Re: [Insipid] Mirja Kühlewind's No Objection on draft-ietf-insipid-logme-marking-12: (with COMMENT)

"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Wed, 15 August 2018 07:38 UTC

DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=kuehlewind.net; b=kMM/EPjYKYd2bEZGn15MCAxuZsdnTKj+n7RVYnDePmz0li+L/3Wie/bI271GF2zIplK4vxErd5iuDKSaGXPFWP2of8mF76qVLUniRUiV0T+ycY+azJWRs/4qqMbK9JQO58xDr6hTcw4UkdHYP/zPVfdBD+/A1+/XQsM7noVy5EA=; h=Received:Received:Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:X-Mailer:X-PPP-Message-ID:X-PPP-Vhost;
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <CBE69AF1-8AFC-4FC2-898A-0D70B96BE009@cisco.com>
Date: Wed, 15 Aug 2018 09:31:44 +0200
Cc: "Arun Arunachalam (carunach)" <carunach@cisco.com>, "insipid-chairs@ietf.org" <insipid-chairs@ietf.org>, "Dawes, Peter, Vodafone Group" <Peter.Dawes@vodafone.com>, "Gonzalo Salgueiro (gsalguei)" <gsalguei@cisco.com>, "insipid@ietf.org" <insipid@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-insipid-logme-marking@ietf.org" <draft-ietf-insipid-logme-marking@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <4EA01E28-6DEB-4B6F-861F-E2C753E37541@kuehlewind.net>
References: <153417744610.24989.8583018232862453031.idtracker@ietfa.amsl.com> <47069B3D-25CE-409F-9099-E235D656C498@cisco.com> <a7811c35-2843-1b8b-1862-4fe7e0abe69a@kuehlewind.net> <CBE69AF1-8AFC-4FC2-898A-0D70B96BE009@cisco.com>
To: "Arun Arunachalam (carunach)" <carunach=40cisco.com@dmarc.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/insipid/chdx3q64VJ3hHctQTJmWZdjqN1k>
Subject: Re: [Insipid] Mirja Kühlewind's No Objection on draft-ietf-insipid-logme-marking-12: (with COMMENT)
Precedence: list

Hi Arun,

please see below.

> Am 15.08.2018 um 00:13 schrieb Arun Arunachalam (carunach) <carunach=40cisco.com@dmarc.ietf.org>:
> 
> Thanks Mirja.
> 
> We would like to get a couple of clarifications. Please see inline.
> 
> 
>> On Aug 14, 2018, at 12:47 PM, Mirja Kühlewind <ietf@kuehlewind.net> wrote:
>> 
>> Hi Arun, hi Peter,
>> 
>> please see below.
>> 
>> On 14.08.2018 16:51, Arun Arunachalam (carunach) wrote:
>>> Hi Mirja,
>>> 
>>> Thanks for taking the time to review and sharing feedback!
>>> 
>>> Please see inline.
>>> 
>>>> On Aug 13, 2018, at 12:24 PM, Mirja Kühlewind <ietf@kuehlewind.net> wrote:
>>>> 
>>>> Mirja Kühlewind has entered the following ballot position for
>>>> draft-ietf-insipid-logme-marking-12: No Objection
>>>> 
>>>> When responding, please keep the subject line intact and reply to all
>>>> email addresses included in the To and CC lines. (Feel free to cut this
>>>> introductory paragraph, however.)
>>>> 
>>>> 
>>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>> 
>>>> 
>>>> The document, along with other ballot positions, can be found here:
>>>> https://datatracker.ietf.org/doc/draft-ietf-insipid-logme-marking/
>>>> 
>>>> 
>>>> 
>>>> ----------------------------------------------------------------------
>>>> COMMENT:
>>>> ----------------------------------------------------------------------
>>>> 
>>>> A couple of quick comments/questions:
>>>> 
>>>> 1) How do you know that both endpoints are "log me" enabled? I guess because of
>>>> the requirement that all messages of a dialog must have the marker, you cannot
>>>> just add it and see if the other end is able to apply it to its responses…?
>>> 
>>> 
>>> It is not possible for the originating endpoint to determine whether the terminating endpoint or intermediary supports “log me” prior to setting up a dialog.
>>>  
>>> If the originating endpoint sent an INVITE with logme marker and received a provisional or final response with logme marker then it can infer that one or more of the intermediaries in the call signaling path (or) the terminating endpoint supports "log me".
>> 
>> Okay, this does makes sense to me, however, it is a bit contradicting to the normative requirement in Section 3.2:
>> "If a request or response is "log me" marked, then all re-transmissions of the request or response MUST be similarly "log me" marked. “
> 
> 
> We are trying to better understand this comment specifically how it contradicts. The purpose of the above sentence was to address a scenario in which a SIP message with “log me” marker is sent over UDP and it gets re-transmitted. This sentence was added to make sure that the re-transmitted message also had the “log me” marker. Please explain.


Sorry I was actually copied the wrong statement:

"Once the "log me" marking is started for a dialog, all subsequent
   requests and responses in this dialog are "log me" marked and marking
   is stopped when this dialog and its related dialogs end.“

This is not normative, so there is no conflict, but it’s a bit confusing given you don’t know if the other end supports logme or not. If you could clarify, that it is okay to probe with a logme message in the first request and then see if the other end replies, would be really helpful I think. Also if you send a logme message and the other end does not send one back, should other messages for me originating host in the same dialog be marked or not? That is not fully clear and it is seems that most of the normative statements in the draft only apply to the case where both hosts (or some intermediate on both sides) are already known to support logme. Maybe double-check!

> 
> 
>> 
>> Maybe you can clarify this and maybe also spell out more explicitly in the document what you just explained above.
>> 
>>> 
>>> 
>>> 
>>>> 
>>>> 2) Sec 3.2: "firstly because it is configured to
>>>>   do so, or secondly because it has detected that a dialog is being
>>>>   "log me" marked, causing it to maintain state to ensure that all
>>>>   requests and responses in the dialog are similarly "log me" marked."
>>>> I was first quite confused by this sentence because I though the second case
>>>> meant that intermediates needs to ensure that all messages are marked
>>>> correctly. However, I guess the second case is when the other ends is
>>>> configured to do marking, one needs to reply with the marking as well. I think
>>>> I was mainly confused by the word "detects". Maybe it's worth to further
>>>> clarify this sentence…?
>>> 
>>> We can rephrase as:
>>>  
>>>    A user agent or intermediary adds a "log me" marker in an unmarked
>>>    request or response in two cases: firstly because it is configured to
>>>    add the marking to a dialog-creating request, or secondly because it has 
>>>    received a dialog-creating request that is being "log me" marked, causing it to 
>>>    maintain state to ensure that all requests and responses in the dialog are 
>>>    similarly "log me" marked.
>> 
>> Thanks! Much better for me!
>> 
>>> 
>>> 
>>>> 
>>>> 3) Section 4.6 feels a little misplace but I not sure where it belong otherwise
>>>> (maybe section 3 or 5?). Or maybe move section 4.5 in an own section later in
>>>> the doc…?
>>> 
>>> 
>>> We added "4.6 Error Handling” under Section 4 since this section talks about endpoint and intermediary behavior. Error handling needs to be implemented in SIP entities, and we could reword the beginning of 4.6. to: "The two error types that SIP entities must handle are defined in Section 5, a missing marker error and an error of "log me" marking that begins mid-dialog."
>>> 
>>> Or if needed, we could move it as first part of Section 5 and rename this section as "5. Error Handling” and make “5.1 Error cases” as a sub-section.
>> I'd prefer this solution. But it's just an editorial comment, so I leave it to you.
> 
> 
> We plan to move it to Section 5.
> 
> 
>> 
>>> 
>>> Please let us know your preference. 
>>> 
>>>> 
>>>> 4) Also Section 4.6: "It MUST NOT forward the "log me" marker"
>>>> Does it mean an intermediate MUST remove the marker if an error is detected? Is
>>>> that safe given the proxy scenarios? If at all I would recommend to use MAY
>>>> here, I guess…
>>> 
>>> If the proxy is logme aware then it is expected to remove logme marker in error scenarios. It is safe to remove. The objective is to stop the propagation of incorrect marking as soon as possible.
>> 
>> I have the feeling that this could be more explicitly spelled out in the doc and maybe also providing further guidance when it is actually safe to remove a marking would be really good.
> 
> 
> The situations when “log me” marking can be safely removed is discussed in Section 8.2 "Log Me" Marker Removal” and in Section 8.3 “Denial of Service Attacks". Please let us know whether these sections address your comment (or) whether we are missing something specific.
> 
These sections only discuss the case of inter-domain traffic. My question was should an intermediate that understands logme also remove markings in error cases (markings show up mitdterm or something)? Maybe you can say something more in section 5 or 4.6.


> 
>> 
>>> 
>>>> 
>>>> 5) Sec 8.1.:
>>>> "An end user or network administrator MUST give permission for a
>>>>   terminal to perform "log me" marking in the context of regression
>>>>   testing or troubleshooting a problem. "
>>>> and
>>>> "The configuration of a SIP intermediary to perform
>>>>   "log me" marking on behalf of a terminal MUST be authorized by the
>>>>   network administrator."
>>>> I'm actually not sure what these normative sentences mean for an
>>>> implementation. Is this maybe rather "An implementation MUST provide a
>>>> configuration to active logging and logging MUST be disabled by default.”?
>>> 
>>> We can rephrase as:
>>> 
>>>   “Log me” marking MUST be disabled by default both at the endpoints and intermediaries and MUST be enabled only by authorized users. 
>>>    For example, an end user or network administrator must give permission for a terminal that supports “log me” marking in order to initiate marking.
>>>    Similarly, a network administrator must enable a configuration at the SIP intermediary to perform "log me" marking on behalf of a terminal that doesn’t
>>>    support “log me” marking. The permission MUST be limited to only specific calls of interest that are originated in a given time duration.  
>> Yes, thanks!
>> 
>>>  
>>>> 
>>>> 6) Section 8.2:
>>>> "If SIP requests and responses are exchanged with an external network
>>>>   with which there is no agreement to pass "log me" marking, then the
>>>>   "log me" marking is removed."
>>>> Should this be normative, maybe:
>>>> "If SIP requests and responses are exchanged with an external network
>>>>   with which there is no agreement to pass "log me" marking, then the
>>>>   "log me" marking SHOULD be removed at the network border."
>>>> Or MUST?
>>> 
>>> The last sentence in section 3.4.2 says “However, since a "log me" marker may cause a SIP entity to log 
>>> the SIP header and body of a request or response, if no agreement exists between peer networks then the
>>>  "log me" marker MUST be removed at a network boundary.”
>>> 
>>> So we can add a few words in 8.2 to say:
>>> "If SIP requests and responses are exchanged with an external network with which there is no agreement to 
>>> pass "log me" marking, then the "log me" marking is removed as mandated in section 3.4.2."
>> 
>> Thanks, adding the reference really helps!
>>> 
>>> 
>>>> 
>>>> 7) Also a related question: Should a network perform ingress filtering/removal
>>>> of "log me" markers?
>>> 
>>> Yes, this scenario is discussed in Section 4.5.2.5.
>> 
>> Yes, the scenarios is fine but providing guidance that ingress filtering should be done, should probably be also discussed in the security considerations section.
> 
> 
> We think the following text in Section 8.2 covers both egress and ingress filtering:
> 
> "If SIP requests and responses are exchanged with an external network with which there is no agreement to pass "log me" marking, then the "log me" marking is removed as mandated in section 3.4.2.”
> 
> If we need to explicitly mention ingress filtering, we can update the text as:
> 
> "If SIP requests and responses are exchanged with an external network with which there is no agreement to pass "log me" marking, then egress/ingress filtering is applied to remove "log me” marking as mandated in section 3.4.2.“


I somehow happen to read this only as egress filtering. But you are right, it doesn’t say that. However, it probably doesn’t hurt to be explicit here.

Thanks!
Mirja


> 
> Thanks!
> Peter & Arun
> 
> 
> 
> 
> 
>> 
>> Mirja
>> 
>> 
>>> 
>>>> 
>>>> 8) Nit:
>>>> Sec 2: I guess the following sentence was coped and pasted from RFC8123 and
>>>> should be removed for this doc: "Rather than describing interoperability
>>>>   requirements, they are used to describe requirements to be satisfied
>>>>   by the "log me" marking solution.”
>>> 
>>> Yes, we will remove it.
>>> 
>>> Thanks!
>>> Peter & Arun
>>> 
>>>> 
>>>> 
>>> 
>> 
>

[Insipid] Mirja Kühlewind's No Objection on draft… Mirja Kühlewind
Re: [Insipid] Mirja Kühlewind's No Objection on d… Arun Arunachalam (carunach)
Re: [Insipid] Mirja Kühlewind's No Objection on d… Mirja Kühlewind
Re: [Insipid] Mirja Kühlewind's No Objection on d… Arun Arunachalam (carunach)
Re: [Insipid] Mirja Kühlewind's No Objection on d… Ben Campbell
Re: [Insipid] Mirja Kühlewind's No Objection on d… Mirja Kuehlewind (IETF)
Re: [Insipid] Mirja Kühlewind's No Objection on d… Dawes, Peter, Vodafone Group
Re: [Insipid] Mirja Kühlewind's No Objection on d… Arun Arunachalam (carunach)
Re: [Insipid] Mirja Kühlewind's No Objection on d… Mirja Kuehlewind (IETF)
Re: [Insipid] Mirja Kühlewind's No Objection on d… Dawes, Peter, Vodafone Group
Re: [Insipid] Mirja Kühlewind's No Objection on d… Benjamin Kaduk
Re: [Insipid] Mirja Kühlewind's No Objection on d… Dawes, Peter, Vodafone Group