IETF Logo Mail Archive

Re: [Gen-art] Gen-ART review of draft-drage-sipping-rfc3455bis-13

Jari Arkko <jari.arkko@piuha.net> Thu, 10 April 2014 14:15 UTC

Return-Path: <jari.arkko@piuha.net>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 113C51A02A3 for <gen-art@ietfa.amsl.com>; Thu, 10 Apr 2014 07:15:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.85
X-Spam-Level:
X-Spam-Status: No, score=-3.85 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_SE=0.35, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XjGebdZHM5SA for <gen-art@ietfa.amsl.com>; Thu, 10 Apr 2014 07:15:19 -0700 (PDT)
Received: from mailgw2.ericsson.se (mailgw2.ericsson.se [193.180.251.37]) by ietfa.amsl.com (Postfix) with ESMTP id DDD731A029F for <gen-art@ietf.org>; Thu, 10 Apr 2014 07:15:18 -0700 (PDT)
X-AuditID: c1b4fb25-b7f3b8e0000006f1-8d-5346a774b10e
Received: from ESESSHC012.ericsson.se (Unknown_Domain [153.88.253.124]) by mailgw2.ericsson.se (Symantec Mail Security) with SMTP id 37.23.01777.477A6435; Thu, 10 Apr 2014 16:15:17 +0200 (CEST)
Received: from mail.lmf.ericsson.se (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.56) with Microsoft SMTP Server id 14.3.174.1; Thu, 10 Apr 2014 16:15:16 +0200
Received: from nomadiclab.lmf.ericsson.se (nomadiclab.lmf.ericsson.se [131.160.33.3]) by mail.lmf.ericsson.se (Postfix) with ESMTP id 81DEE1101FF; Thu, 10 Apr 2014 17:15:16 +0300 (EEST)
Received: from nomadiclab.lmf.ericsson.se (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id 83CAF5723D; Thu, 10 Apr 2014 17:15:15 +0300 (EEST)
Received: from [IPv6:::1] (localhost [127.0.0.1]) by nomadiclab.lmf.ericsson.se (Postfix) with ESMTP id ED7ED50679; Thu, 10 Apr 2014 17:15:14 +0300 (EEST)
Content-Type: text/plain; charset="windows-1252"
MIME-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Jari Arkko <jari.arkko@piuha.net>
In-Reply-To: <058CE00BD4D6B94FAD033A2439EA1E4B01E0CE66CA6F@HE113667.emea1.cds.t-internal.com>
Date: Thu, 10 Apr 2014 17:15:15 +0300
Content-Transfer-Encoding: quoted-printable
Message-ID: <74C1B909-BE20-434E-85FD-B866FC855D8A@piuha.net>
References: <CABkgnnVVQCAz=ixeR04rc75Vc-rL2JFQcjT0-hX_UCL-c=FGjQ@mail.gmail.com> <5F92FD08-1636-48C0-9634-8806E9F577FF@piuha.net> <CABkgnnUdkHYxGnFOkaHf-Xc+v=UYiASBS7KBJeC75aEV1SyKMA@mail.gmail.com> <CAHBDyN5a+S-1QUzD0eWpkxMdT0tBZ9_DZELM1FKuutmXNk8a0g@mail.gmail.com> <058CE00BD4D6B94FAD033A2439EA1E4B01E0CE66CA6F@HE113667.emea1.cds.t-internal.com>
To: R.Jesske@telekom.de
X-Mailer: Apple Mail (2.1510)
X-Virus-Scanned: ClamAV using ClamSMTP
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrOLMWRmVeSWpSXmKPExsUyM+JvjW7pcrdgg42PeCwaTvewW1x99ZnF 4tqZf4wWn/fvZ7ZoutPFZjG1z9aBzWPnrLvsHkuW/GTymLxxFotH20sFjy+XP7MFsEZx2aSk 5mSWpRbp2yVwZdy/MZepYL9ZxfQnV9kaGDu0uxg5OSQETCS2fm5khbDFJC7cW88GYgsJHGaU WNeq3MXIBWRvYJQ4eWITG4Szl1Fi2cdFLBBV6xgl5n2whkjMY5RYMKMNbBSzgIHEkUVzwGxe AT2J54+/gjUIC3hJ3Dl/jB3EZhNQl/hw8xKYzSkQK7H2w0yw1SwCqhKbTlxnhJhzmVFiyptg CFtbYtnC18wQM20kzvy7xQpxxB0miesbOEBsEQFJiSs3uqHekZU4fe45C4StJnH13CZmiHpF iYn3t7NNYBSdheTUWUhOnYVk3QJG5lWM7LmJmTnp5UabGIGRc3DLb9UdjHfOiRxilOZgURLn /fDWOUhIID2xJDU7NbUgtSi+qDQntfgQIxMHp1QDY3dAyxG5/khdzv6d91+cYbl6lWXFjzkq zjMTSkNfNnnMn9uQv+n82vkvb+vOl8zd8fBr+RaDEP/jLDzBLrU/Gv56nk/uVTioXrdVRu/v M5U9Rn8nb/ix9C7jGr7VDqX/J8Y3sx1ifaPCHSGolXRiyrGHKW1cGm2MZ0/X73Dj+cWheTNX u1VFQYmlOCPRUIu5qDgRALU+SKNqAgAA
Archived-At: http://mailarchive.ietf.org/arch/msg/gen-art/FrSz46ofkjC9vZd11dX1l0tW_rg
Cc: rlb@ipv.sx, gen-art@ietf.org, gonzalo.camarillo@ericsson.com, draft-drage-sipping-rfc3455bis@tools.ietf.org, atle.monrad@ericsson.com, mary.ietf.barnes@gmail.com
Subject: Re: [Gen-art] Gen-ART review of draft-drage-sipping-rfc3455bis-13
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Apr 2014 14:15:24 -0000

Roland,

Thanks for your responses. I think these are generally to the right direction, I have commented below where I think some further discussion is needed.

On Apr 10, 2014, at 11:07 AM, R.Jesske@telekom.de wrote:

> Hi Marry,
> I’m really sorry, this mail slipped through my hands. And I didn’t see anything in the data tracker history. Since I’m the main Editor, it is my fault that this was not answered.
> It is true we cannot claim any speed if we do nothing. Again I’m Sorry.
> 
> So here are my answers. For the Gen-review.
> So I have created a Version -14 which I can upload now. Please indicate if I should do this or if I should wait for further comments?
> 
> I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at
> 
> <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
> 
> Please resolve these comments along with any other Last Call comments you may receive.
> 
> Document: draft-drage-sipping-rfc3455bis-13
> Reviewer: Martin Thomson
> Review Date: 2014-02-27
> IETF LC End Date: 2014-03-14
> IESG Telechat date: (if known)
> 
> Summary: I find it strange that this 3GPP document is being published on the standards track.  But since it's a -bis there is clearly precedent, and it is otherwise sound.
> 
> [RJ] Yes it is informal as RFC3455 is I’ll change that.

It is published for informational according to the last call announcement, and I can't find any statement from the draft that this would be on the standards track.

> Major issues:
> 
> This document doesn't include enough information for me to some of the headers.  For example, there isn't enough information in the document to allow me to interpret the contents of cgi-3gpp:
>          cgi-3gpp     = "cgi-3gpp" EQUAL (token / quoted-string)
> (I pick on P-Access-Network-Info, because I'm somewhat familiar with it.)
> 
> This can probably be addressed by the inclusion of appropriate normative references.  I seem to recall there being a 3GPP TS that covered at least some of these.
> 
> [RJ] Below that section we have the text:
> The access-info MAY contain additional information relating to the access network. The values for "cgi-3gpp", "utran-cell-id-3gpp",
>       "i-wlan-node-id", "dsl-location" and "ci-3gpp2", "ci-3gpp2-femto" and  "gstn-location" are defined in 3GPP TS 24.229
> 
> Do we need more?

I think this is fine.

But would anyone mind if 24.229 was a normative reference? In my mind I need to read it to understand what to put into these attributes.

> Minor issues:
> 
> RFC 4244 is now obsolete, see 7044.  (related nit: Change log entry #2 seems quite defensive, unnecessarily so.  This document only needs to define P-Called-Party-ID, and reference History-Info as an alternative
> mechanism.)
> 
> [RJ] Replaced
> [RJ] Due to your comment I have removed the whole text as follows:
> Additionally the P-Called-Party-ID
>       header field has been defined within 3GPP systems since release
>       5, and therefore it is realistic to expect implementations to be
>       already released to the field.  It is therefore considered that
>       replacement of the P-Called-Party-ID header field within 3GPP
>       systems causes more issues that it solves, and therefore the
>       update of RFC3455 <xref
>         target="RFC3455"></xref> to remove the P-Called-Party-ID header field
>       will not be addressed.  However it is recommended that any new
>       usage of this type of functionality should use the History-Info
>       header field defined in RFC 7044 <xref target="RFC7044"></xref>rather than the P-Called-Party-ID header field

OK for me.

> Change log entry #5, mentions a shortcoming of 3455 (no registry for access network types), but the draft does nothing about it.  It seems to be propagating the mistake it notes.
> 
> [RJ] Yes I can agree this. so this seems a action for future.

Yes.

> 
> A lot has happened since RFC 3455 was published.  The privacy considerations around the use of P-Access-Network-Info are unchanged from their pre-Geopriv form.  In particular, I find the UA knowledge part to be problematic; Geopriv definitions can probably help here.
> 
> [RJ] sorry cannot do 

I think a better approach would be to describe the issues, rather than try to change what the implementations do, if that is what you meant by using Geopriv definitions.

> S6.1 P-Associated-URI is a powerful linkability vector, which could be a far more serious privacy leak than the text implies.  The following seems like good advice, but is not sufficient:
> 
>   An eavesdropper could possibly collect the list of identities a user
>   is registered.  This can have privacy implications.  To mitigate this
>   problem, this extension SHOULD only be used in a secured environment,
>   where encryption of SIP messages is provided either end-to-end or
>   hop-by-hop.
> 
> You also have to trust the other end of the hop with the information.
> I think that's implicit, but probably needs to be stated.
> 
> [RJ] I have addedthe following:
> And where a trustrelationship equivalent with that defined in RFC 3325 <xref target="RFC3325">between entities exist

This is good, but I'd be even more explicit. Maybe add "That is, the privacy of the user relies on the other entities in the session not disclosing information that they have learned about the user.

> 
> S6.4  This claim sounds false to me:
> 
>   However, there
>   are no security problems resulting from a UA inserting incorrect
>   information.  Networks providing services based on the information
>   carried in the P-Access-Network-Info header field will therefore need
>   to trust the UA sending the information.  A rogue UA sending false
>   access network information will do no more harm than to restrict the
>   user from using certain services.
> 
> Any parameter whereby changing it can cause loss of service is likely to be true in the inverse.  The draft makes no claims that would make me believe otherwise.
> 
> [RJ] Since we have the P-Access-Network-Info as header that is also set up by the IMS entity P-CSCF with adding the network provided element there is a difference in interpreting the header by Applications. Of course the network provided information is trustful and can be used for sensitive services since the user provided information should only be used by services which are not sensitive.
> 
> [RJ] Is this sufficient?

I feel that this may need more explanation. If you point was that the P-CSCF adds information that is trustworthy and leads to discovery of false information planted by the rogue UA, then maybe we should be explicit about this.

Jari

v2.23.0 | Report a Bug | By Email