Re: [Insipid] Stephen Farrell's No Objection on draft-ietf-insipid-logme-reqs-12: (with COMMENT)

"Dawes, Peter, Vodafone Group" <Peter.Dawes@vodafone.com> Wed, 01 February 2017 20:18 UTC

Return-Path: <Peter.Dawes@vodafone.com>
X-Original-To: insipid@ietfa.amsl.com
Delivered-To: insipid@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E0DE1299D7; Wed, 1 Feb 2017 12:18:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.354
X-Spam-Level:
X-Spam-Status: No, score=-5.354 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-1.156, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oHWHKtPCmJyw; Wed, 1 Feb 2017 12:18:44 -0800 (PST)
Received: from mail1.bemta6.messagelabs.com (mail1.bemta6.messagelabs.com [193.109.254.112]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E04B1299A3; Wed, 1 Feb 2017 12:18:43 -0800 (PST)
Received: from [193.109.254.3] by server-8.bemta-6.messagelabs.com id 9A/FB-21675-1A242985; Wed, 01 Feb 2017 20:18:41 +0000
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrDKsWRWlGSWpSXmKPExsWi75nTo7vQaVK EwYyDfBZHt71gsZg7xc9ixp+JzBaPHv1gsph//xmTxfS919gd2Dym/N7I6rG2+yqbx5IlP5kC mKNYM/OS8isSWDNO/rjFXnDFtOLSTrYGxs06XYxcHEIC2xglLl8/zwjhHGKU6N+3kB3OeXv4G yuEs5FR4t21hSxdjBwcbAL2EjP2xHQxcnKICHhKPOw7xQJSwyxwn1Fi49IfzCA1wgJZEhtfBk DUZEvMfXGdDcI2kni+9CkriM0ioCJxe+8GdhCbVyBUYvaRxWwgrUICPhIbv5iAhDkFfCW2v7j PAmIzCshKfGlczQxiMwuIS9x6Mp8JxJYQEJBYsuc8M4QtKvHy8T9WiBodiQW7P7FB2NoSyxa+ ZoZYJShxcuYTsJlCAqoS/1YuYprAKDYLydhZSNpnIWmfhaR9ASPLKkaN4tSistQiXUNTvaSiz PSMktzEzBxdQwMzvdzU4uLE9NScxKRiveT83E2MwFhkAIIdjN+WBRxilORgUhLljX8wMUKILy k/pTIjsTgjvqg0J7X4EKMMB4eSBO8Xh0kRQoJFqempFWmZOcCkAJOW4OBREuGtA0nzFhck5hZ npkOkTjEqSonzJjgCJQRAEhmleXBtsER0iVFWSpiXEegQIZ6C1KLczBJU+VeM4hyMSsK8TCBT eDLzSuCmvwJazAS02P1VH8jikkSElFQDo/vTEgVmzrkpqndvbnsudOpvUJfwuodP67lSlxl9r NlsHeR+kidqQfOcgzuC2C76H5rnIqOrkDJ7Im+wbnCA8O8CjgDtXCana5sObbxeePPDvdqfSl snml5ya5QqKXvBkrLMmu2g7IFpLa5zVSbp1TN0mz5dsYbJsNTu6KU0lmsb/s2Qslr6TYmlOCP RUIu5qDgRANfxujk/AwAA
X-Env-Sender: Peter.Dawes@vodafone.com
X-Msg-Ref: server-15.tower-184.messagelabs.com!1485980320!94036112!1
X-Originating-IP: [47.73.108.140]
X-StarScan-Received:
X-StarScan-Version: 9.1.1; banners=-,-,-
X-VirusChecked: Checked
Received: (qmail 29637 invoked from network); 1 Feb 2017 20:18:41 -0000
Received: from vgdpm14vr.vodafone.com (HELO voxe03hw.internal.vodafone.com) (47.73.108.140) by server-15.tower-184.messagelabs.com with AES256-SHA256 encrypted SMTP; 1 Feb 2017 20:18:41 -0000
Received: from VOEXH11W.internal.vodafone.com (47.73.211.215) by edge1.vodafone.com (195.232.244.48) with Microsoft SMTP Server (TLS) id 15.0.1178.4; Wed, 1 Feb 2017 21:18:40 +0100
Received: from VOEXC02W.internal.vodafone.com (145.230.101.22) by VOEXH11W.internal.vodafone.com (47.73.211.209) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Wed, 1 Feb 2017 21:18:40 +0100
Received: from VOEXC17W.internal.vodafone.com (145.230.101.19) by VOEXC02W.internal.vodafone.com (145.230.101.22) with Microsoft SMTP Server (TLS) id 14.3.294.0; Wed, 1 Feb 2017 21:18:40 +0100
Received: from VOEXM31W.internal.vodafone.com ([169.254.7.53]) by voexc17w.internal.vodafone.com ([145.230.101.19]) with mapi id 14.03.0294.000; Wed, 1 Feb 2017 21:18:39 +0100
From: "Dawes, Peter, Vodafone Group" <Peter.Dawes@vodafone.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: [Insipid] Stephen Farrell's No Objection on draft-ietf-insipid-logme-reqs-12: (with COMMENT)
Thread-Index: AQHSfJajavmJxKZqI0yQ0voTpeKlMqFUlS7Q
Date: Wed, 1 Feb 2017 20:18:38 +0000
Message-ID: <4A4F136CBD0E0D44AE1EDE36C4CD9D99C8C7240A@VOEXM31W.internal.vodafone.com>
References: <148595894907.19146.186759558704017451.idtracker@ietfa.amsl.com>
In-Reply-To: <148595894907.19146.186759558704017451.idtracker@ietfa.amsl.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/insipid/IqU63cl8jpAgL8dnYnb5QsD7ZHA>
Cc: "insipid@ietf.org" <insipid@ietf.org>, "draft-ietf-insipid-logme-reqs@ietf.org" <draft-ietf-insipid-logme-reqs@ietf.org>, "insipid-chairs@ietf.org" <insipid-chairs@ietf.org>, "gsalguei@cisco.com" <gsalguei@cisco.com>
Subject: Re: [Insipid] Stephen Farrell's No Objection on draft-ietf-insipid-logme-reqs-12: (with COMMENT)
X-BeenThere: insipid@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SIP Session-ID discussion list <insipid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/insipid>, <mailto:insipid-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/insipid/>
List-Post: <mailto:insipid@ietf.org>
List-Help: <mailto:insipid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/insipid>, <mailto:insipid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2017 20:18:47 -0000

Hello Stephen,
Thanks for the in-depth review of the draft. Some responses below.

Best regards,
Peter and Arun (co-authors)

> -----Original Message-----
> From: insipid [mailto:insipid-bounces@ietf.org] On Behalf Of Stephen Farrell
> Sent: 01 February 2017 14:22
> To: The IESG
> Cc: insipid@ietf.org; insipid-chairs@ietf.org; draft-ietf-insipid-logme-
> reqs@ietf.org; gsalguei@cisco.com
> Subject: [Insipid] Stephen Farrell's No Objection on draft-ietf-insipid-logme-
> reqs-12: (with COMMENT)
> 
> Stephen Farrell has entered the following ballot position for
> draft-ietf-insipid-logme-reqs-12: No Objection
> 
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-insipid-logme-reqs/
> 
> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> 
> Note that I'm balloting no-objection here. If some of these things weren't
> fixed, I'd be a DISCUSS ballot when the protocol spec turned up, should I still
> be on the IESG at that point (which I guess is unlikely:-)
> 
> - 3.2: I think "trust domain" isn't a great term, and doesn't really match the
> definition offered well. You're including the entire "source" operator plus the
> bits of any other operator that have agreed to help the source-operator with
> logging. I don't think that set of things is really a domain. Nor are the things in
> that set "trusted" except to do this logging stuff properly. It's also not clear to
> me if the relevant set is meant to differ per-call, or to be the same for all calls
> that a source-operator might originate.
> 

The term "trust domain" appears in RFC 3324 (referred to by RFC 3325, RFC 7316) and RFC 6404. In the 3GPP profile of SIP, it appears in TS 24.229. RFC 3324 concerns network asserted identities and defines a trust domain as a collection of nodes with secure connections that have configuration information on which connected nodes to trust. 

RFC 6404 concerns security threats related to the interconnection of service providers. SIP service providers (SSPs) who have a peering or transit contract are in the trust domain, others are not: "Each SSP may have connections to one or more remote SSPs through peering or transit contracts.  A potentially compromised remote SSP that attacks other SSPs is out of the scope of this document; this document focuses on attacks on an SSP from outside the trust domain such an SSP may have with other SSPs.".

The TS 24.229 description of  the trust domain (clause 4.4) includes the following excerpts "For the IM CN subsystem, this trust domain consists of the functional entities that belong to the same operator's network " and " Additionally, other nodes within the IM CN subsystem that are not part of the same operator's domain may or may not be part of the trust domain, depending on whether an interconnect agreement exists with the remote network. " and " Within the IM CN subsystem trust domains will be applied to a number of header fields. These trust domains do not necessarily contain the same functional entities or cover the same operator domains."

The use of trust domain in logme-reqs is similar to its use in RFC 6404 and TS 24.229. The trust domain needs a wide scope in terms of included networks because one of the reasons for the logme mechanism is the unpredictability in advance of SIP routing through multiple connected service providers, transit networks, etc. It is also important to define trust domain as it applies specifically to "logme marking" as a protocol element because trust domain does not always impact all parts of SIP equally. 

logme marking is expected to be applied for regression testing and troubleshooting. It will often be pre-arranged and involve a SIP client specifically for testing owned and operated by a service provider. The trust domain is not expected to change from call to call but only a very small subset of calls will be used for testing.

> - 5.1: REQ1 seems to me to ignore privacy in one bad respect - isn't the right
> thing to log the entire message
> *except* bits that are considered sensitive by the logging entity concerned?
> E.g. any secrets or PII in the SIP message may be best not logged. Forcing
> everyone to log the entire thing would seem brittle to me - it may cause
> operators to not co-operate with one another esp if data privacy laws differ
> between them. (Or maybe more likely, the logs will not have the sensitive
> bits, or will eventually have them XXXX'd out.)
> 

Specifying logging the entire message means that troubleshooting tools will know they have all fields. Privacy might require that one service provider remove some protocol elements before passing a SIP message to a peer service provider, logme marking won't be able to bring them back. Within a service provider, logging must obey data protection laws regardless of any RFC.

If the user needs privacy, their user agent should follow the procedures documented in RFC 3323. This way we can avoid imposing privacy related requirements on SIP entities that log messages.

> - REQ9: Not quite sure, but I wonder are there additional requirements for
> intermediaries inserting this that aren't covered. For example, that that not
> be (ab)used for other than diagnostics and hence ought not be on by default
> and maybe more. I think the thing to do is to get someone to do a privacy
> analysis of this situation before the protocol spec is done - some minor
> changes might make a biggish difference there.

We can do a privacy analysis as part of the solution.

> 
> - 6.1: See above wrt 3.2. I'm not convinced that there is such a thing as a
> "trust domain boundary" as you use the term. I think (not sure) that may
> mean that logme stuff is either dropped on ingress or else never dropped
> which'd seem like a bad outcome.

Logme marking of a SIP request will be present until a SIP message is passed to a peer service provider that is not part of the prior logging agreement, and then it will be removed. Note that a response to that request might be logme marked as it re-enters the service provider that removed it from the request.

> 
> 
> _______________________________________________
> insipid mailing list
> insipid@ietf.org
> https://www.ietf.org/mailman/listinfo/insipid