IETF Logo Mail Archive

Re: [dispatch] BEHAVE for B2BUAs charter proposal

Paul Kyzivat <pkyzivat@alum.mit.edu> Mon, 17 October 2011 20:31 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 983CD11E8081 for <dispatch@ietfa.amsl.com>; Mon, 17 Oct 2011 13:31:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.439
X-Spam-Level:
X-Spam-Status: No, score=-2.439 tagged_above=-999 required=5 tests=[AWL=0.160, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2SJtam5KdXXP for <dispatch@ietfa.amsl.com>; Mon, 17 Oct 2011 13:31:32 -0700 (PDT)
Received: from qmta08.westchester.pa.mail.comcast.net (qmta08.westchester.pa.mail.comcast.net [76.96.62.80]) by ietfa.amsl.com (Postfix) with ESMTP id 8FABF11E807F for <dispatch@ietf.org>; Mon, 17 Oct 2011 13:31:32 -0700 (PDT)
Received: from omta16.westchester.pa.mail.comcast.net ([76.96.62.88]) by qmta08.westchester.pa.mail.comcast.net with comcast id lwSY1h0041uE5Es58wXYwy; Mon, 17 Oct 2011 20:31:32 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([24.62.109.41]) by omta16.westchester.pa.mail.comcast.net with comcast id lwXY1h00j0tdiYw3cwXY1G; Mon, 17 Oct 2011 20:31:32 +0000
Message-ID: <4E9C90A2.2020400@alum.mit.edu>
Date: Mon, 17 Oct 2011 16:31:30 -0400
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: dispatch@ietf.org
References: <2A0C30FC-9B55-4762-B3A4-98681654C41B@acmepacket.com> <482C8466-60D1-43D0-AD48-C2FD4EB8490A@edvina.net> <EE3B604D-FB2C-4B26-B2A9-93DFED02161B@wimmreuter.de>
In-Reply-To: <EE3B604D-FB2C-4B26-B2A9-93DFED02161B@wimmreuter.de>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [dispatch] BEHAVE for B2BUAs charter proposal
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dispatch>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2011 20:31:33 -0000

On 10/17/11 4:03 PM, Wilhelm Wimmreuter wrote:
> Think it shall be RFC4474
>
> Agree, it is underspecified and in parts to some extents way overloaded.
> - Signs elements that will be modified by SBCs
> - Signs things that have only marginally to do with the originators identity
> - does nit clearly distinguish between the originators domain and a phone number
> - ...
>
> However it seems to be quite difficult and likely becomes even more complex if we add things like federations and cross PKI certificate acceptance.
>
> My guess is that we to take a lot of usability issues in to consideration if we want to make it really useful. e.g. initial enrollment and certificate renewal.
>
> Besides usability, one shall think about reducing the functionality to sign the originating identity and domain only. This still would allow to protect the sip message by other means. This approach has the advantage of separating transport security and the originating identity. With this clear separation, authentication would become transparent to SBCs and other servers in the setup path. With that, any element in the call path can validate the caller ID and decide on further authorization. This would also be relevant for the recently signed CALLER-ID Act.

IIUC you are in essence suggesting signing a blank sheet of paper and 
then sending it. The recipient will know that the sheet was blank when 
signed, and gets to decide whether to believe other stuff on the 
received sheet.

When you say "protecting the message by other means", presumably you 
mean transitive trust, since a lot of what matters in the message is 
changed by the B2BUAs. The point of 4474 was to get beyond transitive trust.

	Thanks,
	Paul

> Willi
>
>
> On 17.10.2011, at 17:16, Olle E. Johansson wrote:
>
>>
>> 14 okt 2011 kl. 22:24 skrev Hadriel Kaplan:
>>
>>> Howdy,
>>> a year ago or so, there was a thread and informal bar-bof around the topic of "Should the IETF have a BEHAVE WG for SBCs".  I do not know the conclusion of the discussion, but it appears there was not enough interest at the time, or perhaps not enough concrete work to do and people to do it.  Since that time, we've had several I-Ds which could arguably fit in such a WG, or at least benefit from one, if it applied to B2BUAs in general.
>>>
>>> This email is to see if there's interest now, but with a slightly different tack: a concrete WG charter proposal, as described below.
>>>
>>> Interest/comments/flames welcomed.
>> I think it's high time to start this work. We have seen the need for it in the discussions around Asterisk
>> for a very long time. One could easily add SIP Identity for User Agents to this list, as RFC 4744 is
>> horribly underspecified in this regard...
>>
>> /O
>>>
>>>
>>> Description of STRAW Working Group
>>> ====================================
>>> Name: Sip Traversal Required for Applications to Work (STRAW)
>>>
>>> Problem Statement:
>>> Within the context of the SIP protocol and architecture, a Back-to-Back User Agent (B2BUA) is any SIP device in the logical path between two User Agents performing a role beyond that of a Proxy as defined in RFC 3261.  The B2BUA may be as simple as a session-stateful Proxy becoming a B2BUA in order to terminate dead sessions by generating BYEs; or it may be a 3PCC-style agent only modifying SDP; or it may be a Session Border Controller performing such functions as in RFC 5853; or it may be an Enterprise PBX terminating REFERs and such; or it may be a complete UAS and UAC implementation with a PRI loopback in-between.
>>>
>>> In its most extreme form, the scope of the SIP protocol ends at the UAS of the B2BUA, and a new SIP protocol scope begins on its UAC side.  In practice, however, users expect some SIP protocol aspects to go beyond the scope of the B2BUA's UAS side, and be traversed onto its UAC side, as if the B2BUA was not an end unto itself; this is similar to the expectation that emails work when they cross from POP and IMAP to/from SMTP.
>>>
>>> It is impossible to normatively define all the behaviors of B2BUAs in general, or even subsets of them such as SBCs. Unlike consumer NATs, B2BUAs perform widely varying functions for purposes which may be unique to their environment, unique to their architecture, or unique to the wishes of their administrator.  Instead of defining all things a given type of B2BUA must do, a more practical objective would be to define what very few things any B2BUA must do to make a specific SIP mechanism work, and let the market decide whether to do those things.
>>>
>>> The name of this working group reflects that practical objective: if there were a thin straw between the SIP UAS and UAC of a B2BUA, what must be passed through that straw and used on each side.  Or viewed another way, if a B2BUA were in fact a UAS and UAC connected with a PRI loopback circuit, and if we could extend ISDN, what information would we carry in ISDN across the PRI for a specific SIP mechanism to work end-to-end.
>>>
>>> For example, the WG could produce a document which specifies that the Max-Forwards header field value should be copied and decremented across the B2BUA, if the B2BUA wishes to prevent loops.  Administrators could then tell their B2BUA vendors to comply with the document, if the administrator so wishes.
>>>
>>> Objectives:
>>> The objectives of the STRAW Working Group are to publish normative documents which define which SIP header fields, parameters, MIME bodies, body content fields/information, or media-plane characteristics are required to traverse between the User Agent "sides" of a B2BUA for specific functions to work.
>>>
>>> Deliverables would indicate which types of B2BUAs would apply or not.  For example, a document defining the requirements for end-to-end DTLS-SRTP would not apply to B2BUAs which terminate media, such as transcoders or recorders.
>>>
>>> The intention of this WG is to document such requirements in separate documents, per SIP or media function, instead of as one document for all functions.  That will both reduce the time to publication, as well a provide B2BUA administrators and manufacturers with simple comply/no-comply criteria.
>>>
>>>
>>> Initial Deliverables:
>>> 1) A document defining the requirements for B2BUAs to identify specific features/capabilities support.
>>> 2) A document defining the requirements for B2BUAs with respect to loop detection/prevention.
>>> 3) A document defining the requirements for B2BUAs to support end-to-end and hop-by-hop media-loopback test calls.
>>> 4) A document defining the requirements for B2BUAs to support DTLS-SRTP (RFC 5764) end-to-end.
>>> 5) A document defining the requirements for B2BUAs to support STUN connectivity checks end-to-end.
>>>
>>> [also add a taxonomy document?]
>>>
>>> _______________________________________________
>>> dispatch mailing list
>>> dispatch@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dispatch
>>
>> ---
>> * Olle E Johansson - oej@edvina.net
>> * Cell phone +46 70 593 68 51, Office +46 8 96 40 20, Sweden
>>
>>
>>
>> _______________________________________________
>> dispatch mailing list
>> dispatch@ietf.org
>> https://www.ietf.org/mailman/listinfo/dispatch
>
> _______________________________________________
> dispatch mailing list
> dispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/dispatch
>

v2.39.1 | Report a Bug | By Email | System Status