IETF Logo Mail Archive

Re: [dispatch] BEHAVE for B2BUAs charter proposal

Wilhelm Wimmreuter <wilhelm@wimmreuter.de> Mon, 17 October 2011 20:53 UTC

Return-Path: <wilhelm@wimmreuter.de>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E745521F8B83 for <dispatch@ietfa.amsl.com>; Mon, 17 Oct 2011 13:53:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.249
X-Spam-Level:
X-Spam-Status: No, score=-2.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QahH3WADmOx5 for <dispatch@ietfa.amsl.com>; Mon, 17 Oct 2011 13:53:15 -0700 (PDT)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.187]) by ietfa.amsl.com (Postfix) with ESMTP id B909021F8B88 for <dispatch@ietf.org>; Mon, 17 Oct 2011 13:53:14 -0700 (PDT)
Received: from wwn04.wwnet.ww (p4FE5AB6B.dip.t-dialin.net [79.229.171.107]) by mrelayeu.kundenserver.de (node=mreu4) with ESMTP (Nemesis) id 0Lunm1-1R7LRZ31jF-0108EQ; Mon, 17 Oct 2011 22:53:13 +0200
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Wilhelm Wimmreuter <wilhelm@wimmreuter.de>
In-Reply-To: <4E9C90A2.2020400@alum.mit.edu>
Date: Mon, 17 Oct 2011 22:53:12 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <46684468-E14A-4A98-AA18-E731158665C8@wimmreuter.de>
References: <2A0C30FC-9B55-4762-B3A4-98681654C41B@acmepacket.com> <482C8466-60D1-43D0-AD48-C2FD4EB8490A@edvina.net> <EE3B604D-FB2C-4B26-B2A9-93DFED02161B@wimmreuter.de> <4E9C90A2.2020400@alum.mit.edu>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
X-Mailer: Apple Mail (2.1084)
X-Provags-ID: V02:K0:Zk3HcYrJ8M+dQv9ONIrPKBhZTUiTCrI2yRALynEiNCv BjApz/mvjx0jK5V0ULvsM8c/9kUGcjQj+qG+VNrE2vU1u6us24 89ukLRvMD/l7BwAtA8OnTfVitDZYVXy0lueXanoWcuN//6/9mK T3tIr46fEYHviVl2e1smllJHI2So8pU5K2MDhKyt2bMQtnWbQH 8FS6tUEjZV4uG93hkwFpuEsJ0dyQxJAWvUOsV/iM9Kx2AlXFwc E8OR7uecN5zXaZK3ENFB6hbJJfLbaPNEQHR7k471YM/TcVMbVm 7Za2iurMxrjJ79KOHMzDkZA5+PJnpSWJqaAvhHZ7/5T39UEHBZ Vbt1MqrZ4ZRdy4OSmP0hNmzo4LH1DKGklDGBW68pdIiYa3SJnT hnrEdr2tKbtyQ==
Cc: dispatch@ietf.org
Subject: Re: [dispatch] BEHAVE for B2BUAs charter proposal
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2011 20:53:16 -0000

On 17.10.2011, at 22:31, Paul Kyzivat wrote:

> On 10/17/11 4:03 PM, Wilhelm Wimmreuter wrote:
>> Think it shall be RFC4474
>> 
>> Agree, it is underspecified and in parts to some extents way overloaded.
>> - Signs elements that will be modified by SBCs
>> - Signs things that have only marginally to do with the originators identity
>> - does nit clearly distinguish between the originators domain and a phone number
>> - ...
>> 
>> However it seems to be quite difficult and likely becomes even more complex if we add things like federations and cross PKI certificate acceptance.
>> 
>> My guess is that we to take a lot of usability issues in to consideration if we want to make it really useful. e.g. initial enrollment and certificate renewal.
>> 
>> Besides usability, one shall think about reducing the functionality to sign the originating identity and domain only. This still would allow to protect the sip message by other means. This approach has the advantage of separating transport security and the originating identity. With this clear separation, authentication would become transparent to SBCs and other servers in the setup path. With that, any element in the call path can validate the caller ID and decide on further authorization. This would also be relevant for the recently signed CALLER-ID Act.
> 
> IIUC you are in essence suggesting signing a blank sheet of paper and then sending it. The recipient will know that the sheet was blank when signed, and gets to decide whether to believe other stuff on the received sheet.

Not really a blank shet of paper ;-). Just the identity of the originator but not the parts of the message that can be changed on link by link. Other elements shall be protected link by link if necessary. As such the digest will be reduced to a minimum and can be forwarded transparently throughout the chain.


> 
> When you say "protecting the message by other means", presumably you mean transitive trust, since a lot of what matters in the message is changed by the B2BUAs. The point of 4474 was to get beyond transitive trust.

Guess transitive is the best way since all other stuff can only be protected on a link by link base. Did we not have the same problem with IPsec as well?

On top of this, I believe that the final solution must be a user centric authentication anyhow and with that we can only accept a digest with information that will not be modified throughout the communication path. e.g. originating id, terminating id and possibly the timestamp. 

Thanks

Willi

> 
> 	Thanks,
> 	Paul
> 
>> Willi
>> 
>> 
>> On 17.10.2011, at 17:16, Olle E. Johansson wrote:
>> 
>>> 
>>> 14 okt 2011 kl. 22:24 skrev Hadriel Kaplan:
>>> 
>>>> Howdy,
>>>> a year ago or so, there was a thread and informal bar-bof around the topic of "Should the IETF have a BEHAVE WG for SBCs".  I do not know the conclusion of the discussion, but it appears there was not enough interest at the time, or perhaps not enough concrete work to do and people to do it.  Since that time, we've had several I-Ds which could arguably fit in such a WG, or at least benefit from one, if it applied to B2BUAs in general.
>>>> 
>>>> This email is to see if there's interest now, but with a slightly different tack: a concrete WG charter proposal, as described below.
>>>> 
>>>> Interest/comments/flames welcomed.
>>> I think it's high time to start this work. We have seen the need for it in the discussions around Asterisk
>>> for a very long time. One could easily add SIP Identity for User Agents to this list, as RFC 4744 is
>>> horribly underspecified in this regard...
>>> 
>>> /O
>>>> 
>>>> 
>>>> Description of STRAW Working Group
>>>> ====================================
>>>> Name: Sip Traversal Required for Applications to Work (STRAW)
>>>> 
>>>> Problem Statement:
>>>> Within the context of the SIP protocol and architecture, a Back-to-Back User Agent (B2BUA) is any SIP device in the logical path between two User Agents performing a role beyond that of a Proxy as defined in RFC 3261.  The B2BUA may be as simple as a session-stateful Proxy becoming a B2BUA in order to terminate dead sessions by generating BYEs; or it may be a 3PCC-style agent only modifying SDP; or it may be a Session Border Controller performing such functions as in RFC 5853; or it may be an Enterprise PBX terminating REFERs and such; or it may be a complete UAS and UAC implementation with a PRI loopback in-between.
>>>> 
>>>> In its most extreme form, the scope of the SIP protocol ends at the UAS of the B2BUA, and a new SIP protocol scope begins on its UAC side.  In practice, however, users expect some SIP protocol aspects to go beyond the scope of the B2BUA's UAS side, and be traversed onto its UAC side, as if the B2BUA was not an end unto itself; this is similar to the expectation that emails work when they cross from POP and IMAP to/from SMTP.
>>>> 
>>>> It is impossible to normatively define all the behaviors of B2BUAs in general, or even subsets of them such as SBCs. Unlike consumer NATs, B2BUAs perform widely varying functions for purposes which may be unique to their environment, unique to their architecture, or unique to the wishes of their administrator.  Instead of defining all things a given type of B2BUA must do, a more practical objective would be to define what very few things any B2BUA must do to make a specific SIP mechanism work, and let the market decide whether to do those things.
>>>> 
>>>> The name of this working group reflects that practical objective: if there were a thin straw between the SIP UAS and UAC of a B2BUA, what must be passed through that straw and used on each side.  Or viewed another way, if a B2BUA were in fact a UAS and UAC connected with a PRI loopback circuit, and if we could extend ISDN, what information would we carry in ISDN across the PRI for a specific SIP mechanism to work end-to-end.
>>>> 
>>>> For example, the WG could produce a document which specifies that the Max-Forwards header field value should be copied and decremented across the B2BUA, if the B2BUA wishes to prevent loops.  Administrators could then tell their B2BUA vendors to comply with the document, if the administrator so wishes.
>>>> 
>>>> Objectives:
>>>> The objectives of the STRAW Working Group are to publish normative documents which define which SIP header fields, parameters, MIME bodies, body content fields/information, or media-plane characteristics are required to traverse between the User Agent "sides" of a B2BUA for specific functions to work.
>>>> 
>>>> Deliverables would indicate which types of B2BUAs would apply or not.  For example, a document defining the requirements for end-to-end DTLS-SRTP would not apply to B2BUAs which terminate media, such as transcoders or recorders.
>>>> 
>>>> The intention of this WG is to document such requirements in separate documents, per SIP or media function, instead of as one document for all functions.  That will both reduce the time to publication, as well a provide B2BUA administrators and manufacturers with simple comply/no-comply criteria.
>>>> 
>>>> 
>>>> Initial Deliverables:
>>>> 1) A document defining the requirements for B2BUAs to identify specific features/capabilities support.
>>>> 2) A document defining the requirements for B2BUAs with respect to loop detection/prevention.
>>>> 3) A document defining the requirements for B2BUAs to support end-to-end and hop-by-hop media-loopback test calls.
>>>> 4) A document defining the requirements for B2BUAs to support DTLS-SRTP (RFC 5764) end-to-end.
>>>> 5) A document defining the requirements for B2BUAs to support STUN connectivity checks end-to-end.
>>>> 
>>>> [also add a taxonomy document?]
>>>> 
>>>> _______________________________________________
>>>> dispatch mailing list
>>>> dispatch@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dispatch
>>> 
>>> ---
>>> * Olle E Johansson - oej@edvina.net
>>> * Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> dispatch mailing list
>>> dispatch@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dispatch
>> 
>> _______________________________________________
>> dispatch mailing list
>> dispatch@ietf.org
>> https://www.ietf.org/mailman/listinfo/dispatch
>> 
> 
> _______________________________________________
> dispatch mailing list
> dispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/dispatch

v2.39.1 | Report a Bug | By Email | System Status