Re: [P2PSIP] Review of draft-ietf-p2psip-sip-06
Marc Petit-Huguenin <petithug@acm.org> Tue, 15 November 2011 00:19 UTC
Return-Path: <petithug@acm.org>
X-Original-To: p2psip@ietfa.amsl.com
Delivered-To: p2psip@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6577411E80D0 for <p2psip@ietfa.amsl.com>; Mon, 14 Nov 2011 16:19:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.62
X-Spam-Level:
X-Spam-Status: No, score=-102.62 tagged_above=-999 required=5 tests=[AWL=-0.020, BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2y4JGA18TxLz for <p2psip@ietfa.amsl.com>; Mon, 14 Nov 2011 16:19:18 -0800 (PST)
Received: from implementers.org (implementers.org [IPv6:2604:3400:dc1:41:216:3eff:fe5b:8240]) by ietfa.amsl.com (Postfix) with ESMTP id E9D9E1F0C8A for <p2psip@ietf.org>; Mon, 14 Nov 2011 16:19:09 -0800 (PST)
Received: from [IPv6:2001:df8:0:64:ca0a:a9ff:fe2e:a4f6] (unknown [IPv6:2001:df8:0:64:ca0a:a9ff:fe2e:a4f6]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (Client CN "petithug", Issuer "implementers.org" (verified OK)) by implementers.org (Postfix) with ESMTPS id 17E2520371 for <p2psip@ietf.org>; Tue, 15 Nov 2011 00:09:29 +0000 (UTC)
Message-ID: <4EC1AFFA.6060906@acm.org>
Date: Tue, 15 Nov 2011 08:19:06 +0800
From: Marc Petit-Huguenin <petithug@acm.org>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.23) Gecko/20111010 Icedove/3.1.15
MIME-Version: 1.0
To: P2PSIP Mailing List <p2psip@ietf.org>
References: <4E49B882.7060001@acm.org> <4EC159BA.5020909@acm.org>
In-Reply-To: <4EC159BA.5020909@acm.org>
X-Enigmail-Version: 1.1.2
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Subject: Re: [P2PSIP] Review of draft-ietf-p2psip-sip-06
X-BeenThere: p2psip@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Peer-to-Peer SIP working group discussion list <p2psip.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/p2psip>, <mailto:p2psip-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/p2psip>
List-Post: <mailto:p2psip@ietf.org>
List-Help: <mailto:p2psip-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/p2psip>, <mailto:p2psip-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Nov 2011 00:19:21 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 11/15/2011 02:11 AM, Marc Petit-Huguenin wrote: > No response to this review, but I have an additional comment on this draft: > > 11. Section 3 > > "Note that these rules permit Alice to forward calls to Bob without > his permission. However, they do not permit Alice to forward Bob's > calls to her." > > One way to allow Alice to forward Bob's calls to her (or someone else) in a > secure way is to use the access control policy defined in > draft-knauf-p2psip-share. With -sip-06, only the owner of the certificate can > store a SIP-REGISTRATION, that we can represent like this: > > Resource Kind Node-ID URI signer > bob@c.com------1--->0x12345678--->sip:bob@m.com bob@c.com > > What Share can bring here is the possibility to have an authorized third-party > modifying the SIP registration: > > Resource Kind Node-ID URI signer > bob@c.com----1001-->0x12345678--->sip:bob@c.com bob@c.com > > Resource Kind Index ACL signer > bob@c.com-----18--->0x56780001-->bob@c.com 1001 true bob@c.com > bob@c.com-----18--->0x56780002-->alice@c.com 1001 false bob@c.com > > Here Bob (the boss) delegates to Alice (his assistant[1]) the right to modify > its registration, so Alice can now change it: > > Resource Kind Node-ID URI signer > bob@c.com----1001-->0x12345678--->sip:alice@m.com alice@c.com > > One problem is that we cannot reuse the Kind 1 (SIP), because it is already > bound to USER-NODE-MATCH, so we have to create a new kind (1001) that is bound > to USER-CHAIN-ACL. Unfortunately I do not see an easy solution to use the > original Kind (1) with USER-CHAIN-ACL. > > I would suggest to add an informative reference to draft-p2psip-knauf-share, and I meant "add an informative reference in draft-ietf-p2psip-sip to draft-knauf-p2psip-share". > to add a similar example in an appendix. > > > [1] For the record, the example I sent to the Share authors had Alice as the > boss, and Bob as her assistant, but I had to invert the example to match the > text in -sip. > > On 08/16/2011 08:23 AM, Marc Petit-Huguenin wrote: >> 1. Section 3: SipRegistration structure >> >> I would suggest to use "SipRegistration Resource Record" instead, to match the >> terminology in -concepts. >> >> Same thing for SipRegistration PDU in the same section. >> >> >> 2. Section 3: 1st paragraph >> >> s/This uses the SIP-REGISTRATION Kind-ID/This uses the SIP-REGISTRATION Kind/ >> >> >> 3. Section 3: opaque contact_prefs<0..2^16-1>; >> >> The format of the contact_prefs field is not described. Is it RFC 3840 or RFC >> 2533 (better in my opinion) or something else? >> >> >> 4. Section 3: Destination destination_list<0..2^16-1>; >> >> I think it would be better to have a list of destination_list instead, to be >> able to register different paths to the destination. This could be useful if a >> node decides to register as a client to multiple peers, using the procedure in >> the second bullet of section 3.2.1 of -base. >> >> >> 5. Section 3, second bullet of last list. >> >> It says that the storing peer must check that "[t]he certificate contains a >> Node-ID that is the same as the dictionary key it is being stored at.", which is >> not exactly true when the certificate contains multiple Node-ID. It would be >> better to say: >> >> "The Node-ID of the signer is the same as the dictionary key it is being stored at." >> >> >> 6. Section 4, first item in list >> >> "Check to see if the domain part of the AOR matches the domain name of an >> overlay of which he is a member." >> >> The way I understand this sentence, the "sip:petithug@implementers.org" AOR >> matches an overlay named "overlay.implementers.org". Was that the intent of >> this rule, or was the intent that the "sip:petithug@implementers.org" AOR only >> matches the "implementers.org" overlay? >> >> >> 7. Section 5. >> >> "If certificate-based authentication is in use, the responding peer MUST present >> a certificate with a Node-ID matching the terminal entry in the route list." >> >> If this sentence is about the AppAttach itself (and not about the connection >> created by the AppAttach), isn't that rule already part of -base? >> >> >> 8. Section 6. Second sentence. >> >> I do not understand what this sentence means. >> >> >> 9. Section 8.1. "In this section we discuss security issues that are likely to >> be relevant to any usage of RELOAD." >> >> There is no security issues discussed in section 8.1. >> >> >> 10. Section 9 >> >> Please change "TBD" by the code point that was already assigned (1, I think), so >> early implementations can do interoperability testing. >> >> >> Nits >> ==== >> >> - Abstract >> >> s/(RELOAD),/(RELOAD)./ >> >> - Section 2 >> >> s/consiered/considered/ >> > - -- Marc Petit-Huguenin Personal email: marc@petit-huguenin.org Professional email: petithug@acm.org Blog: http://blog.marc.petit-huguenin.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) iEYEARECAAYFAk7Br/gACgkQ9RoMZyVa61fCTgCfQqApyrWerSBJV55zmG/svCRi zi0An33Zv3DsWywaChy+fWXNQz7aWi68 =L0Lf -----END PGP SIGNATURE-----
- [P2PSIP] Review of draft-ietf-p2psip-sip-06 Marc Petit-Huguenin
- Re: [P2PSIP] Review of draft-ietf-p2psip-sip-06 Marc Petit-Huguenin
- Re: [P2PSIP] Review of draft-ietf-p2psip-sip-06 Marc Petit-Huguenin