Re: [Insipid] Pre-WGLC INSIPID Session-ID Review Comments
Christer Holmberg <christer.holmberg@ericsson.com> Sat, 13 September 2014 10:19 UTC
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Paul E. Jones" <paulej@packetizer.com>, "Adam Gensler (agensler)" <agensler@cisco.com>
Date: Sat, 13 Sep 2014 10:18:55 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B1D44A063@ESESSMB209.ericsson.se>
References: <7594FB04B1934943A5C02806D1A2204B1D4498FF@ESESSMB209.ericsson.se>, <em7de453b8-e55f-4799-9bdd-63adb655d675@sydney>
In-Reply-To: <em7de453b8-e55f-4799-9bdd-63adb655d675@sydney>
Archived-At: http://mailarchive.ietf.org/arch/msg/insipid/mAdhMzXK_A_nLEbFdcV7ye8FAUM
Cc: "insipid@ietf.org" <insipid@ietf.org>
Hi Paul,

>>>>>> You need to give people technical reasons why the reasons they
>>>>>> modify Call-ID don't apply to Session-ID. "Because the draft says
>>>>>> so" is not such reason :)
>>>>>
>>>>> How about we modify the first paragraph of Section 7 to read this
>>>>> way:
>>>>>
>>>>> "In order to ensure the integrity of the end-to-end session
>>>>> identifier, intermediaries, such as proxies or session border
>>>>> controllers, MUST NOT alter the UUID values found in the Session-ID
>>>>> header, except as described in this section."
>>>>>
>>>>> Would that help or do you think we need something else?
>>>>
>>>> Unfortunately I don't think it will help.
>>>>
>>>> No matter what the spec says, intermediaries will modify the header
>>>> field if they see a need to do so. You need to describe why such need
>>>> does not occur for the Session-ID header field.
>>>
>>> The reasons the Call-ID or other headers were changed at the SBC was
>>> because they revealed specific information about the user, including
>>> device information, user identifiers, etc. The Session Identifier is
>>> defined to be random (per section 4.1 of the solution spec). This is
>>> also spelled out in the referenced requirements document.
>>
>> Nobody is going to read the requirements document - you need to
>> describe it in THIS document.
>
> Oh, I wasted time on a document nobody will read?!?! :-)

In the INSIPID WG we obviously read/used it as input for the Session-ID solution :)

>>> Given that, what more do we really need to say here? I'm happy to
>>> modify that sentence in some way that helps, but I don't want to make
>>> it so complex that it gets in the way of the procedures. Maybe we
>>> need something in the security considerations section?
>>>
>>> I think I understand roughly what you're shooting for, but I'm not
>>> sure what we can add that doesn't confuse the text, replicate text
>>> from the requirements document, etc. Can you suggest some text and
>>> where to put it?
>>
>> I think the text above, about revealing sensitive information, is good :)
>
> How about this?
>
> "In consideration of the fact that the Session Identifier is constructed
> in such a way as to not reveal any personal, device, or domain
> identifying information and in order to ensure the integrity of the
> end-to-end session identifier, intermediaries, such as proxies or
> session border controllers, MUST NOT alter the UUID values found in the
> Session-ID header, except as described in this section."

I would use different wording. Something like:

"The call-id often reveals personal, device, domain or other sensitive information associated with an end-user, which is why intermediaries, such as proxies and session border controllers alter the call-id. In order to ensure the integrity of the end-to-end session identifier, it is constructed in a way which does not reveal such information, removing the need for intermediaries to alter it (except as described in this section)."

Regards,

Christer
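The property discussed in this thread can be checked at an intermediary boundary. The following is an added example, not part of the original message or of the draft: it compares one message on each side of a hypothetical SBC, reports what the Call-ID discloses, and confirms the Session-ID UUIDs were left untouched. The Session-ID syntax (32 lowercase hex digits with an optional `remote` parameter), the function names and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed Session-ID form: 32 lowercase hex digits, optional ;remote=<32 hex>.
SESSION_ID_RE = re.compile(r"^([0-9a-f]{32})(?:;remote=([0-9a-f]{32}))?$")


def headers(sip_message):
    """Return {lowercased header name: value} for a SIP message's header block."""
    out = {}
    for line in sip_message.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # a blank line ends the headers
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out


def call_id_leaks(call_id):
    """List what the part after '@' in a Call-ID discloses, if anything."""
    _, at, host = call_id.partition("@")
    if not at:
        return []
    try:
        ipaddress.ip_address(host.strip("[]"))
        return ["ip-address:" + host]
    except ValueError:
        return ["hostname:" + host]


def audit_hop(ingress, egress):
    """Compare one message before and after an intermediary."""
    h_in, h_out = headers(ingress), headers(egress)
    m_in = SESSION_ID_RE.match(h_in.get("session-id", ""))
    m_out = SESSION_ID_RE.match(h_out.get("session-id", ""))
    return {
        "call_id_leaks_in": call_id_leaks(h_in.get("call-id", "")),
        "call_id_leaks_out": call_id_leaks(h_out.get("call-id", "")),
        "session_id_well_formed": bool(m_in and m_out),
        "session_id_unaltered": bool(m_in and m_out and m_in.groups() == m_out.groups()),
    }


# Constructed sample: the same INVITE on each side of a hypothetical SBC.
INGRESS = """INVITE sip:bob@example.net SIP/2.0
Call-ID: a84b4c76e66710@pc33.example.com
Session-ID: ab30317f1a784dc48ff824d0d3715d86;remote=00000000000000000000000000000000
"""
EGRESS = """INVITE sip:bob@example.net SIP/2.0
Call-ID: 7f3c9e1b2d
Session-ID: ab30317f1a784dc48ff824d0d3715d86;remote=00000000000000000000000000000000
"""
```

In the sample, the Call-ID is rewritten at the SBC because it carried a hostname, while the Session-ID passes through unchanged because its value carries nothing that needs hiding.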