Re: [Insipid] Pre-WGLC INSIPID Session-ID Review Comments

["Paul E. Jones" <paulej@packetizer.com>]

Christer,

>>>You need to give people technical reasons why they reasons they 
>>>modify
>>>Call-ID don't apply to Session-ID. "Because the draft says so" is not
>>>such reason :)
>>
>>How about we modify the first paragraph of Section 7 to read this way:
>>
>>"In order to ensure the integrity of the end-to-end session 
>>identifier, intermediaries, such as proxies >or session border 
>>controllers, MUST NOT alter the UUID values found in the Session-ID 
>>header, >except as described in this section."
>>
>>Would that help or do you think we need something else?
>
>Unfortunately I don't think it will help.
>
>No matter what the spec says, intermediaries will modify the header 
>field if they see a need to do so. You need to describe why such need 
>does not occur for the Session-ID header field.
>

The reasons the Call-ID or other headers were changed at the SBC was 
because they revealed specific information about the user, including 
device information, user identifiers, etc.  The Session Identifier is 
defined to be random (per section 4.1 of the solution spec).  This is 
also spelled out in the referenced requirements document.

Given that, what more do we really need to say here?  I'm happy to 
modify that sentence in some way that helps, but I don't want to make it 
so complex that it gets in the way of the procedures.  Maybe we need 
something in the security considerations section?

I think I understand roughly what you're shooting for, but I'm not sure 
what we can add that doesn't confuse the text, replicate text from the 
requirements document, etc.  Can you suggest some text and where to put 
it?

Paul