Re: [Insipid] AD Evaluation of draft-ietf-insipid-session-id-22

Paul Giralt <pgiralt@cisco.com> Tue, 31 May 2016 03:28 UTC

Return-Path: <pgiralt@cisco.com>
X-Original-To: insipid@ietfa.amsl.com
Delivered-To: insipid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 540A412D0B7; Mon, 30 May 2016 20:28:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.946
X-Spam-Level:
X-Spam-Status: No, score=-15.946 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4SUYUM7iLMlq; Mon, 30 May 2016 20:28:11 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3055012D60A; Mon, 30 May 2016 20:28:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=36796; q=dns/txt; s=iport; t=1464665291; x=1465874891; h=subject:mime-version:from:in-reply-to:date:cc:message-id: references:to; bh=e0kyGdhX+DbyzSqKGhXnpygq7reez4vlT5h3XHqw0E4=; b=N7qsQG1NtsCiQ0U/SoeHGg75/txoAz/P4O84kFHjgHQCcaHcR5iLRk6z +KK9MUlGwBXMAx8SSL7IZRtwc0LCF1wV+nP0yUd4mM5HkA5FZHbtJy07L PnHVf7DW5ACka6ZC8ePdj21jQ8+wx3/H2Ee+JAol1mRA64vKbrRVahxL/ E=;
X-Files: signature.asc : 842
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DQAgCOBE1X/4UNJK1bgm9Nu1gOgXqGE?= =?us-ascii?q?QKBNjgUAQEBAQEBAWUnhEYBAQMBGglFCgcFCws4CgICVwaIOgisOpENAQEBAQE?= =?us-ascii?q?BAQECAQEBAQEBAQEBAQEODoYngXeBU4EDhCoCgx0rgi4FiAQKhVeBMokggyuFT?= =?us-ascii?q?YUogWmET4MshTiGM4kZHgFDggYcgWcgiCoBBiCBHgEBAQ?=
X-IronPort-AV: E=Sophos;i="5.26,393,1459814400"; d="asc'?scan'208,217";a="279620729"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 31 May 2016 03:27:48 +0000
Received: from rtp-pgiralt-nitro5.cisco.com (rtp-pgiralt-nitro5.cisco.com [10.116.123.198]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id u4V3Rj2b023696 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 31 May 2016 03:27:47 GMT
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_80FAD78E-143B-4EAD-8BF6-B91087E23951"; protocol="application/pgp-signature"; micalg=pgp-sha512
X-Pgp-Agent: GPGMail 2.6b2
From: Paul Giralt <pgiralt@cisco.com>
In-Reply-To: <D126986C-5821-4DD3-AB10-CD54B2387491@nostrum.com>
Date: Mon, 30 May 2016 23:27:42 -0400
Message-Id: <B78C35A8-98FD-4B75-900D-86B4B098A519@cisco.com>
References: <D126986C-5821-4DD3-AB10-CD54B2387491@nostrum.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <http://mailarchive.ietf.org/arch/msg/insipid/29Ql--IClF9Oxm5UGeFbzc0CUW8>
Cc: insipid@ietf.org, draft-ietf-insipid-session-id.all@ietf.org
Subject: Re: [Insipid] AD Evaluation of draft-ietf-insipid-session-id-22
X-BeenThere: insipid@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SIP Session-ID discussion list <insipid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/insipid>, <mailto:insipid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/insipid/>
List-Post: <mailto:insipid@ietf.org>
List-Help: <mailto:insipid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/insipid>, <mailto:insipid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 May 2016 03:28:14 -0000

Ben,

Thank you for your detailed evaluation. Here are some replies to your comments. I welcome WG feedback as well.

> 
> ------------- Substantive Comments:
> 
> - Abstract: The abstract makes it sound like the draft is
> multi-protocol. It's not, it's SIP specific. I recognize the idea is
> that the syntax could be used across signaling protocols, but this
> particular draft only defines how to do so for SIP. Please clarify.
> 


[PG] While the draft is SIP-specific, the Session Identifier defined in the draft is designed to be multi-protocol (e.g. the H.323 implementation described in H.460.27). If you feel we should be more clear that the document is SIP-specific, but the identifier is designed to be multi-protocol, I can modify.


> - General
> 
> - 4.1, 2nd paragraph: Why is the requirement for version 4 or 5 UUIDs
> only a SHOULD? It seems like we should really avoid any sort of
> persistent identifies in the UUID. If we really need the SHOULD, please
> describe when it might be reasonable to choose otherwise.
> 


[PG] The WG agreed on this because of existing endpoints that might want to implement Session-ID but are currently generating other identifiers using other mechanisms such as using the device MAC address. This statement clearly contradicts Section 12 as you pointed out below, so one of the two needs to change. I welcome WG feedback as to which direction would be best. I tend to agree that this should be a MUST and we should make all endpoints use version 4 or 5. Then again, even if an endpoint did not conform to this, everything would still work fine.


> - 4.2, 2nd paragraph: "such as when a UA first initiates a SIP request,"
> 
> Should that be a SIP INVITE request, or SIP dialog-initiating request?
> 


[PG] Cloud be any dialog-initiating request.


> -- 2nd to last paragraph: Is there a normative statement elsewhere than
> devices other than conference-focuses MUST NOT reuse UUIDs? (Also, the
> MUST in this paragraph belongs with the section on MDUs. If this text
> means to simply point out that the MDU section has this requirement,
> then please state it descriptively here.)
> 


[PG] There does not appear to be a normative statement elsewhere, but I agree there probably should be for the sake of clarity. It’s implied in section 4 and 6 when we talk about constructing a UUID for a new session, but could be called out explicitly.


> -- last paragraph: I'm a bit uncomfortable with making storage
> completely out of scope, due to the potential "information-at-rest"
> security or privacy implications. (I note that RFC7206 cites 6872 for
> this purpose).
> 


[PG] In looking at 6872  we could site it here as well; however, if the Session-ID is obscured in logs at res, it defeat the whole purpose of having the Session-ID in the first place as you would not be able to use it for troubleshooting. 6872 doesn’t really seem to mandate much of anything and just has a lot of SHOULDs. If you feel strongly on this, we could put a note to 6872 and highlight the fact that Session-ID should be maintained in logs at rest to be effectively used as a troubleshooting tool.


> - 6, paragraph 8: Has the working group discussed the privacy
> implications of requiring an endpoint to keep the same UUID after a
> redirect, refer, or INVITE-with-replaces? It may be that the peer and
> intermediaries already know the source of the 2nd dialog is the same
> that of the first, but I think it's a topic that needs some mention in
> the text.
> 


[PG] Yes, the privacy implications have been discussed at length. The whole point of the Session ID to allow a call to be tracked. Yes, it can open privacy concerns, since intermediaries can potentially figure out who has been talking to whom and for how long but this is not significantly different than looking at SIP signaling itself. If we do not mandate the same UUID in the situations described above, you end up losing the relationship between the two call legs which again defeats the purpose of having the Session-ID in the first place.


> -- paragraph 10: Both the MAY and MUST seem incorrect here. The MAY is a
> statement of fact, and the MUST is a description of rules elsewhere in
> the draft. I suggest using descriptive language for both.
> 

[PG] I believe the first MUST needs to stay, but agree that the second MAY and MUST should use descriptive language. I will correct to:

   An endpoint MUST assume that the UUID value of the peer endpoint may
   change at any time due to service interactions.  Section 8 discusses
   how endpoints must handle remote UUID changes.


> -7, first paragraph: Does the assumption of no "special treatment" means
> the intermediary  passing the session-id unchanged? Removes it? Either?
> 


[PG] It could be either depending on what the particular intermediary does with headers it does not understand. We should assume it could be either.


> -- 4th paragraph: What happens when a B2BUA that does not implement
> session-id aggregates responses? If it passes through the peer UUIDs
> unchanged, does anything break? Can the UAC be misled about the UUID of
> the resulting peer?
> 


[PG] The UAC should be able to handle this, although there is a potential for out of order messages to cause the UAC to be using a remote UUID that is out of sync, however even this condition should sort itself out.


> -- 3rd paragraph from end: I'm confused by "A non- redirected or
> rejected response", since responses neither get redirected or rejected.
> Do you mean a redirection response or a rejection response? (Perhaps
> using response code classes would be more clear.)
> 


[PG] Yes, this should have read “redirection response or rejection response. Will change to response code classes to make more clear.


> "MUST replace its own UUID" - In what message(s)?
> 


[PG] The example cited is the best explanation, but I agree it’s not clear in the text. I will add some text here to clarify.


> -- 2nd to last paragraph: Why are the SHOULDs not MUSTs? Can you
> describe situations in which one might reasonably not follow the
> SHOULDs?
> 


[PG] I can’t find any reason for the first SHOULD and think it should probably be a MUST. The second SHOULD is related to other comments below about whether or not an intermediary is required to update other participants in a session if it knows that the participant has an out of sync Session-ID. I’m inclined to make this a MUST as well, however I’ve been told there was some feedback from the WG that some might not want to generate additional SIP signaling for the sole purpose of updating a Session-ID.

Is there any WG opinion as to why this should remain a SHOULD instead of a MUST?


> -- last paragraph: The first "MAY" seems like a statement of fact. Is
> the 2nd MAY appropriate? That is, intermediary allowed to _not_ do this,
> and let endpoints get out of sync?
> 


[PG] The first MAY should be may. The second is related to the previous comment. If we allow intermediaries to not update a participant when the Session-ID changes, then this statement is accurate (so currently the draft is consistent), however if we change the above SHOULD to a MUST, then this must change as well.


> -8, last paragraph: Why is the SHOULD not a MUST? When might one
> reasonably not follow it?


[PG] This is also related to the above two comments.


> 
> -9, 2nd paragraph: Does this assume that the conference is new to each
> subsequent MCU? That is, one would never use this approach to bridge two
> existing conferences that already have their own UUIDs?
> 


[PG] Yes, this assumes the conference is new to each subsequent MCU. The case of two existing conferences is not addressed in the draft.


> - 10.3: Why doesn't the b2bua send a re-invite to update the uuid as in
> the next example?
> 

[PG] This again goes back to the fact that updating the UUID is currently optional. That said, we do say that intermediaries SHOULD update the UUID and regardless of what decision is made regarding the mandate to update the UUID, I agree this example should still include the update as a best-practice, so I will modify regardless.


> - 10.5: Please don't use the name of a trademarked, commercial service
> in an RFC. Can you recast this as a "web-based conference service”?


[PG] Totally agree. Will change this.


> Also, this should be clarified to be one of many ways to implement this
> use case, not necessarily a preferred way. (For example,  endpoints
> might initiate the INVITE requests toward the focus.)
> 

[PG] Ok. I will clarify.


> - 10.7, first bullet: It seems highly unlikely that a 3pcc server would
> not be dialog stateful.
> 


[PG] I agree, but any harm in leaving as is? Are we just stating the obvious and we can leave it out entirely?


> - 11: This section creates MUST level requirements for an implementation
> to be backwards compatible with a pre-standard, proprietary version.
> That seems to be a stretch. Did the working group really intend that an
> implementation could not choose not to implement this section?
> 

[PG] Yes, this was the intention. The pre-standard version is a bit more than just proprietary. It is my understanding that the pre-standard version is included as part of the 3GPP Release 9 specification and there are 4-5 million devices that currently implement that version. The WG felt it was important enough to mandate interoperability.


> -- 4th bullet: Wny isn't the presence or absence of remote-uuid
> sufficient for responses?
> 

[PG] Great question. Some implementations of the pre-standard version would blindly copy the contents of the request’s Session-ID header into the response, so if they were to receive a standard version that contains the remote-uuid, they would echo it back. This is to deal with this possibility.


> -- 5th bullet: This seems out of place; it's about non-compliant
> implementations of this document, not about backwards compatibility.
> 


[PG] Yes, that’s true. Let me find another place to put it.


> - 6th bullet: Why would an "old" implementation include "remote-uuid" at
> all?
> 


[PG] As mentioned above, only in the case where it’s blindly reflecting the received Session-ID header.


> - 12, first paragraph: The MUST here seems to conflict with the previous
> SHOULD about using UUID versions other than 4 or 5. (see previous
> comment).
> 


[PG] As mentioned above, you are correct. I’d like some WG feedback as to whether we should just make this a MUST in both places.



> -- 3rd paragraph: Is there an impact if something tampers with or lies
> about session-Id values?
> 


[PG] The only impact would be the inability to easily troubleshoot the call. There should be no impact to the ability to complete and interact with the call. Does this bear mentioning?


> - 15: Thank you for including this.


[PG] Thanks. It’s the least we could do.




> 
> Editorial Comments and Nits:
> 

[PG] I’ll address all of these in the updated version. Thank you for the feedback.


> -1, first paragraph: Please expand SIP on first mention.
> 
> - 4.2, 4th paragraph: Please expand PBX on first mention.
> 
> -- 2nd to last paragraph: This referes to conference focus, but most of
> the relevant section discusses MDUs. Please use consistent terms.
> (either may be okay, but "focus" probably better captures the signaling
> vs media role.)
> 
> -6, paragraph 9: What is meant by "negatively affect"? Is this allowed
> to affect the session in neutral or positive ways?
> 
> -- paragraph 11: Consider s/"MUST take care to ensure"/"MUST ensure".
> The "take care" part softens the message.
> 
> -- 2nd to last paragraph: Redundant normative statements. Consider
> making the first one descriptive, since the second is the more precise
> of the two. (This pattern repeats in section 7 paragraph 7)
> 
> - 7, 2nd paragraph: "which is why intermediaries" I think that's one
> reason why. There are likely others.
> 
> -- 7th paragraph: "If an intermediary receives a SIP message without a
> Session-ID header field or valid header field value..."
> 
> Does this mean either without session-id, or with session-Id but without
> a valid value? (As worded, the second part reads like it means without
> any valid header fields, but that doesn't make sense.)
> 
> -8, first paragraph: This seems redundant to previous sections.
> 
> 10.1, paragraph before SIP detail: It's not really complete if you omit
> stuff :-)
> 
> 10.3: There's no description of the initial re-invite.
> 
> 11, paragraph 5: It's not clear what "that" refers to.
> 
> 
> 
> 
> 
> 
> 
> 
>