Re: [Insipid] Pre-WGLC INSIPID Session-ID Review Comments

Christer Holmberg <christer.holmberg@ericsson.com> Sat, 13 September 2014 10:19 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Paul E. Jones" <paulej@packetizer.com>, "Adam Gensler (agensler)" <agensler@cisco.com>
Date: Sat, 13 Sep 2014 10:18:55 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B1D44A063@ESESSMB209.ericsson.se>
References: <7594FB04B1934943A5C02806D1A2204B1D4498FF@ESESSMB209.ericsson.se>, <em7de453b8-e55f-4799-9bdd-63adb655d675@sydney>
In-Reply-To: <em7de453b8-e55f-4799-9bdd-63adb655d675@sydney>
Archived-At: http://mailarchive.ietf.org/arch/msg/insipid/mAdhMzXK_A_nLEbFdcV7ye8FAUM
Cc: "insipid@ietf.org" <insipid@ietf.org>

Hi Paul,

>>>>>>You need to give people technical reasons why the reasons they
>>>>>>modify Call-ID don't apply to Session-ID. "Because the draft says
>>>>>>so" is not such a reason :)
>>>>>
>>>>>How about we modify the first paragraph of Section 7 to read this
>>>>>way:
>>>>>
>>>>>"In order to ensure the integrity of the end-to-end session
>>>>>identifier, intermediaries, such as proxies or session border
>>>>>controllers, MUST NOT alter the UUID values found in the Session-ID
>>>>>header, except as described in this section."
>>>>>
>>>>>Would that help or do you think we need something else?
>>>>
>>>>Unfortunately I don't think it will help.
>>>>
>>>>No matter what the spec says, intermediaries will modify the header
>>>>field if they see a need to do so. You need to describe why such need
>>>>does not occur for the Session-ID header field.
>>>>
>>>
>>>The reasons the Call-ID or other headers were changed at the SBC was
>>>because they revealed specific information about the user, including
>>>device information, user identifiers, etc. The Session Identifier is
>>>defined to be random (per section 4.1 of the solution spec). This is
>>>also spelled out in the referenced requirements document.
>>
>>Nobody is going to read the requirements document - you need to
>>describe it in THIS document.
>
> Oh, I wasted time on a document nobody will read?!?! :-)

In the INSIPID WG we obviously read/used it as input for the Session-ID solution :)


>>>Given that, what more do we really need to say here? I'm happy to
>>>modify that sentence in some way that helps, but I don't want to make
>>>it so complex that it gets in the way of the procedures. Maybe we
>>>need something in the security considerations section?
>>>
>>>I think I understand roughly what you're shooting for, but I'm not
>>>sure what we can add that doesn't confuse the text, replicate text
>>>from the requirements document, etc. Can you suggest some text and
>>>where to put it?
>>
>>I think the text above, about revealing sensitive information, is good :)
>>
>>
>
> How about this?
>
> "In consideration of the fact that the Session Identifier is constructed
> in such a way as to not reveal any personal, device, or domain
> identifying information and in order to ensure the integrity of the
> end-to-end session identifier, intermediaries, such as proxies or
> session border controllers, MUST NOT alter the UUID values found in the
> Session-ID header, except as described in this section."

I would use different wording. Something like:

"The call-id often reveals personal, device, domain or other sensitive information associated
with an end-user, which is why intermediaries, such as proxies and session border
controllers, alter the call-id. In order to ensure the integrity of the end-to-end
session identifier, it is constructed in a way which does not reveal such information,
removing the need for intermediaries to alter it (except as described in this section)."

Regards,

Christer
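
An added example, not part of the original message: a small header audit that makes the distinction under discussion concrete. It flags Call-ID values that carry a host part or MAC address, and checks that Session-ID UUIDs are not version 1, the UUID version that embeds the generating node's MAC address and a timestamp. The `Session-ID: <32 hex>;remote=<32 hex>` syntax, the function names and the sample message are assumptions, not quoted from the thread.

```python
import re
import uuid

# Constructed sample message; names, hosts and UUID values are made up.
SAMPLE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Call-ID: 3848276298220188511@alice-pc.corp.example.com\r\n"
    "Session-ID: ab30317f1a784dc48ff824d0d3715d86;remote=00000000000000000000000000000000\r\n"
    "\r\n"
)

def headers(msg):
    """Return {lowercased-name: value} for the header lines of a SIP message."""
    out = {}
    for line in msg.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the headers
            break
        name, _, value = line.partition(":")
        out[name.strip().lower()] = value.strip()
    return out

def call_id_leaks(value):
    """List the kinds of identifying data visible in a Call-ID value."""
    found = []
    _, at, host = value.partition("@")
    if at and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        found.append("ip-address")
    elif at and host:
        found.append("hostname")
    if re.search(r"(?i)\b([0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", value):
        found.append("mac-address")
    return found

def session_id_leaks(value):
    """Check the local and remote UUIDs (assumed syntax: <hex>;remote=<hex>)."""
    found = []
    local, *params = value.split(";")
    vals = [local.strip()] + [p.split("=", 1)[1].strip()
                              for p in params if p.strip().startswith("remote=")]
    for v in vals:
        if not re.fullmatch(r"[0-9a-fA-F]{32}", v):
            found.append("not-a-uuid")
        elif uuid.UUID(hex=v).version == 1:  # v1 embeds node MAC and timestamp
            found.append("uuid-v1-mac-and-time")
    return found

def audit(msg):
    h = headers(msg)
    return {"call-id": call_id_leaks(h.get("call-id", "")),
            "session-id": session_id_leaks(h.get("session-id", ""))}
```
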