Re: [dispatch] New I-D: draft-dawes-dispatch-mediasec-parameter-01
"Elwell, John" <john.elwell@siemens-enterprise.com> Thu, 20 May 2010 13:43 UTC
Return-Path: <john.elwell@siemens-enterprise.com>
X-Original-To: dispatch@core3.amsl.com
Delivered-To: dispatch@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1C4FF3A69CC for <dispatch@core3.amsl.com>; Thu, 20 May 2010 06:43:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.171
X-Spam-Level:
X-Spam-Status: No, score=-2.171 tagged_above=-999 required=5 tests=[AWL=0.428, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 22RRJhduADiu for <dispatch@core3.amsl.com>; Thu, 20 May 2010 06:43:26 -0700 (PDT)
Received: from ms03.m0019.fra.mmp.de.bt.com (m0019.fra.mmp.de.bt.com [62.180.227.30]) by core3.amsl.com (Postfix) with ESMTP id 206833A69EB for <dispatch@ietf.org>; Thu, 20 May 2010 06:43:17 -0700 (PDT)
Received: from senmx11-mx ([62.134.46.9] [62.134.46.9]) by ms03.m0020.fra.mmp.de.bt.com with ESMTP id BT-MMP-238199; Thu, 20 May 2010 15:43:10 +0200
Received: from MCHP063A.global-ad.net (unknown [172.29.37.61]) by senmx11-mx (Server) with ESMTP id D57671EB82AB; Thu, 20 May 2010 15:43:10 +0200 (CEST)
Received: from MCHP058A.global-ad.net ([172.29.37.55]) by MCHP063A.global-ad.net ([172.29.37.61]) with mapi; Thu, 20 May 2010 15:43:10 +0200
From: "Elwell, John" <john.elwell@siemens-enterprise.com>
To: "Leis, Peter (NSN - DE/Munich)" <peter.leis@nsn.com>, ext Hadriel Kaplan <HKaplan@acmepacket.com>, "Dawes, Peter, VF-Group" <Peter.Dawes@vodafone.com>, "dispatch@ietf.org" <dispatch@ietf.org>
Date: Thu, 20 May 2010 15:43:09 +0200
Thread-Topic: [dispatch] New I-D: draft-dawes-dispatch-mediasec-parameter-01
Thread-Index: AcrmqvRb0oMPHsADQou35HEOHpkh5AAqrLBwAAk+WIAAD9d+AAAExKawAB23s7AAoA94sADKuJwAAoMDiCAACXnDkA==
Message-ID: <A444A0F8084434499206E78C106220CAE3649ADA@MCHP058A.global-ad.net>
References: <C6A11A02FF1FBF438477BB38132E47410614F0CD@EITO-MBX02.internal.vodafone.com><430FC6BDED356B4C8498F634416644A91A8A5F15EF@mail><D075E484906AB6479EEDA3624C87FAD1C204C3@DEMUEXC035.nsn-intra.net><430FC6BDED356B4C8498F634416644A91A8A5F1711@mail><D075E484906AB6479EEDA3624C87FAD1C2083F@DEMUEXC035.nsn-intra.net><430FC6BDED356B4C8498F634416644A91A8A5F18BC@mail> <D075E484906AB6479EEDA3624C87FAD1C20F7C@DEMUEXC035.nsn-intra.net> <A444A0F8084434499206E78C106220CAE34B4862@MCHP058A.global-ad.net> <D075E484906AB6479EEDA3624C87FAD1D03085@DEMUEXC035.nsn-intra.net>
In-Reply-To: <D075E484906AB6479EEDA3624C87FAD1D03085@DEMUEXC035.nsn-intra.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [dispatch] New I-D: draft-dawes-dispatch-mediasec-parameter-01
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 May 2010 13:43:28 -0000
Peter, I could not locate the particular requirements in the referenced document, which does not seem to have a Requirements section as such. Please cite the particular requirements that answer my questions and point to the section/paragraph where rationale for those requirements is given. The Internet Draft will need to be enhanced to give more rationale for requirements, rather than rely on reference to a relatively large external document that allegedly has requirements hidden somewhere within it. Thanks, John > -----Original Message----- > From: Leis, Peter (NSN - DE/Munich) [mailto:peter.leis@nsn.com] > Sent: 20 May 2010 10:05 > To: Elwell, John; ext Hadriel Kaplan; Dawes, Peter, VF-Group; > dispatch@ietf.org > Subject: RE: [dispatch] New I-D: > draft-dawes-dispatch-mediasec-parameter-01 > > hello, > > sorry for the late reply. > > The requirments for media-plane security in 3GPP IMS have been defined > in TS 33.328 http://www.3gpp.org/ftp/Specs/html-info/33328.htm . > > For SDES SRTP there are two modes defined, one is end2end and one is > end2accessedge. We need to provide a solution for both modes. > > And for end2accessedge we do have a requirement that the UE knows > whether or not the network (P-CSCF) will support SDES-SRTP before the > session takes place as described below. > > Peter > > > -----Original Message----- > > From: ext Elwell, John [mailto:john.elwell@siemens-enterprise.com] > > Sent: Friday, May 07, 2010 4:17 PM > > To: Leis, Peter (NSN - DE/Munich); ext Hadriel Kaplan; Dawes, > > Peter, VF-Group; dispatch@ietf.org > > Subject: RE: [dispatch] New I-D: > > draft-dawes-dispatch-mediasec-parameter-01 > > > > > > > > > -----Original Message----- > > > From: dispatch-bounces@ietf.org > > > [mailto:dispatch-bounces@ietf.org] On Behalf Of Leis, Peter > > > (NSN - DE/Munich) > > > Sent: 03 May 2010 14:32 > > > To: ext Hadriel Kaplan; Dawes, Peter, VF-Group; dispatch@ietf.org > > > Subject: Re: [dispatch] New I-D: > > > draft-dawes-dispatch-mediasec-parameter-01 > > > > > > > > > comments inline > > > > > > > -----Original Message----- > > > > From: ext Hadriel Kaplan [mailto:HKaplan@acmepacket.com] > > > > Sent: Friday, April 30, 2010 5:47 PM > > > > To: Leis, Peter (NSN - DE/Munich); Dawes, Peter, VF-Group; > > > > dispatch@ietf.org > > > > Subject: RE: [dispatch] New I-D: > > > > draft-dawes-dispatch-mediasec-parameter-01 > > > > > > > > > > > > > > > > > -----Original Message----- > > > > > From: Leis, Peter (NSN - DE/Munich) > [mailto:peter.leis@nsn.com] > > > > > Sent: Friday, April 30, 2010 4:17 AM > > > > > To: Hadriel Kaplan; Dawes, Peter, VF-Group; dispatch@ietf.org > > > > > > > > > > > -----Original Message----- > > > > > > From: ext Hadriel Kaplan [mailto:HKaplan@acmepacket.com] > > > > > > Sent: Thursday, April 29, 2010 6:59 PM > > > > > > > > > > > > Right, but I'm trying to figure out why that is. I mean > > > > > > what's the reason the UA needs to know at Registration time > > > > > > that it's next-hop b2bua can do srtp, instead of letting SDP > > > > > > handle it? > > > > > > > > > > > > I *think* the answer is so that it can later send an INVITE > > > > > > with an SDP offer without failing the request - is that > > > > the reason? > > > > > > > > > > Right > > > > > > > > OK, and I also agree that's a real problem. That issue was > > > > raised in the IETF in 2006/2007. There was a very simple > > > > proposal to avoid that, in > > > > draft-kaplan-mmusic-best-effort-srtp, but the decision of the > > > > MMUSIC WG was to instead use > > > > draft-ietf-mmusic-sdp-capability-negotiation to accomplish > > > > it. That draft is now in the RFC editor's queue. I know > > > > it's a lot of processing overhead, but that was the decision. > > > > And I think 3gpp has put support for that into some > > > release or other. > > > > > > > > > > The requirement in 3GPP is, that the UE has to know whether > > or not the > > > network (P-CSCF) will support SDES-SRTP before the session > > > takes place, > > > if it wants to employ End2AccessEdge media plane > security. This will > > > ensure that the IMS UE shares the media keys only with the > > P-CSCF and > > > not with some other entity. > > [JRE] Why would the UE "want to employ End2AccessEdge" media > > plane security, as opposed to E2E media plane security? I > > would have thought the UE would always prefer the latter. > > Furthermore, the UE should not use keys that have value > > outside this particular communication session, so if they get > > passed on beyond the P-CSCF, no harm is done. In fact, if > > they reach the remote UA, you can end up with E2E security, > > which would be great from the UE's perspective. > > > > > In addition, in 3GPP there is a > > > requirement > > > that the UE knows whether media plane security is > > established between > > > itself and the network (i.e. End2AccessEdge), or whether > media plane > > > security is established between itself and the far end. > > [JRE] That would be interesting to know, but it is a more > > general problem - any B2BUA can terminate SRTP, and SIP does > > not provide any mechanism to indicate whether SRTP is truly > > end-to-end or just end-to-some-B2BUA. Also a gateway to TDM > > will terminate SRTP, and SIP does not provide any means of > > indicating whether SRTP is truly end-to-end or > > end-to-first-TDM-gateway. > > > > John > > > > > > > > As you said, CapNeg has a lot of processing overhead, and > > in addition, > > > it does not solve the requirements I have listed. > > > > > > > > > > > > > > > > > RFC 3840 does only cover UA indicating support, > but not SBC > > > > > > indicating > > > > > > > support. > > > > > > > > > > > > Actually, in a way it does. An SBC is a B2BUA. As a UA, it > > > > > > can indicate feature tags. What it *can't* do is > indicate it > > > > > > in the REGISTER response it sends to the UA. But the UA > > > > > > could send an OPTIONS to the B2BUA and get it in a feature > > > > > > tag of the response to the OPTIONS. I know it sucks to send > > > > > > more SIP messages, but I don't see how to avoid that and be > > > > > > consistent with the SIP architecture. It's really weird for > > > > > > a REGISTER response to indicate media capabilities of the > > > > Registrar. > > > > > > > > > > use of OPTIONS was discussed, but due to the additional > > > > signalling, it > > > > > was discarded. > > > > > > > > Considering all of the other signaling already required > > > > (subscription to reg-event, subscription to presence, xcap, > > > > possibly subscription to Config server) isn't an OPTIONS just > > > > a nit at this point? And that way this could be a general > > > > solution, instead of a 3gpp-specific one. > > > > > > > > > > > > > The indication of network support for SDES-SRTP in response > > > > to REGISTER > > > > > is not included by the registrar, but by the network > > > > element placed at > > > > > the edge (the SBC/B2BUA) > > > > > > > > I know, but from the UA's perspective the REGISTER response > > > > is coming from the Registrar, possibly through proxies. > > > > There's no logical/conceptual model in the IETF for a > > > > REGISTER response to indicate media capabilities of some > > > > middle hop of the REGISTER. > > > > > > > > -hadriel > > > > > > > _______________________________________________ > > > dispatch mailing list > > > dispatch@ietf.org > > > https://www.ietf.org/mailman/listinfo/dispatch > > > > > >
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… James M. Polk
- [dispatch] New I-D: draft-dawes-dispatch-mediasec… Dawes, Peter, VF-Group
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Adam Roach
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Paul Kyzivat
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… DRAGE, Keith (Keith)
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Paul Kyzivat
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Hadriel Kaplan
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Leis, Peter (NSN - DE/Munich)
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Dawes, Peter, VF-Group
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Paul Kyzivat
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Hadriel Kaplan
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Hadriel Kaplan
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Leis, Peter (NSN - DE/Munich)
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Hadriel Kaplan
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Cullen Jennings
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Leis, Peter (NSN - DE/Munich)
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Elwell, John
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Leis, Peter (NSN - DE/Munich)
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Elwell, John
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Leis, Peter (NSN - DE/Munich)
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Elwell, John
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Leis, Peter (NSN - DE/Munich)
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Elwell, John
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Belling, Thomas (NSN - DE/Munich)
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Elwell, John
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… DRAGE, Keith (Keith)
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Elwell, John
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… DRAGE, Keith (Keith)
- Re: [dispatch] New I-D: draft-dawes-dispatch-medi… Dawes, Peter, VF-Group
- [dispatch] FW: Re: New I-D: draft-dawes-dispatch-… Dawes, Peter, VF-Group