IETF Logo Mail Archive

Re: [Insipid] Will the identifier pass unchanged through B2BUAs?

Paul Kyzivat <pkyzivat@alum.mit.edu> Thu, 01 August 2013 12:52 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: insipid@ietfa.amsl.com
Delivered-To: insipid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4F1921E80CF for <insipid@ietfa.amsl.com>; Thu, 1 Aug 2013 05:52:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.387
X-Spam-Level:
X-Spam-Status: No, score=-0.387 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_NET=0.611, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DeU+LsLQppuZ for <insipid@ietfa.amsl.com>; Thu, 1 Aug 2013 05:52:32 -0700 (PDT)
Received: from qmta08.emeryville.ca.mail.comcast.net (qmta08.emeryville.ca.mail.comcast.net [IPv6:2001:558:fe2d:43:76:96:30:80]) by ietfa.amsl.com (Postfix) with ESMTP id 7811121E811C for <insipid@ietf.org>; Thu, 1 Aug 2013 05:52:19 -0700 (PDT)
Received: from omta19.emeryville.ca.mail.comcast.net ([76.96.30.76]) by qmta08.emeryville.ca.mail.comcast.net with comcast id 7Qij1m0011eYJf8A8QsKyd; Thu, 01 Aug 2013 12:52:19 +0000
Received: from dhcp-15b9.meeting.ietf.org ([130.129.21.185]) by omta19.emeryville.ca.mail.comcast.net with comcast id 7Qq71m00B3zbtzW01QqAH1; Thu, 01 Aug 2013 12:50:17 +0000
Message-ID: <51FA597E.5030106@alum.mit.edu>
Date: Thu, 01 Aug 2013 14:50:06 +0200
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Hadriel Kaplan <hadriel.kaplan@oracle.com>
References: <51F7A26B.1000704@ericsson.com> <C6504F53-FAF0-4DBF-811D-DD7960961B2B@oracle.com> <51F8BA2B.3030100@nostrum.com> <3CC43D36-9B37-4D86-AA71-5CE33BC13590@oracle.com> <51F8D216.50904@nostrum.com> <7F18DCB7-0B1A-44CE-A6B3-BDF514EBF717@oracle.com> <51F8E5F3.6050101@alum.mit.edu> <B610A79F-3E85-4ABC-9898-541F630905E7@oracle.com> <4A4F136CBD0E0D44AE1EDE36C4CD9D996EE91746@VOEXM31W.internal.vodafone.com> <72B7836E-BA8A-4473-8A3D-2FD391AB62FC@oracle.com> <51F93FC3.40206@alum.mit.edu> <9DBF0FDC-8866-4957-BEA6-8C1D7A4617FF@oracle.com>
In-Reply-To: <9DBF0FDC-8866-4957-BEA6-8C1D7A4617FF@oracle.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20121106; t=1375361539; bh=w1enlprP5R8uAKBEOnvuEaTtFvdwcqaB0hLBRj9SHME=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=XsqOqQCKIfckQX6TatPX9lH3rHZVFdBFDbrDl1Buuxn6twfdqZfNg7uSbScqRR0CI W7lrl2QWT52/SQWTmv6tgq/3397sD2RXor8FegcHqNqo11HLv3oXOsxtWrKefOaRyk xvdjHMdCdKfYPlL7bKDwT7cdjyslGo5N54YY2HGQs2tKxK2rwsfNh4W0kvH/01uCwA OIaxYzxWyZBy9ZI6nsAF2TZiN5UlocOSmqSE3IE1pCSrFX2Ta5IwZx7jC7J3fjaRRo UJeBsTHO/AN+n13iI+uMGu2efEfLY4c99YjdNe9sqtnJGozH7lkkzgRvCim+YGQy0+ eF7QuRDd9SCvQ==
Cc: insipid@ietf.org
Subject: Re: [Insipid] Will the identifier pass unchanged through B2BUAs?
X-BeenThere: insipid@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SIP Session-ID discussion list <insipid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/insipid>, <mailto:insipid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/insipid>
List-Post: <mailto:insipid@ietf.org>
List-Help: <mailto:insipid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/insipid>, <mailto:insipid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Aug 2013 12:52:38 -0000

On 8/1/13 12:24 AM, Hadriel Kaplan wrote:
>
> On Jul 31, 2013, at 12:48 PM, Paul Kyzivat <pkyzivat@alum.mit.edu> wrote:
>>>> This is simplistic but I think it meets REQ3. The discussion on Gonzalo's question seems to me to be about a different requirement along the lines of "how the Session-ID header field is generated and used must be compared with generation and use of header fields that a SIP B2BUA or other intermediary removes or modifies to ensure that a SIP B2BUA or other intermediary does not have any reason to remove the Session-ID: header field."
>>>
>>> Yup.  Basically a "why do we think the MUST statement generated by REQ3 would actually be followed or not".
>>
>> Because if they don't follow it then any product that wants to claim conformance to a feature that requires session-id will fail in the presence of such B2BUA. If those features are themselves valuable, then people will demand products that conform to them.
>
> It's not the "products that conform to them" that's the issue, it's whether the operators/admins of the products want them to do it and whether it's possible to do without breaking something else.
>
> Take the Call-ID header, for example - even if there weren't a security problem with revealing IP Addresses, fundamentally there are call scenarios that simply don't work if the Call-ID is left unchanged by B2BUAs.  Some of the scenarios are very subtle and only show up in certain deployments; others are more obvious, like out-of-dialog REFER handling.  B2BUA products don't change the Call-ID because it's fun, they change it to make things *work*.[1]  So if a new feature/mechanism is defined in the IETF which relies on Call-ID remaining unchanged, it doesn't matter if the product vendor and owner/admins want to support the new feature; it's giving them a choice of: "to get this new feature, you must break other features".

I "understand" the rationale for changing callid to hide ip or dns 
addresses. (I think its silly, but I understand there are people that 
are paranoid about such things. I'm paranoid about *different* things.)

I don't understand why you would need to "fix" callids for other 
reasons. I'd be interested in hearing (offline) about such cases. I 
can't think of anything except broken implementations.

>> Yes, I know that is naive, but its all the leverage we have.
>
> It's not naive - it *is* all the leverage we have.  The entire concept of INSIPID and STRAW docs is that a purchaser of equipment who wants feature X in RFC Y, tells its vendors to comply with RFC Y; if the vendors don't do RFC Y, then they can't have feature X.
>
> The challenge is when we use RFC Y to accomplish multiple different features Z and W, we run the risk that not all of X+Z+W are achievable simultaneously, in practice.  So in the Session-ID case, if it turns out a SBC has to change a Session-ID to match/not-match others in order to make calls work right, vs. leaving it alone for troubleshooting purposes, it will invariably choose to change it to make calls work instead of help troubleshooting, as will its owner.  Calls have to work... the spice must flow.

The implication of this is that we should have *no* general mechanisms.
Rather we should have many many feature-specific mechanisms. IIUC, that 
is a description of the systems we have been replacing, and one of the 
main reasons they needed to be replaced.

	Thanks,
	Paul

> Thus when faced with the STIR stuff needing to do caller-id verification, in my opinion it would be safer to not use Session-ID, than rely on it surviving e2e.  I don't *know* it won't survive e2e, since Session-ID hasn't gotten much deployment yet.  It's just a hunch based on the use-cases people have in mind for it.  They're not "benign" use-cases; they affect calls failing or succeeding.
>
> -hadriel
> [1] This isn't entirely the case - I've been told by some B2BUA vendors that their internal architecture limits their ability to do certain things transparently, such as Call-ID handling.  I won't name who they are because I was told in confidence, but they don't all attend the IETF and it's not my place to represent their views/issues.
>
>

v2.23.0 | Report a Bug | By Email