
>>>        This can have privacy implications.  To mitigate this problem,
>>> this extension SHOULD
>>>
>>>        only be used in a secured environment, where encryption of SIP
>>> messages is
>>>
>>>        provided either end-to-end or hop-by-hop.  </t>
>>>
>>>
>>>
>>>         <t>Normally within a 3GPP environment the P-Called-Party-ID is
>>> not sent towards end users but may be exchanged between carriers where
>>> other security mechanisms than SIP encryption are used.  </t>
>>>
>>>
>>>
>>> Sorry coming so late.
>>>
>>> If this is OK for you I will include it to a new version.
>>>
>>>
>>>
>>> Thank you and Best Regards
>>>
>>>
>>>
>>> Roland
>>>
>>>
>>>
>>> *Von:* Mary Barnes [mailto:mary.ietf.barnes@gmail.com]
>>> *Gesendet:* Freitag, 27. Dezember 2013 19:45
>>>
>>>
>>> *An:* Jesske, Roland
>>> *Cc:* DISPATCH; Gonzalo Camarillo; Atle Monrad; Dean Willis
>>> *Betreff:* Re: PROTO Review: draft-drage-sipping-rfc3455bis-09.txt
>>>
>>>
>>>
>>> Hi Roland,
>>>
>>>
>>>
>>> Thanks for making these changes. I finally had a chance to review this
>>> updated version.   I still have a couple comments on the security section
>>> as I think you will get questions during SEC review around this unless some
>>> more detail is provided on security threats and impacts.   I've extracted
>>> these few points from previous review comment threads.
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Mary.
>>>
>>>
>>>
>>> ----Previous point  --------------------------------->
>>>
>>> - Section 6.1: this needs some tighter wording.  What is meant by "potentially annoying"  for example?
>>>
>>>  *[*RJ] I do not know. This is original text. So I deleted the words.
>>>
>>> -
>>>
>>> [MB] So, you removed that part of the sentence and are left with:
>>>
>>> "This attack should not have any significant impacts."
>>>
>>>
>>>
>>>
>>>
>>> I don't think that adds any value and just begs the question "what are the insignificant impacts and are there any privacy concerns"?  Really, it's the next paragraph that provides details of the impacts.  I think you could probably remove that sentence altogether and not lose anything.
>>>
>>>
>>>
>>>
>>>
>>>
>>> [/MB]
>>>
>>>
>>>
>>> ----Previous point --------------------------------->
>>>
>>>
>>>
>>> -  Section 6.2: I think you need to be more specific about the "nature" that makes this header not of particular concern with regards to security. Does it reveal additional, unique information about an individual that isn't available in other headers.  Also, the 2nd paragraph needs some work - maybe something like:
>>>
>>>
>>>
>>>
>>>
>>>
>>> OLD:
>>>
>>>
>>>
>>>
>>>
>>> An eavesdropper may collect the list of identities a user is registered.  This may have privacy implications.  To mitigate this problem, this extension SHOULD only be used in a secured environment, where encryption of SIP messages is provided either end-to-end or
>>>
>>>
>>>
>>>
>>>
>>>
>>> hop-by-hop.
>>>
>>> NEW:
>>>
>>>
>>>
>>> An eavesdropper could possibly collect the list of identities a user is registered.  This can have privacy implications.  To mitigate this problem, this extension MUST only be used in a secured environment, where encryption of SIP messages is provided either end-to-end or hop-by-hop.
>>>
>>> ----End previous point ------------------------------<
>>>
>>>
>>>
>>> [MB]  The suggested change for the first sentence didn't get into the revision.  And, I believe you still need to identify privacy/security implications by addressing whether or not this header reveals any unique information about an individual that isn't available in other headers.   [/MB]
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> On Tue, Dec 3, 2013 at 7:00 AM, <R.Jesske@telekom.de> wrote:
>>>
>>> Hi Mary,
>>>
>>> Thank you for your comments and proposals.
>>>
>>> I have now included all comments and uploaded a new version.
>>>
>>> So we can now proceed.
>>>
>>>
>>>
>>> Thank you and Best Regards
>>>
>>>
>>>
>>> Roland
>>>
>>>
>>>
>>> A new version of I-D, draft-drage-sipping-rfc3455bis-10.txt
>>>
>>> has been successfully submitted by Roland Jesske and posted to the IETF
>>> repository.
>>>
>>>
>>>
>>> Filename:   draft-drage-sipping-rfc3455bis
>>>
>>> Revision:   10
>>>
>>> Title:            Private Header (P-Header) Extensions to the Session
>>> Initiation Protocol (SIP) for the 3rd-Generation Partnership Project (3GPP)
>>>
>>> Creation date:    2013-12-03
>>>
>>> Group:            Individual Submission
>>>
>>> Number of pages: 46
>>>
>>> URL:
>>> http://www.ietf.org/internet-drafts/draft-drage-sipping-rfc3455bis-10.txt
>>>
>>> Status:
>>> http://datatracker.ietf.org/doc/draft-drage-sipping-rfc3455bis
>>>
>>> Htmlized:
>>> http://tools.ietf.org/html/draft-drage-sipping-rfc3455bis-10
>>>
>>> Diff:
>>> http://www.ietf.org/rfcdiff?url2=draft-drage-sipping-rfc3455bis-10
>>>
>>>
>>>
>>> Abstract:
>>>
>>>    This document describes a set of private Session Initiation Protocol
>>>
>>>    (SIP) header fields (P-headers) used by the 3rd-Generation
>>>
>>>    Partnership Project (3GPP), along with their applicability, which is
>>>
>>>    limited to particular environments.  The P-header fields are for a
>>>
>>>    variety of purposes within the networks that the partners use,
>>>
>>>    including charging and information about the networks a call
>>>
>>>    traverses.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> *Von:* Mary Barnes [mailto:mary.ietf.barnes@gmail.com]
>>> *Gesendet:* Montag, 25. November 2013 23:01
>>>
>>>
>>> *An:* Jesske, Roland
>>> *Cc:* DISPATCH; Gonzalo Camarillo; Atle Monrad; Dean Willis
>>>
>>> *Betreff:* Re: PROTO Review: draft-drage-sipping-rfc3455bis-09.txt
>>>
>>>
>>>
>>> Hi Roland,
>>>
>>>
>>>
>>> Thanks for your response.  Additional comments below [MB].
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Mary.
>>>
>>>
>>>
>>> On Thu, Nov 21, 2013 at 7:21 AM, <R.Jesske@telekom.de> wrote:
>>>
>>> Hi Mary,
>>>
>>> Thank you for your review.
>>>
>>> I have added now your proposals to the draft.
>>>
>>> Other comments please see below.
>>>
>>>
>>>
>>> I hope now everything is OK.
>>>
>>>
>>>
>>> Thank you and Best Regards
>>>
>>>
>>>
>>> Roland
>>>
>>>
>>>
>>> *Von:* Mary Barnes [mailto:mary.ietf.barnes@gmail.com]
>>> *Gesendet:* Dienstag, 29. Oktober 2013 17:27
>>> *An:* Jesske, Roland
>>> *Cc:* DISPATCH; Gonzalo Camarillo; Atle Monrad; Dean Willis
>>> *Betreff:* PROTO Review: draft-drage-sipping-rfc3455bis-09.txt
>>>
>>>
>>>
>>> In preparation for the PROTO write-up, I have reviewed the document in
>>> detail.  My detailed review was originally based on the -08, but I also
>>> reviewed the 09 diff.  There are a few errors that have been introduced in
>>> the -09 and many of my -08 comments remain - I've separated comments from
>>> nits below.  A number of these comments are with regards to text that was
>>> not changed from RFC 3455, but I think some of the text requires updating
>>> and we need to keep in mind that this an entirely new IESG that will be
>>> reviewing this document, so they won't have the same context of the IESG
>>> that approved RFC 3455.  I will note that I also have not validated the
>>> content of section 9 against a diff of this document and RFC 3455.  I will
>>> need to do that before I progress the document unless the authors can point
>>> me to another review that has done that.
>>>
>>>
>>>
>>> Regards,
>>>
>>> Mary.
>>>
>>>
>>>
>>> Summary:  This document needs some work prior to being progressed.
>>>
>>>
>>>
>>> Comments:
>>>
>>> ----------------
>>>
>>> - Section 1.  I think you should be explicit that these extensions apply
>>> only to a private network - saying they are "generally not applicable" is
>>> too soft, so I would suggest some minor rewording something like:
>>>
>>> OLD:
>>>
>>>    The SIP extensions specified in this document make certain
>>>
>>>
>>>
>>>    assumptions regarding network topology, linkage between SIP and lower
>>>
>>>    layers, and the availability of transitive trust.  These assumptions
>>>
>>>    are generally NOT APPLICABLE in the Internet as a whole.
>>>
>>>
>>>
>>>   NEW:
>>>
>>>
>>>
>>>    The SIP extensions specified in this document make certain
>>>
>>>    assumptions regarding network topology, linkage between SIP and lower
>>>
>>>    layers, and the availability of transitive trust.  These assumptions
>>>
>>>    apply only to private networks and are not appropriate for use in an Internet environment.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> - Section 3.  This section needs to be updated.  I don't think that 10 year old background is relevant in the current context.   You should be able to model this after the text in more recent 3GPP P-header documents, referring to the SIP change process.
>>>
>>>
>>>
>>>  [RJ] OK, I have changed the text:
>>>
>>> The Third Generation Partnership Project (3GPP) has selected SIP as
>>>
>>>      the protocol used to establish and tear down multimedia sessions in
>>> the
>>>
>>>      context of its IP Multimedia Subsystem (IMS). For more information
>>> on
>>>
>>>      the IMS, a detailed description can be found in 3GPP TS 23.228 .
>>> This document is an update of RFC3455   which covers the requirements in
>>> RFC4083 and describes updates and adds private extensions to address those
>>> requirements which are needed in for 3GPP Release 11. Each extension, or
>>> set of related extensions is described in its own section below
>>>
>>> [MB] I suggest just a bit more rewording.  Note that I didn't see that
>>> this document is adding any new headers
>>>
>>>
>>>
>>>     The Third Generation Partnership Project (3GPP) uses SIP as
>>>
>>>      the protocol  to establish and tear down multimedia sessions in the
>>>
>>>      context of its IP Multimedia Subsystem (IMS), as described in
>>>
>>>      the 3GPP TS 23.228 specification.
>>>
>>>      RFC 3455 defines SIP private header extensions (referred to as
>>> P-headers) which are
>>>
>>>      required by the 3GPP specification. Note that the requirements for
>>> these extensions
>>>
>>>      are documented in RFC 4083.   This document is an update to
>>> RFC3455.
>>>
>>>      This document updates existing P-header descriptions
>>>
>>>      to address additional requirements which are needed for 3GPP
>>> Release 11.
>>>
>>>      Each of the P-headers is described in the sections below.
>>>
>>>
>>>
>>> [/MB]
>>>
>>>
>>>
>>>     - Section 4.1. "registered address-of-record" -> "registered SIP address-of-record"
>>>
>>> - Section 4.1, 3rd paragraph.  "Note that, generally speaking," -> "Note that in standard SIP usage [RFC3261]"
>>>
>>> - Section 4.1.2.3.  I don't think this is stated properly.  I think the intent is that this header is not applicable to proxies, therefore the proxy MUST relay the header field unchanged.  I would suggest rewording something like:
>>>
>>> OLD:
>>>
>>>    This memo does not define any procedure at the proxy.  The proxy does
>>>
>>>    not add, read, modify or delete the header field, and therefore any
>>>
>>>    proxy will relay this header field unchanged.
>>>
>>>
>>>
>>> NEW:
>>>
>>>
>>>
>>>    This header is not intended to be used by proxies - a proxy does
>>>
>>>    not add, read, modify or delete the header field, and therefore any
>>>
>>>    proxy MUST relay this header field unchanged.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Section 4.2, 1st paragraph.  The behavior in this sentence is not normative from a SIP protocol perspective, thus MAY is not appropriate.  I suggest the MAY be changed to "can".
>>>
>>>    The UAS MAY use the information to render different distinctive audiovisual alerting
>>>
>>>    tones, depending on the URI used to receive the invitation to the
>>>
>>>    session.
>>>
>>> Section 4.2.2.2, 2nd paragraph.  The behavior in this sentence is not normative from a SIP protocol perspective, thus  I suggest the MAY be changed to "can".
>>>
>>>
>>>
>>> - Section 4.3.3, last paragraph.  I think this ought to be a MUST: "The identifier should be globally unique.."
>>>
>>>
>>>
>>> - Section 4.3.2.1.  This text has changed from the -08.   I don't know what a "normal User Equipment" is and the term "User Equipment" is not defined in this specification.  I think it would be better to say something like. However, even with this proposed change, I think you also need text for user agent server behavior - i.e., what would a UAS do if it received this header.
>>>
>>>
>>>
>>> OLD:
>>>
>>>    A normal User Equipment has normally no knowledge of the P-Visited-
>>>
>>>    Network-ID when sending the REGISTER.  Therefore user agent clients
>>>
>>>    do not insert a P-Visited-Network-ID header field in any SIP message.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> NEW:
>>>
>>>    In the context of the network to which the header fields defined in this document apply, a User Agent has no knowledge of the P-Visited-Network-ID when sending the REGISTER request.  Therefore user agent clients MUST NOT insert a P-Visited-Network-ID header field in any SIP message.
>>>
>>>
>>>
>>> - Section 4.3.2.2:, 2nd paragraph:  "home network MAY use" -> "home network can use"
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> - Section 4.3.2.2, last paragraph:
>>>
>>>
>>>
>>>
>>>
>>> OLD: Note that a received P-Visited-Network-ID from a UA is a failure case and must be deleted.
>>>
>>>
>>>
>>> NEW:  Note that a received P-Visited-Network-ID from a UA is a failure case and MUST be deleted when the request is forwarded.
>>>
>>>
>>>
>>> Section 4.4.2.1, 2nd paragraph:  "MUST trust the proxy" -> "MUST have a trust relationship with the proxy"
>>>
>>>
>>>
>>> Section 4.4.2.1, 3rd paragraph:  "there must also be a transitive trust" ->  "there MUST also be a transitive trust"
>>>
>>> Section 4.4.2.2, 2nd paragraph: "MAY act upon any information present" -> "can act upon any information present",  "MAY use the call id" -> "can use the call id"
>>>
>>> Section 4.5.2: 2nd paragraph: "MAY use the hostnames" -> "can use the hostnames"
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> Section 4.5.2.1 2nd paragraph: "MAY use the contents" -> "can use the contents"
>>>
>>>
>>>
>>> - Section 4.6.2, 3rd paragraph: "MAY use the values" -> "can use the values"
>>>
>>>  - Section 4.6.3, 3rd paragraph: needs some editorial work.  Maybe the following change would work:
>>>
>>>
>>>
>>>
>>>
>>> OLD:
>>>
>>>
>>>
>>>    Depending on the call scenario it is needed to add for each transit
>>>
>>>    network either a transit network name or a void value.  Nevertheless
>>>
>>>    it can not be guaranteed that all values will appear within the P-Charging-Vector header field.
>>>
>>>
>>>
>>>
>>>
>>> NEW:
>>>
>>>
>>>
>>>    Depending on the call scenario, each transit network can add either a transit network name or a void    value.  However, it can not be guaranteed that all the values that are added will appear within the P-Charging-Vector header field.
>>>
>>>
>>>
>>> - Section 4.6.3, next to last paragraph: "which needs to be incremented" -> "which MUST be incremented"
>>>
>>>
>>>
>>> - Section 4.6.3, last paragraph.  I have no idea what that is trying to say other than void values have no index.  What does "taken into consideration" mean. Are you talking about limits on the number of entries or are you suggesting that the number of void values must be considered when setting the index for the transit network names?
>>>
>>>
>>>
>>>  [RJ] Yes! Changed the text to:
>>>
>>>
>>>
>>> A void value has no index. By adding the next value the index has to be incremented by the number of void entries +1.
>>>
>>>
>>>
>>> - Section 4.6.4.2: I don't know what this means:  "A deletion of the elements could appear depending on the network policy and trust rules".  Is it just trying to say that along with the adding and modifying in the previous sentence that the elements can also be deleted by the proxy?
>>>
>>>
>>>
>>>  [RJ] Yes, I have changed the text:
>>>
>>> Procedures described within 4.6.2.2 apply. A transit-ioi MAY be
>>>
>>>            added or modified by a proxy. A deletion of the transit-ioi
>>> or a entry within the tranist-ioi could
>>>
>>>            appear depending on the network policy and trust rules. This
>>> is
>>>
>>>            also valid by replacing the transit-ioi with a void value.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> - Section 5.7. Delete this text and table.   We aren't these tables anymore as they really don't provide any useful information.  You just need to verbally state what messages these headers can appear in.
>>>
>>>
>>>
>>>  [RJ] OK
>>>
>>>
>>>
>>> So I changed 5.7 to “New header”
>>>
>>> The P-Associated-URI can appear in SIP REGISTER method and 2xx resonses,
>>> P-Called-Party-ID can appear in SIP INVITE, OPTIONS, PUBLISH,SUBSCRIBE,
>>> MESSAGE methods and all responses, P-Visited-Network-ID can appear in all
>>> SIP methods except ACK, BYE and CANCEL and all responses,
>>> P-Access-Network-Info can appear in all SIP methods exept ACK and CANCEL,
>>> P-Charging-Vector  can appear in all SIP methods exept CANCEL and the
>>> P-Charging-Function-Addresses can appear in all SIP methods exept ACK and
>>> CANCEL.
>>>
>>>  [MB] I suggest you put each of these in separate sentences - i.e.,
>>> rather than use comma separators, use a period.  You should also spell out
>>> that these are header fields - i.e., "The P-Associated-URI header field can
>>> appear....2xx responses.   The P-Called-Party-ID header field....
>>>
>>>
>>>
>>>
>>>
>>> - Section 6.1: this needs some tighter wording.  What is meant by "potentially annoying"  for example?
>>>
>>>
>>>
>>>  [RJ] I do not know. This is original text. So I deleted the words.
>>>
>>>
>>>
>>> - Section 6.2: I think you need to be more specific about the "nature" that makes this header not of particular concern with regards to security. Does it reveal additional, unique information about an individual that isn't available in other headers.  Also, the 2nd paragraph needs some work - maybe something like:
>>>
>>>
>>>
>>> OLD:
>>>
>>> An eavesdropper may collect the list of identities a user is registered.  This may have privacy implications.  To mitigate this problem, this extension SHOULD only be used in a secured environment, where encryption of SIP messages is provided either end-to-end or
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> hop-by-hop.
>>>
>>>
>>>
>>>
>>>
>>> NEW:
>>>
>>>
>>>
>>>  An eavesdropper could possibly collect the list of identities a user is registered.  This can have privacy implications.  To mitigate this problem, this extension MUST only be used in a secured environment, where encryption of SIP messages is provided either end-to-end or hop-by-hop.
>>>
>>>
>>>
>>> [MB]  So, I think the first sentence is trying to say: "An eavesdropper
>>> could possibly collect the list of identities a user has registered."
>>>
>>> or  "An eavesdropper could possibly collect the list of identities
>>> registered by a user."
>>>
>>> [/MB]
>>>
>>>   - Section 6.4,
>>>
>>> --3rd paragraph: "should not" -> "MUST NOT"
>>>
>>>
>>>
>>> -- 7th paragraph:  "SHOULD NOT be sent" -> "MUST NOT be sent"
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> -- 8th paragraph: "SHOULD NOT send sensitive information" -> "MUST NOT send sensitive information"
>>>
>>>
>>>
>>>
>>>
>>> -- 9th paragraph: "is required to delete" -> "is REQUIRED to delete"
>>>
>>>
>>>
>>> -- 10th paragraph:  How does a network ensure the information is not of a sensitive nature?   I would think that the information just should not be sent outside of the trust domain.  I believe that's consistent with the scope of these headers, is it not?
>>>
>>>
>>>
>>>  [RJ] Yes that is also my understanding so I deleted that paragraph. I think the rest is sufficient and described well how to behave.
>>>
>>>
>>>
>>> -- 11th paragraph: So, what does a proxy do with that information.  What are the implications if the information is used and it's not valid?
>>>
>>>  [RJ] Yes I did some changes as follows.
>>>
>>>
>>>
>>>         <t>A proxy receiving a message containing the
>>> P-Access-Network-Info
>>>
>>>        header field from a non-trusted entity is not able to guarantee
>>> the
>>>
>>>        validity of the contents. Thus this content SHOULD be deleted based on local policy.</t>
>>>
>>>
>>>
>>> - Section 9, item 2.  I think you need to add this text with regards to the recommendation to use RFC 4244 (bis) to the body of this document and include a real reference.
>>>
>>>
>>>
>>>  [RJ] OK done. I let the reference RFC4244 since 3GPP uses currently only RFC4244.
>>>
>>> Replaced following text:
>>>
>>> With section 9.2
>>>
>>>        <t>Requirements for a more general solution are proposed in <xref
>>>
>>>          target="RFC4244"></xref>. 3GPP will continue to use the
>>>
>>>          P-Called-Party-ID header field even though RFC 4244 <xref
>>>
>>>          target="RFC4244"></xref> has now been published.</t>
>>>
>>>
>>>
>>> I think the text in Section 9.2 is better.
>>>
>>>  *Nits:*
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>> - Section 4.1, 2nd paragraph.  "has associated to an address-of-record" -> "has associated with an address-of-record"
>>>
>>> - Section 4.1.2.2, 2nd paragraph, "In case" -> "If",  "shall not" -> SHALL NOT
>>>
>>> - Section 4.3.2.2, last sentence.  The -09 introduced a typo: "T means" -> "This means"
>>>
>>>
>>>
>>> - Section 4.3.2.3, 1st paragraph after 1st example.  The -09 introduced another typo: "the REGISTRAR" -> "at the REGISTRAR"
>>>
>>>
>>>
>>> Section 4.2.2.1, 3rd paragraph:  "there must also be a transitive trust" ->  "there MUST also be a transitive trust"
>>>
>>>
>>>
>>> Section 4.6, 2nd paragraph: "includes, includes but is not limited to" -> "includes, but is not limited to,"
>>>
>>>
>>>
>>> Section 4.6.2.2, 1st paragraph: "one ore more" -> "one or more"
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>     On Tue, Oct 8, 2013 at 11:58 AM, <R.Jesske@telekom.de> wrote:
>>>
>>> Dear all,
>>> I would like to inform you that I have implemented all comments coming
>>> from the expert review done by Dean Willis. Also an editorial cleanup was
>>> made.
>>>
>>> If there are still some comments that needs to be implemented please
>>> inform me.
>>>
>>> From my side I would be happy to proceed the draft further towards
>>> publication.
>>>
>>> Thank you and Best Regards
>>>
>>> Roland
>>>
>>>
>>> -----Ursprüngliche Nachricht-----
>>> Von: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
>>> Gesendet: Dienstag, 8. Oktober 2013 13:40
>>> An: Christer Holmberg; Keith Drage; Jesske, Roland
>>> Betreff: New Version Notification for
>>> draft-drage-sipping-rfc3455bis-09.txt
>>>
>>>
>>> A new version of I-D, draft-drage-sipping-rfc3455bis-09.txt
>>> has been successfully submitted by Keith Drage and posted to the IETF
>>> repository.
>>>
>>> Filename:        draft-drage-sipping-rfc3455bis
>>> Revision:        09
>>> Title:           Private Header (P-Header) Extensions to the Session
>>> Initiation Protocol (SIP) for the 3rd-Generation Partnership Project (3GPP)
>>> Creation date:   2013-10-08
>>> Group:           Individual Submission
>>> Number of pages: 47
>>> URL:
>>> http://www.ietf.org/internet-drafts/draft-drage-sipping-rfc3455bis-09.txt
>>> Status:
>>> http://datatracker.ietf.org/doc/draft-drage-sipping-rfc3455bis
>>> Htmlized:
>>> http://tools.ietf.org/html/draft-drage-sipping-rfc3455bis-09
>>> Diff:
>>> http://www.ietf.org/rfcdiff?url2=draft-drage-sipping-rfc3455bis-09
>>>
>>> Abstract:
>>>    This document describes a set of private Session Initiation Protocol
>>>    (SIP) header fields (P-headers) used by the 3rd-Generation
>>>    Partnership Project (3GPP), along with their applicability, which is
>>>    limited to particular environments.  The P-header fields are for a
>>>    variety of purposes within the networks that the partners use,
>>>    including charging and information about the networks a call
>>>    traverses.
>>>
>>>
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of
>>> submission until the htmlized version and diff are available at
>>> tools.ietf.org.
>>>
>>> The IETF Secretariat
>>>
>>>   -
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>  ---------------------------------------------------------------------
> This transmission (including any attachments) may contain confidential
> information, privileged material (including material protected by the
> solicitor-client or other applicable privileges), or constitute non-public
> information. Any use of this information by anyone other than the intended
> recipient is prohibited. If you have received this transmission in error,
> please immediately reply to the sender and delete this information from
> your system. Use, dissemination, distribution, or reproduction of this
> transmission by unintended recipients is not authorized and may be unlawful.
>