Re: [Rum] Let's get into it

Brian Rosen <br@brianrosen.net> Tue, 23 July 2019 21:23 UTC

Return-Path: <br@brianrosen.net>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E74131202CC for <rum@ietfa.amsl.com>; Tue, 23 Jul 2019 14:23:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brianrosen-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AcWueVPlDy1W for <rum@ietfa.amsl.com>; Tue, 23 Jul 2019 14:23:14 -0700 (PDT)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 675F2120159 for <rum@ietf.org>; Tue, 23 Jul 2019 14:23:14 -0700 (PDT)
Received: by mail-qt1-x834.google.com with SMTP id h21so43296376qtn.13 for <rum@ietf.org>; Tue, 23 Jul 2019 14:23:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brianrosen-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=uiFzCq21yN3X2ADEbBlxLMe+bF6wZg7Gahz/e1rT+Ns=; b=WvxgtK9C42pCmQUtb4tLCPjO6B7P+x4vZZPsz/JGLUoQonxSLrbI8zg8AbRAIL2BUf tAyrGF/q8EGtMoNs+oimEFwYHda/AT/m6JUHPUkChObSVJisJ4o/xoGHjc/26Aq343zK 84UomJy9BbaqMvAKNn/xlw2Ct/YE0ecWsfNVXiCcVb9FAnqpVOuJF0cGw5KA2/Oa3PVf 495zX7+FVR8Fb1RGQhVU488lOrhrc6YFRbOwrfO3aBIRMIOA3HaGAkkzfJkepKzZOXYj t95u5voxuDhXzvpARqnhCitYr4a38IsAZ7Z4p5dOjS57/NitsTk35nz+UuUlrP/EGLYs +K5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=uiFzCq21yN3X2ADEbBlxLMe+bF6wZg7Gahz/e1rT+Ns=; b=K44aHFV6HSSWIrjYg/wlspB/aWnOpUS0z2K2IswA6dYLyU8S4pAgxD7cJD1W/zP1YO IptR5TVbhrl/C2YJJhHGYTgoI+RKPBwwokjY6FK6+GDutIVBsCaqgN8fWETajj/0Dh+S NwKtFZpGFvTut6E+lOUtUdVXNaWqLZkUQ+XSuhgJpVJF1tfCt2Fc628SgGc50HGk7g7W NHt83uKu7ed1N/YadHdnqenxPeW2IaNusRuFeN6osYftFdvMkn77Hn8/c0ZtTgJyMyPE zsXyS3SDNj/xZd5vLui9sGQvZr/j8mttEmVv9XkYC/BnQEp013qdZ8/bKcSeSEohqiRm UprQ==
X-Gm-Message-State: APjAAAXhSogF5NGVVHiAt2aeC9m186P6SH/OaC/I5IcfOmTe+RphANMk 8ruqweidCc2m8WRcAyxyShZ3i1YRI7c=
X-Google-Smtp-Source: APXvYqxTM+wy9VAFG/FPfxhdS0zoIuJm8Ou2IS+pBlSWMrpdMRQuu/fpoU34N1Em/2T0qsZTUDeFaw==
X-Received: by 2002:a05:6214:1312:: with SMTP id a18mr55687121qvv.241.1563916993388; Tue, 23 Jul 2019 14:23:13 -0700 (PDT)
Received: from ?IPv6:2001:67c:370:128:70ce:3281:16a7:a4ae? ([2001:67c:370:128:70ce:3281:16a7:a4ae]) by smtp.gmail.com with ESMTPSA id t76sm21120503qke.79.2019.07.23.14.23.12 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 23 Jul 2019 14:23:13 -0700 (PDT)
From: Brian Rosen <br@brianrosen.net>
Message-Id: <E2206E75-7739-4304-B668-83B10525E3C6@brianrosen.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_9B85C179-D4DC-4BA7-B201-065CF78C28B7"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 23 Jul 2019 17:23:09 -0400
In-Reply-To: <850aa083-2426-0e9b-b7e2-b6de6ccf0bbb@omnitor.se>
Cc: "Olle E. Johansson" <oej@edvina.net>, rum@ietf.org
To: Gunnar Hellström <gunnar.hellstrom@omnitor.se>
References: <8FB5F5A0-E3FE-40F8-A6D0-35D9002C6770@brianrosen.net> <85828597-D024-4E7E-8876-F1C4753E6B7D@edvina.net> <850aa083-2426-0e9b-b7e2-b6de6ccf0bbb@omnitor.se>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/ojrBorSgqzS01oJ9FBRCGlVLIC4>
Subject: Re: [Rum] Let's get into it
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 21:23:18 -0000

Thanks.

I think when we bring in the WebRTC media specs, the SRTP stuff comes with it, so this text may leave.

I’ll look into separating the general requirements as you suggest but I’m not a fan of a one paragraph subsection.

Brian

> On Jul 23, 2019, at 5:20 PM, Gunnar Hellström <gunnar.hellstrom@omnitor.se> wrote:
> 
> Brian,
> 
> I agree with Olle.
> 
> For now, just a couple of minor comments.
> 
> 1:
> 
> Section 5. General requirements.
> 
> These requirements are not exactly general. Most of them are security related. Security interested readers might miss them under the current header.
> 
> I suggest to make two subsections under 5:
> 
> 5.1 General security requirements
> 
> 5.2 General coding requirements
> 
> (the last two lines)
> 
> 2:
> 
> Section 8:
> "All media streams between the RUE and another endpoint or relay
>    Provider MUST be exchanged using the secure real-time transport
>    protocol (SRTP) [RFC3550 <https://tools.ietf.org/html/rfc3550>] using DTLS [RFC5763 <https://tools.ietf.org/html/rfc5763>], [RFC5764 <https://tools.ietf.org/html/rfc5764>], except
>    that for backwards compatibility with older video endpoints, RTP MAY
>    be negotiated if SRTP negotiation fails.
> “
> I assume that the reference for SRTP should be RFC 3711.
> You may move the reference to RFC 3550 one line forwards, to after RTP.
> 
> 
> Good work
> 
> Gunnar
> 
> Den 2019-07-10 kl. 12:28, skrev Olle E. Johansson:
>> 
>> 
>>> On 9 Jul 2019, at 21:48, Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>> wrote:
>>> 
>>> Please comment on anything.
>> 
>> Section 5:
>> 
>> "Both HTTPS and all SIP Transactions MUST use TLS 1.2”
>> 
>> “Transactions” doesn’t work well here. “Connections” would be better.
>> Instead of hard-coding a specific version of TLS you may want to point to the BCP by the UTA wg,
>> unless you anyway will update this profile from time to time.
>> 
>> " During the establishment of secure connections with a provider, the
>>    RUE MAY be asked by the server for a client certificate.  In that
>>    case it SHOULD provide a client certificate.  Providers MAY reject
>>    requests that fail to provide a recognized certificate.”
>> What’s in the client cert? How do you validate the client certs?
>> Section 6 doesn’t mentionSIP over WebSockets. I assume that would apply.
>> Since you are using phone numbers as identifiers, I from an EU standpoint
>> suggest disallowing all non-secure transports. Phone numbers are 
>> considered personal identifiers and are affected by the EU GDPR.
>> Section 6.2.1 forbids Route headers in initial INVITE requests. The example
>> in 6.2.2 has a very visible Route: header in the initial request.
>> Section 6.2.3 talks about an xCard without any references or comments
>> about trust for that information.
>> Section 6.2.4:
>> "The RUE MUST accept inbound calls sent to it by the proxy mentioned
>>    in the configuration.”
>> The proxy is found using DNS and may be a list created from NATPR/DNS SRV
>> records. What is the defintion of “the proxy” in this statement?
>> "If Multiple simultaneous RUE SIP registrations from different RUE
>>    devices with the same SIP URI exist, the Provider MUST parallel fork   the call to all registered RUEs so that they ring at the same time.
>>    The first RUE to reply with a 200 OK answers the call and the
>>    Provider MUST CANCEL other call branches.
>> "
>> Is this normative (you have many MUST here). If so - how does this
>> change the behaviour of RFC 3261?
>> Also, I think this texts forgets about SIP outbound. Since Outbound is a MUST,
>> you need to clarify the mix of parallell and serial forking that will happen.
>> Section 6.3:
>> "The RUE MUST support   REFER to enable call transfer.“
>> 
>> Which combination of REFER? I assume that “Mid call signaling” is “in-dialog transactions” in SIP lingo,
>> but REFER with or without Replaces? With or without subscription for updates?
>> 
>> Section 6.4:
>> 
>> " Relay Service URIs and User Address of Records (AoR) MUST resolve (in
>>    accord with [RFC3263 <https://tools.ietf.org/html/rfc3263>]) to globally routable IPv4 addresses.  The AoRs
>>    MAY also resolve to IPv6 addresses.”
>> How do you resolve a complete URI into an IP address? I guess you mean
>> the domain part that resolves to a list of addresses using DNS.
>> Why is IPv4 a MUST?
>> Section 8:
>> "All media streams between the RUE and another endpoint or relay
>>    Provider MUST be exchanged using the secure real-time transport
>>    protocol (SRTP) [RFC3550 <https://tools.ietf.org/html/rfc3550>] using DTLS [RFC5763 <https://tools.ietf.org/html/rfc5763>], [RFC5764 <https://tools.ietf.org/html/rfc5764>], except
>>    that for backwards compatibility with older video endpoints, RTP MAY
>>    be negotiated if SRTP negotiation fails.
>> “
>> 
>> How do you handle the risk of downgrade attacks here? That exception is dangerous
>> and maybe should be handled elsewhere, not in the client. 
>> 
>> 
>> Section 11.1
>> 
>> The example operator URI for red.example.net <http://red.example.net/> seems to lack “;user=dialstring”
>> 
>> Section 11.2
>> 
>> "outbound-proxies: (OPTIONAL) A list of URIs of SIP proxies to be
>>       used when sending requests to the Provider.  Multiple URIs
>>       identify alternative (redundant) paths to the Provider.
>> “
>> 
>> Outbound proxy is of course something you look up in DNS to get the list of
>> actual servers. Is there a need to have an additional list in this json format?
>> 
>> " ice-servers” - propably a bad name. I don’t remember seeing “ice server” as a term.
>> As turn servers are also STUN servers, I think “turn-servers” is better.
>> 
>> “credentials”: This is tricky indeed. Sending credentials in clear text like this,
>> even if it’s over HTTPS is an interesting approach in this age and time.
>> Regardless of that, make sure you consider OAuth/OpenID connect auth
>> for some services.
>> 
>> “lifetime”:; You are really not clear on what happens when the configuration
>> expires. Is the RUE forbidden to use anything here? What about emergency calls
>> - will they work even without configuration?
>> 
>> General:
>> 
>> You do not mention bundling of RTP streams, which may be beneficial here.
>> 
>> Good work!
>> 
>> /O
>> 
>> 
>> 
>> 
>> 
>> 
>> 
> -- 
> -----------------------------------------
> Gunnar Hellström
> Omnitor
> gunnar.hellstrom@omnitor.se <mailto:gunnar.hellstrom@omnitor.se>
> +46 708 204 288