RE: [Sip] Connected-identity and changing the To header field ina response
"Elwell, John" <john.elwell@siemens.com> Mon, 15 May 2006 14:35 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FfeAV-0006ng-P3; Mon, 15 May 2006 10:35:31 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FfeAU-0006nb-P4 for sip@ietf.org; Mon, 15 May 2006 10:35:30 -0400
Received: from mailgate.siemenscomms.co.uk ([195.171.110.225] helo=bemg01.siemenscomms.co.uk) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FfeAR-0005ry-Qw for sip@ietf.org; Mon, 15 May 2006 10:35:30 -0400
Received: from CONVERSION-DAEMON.siemenscomms.co.uk by siemenscomms.co.uk (PMDF V6.0-24 #40642) id <0IZB003019U5Y9@siemenscomms.co.uk> for sip@ietf.org; Mon, 15 May 2006 15:34:56 +0100 (BST)
Received: from ntht207e.uksgcs.siemenscomms.co.uk ([137.223.247.82]) by siemenscomms.co.uk (PMDF V6.0-24 #40642) with ESMTP id <0IZB002CG9TGU9@siemenscomms.co.uk>; Mon, 15 May 2006 15:34:28 +0100 (BST)
Received: by ntht207e.uksgcs.siemenscomms.co.uk with Internet Mail Service (5.5.2657.72) id <K8GL11D6>; Mon, 15 May 2006 15:34:00 +0100
Content-return: allowed
Date: Mon, 15 May 2006 15:33:58 +0100
From: "Elwell, John" <john.elwell@siemens.com>
Subject: RE: [Sip] Connected-identity and changing the To header field ina response
To: Cullen Jennings <fluffy@cisco.com>, Roland Jesske <roland.jesske@web.de>, "Christer Holmberg (JO/LMF)" <christer.holmberg@ericsson.com>
Message-id: <50B1CBA96870A34799A506B2313F266708EB28C9@ntht201e.siemenscomms.co.uk>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: quoted-printable
X-Spam-Score: 0.5 (/)
X-Scan-Signature: 3d48d865303330c98a6e90d450cf2ff2
Cc: sip@ietf.org, Jon Peterson <jon.peterson@neustar.biz>
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Errors-To: sip-bounces@ietf.org
Cullen, I guess what I meant in my message below was the following. If for TIP there is a need to put the identity in a response to the INVITE request, then that should not be part of the Connected-Identity draft. However, if the existing mechanism in the Connected-Identity draft is sufficient to solve TIP, then that is fine by me. John > -----Original Message----- > From: Cullen Jennings [mailto:fluffy@cisco.com] > Sent: 15 May 2006 04:48 > To: Roland Jesske; Christer Holmberg (JO/LMF) > Cc: Elwell, John; Jon Peterson; sip@ietf.org > Subject: Re: [Sip] Connected-identity and changing the To > header field ina response > > > Can someone explain to me why it is that the TIP requirement can not > be solved with the connected-identity draft? I do understand it may > not be the way some people desire to solve this problem but first of > all I am just trying to understand what parts of the requirements we > can't meet with this. > > Thanks, Cullen > > > On Apr 5, 2006, at 10:48 PM, Elwell, John wrote: > > > Roland, > > > > Yes, there was indeed a misunderstanding, but my draft was not > > written with > > TISPAN requirements in mind. It was written to solve the problem of > > authenticated identity, or rather to extend the present > concept of the > > Identity header to mid-dialog requests and show how that can be > > used to > > solve certain problems. > > > > The Terminating Identity Presentation (TIP) requirement > from TISPAN > > needs to > > be addressed by some other means. I don't think modifying the To > > header is > > appropriate. Whereas RFC 3261 anticipates deprecating fixed > To/From > > header > > field URIs throughout a dialog (i.e., it anticipates that these > > will be > > allowed to change mid-dialog), it says nothing to warn of any > > future removal > > of the requirement that the To header field URI in the response be > > the same > > as that in the request. > > > > Therefore it seems that whatever solution you adopt for > solving the > > TISPAN > > TIP problem, it would have little in common with the connected- > > identity > > draft. > > > > John > > > > > >> -----Original Message----- > >> From: Roland Jesske [mailto:roland.jesske@web.de] > >> Sent: 05 April 2006 14:33 > >> To: Christer Holmberg (JO/LMF); Elwell, John; Peterson, Jon; > >> sip@ietf.org > >> Subject: RE: [Sip] Connected-identity and changing the To > >> header field ina response > >> > >> John, > >> there it looks like a misunderstanding. Thought all > >> requirements from IETF and TISPAN can be solved within your draft. > >> > >> As you saw he additional connected identity is a requirement > >> comming from TISPAN and that was discussed in also in > >> Vancover. In draft-sasaki-sipping-tispan-adhoc-summary-00.txt > >> it is mentioned. > >> > >> Terminating Identification Presentation(TIP)- The working group > >> requests that this requirement be better defined and > >> documented. > >> It is also suggested that TISPAN consider reading > >> draft-rosenberg-sip-identity-privacy-00 as it may solve the > >> problem of calling into an 800 number, getting an > operator, and > >> being able to call back that operator and still protect the > >> privacy of the operator. > >> In addition, work is progressing on > >> draft-elwell-sip-connected-identity-00. > >> > >> So using the PAI does not need to go deeper into > >> draft-rosenberg-sip-identity-privacy-00, but looking into > your draft. > >> And looking within your draft using the dialogUriChange > >> element we thought we have the solution if this can be done > >> within the final Response of the initial INVITE. > >> > >> Best Regards > >> > >> Roland > >> > >> > >> > >>> -----Ursprüngliche Nachricht----- > >>> Von: "Elwell, John" <john.elwell@siemens.com> > >>> Gesendet: 05.04.06 14:56:20 > >>> An: sip@ietf.org > >>> Betreff: RE: [Sip] Connected-identity and changing the To > >> header field ina response > >> > >> > >>> Christer, > >>> > >>> This "additional connected number" is not a requirement > >> that I have been > >>> trying to address. Was this among the requirements that > >> TISPAN brought into > >>> the IETF recently? > >>> > >>> John > >>> > >>>> -----Original Message----- > >>>> From: Christer Holmberg (JO/LMF) > >>>> [mailto:christer.holmberg@ericsson.com] > >>>> Sent: 05 April 2006 08:34 > >>>> To: Elwell, John; Peterson, Jon; sip@ietf.org > >>>> Subject: RE: [Sip] Connected-identity and changing the To > >>>> header field inaresponse > >>>> > >>>> > >>>> Hi, > >>>> > >>>> In PSTN terms we are talking about that the TO header shall > >>>> be mapped to > >>>> the additional connected number, and that does NOT need to be > >>>> authorized > >>>> in the same way as the connected number. > >>>> > >>>> And, whether the interworking node sends this value to PSTN > >>>> is of course > >>>> based on local policy, based on trust etc. > >>>> > >>>> Regards, > >>>> > >>>> Christer > >>>> > >>>> > >>>> ________________________________ > >>>> > >>>> From: Elwell, John [mailto:john.elwell@siemens.com] > >>>> Sent: 5. huhtikuuta 2006 10:01 > >>>> To: Peterson, Jon; sip@ietf.org > >>>> Subject: RE: [Sip] Connected-identity and changing the To > >> header field > >>>> inaresponse > >>>> > >>>> > >>>> Jon, > >>>> > >>>> Thanks for this excellent summary of the issue, which I fully > >>>> agree with > >>>> and which unfortunately seems to need restating at regular > >>>> intervals. It > >>>> appears that the chief motivation of those asking for > >> something in the > >>>> response is to facilitate interworking with PSTN (by > >>>> including it in the > >>>> 200 response so that it can be mapped directly to the > >> PSTN "connected" > >>>> message). As you say, such a response is always going to be > >>>> unauthenticated, and I don't think that meets the > >> requirements of PSTN > >>>> interworking. Far better to figure out a way of using an > >> authenticated > >>>> connected identity in an UPDATE message for mapping to > >> PSTN connected > >>>> identity. > >>>> > >>>> Of course, in trusted networks there may be other means for > >>>> ensuring the > >>>> authenticity of an identity in a response, just as there is > >>>> in a request > >>>> using P-Asserted-Identity. Unfortunately RFC3325 is > >> unclear on the use > >>>> of PAI in responses, although in practice I think it is > >> used and is > >>>> probably OK if the last hop is secured by TLS so that previous > >>>> authentication of the UAS can be relied on for making the > >> assertion. I > >>>> think if those trusted networks really need a solution > >> for response > >>>> identity, PAI would be a better avenue to explore (taking > >> into account > >>>> the risks). But not for the Internet. I am becoming more and more > >>>> convinced that diluting the connected-identity draft with a weak > >>>> solution for response identity would be the wrong way to go. > >>>> > >>>> John > >>>> > >>>> > >>>> ________________________________ > >>>> > >>>> From: Peterson, Jon [mailto:jon.peterson@neustar.biz] > >>>> Sent: 05 April 2006 02:05 > >>>> To: Elwell, John; sip@ietf.org > >>>> Subject: RE: [Sip] Connected-identity and changing the To header > >>>> field in aresponse > >>>> > >>>> > >>>> Yes, I was asked for clarification on this point after the > >>>> meeting, and I'll be providing it here. As you surmised, it > >>>> is not that > >>>> RFC3261 relies on the addr-spec of the To or From header > field for > >>>> transaction identification, or something. In fact, I would have > >>>> essentially the same concerns about any proposal that provided an > >>>> additional header (say, a 'Connected-Party' header) in > >> responses to > >>>> dialog-forming requests which was understood to clobber > >> the To header > >>>> field and identify the AoR of the party who was reached after > >>>> retargeting of the request took place. > >>>> > >>>> Starting with the goals of this approach: what sort of UAC > >>>> decisions or behavior do we hope to enable through > >> sending a response > >>>> with a modified To header field? As far as I can > >> understand, we either > >>>> want to render this AoR to the user of a UAC (so the user > >> can react in > >>>> one way or another), or input the AoR to some sort of > >> policy manager > >>>> (e.g. blacklist/whitelist) that might make a decision > >> about whether or > >>>> not the session should continue -prior- to session > >>>> establishment. If we > >>>> don't care about this occurring prior to session > establishment, of > >>>> course, then we could go with the connected-identity > >> draft as it is > >>>> written today. > >>>> > >>>> A little refresher on my sipping-retarget draft: The core > >>>> problem with any scheme for connected party is figuring > >> out how you'd > >>>> decide whether or not a particular respondent is authorized. > >>>> This is the > >>>> argument of 2.2.1 of sipping-retarget, the "unanticipated > >> respondent" > >>>> problem. When we think about what sorts of policy decisions > >>>> we expect a > >>>> human or automata to make when receiving a response with identity > >>>> information, we have to acknowledge that the UAC has no > >> way of knowing > >>>> which respondents are or are not authorized to respond to the > >>>> request in > >>>> question. Since the UAC has no insight into any > >> retargeting that has > >>>> taken place, the UAC has to assume that virtually any > >> response is a > >>>> potentially legitimate one. As such, there is little room for any > >>>> meaningful policy decision when receiving a response. > >> This problem is > >>>> further compounded by the fact that the UAS may have > >> several possible > >>>> legitimate AoRs it could claim (I have a UA that > >> registers its contact > >>>> address under 3 separate SIP services simultaneously), and of > >>>> course the > >>>> fact that AoRs may be pretty uninformative (e.g. > >>>> sip:user31@freesipservice.example.com), all of which complicate > >>>> authorization decisions. Solving this problem is on the same > >>>> footing as > >>>> solving the request-history problem set. > >>>> > >>>> With that background, the problems with providing this connected > >>>> party information in responses (via the To header or what > >>>> have you) are > >>>> roughly as follows: > >>>> > >>>> a) The "unanticipated respondent" problem is especially an issue > >>>> for response identity because not all responses are > >> success responses. > >>>> If you end up connecting to a party (receiving a 200), you can > >>>> potentially rely on human factors to help you identify > who you are > >>>> talking to (after all, Carol can always answer Bob's phone > >>>> regardless of > >>>> who SIP thinks you connected to) and/or use the connected party > >>>> information to change how you might address the party on the > >>>> other side. > >>>> With a 403 response, you are in a very different > >> predicament - how is > >>>> UAC or user behavior supposed to change based on the > connected URI > >>>> attributed to a 403, given the unanticipated respondent > >> problem? For > >>>> provisional responses, the issues become even worse - we > >> then get into > >>>> the wonders of forking, multiple provisional responses > >> from multiple > >>>> sources asserting different To header fields - in short, > >> nothing which > >>>> makes it any easier to render a "responding" AoR to a user, > >>>> for example. > >>>> Response identity, in so far as it deals with non-final, > >>>> non-successful > >>>> responses, opens up the "unconnected party" problem set. I > >>>> think this is > >>>> just the wrong framing of the problem. You want to know who you > >>>> connected to, not who you didn't connect to. > >>>> > >>>> b) Getting a signature over the To header field in responses > >>>> would be difficult. In full awareness of Mr. Elwell's > >> note below that > >>>> certain parties are interested in "(unauthenticated) > identity in a > >>>> response", if this information is going to be put to any > >>>> purpose, cause > >>>> any change in human or UAC behavior, I have a hard time > seeing how > >>>> anyone could defend it being unsecured. If you want a human or an > >>>> automata to make a policy decision based on the AoR in > >> the To header > >>>> field of the response, some sort of response identity > >>>> signature would be > >>>> necessary to prevent obvious impersonation attacks > >> designed to thwart > >>>> authorization decisions. With all due respect to the authors of > >>>> draft-cao-sip-response-identity/auth, I'm not sure this > problem is > >>>> readily solved. Making sure that an appropriate > >> authentication service > >>>> is in the path of responses is problematic, since responses must > >>>> traverse exactly the same path as requests. I played around > >>>> with this a > >>>> lot in the early phases of SIP identity, and at the end > >> of the day, I > >>>> had to conclude that the only way to make this work was > >> to eliminate > >>>> retargeting. Since providing connected-identity in > >> responses assumes > >>>> that retargeting has taken place, it wouldn't exactly be > >>>> getting off on > >>>> the right foot. Constraining inbound request routing to a > >> domain such > >>>> that responses will traverse an authentication service, or > >>>> forcing a UAS > >>>> to participate in the Identity scheme, is likely to > >> require mandatory > >>>> option-tags or comparable mechanisms that will limit the > >> applicability > >>>> of response identity and more or less eliminate its > >> opportunistic use. > >>>> > >>>> c) The inability to reject a response. Take the easiest case - > >>>> let's say that the UAC receives a final success response, > >> say a 200 > >>>> response, with a modified To header field from a party that is > >>>> blacklisted by UAC policy. What exactly is the UAC supposed > >>>> to do? Send > >>>> a 403? One cannot reject responses. Maybe a CANCEL? As > >> section 9.1 of > >>>> RFC3261 says, CANCEL "has no effect on requests that have already > >>>> generated a final response." Drop the request on the floor? > >>>> You'll just > >>>> receive retransmissions. All you can do is ACK it, since the > >>>> dialog has > >>>> already been formed, and then send a BYE. In other words, > >> a session > >>>> -will- be established, there simply isn't an opportunity > >> for policy to > >>>> be put into effect prior to session establishment. Also, > >> consider the > >>>> need for the new responses defined in the sip-identity > >> draft, like say > >>>> the 438 response - if the UAC receives a 200 response with a > >>>> potentially > >>>> repairable error in the Identity header, how can it > >> express that error > >>>> to the UAS, since it can't send responses to a response? > >>>> > >>>> Given the above, why does the UAC need to know who has been > >>>> reached in the response, rather than in a request after > >> the dialog has > >>>> been formed? As (c) illustrates, in the 200 response case a > >>>> session will > >>>> be established anyway, so sharing the identity of the > >> connected party > >>>> after session establishment doesn't actually miss some > >> opportunity for > >>>> applying policy - moreover, an UPDATE or similar request > >> that provides > >>>> the connected-identity information could be rejected by the > >>>> session-originating UA in a manner that is helpful to the > >>>> session-terminating UA (e.g., a 438 response could be > >> sent). If we go > >>>> with the mechanism in the connected-identity draft, problem (b) > >>>> disappears, since request routing is far more malleable > >> than response > >>>> routing. Additionally, the connected-identity draft > >> wisely does not > >>>> attempt to solve "unconnected party" problems from (a), > >> which are the > >>>> least tractable of the unanticipated respondent problems. Rather, > >>>> connected-identity provides an indication more along the > >>>> lines of, "your > >>>> dialog was established, however that might have happened, > >> and this is > >>>> who is on the other side". > >>>> > >>>> Furthermore, any solution that tried to put the > >>>> connected-identity information into responses would be > >> providing an > >>>> imprimatur of legitimacy to those responses - presuming > they had a > >>>> signature, UACs would validate it, and provided it > >> checked out, they > >>>> would be tempted say "this is a legitimate response." > >> Nothing could be > >>>> further from the truth, as sipping-retarget illustrates. > >> Legitimacy of > >>>> responses cannot be determined by UACs in the absence of > >>>> something like > >>>> request-history. > >>>> > >>>> Finally, I like having one Identity header, and for the meaning > >>>> of that Identity header to *always* be that it is a > >> signature over the > >>>> From header field issued by the domain identified by the host > >>>> portion of > >>>> the addr-spec of the From header field. The current > >> connected-identity > >>>> header draft provides that property. > >>>> > >>>> Jon Peterson > >>>> NeuStar, Inc. > >>>> > >>>> -----Original Message----- > >>>> From: Elwell, John [mailto:john.elwell@siemens.com] > >>>> Sent: Monday, April 03, 2006 11:46 PM > >>>> To: sip@ietf.org > >>>> Subject: [Sip] Connected-identity and changing the To > >>>> header field in aresponse > >>>> > >>>> > >>>> > >>>> During discussion of draft-elwell-connected-identity in > >>>> Dallas, somebody put forward the opinion that it would be > >> dangerous to > >>>> change the To header field URI in a response (i.e., make > >> it different > >>>> from the From header field URI in the request). My > >> assumption at the > >>>> time was that it would undermine the transaction concept > >> in SIP, yet > >>>> reading what RFC3261 has to say about transactions, the value > >>>> of the To > >>>> header field URI in a response does not appear to be involved in > >>>> coupling a response to a request. Therefore I assume the > >> person who > >>>> indicated the danger (which was not challenged at the > >>>> meeting) has other > >>>> reasons in mind. I would greatly appreciate opinions on > >> the wisdom or > >>>> otherwise of allowing the To header field URI to change. > >> It seems that > >>>> from discussion of connected-identity there is a desire from > >>>> some parts > >>>> of the community to include an (unauthenticated) identity in > >>>> a response. > >>>> > >>>> John > >>>> > >>> > >>> _______________________________________________ > >>> Sip mailing list https://www1.ietf.org/mailman/listinfo/sip > >>> This list is for NEW development of the core SIP Protocol > >>> Use sip-implementors@cs.columbia.edu for questions on current sip > >>> Use sipping@ietf.org for new developments on the > application of sip > >> > >> > >> _______________________________________________________________ > >> SMS schreiben mit WEB.DE FreeMail - einfach, schnell und > >> kostenguenstig. Jetzt gleich testen! http://f.web.de/?mc=021192 > >> > > > > _______________________________________________ > > Sip mailing list https://www1.ietf.org/mailman/listinfo/sip > > This list is for NEW development of the core SIP Protocol > > Use sip-implementors@cs.columbia.edu for questions on current sip > > Use sipping@ietf.org for new developments on the application of sip > _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Roland Jesske
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- Re: [Sip] Connected-identity and changing the To … Paul Kyzivat
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- RE: [Sip] Connected-identity and changing the To … Henry Sinnreich
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- Re: [Sip] Connected-identity and changing the To … Dale.Worley