Re: [Rum] Let's get into it

Brian Rosen <br@brianrosen.net> Wed, 07 August 2019 21:14 UTC

Return-Path: <br@brianrosen.net>
X-Original-To: rum@ietfa.amsl.com
Delivered-To: rum@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59733120059 for <rum@ietfa.amsl.com>; Wed, 7 Aug 2019 14:14:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.887
X-Spam-Level:
X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=brianrosen-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l45h-Y5MWDvf for <rum@ietfa.amsl.com>; Wed, 7 Aug 2019 14:14:51 -0700 (PDT)
Received: from mail-qk1-x732.google.com (mail-qk1-x732.google.com [IPv6:2607:f8b0:4864:20::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FF2D12003F for <rum@ietf.org>; Wed, 7 Aug 2019 14:14:51 -0700 (PDT)
Received: by mail-qk1-x732.google.com with SMTP id s145so67038479qke.7 for <rum@ietf.org>; Wed, 07 Aug 2019 14:14:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brianrosen-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Yg8n56+taqFnUD0emWAzPzzp8nKgESOy3eNY1KIaHyk=; b=G67er/7ILy7H4TjLzAZZEfhdYJHDfBwyjLiuDEMGFj+FHmx62aEyJ2Yq/GvNqr9sgS AWCrYL4/riNbgEGg8BGQhD24LNYT/9kZqS8/bHoy3iwpAu9GPgIBotRmSBw7KidxfDLz m8TiptDh9/h8+x9JQQDtKdjlH8jxYy4/kLg4TaWlY1mGSQQf6GNrU03b2cyH0Bj2OWE8 Lvu9wUmaWh2JZOmvgBulSs8JT1G8kb8eRg8nll+Q7+aVrMhUd2rwukc+hXBhVA0KbDfT SXA8uXPqf5PM0qFWh+OpMpAQ/955B7eTgcIalJvSsb3U8utnyWa6thS6ZY3GwTlOhItt iYVQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Yg8n56+taqFnUD0emWAzPzzp8nKgESOy3eNY1KIaHyk=; b=N9wUYst7WNw9phxTL+P36hslnpMN6DOvR0rZajny2UL3gOV5wPx0MCoxDK1L2FOzcu Y18492sJfn1zJQ4hH8j0QOlnIfBROb/RXc+tfjEyAbmME9/fkoW3a6XmqjnHHDRXVL+4 dbrEiuiN1T4So40tg+g0K3ZCJlKBsskN3s39MYuRoDlBdWNURa2fS231TVXpBawVptTs pUnMHExVloJp5/IDjnbEVXFRCaHUmi/iI3YOXf1S8K9zKjqQMCHIqqEL4dJw4wHLDxm6 jlhiKIEdzr+cH/zxVHUMzHuoJbZz2tNHjgAMLPJpo8yRngBdylkuqxjzuGd/Aqgeiqeq RupQ==
X-Gm-Message-State: APjAAAWMXQN/jBzjtzpPnemzjTnFn2jaykms2a2Jzx8IdC9Q7DtkkyHF 0WiheGuRHK6b1rDFyopBkWDrbGZ0T8c=
X-Google-Smtp-Source: APXvYqz1rhq2KEnAxw1dqUsBwCdoDCk9bgD4fGo5X61TxiD3N4HW7IopeENyC47FfvGEinsd8ogBzg==
X-Received: by 2002:ae9:f809:: with SMTP id x9mr10422806qkh.86.1565212490255; Wed, 07 Aug 2019 14:14:50 -0700 (PDT)
Received: from brians-mbp-2369.lan (dynamic-acs-24-101-114-50.zoominternet.net. [24.101.114.50]) by smtp.gmail.com with ESMTPSA id 67sm39714699qkh.108.2019.08.07.14.14.49 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Aug 2019 14:14:49 -0700 (PDT)
From: Brian Rosen <br@brianrosen.net>
Message-Id: <64B406DC-4171-41EB-9171-A2AF7B78B409@brianrosen.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_576F8FD4-2E26-4631-A811-3C32A415726D"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 7 Aug 2019 17:14:48 -0400
In-Reply-To: <85828597-D024-4E7E-8876-F1C4753E6B7D@edvina.net>
Cc: rum@ietf.org
To: "Olle E. Johansson" <oej@edvina.net>
References: <8FB5F5A0-E3FE-40F8-A6D0-35D9002C6770@brianrosen.net> <85828597-D024-4E7E-8876-F1C4753E6B7D@edvina.net>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rum/rqL7_6xZScLes5lOeMD1fOR3XkU>
Subject: Re: [Rum] Let's get into it
X-BeenThere: rum@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <rum.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rum>, <mailto:rum-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rum/>
List-Post: <mailto:rum@ietf.org>
List-Help: <mailto:rum-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rum>, <mailto:rum-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2019 21:14:54 -0000

Working on these comments.  I submitted a new version (-01)

I edited the doc to say the client cert is provisioned.  Given that it’s provisioned by the entity that the provides the server, do I need to say anything else about validating the cert?

I’m fine with requiring support for SIP-over-websockets (RFC7118), but is that a general goodness these days?

The general requirements require TLS for SIP, so I don’t think I need anything else for telephone number privacy, right?

6.2.1 says “Route headers MAY be included in one-stage dial-around calls and emergency calls.”  6.2.2 is one-stage-dial around, so it fits the exception for the SHOULD.

I added the reference to RFC6351 for xCard.   I think we should have a discussion of whether this mechanism should be retained.  The purpose was to deal with an objection from providers that if they supported this interface, anyone could download some random code claiming to meet it, and they wouldn’t have a clue where it came from or a way to contact anyone if it didn’t behave.  As you point out, there isn’t any way for the server to put any trust in the data.  The requirement for TLS covers eavesdropping, but it still could obtain PII.  I left the text for now, but we should discuss.

You said “The proxy is found using DNS and may be a list created from NATPR/DNS SRV records. What is the defintion of “the proxy” in this statement?”,  It seems obvious to me that the proxy URI is found in the configuration and the SRV resolves to an IP address (or addresses).  What is unclear?

Simultaneous ring is a pretty well known thing, which I think everyone does with parallel fork in one form or another.  There is only two MUSTs for the server (if there are multiple registrations, ring them all, and CANCEL any ringing UAs that didn’t answer). 3261 doesn’t discuss CANCEL when forking and I don’t see where we say anything that could be construed as violating anything I can see in 3261.  I’m at a loss to understand what I should change.

The reference to OUTBOUND also confuses me.  Yeah, you could get some forking when following Outbound, but that wouldn’t change this fork of independent registered UAs would it?  What text suggestion do you have?  I’m very happy to clarify anything unclear, but I don’t see the problem yet.

I added the RFC references to REFER, and included the 7647 update as well as explicit support for norefersub,

Could we have a discussion of whether we require support for IPv4.  I think we do, but are their other opinions?  I fixed “domain part”.

I replaced the media and SRTP sections with references to the WebRTC media specifications.  There is a significant problem where there are existing endpoints that simply can’t be upgraded to support SRTP video.  This may be less of a problem if the systems that support those endpoints anchor media in their SBCs.

The example operator URI in Section 11.1 doesn’t contain a number-which-is-not-an-E164, and thus doesn’t need user=dialstring.



> On Jul 10, 2019, at 6:28 AM, Olle E. Johansson <oej@edvina.net> wrote:
> 
> 
> 
>> On 9 Jul 2019, at 21:48, Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>> wrote:
>> 
>> Please comment on anything.
> 
> Section 5:
> 
> "Both HTTPS and all SIP Transactions MUST use TLS 1.2”
> 
> “Transactions” doesn’t work well here. “Connections” would be better.
> Instead of hard-coding a specific version of TLS you may want to point to the BCP by the UTA wg,
> unless you anyway will update this profile from time to time.
> 
> " During the establishment of secure connections with a provider, the
>    RUE MAY be asked by the server for a client certificate.  In that
>    case it SHOULD provide a client certificate.  Providers MAY reject
>    requests that fail to provide a recognized certificate.”
> 
> What’s in the client cert? How do you validate the client certs?
> 
> Section 6 doesn’t mentionSIP over WebSockets. I assume that would apply.
> 
> 
> Since you are using phone numbers as identifiers, I from an EU standpoint
> suggest disallowing all non-secure transports. Phone numbers are 
> considered personal identifiers and are affected by the EU GDPR.
> 
> 
> Section 6.2.1 forbids Route headers in initial INVITE requests. The example
> in 6.2.2 has a very visible Route: header in the initial request.
> 
> Section 6.2.3 talks about an xCard without any references or comments
> about trust for that information.
> 
> Section 6.2.4:
> 
> "The RUE MUST accept inbound calls sent to it by the proxy mentioned
>    in the configuration.”
> 
> The proxy is found using DNS and may be a list created from NATPR/DNS SRV
> records. What is the defintion of “the proxy” in this statement?
> 
> "If Multiple simultaneous RUE SIP registrations from different RUE
>    devices with the same SIP URI exist, the Provider MUST parallel fork   the call to all registered RUEs so that they ring at the same time.
>    The first RUE to reply with a 200 OK answers the call and the
>    Provider MUST CANCEL other call branches.
> "
> Is this normative (you have many MUST here). If so - how does this
> change the behaviour of RFC 3261?
> Also, I think this texts forgets about SIP outbound. Since Outbound is a MUST,
> you need to clarify the mix of parallell and serial forking that will happen.
> 
> 
> Section 6.3:
> 
> "The RUE MUST support   REFER to enable call transfer.“
> 
> Which combination of REFER? I assume that “Mid call signaling” is “in-dialog transactions” in SIP lingo,
> but REFER with or without Replaces? With or without subscription for updates?
> 
> Section 6.4:
> 
> " Relay Service URIs and User Address of Records (AoR) MUST resolve (in
>    accord with [RFC3263 <https://tools.ietf.org/html/rfc3263>]) to globally routable IPv4 addresses.  The AoRs
>    MAY also resolve to IPv6 addresses.”
> 
> How do you resolve a complete URI into an IP address? I guess you mean
> the domain part that resolves to a list of addresses using DNS.
> Why is IPv4 a MUST?
> 
> Section 8:
> 
> "All media streams between the RUE and another endpoint or relay
>    Provider MUST be exchanged using the secure real-time transport
>    protocol (SRTP) [RFC3550 <https://tools.ietf.org/html/rfc3550>] using DTLS [RFC5763 <https://tools.ietf.org/html/rfc5763>], [RFC5764 <https://tools.ietf.org/html/rfc5764>], except
>    that for backwards compatibility with older video endpoints, RTP MAY
>    be negotiated if SRTP negotiation fails.
> “
> 
> How do you handle the risk of downgrade attacks here? That exception is dangerous
> and maybe should be handled elsewhere, not in the client. 
> 
> 
> Section 11.1
> 
> The example operator URI for red.example.net <http://red.example.net/> seems to lack “;user=dialstring”
> 
> Section 11.2
> 
> "outbound-proxies: (OPTIONAL) A list of URIs of SIP proxies to be
>       used when sending requests to the Provider.  Multiple URIs
>       identify alternative (redundant) paths to the Provider.
> “
> 
> Outbound proxy is of course something you look up in DNS to get the list of
> actual servers. Is there a need to have an additional list in this json format?
> 
> " ice-servers” - propably a bad name. I don’t remember seeing “ice server” as a term.
> As turn servers are also STUN servers, I think “turn-servers” is better.
> 
> “credentials”: This is tricky indeed. Sending credentials in clear text like this,
> even if it’s over HTTPS is an interesting approach in this age and time.
> Regardless of that, make sure you consider OAuth/OpenID connect auth
> for some services.
> 
> “lifetime”:; You are really not clear on what happens when the configuration
> expires. Is the RUE forbidden to use anything here? What about emergency calls
> - will they work even without configuration?
> 
> General:
> 
> You do not mention bundling of RTP streams, which may be beneficial here.
> 
> Good work!
> 
> /O
> 
> 
> 
> 
>