[Sip] Few Doubts/comments in draft-ietf-sip-outbound-11

"Hulbut hulbut" <hulbut@gmail.com> Fri, 04 January 2008 16:19 UTC

Return-path: <sip-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1JApGb-0002NL-NY; Fri, 04 Jan 2008 11:19:29 -0500
Received: from sip by megatron.ietf.org with local (Exim 4.43) id 1JApGa-0002ND-2i for sip-confirm+ok@megatron.ietf.org; Fri, 04 Jan 2008 11:19:28 -0500
Received: from sip by megatron.ietf.org with local (Exim 4.43) id 1JApGZ-0002N2-PK for sip@ietf.org; Fri, 04 Jan 2008 11:19:27 -0500
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1JAod8-0001qi-QY for sip@ietf.org; Fri, 04 Jan 2008 10:38:42 -0500
Received: from fg-out-1718.google.com ([72.14.220.158]) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1JAod7-0001oJ-SI for sip@ietf.org; Fri, 04 Jan 2008 10:38:42 -0500
Received: by fg-out-1718.google.com with SMTP id 16so3598619fgg.41 for <sip@ietf.org>; Fri, 04 Jan 2008 07:38:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:mime-version:content-type; bh=wxDhDyNFWBuAlCg9PxloWtFp97O9oZy8Sv1GP0ifAOc=; b=X9CiCZSCqvdtBSml21h1KIC7Ie0i7++gfy1NaQzE600Kji8SMGNzYH72O+RdZFX7g7KaRLdRmcFu170vn4oLR8N5C034bRVQjRJFg24eiNaECZpGk20c3qvEQ4HHsT18xgDzk7OMVI/Fyz+MzjlV4VCIaHOY3SR2rf1z7ZgML/I=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:mime-version:content-type; b=Xw0p95BVjJzQMvaLVyfXKcAloUsA/OjNjR5CGuSKgGXpIPKgFnWmD8jCHxEOF2ntHIxbJ3UsrSaqzCW8EheTgcnWyTyNXyOONOh/eXvRW5bbjX+AIFBzWNwQgIRCiEXoJu8C3QtzFH+uBnC0jJbkiW0PxBeZR4aS8JvXMmLnkR4=
Received: by 10.86.53.8 with SMTP id b8mr8136275fga.64.1199461121176; Fri, 04 Jan 2008 07:38:41 -0800 (PST)
Received: by 10.86.89.20 with HTTP; Fri, 4 Jan 2008 07:38:41 -0800 (PST)
Message-ID: <14b80930801040738r69009873kec9385762a3c9d2a@mail.gmail.com>
Date: Fri, 4 Jan 2008 21:08:41 +0530
From: "Hulbut hulbut" <hulbut@gmail.com>
To: rohan@ekabal.com
Subject: [Sip] Few Doubts/comments in draft-ietf-sip-outbound-11
MIME-Version: 1.0
X-Spam-Score: 0.0 (/)
X-Scan-Signature: b22590c27682ace61775ee7b453b40d3
X-TMDA-Confirmed: Fri, 04 Jan 2008 11:19:27 -0500
Cc: fluffy@cisco.com, sip@ietf.org
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0754049537=="
Errors-To: sip-bounces@ietf.org

Hi Rohan,

I have following doubts in draft:

1) There is a typo (I think) in section 5.3

   If the flow in the flow token in the topmost Route header field value
   matches the source of the request, the request *in* an "outgoing"
   request.  For an "outgoing" request, the edge proxy just removes the
   Route header and continues processing the request.  Otherwise, this
   is an "incoming" request.

 Instead of "in" there should be "is"

2) Section 5.3(Forwarding Non-Register requests), evaluates inbound/outbound
on the basis of Flow token.

   If the flow in the flow token in the topmost Route header field value
   matches the source of the request, the request in an "outgoing"
   request.  For an "outgoing" request, the edge proxy just removes the
   Route header and continues processing the request.  Otherwise, this
   is an "incoming" request.

However in the mentioned decode algorithm, above mismatch will lead to
sending 403 forbidden.

   Example Algorithm:  To decode the flow token, take the flow
      identifier in the user portion of the URI and base64 decode it,
      then verify the HMAC is correct by recomputing the HMAC and
      checking that it matches.  If the HMAC is not correct, the proxy
      SHOULD send a 403 (Forbidden) response.  If the HMAC is correct
      then the proxy SHOULD forward the request on the flow that was
      specified by the information in the flow identifier.  If this flow
      no longer exists, the proxy SHOULD send a 430 (Flow Failed)
      response to the request.


I think inbound/outbound determination can be left to the proxy's own
implementation.
Regarding sending 403 response when HMAC mismatch happens, I am not clear
how will any request be sent to UEs
Considering an Edge proxy receives request from some other server
(authoritative server), the flow token in route header would be
pointing to UEs source address(or NAT mapped address) but the value which
Edge proxy will compute will be based on the source address of other server.
Thus, in case of inbound all requests will be rejected by 403 .


Please correct me !

Thanks
Hulbut
_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip