Re: [secdir] secdir review of draft-ietf-simple-msrp-sessmatch

Ben Campbell <> Wed, 08 September 2010 21:36 UTC

From: Ben Campbell <>
Date: Wed, 08 Sep 2010 16:36:48 -0500
To: Christer Holmberg <>
Cc: Ted Hardie <>, The IETF <>
Subject: Re: [secdir] secdir review of draft-ietf-simple-msrp-sessmatch
List-Id: Security Area Directorate <>

I wanted to make a quick response to one part of this discussion--see below:

On Aug 31, 2010, at 12:39 PM, Christer Holmberg wrote:

>>>> To highlight one particular aspect, RFC 4975 does not require
>>>> session-ids to be present, a fact noted both in the ABNF and in this
>>>> text:
>>>> 4. The session-id part is compared as case sensitive.  A URI without
>>>>  a session-id part is never equivalent to one that includes one.
>>>> A matching scheme which relies on a URI section which is not
>>>> guaranteed to be present has some interesting problems ahead of it. If
>>>> this effectively makes their use mandatory, that requires a change to
>>>> the fundamental ABNF and text.
>>> An MSRP URI in an SDP offer or answer for an MSRP session MUST include a
>>> session-id part, so I believe the comment is
>>> based on incorrect assumptions.
>> This is not indicated in the URI matching section
> We will clarify that sessmatch conformant UAs do not use MSRP URI matching in
> order to perform MSRP session matching.

In fact, RFC4975 does require an MSRP URI in an SDP offer or answer to include a session ID part. Unfortunately, it does so rather obliquely.

Section 6 contains the following language:

> The MSRP URI authority field identifies a participant in a particular
>    MSRP session.  If the authority field contains a numeric IP address,
>    it MUST also contain a port.  The session-id part identifies a
>    particular session of the participant.  The absence of the session-id
>    part indicates a reference to an MSRP host device, but does not refer
>    to a particular session at that device.  

Section 8.2, in the last paragraph, says the following about the rightmost URI placed in a path attribute in the SDP (note that 4975 does not specify MSRP relay behavior, so only the rightmost URI is in scope):

> It MUST be assigned for this particular session, and MUST NOT duplicate
>    any URI in use for any other session in which the endpoint is
>    currently participating.  It SHOULD be hard to guess, and protected
>    from eavesdroppers.  This is discussed in more detail in Section 14.

These, taken together, create a requirement for a session-ID for MSRP URIs used to identify a session in the SDP. I agree this should have been more strongly worded. An errata entry is probably in order.
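The following is an added example written for this archive page; it is not code from RFC 4975, from the sessmatch draft, or from anyone in the thread. It puts the two points of the message into working form: the Section 6.1 comparison rule quoted above (scheme case-insensitive, session-id case-sensitive, and a URI without a session-id never equal to one with it), and the Section 8.2 requirement that the rightmost path URI in an SDP offer or answer carry a session-id that is unique per session and hard to guess. The regex is a simplified approximation of the MSRP-URI ABNF, the host/port and transport comparison details are assumptions rather than the normative text, the session-id-only lookup in `match_session` is this example's reading of the sessmatch idea, and the SDP fragment is constructed for the demonstration.

```python
"""MSRP URI parsing, comparison and session-id checks (added example)."""
import re
import secrets
from typing import Dict, Optional

# Simplified approximation of the MSRP-URI ABNF from RFC 4975 section 9
# (assumption of this example, not a complete grammar):
#   msrp-scheme "://" authority ["/" session-id] ";" transport *(";" param)
#   session-id = 1*(unreserved / "+" / "=" / "/")
_MSRP_URI_RE = re.compile(
    r"^(?P<scheme>msrps?)://(?P<authority>[^/;]+)"
    r"(?:/(?P<session_id>[A-Za-z0-9\-._~+=/]+))?"
    r";(?P<transport>[A-Za-z0-9]+)(?P<params>(?:;[^;]+)*)$",
    re.IGNORECASE,
)


def parse_msrp_uri(uri: str) -> dict:
    """Split an MSRP URI into its parts; session_id is None when absent."""
    m = _MSRP_URI_RE.match(uri)
    if m is None:
        raise ValueError(f"not an MSRP URI: {uri!r}")
    return m.groupdict()


def msrp_uri_equal(a: str, b: str) -> bool:
    """RFC 4975 section 6.1 comparison as quoted in the thread: scheme is
    case-insensitive; the session-id part is case-sensitive, and a URI
    without a session-id is never equivalent to one that has one.
    Host/port (case-insensitive, port exact) and transport handling below
    are assumptions of this example, not the normative text."""
    pa, pb = parse_msrp_uri(a), parse_msrp_uri(b)
    if pa["scheme"].lower() != pb["scheme"].lower():
        return False
    if pa["authority"].lower() != pb["authority"].lower():   # assumption
        return False
    if pa["transport"].lower() != pb["transport"].lower():   # assumption
        return False
    # Rule 4: presence/absence of the session-id must agree, and when both
    # are present they must match byte for byte.
    if (pa["session_id"] is None) != (pb["session_id"] is None):
        return False
    return pa["session_id"] == pb["session_id"]


def rightmost_path_uri(sdp: str) -> str:
    """Return the rightmost URI of the a=path attribute in an SDP offer or
    answer, rejecting it if it lacks a session-id: section 8.2 requires a
    per-session URI there, and section 6 says a URI without a session-id
    names only a host, not a session."""
    for line in sdp.splitlines():
        if line.startswith("a=path:"):
            uris = line[len("a=path:"):].split()
            if not uris:
                raise ValueError("empty a=path attribute")
            if parse_msrp_uri(uris[-1])["session_id"] is None:
                raise ValueError(f"rightmost path URI {uris[-1]!r} has no session-id")
            return uris[-1]
    raise ValueError("no a=path attribute in SDP")


class MsrpEndpoint:
    """Tracks the session URIs one endpoint has placed in SDP offers/answers."""

    def __init__(self, authority: str, scheme: str = "msrps") -> None:
        self.authority = authority
        self.scheme = scheme
        self._sessions: Dict[str, str] = {}   # session-id -> local URI

    def new_session_uri(self) -> str:
        """Mint a URI for a new session: unique among this endpoint's live
        sessions and hard to guess (section 8.2).  token_urlsafe draws from
        the OS CSPRNG and emits only unreserved characters."""
        while True:
            sid = secrets.token_urlsafe(18)        # 144 bits of entropy
            if sid not in self._sessions:
                break
        uri = f"{self.scheme}://{self.authority}/{sid};tcp"
        self._sessions[sid] = uri
        return uri

    def match_session(self, to_path_uri: str) -> Optional[str]:
        """Map an incoming request's To-Path URI to a local session by its
        session-id part alone, this example's reading of the sessmatch idea
        (an assumption, not the draft's text).  A URI with no session-id
        can never select a session."""
        sid = parse_msrp_uri(to_path_uri)["session_id"]
        if sid is None:
            return None
        return self._sessions.get(sid)


# Constructed SDP fragment for a stand-alone run (not from the RFC or thread).
OFFER_SDP = "\r\n".join([
    "m=message 7394 TCP/MSRP *",
    "a=accept-types:text/plain",
    "a=path:msrp://alice.example.com:7394/iau39soe2843z;tcp",
])

if __name__ == "__main__":
    ep = MsrpEndpoint("bob.example.com:12763")
    local = ep.new_session_uri()
    print("offer path :", rightmost_path_uri(OFFER_SDP))
    print("answer path:", local)
    print("session-id lookup works:", ep.match_session(local) == local)
```

Run it directly to see a minted answer-side URI; drop the `/iau39soe2843z` part from `OFFER_SDP` and `rightmost_path_uri` refuses the offer, which is the check the message argues RFC 4975 already implies.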