[Sip] Re: IESG Discuss Comments on Symmetric Response Routing
Jonathan Rosenberg <jdrosen@dynamicsoft.com> Mon, 30 June 2003 16:22 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA04063 for <sip-archive@odin.ietf.org>; Mon, 30 Jun 2003 12:22:40 -0400 (EDT)
Received: (from exim@localhost) by www1.ietf.org (8.11.6/8.11.6) id h5UGMDb05288 for sip-archive@odin.ietf.org; Mon, 30 Jun 2003 12:22:13 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19X1Pl-0001Mm-2q; Mon, 30 Jun 2003 12:22:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19X1PS-0001MF-8K for sip@optimus.ietf.org; Mon, 30 Jun 2003 12:21:57 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA04031 for <sip@ietf.org>; Mon, 30 Jun 2003 12:21:39 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19X1PQ-0002M3-00 for sip@ietf.org; Mon, 30 Jun 2003 12:21:40 -0400
Received: from [63.113.44.69] (helo=mail3.dynamicsoft.com) by ietf-mx with esmtp (Exim 4.12) id 19X1PE-0002L4-00 for sip@ietf.org; Mon, 30 Jun 2003 12:21:29 -0400
Received: from dynamicsoft.com ([63.113.46.50]) by mail3.dynamicsoft.com (8.12.8/8.12.1) with ESMTP id h5UGIfiB002055; Mon, 30 Jun 2003 12:18:42 -0400 (EDT)
Message-ID: <3F0062DC.2080401@dynamicsoft.com>
Date: Mon, 30 Jun 2003 12:18:36 -0400
From: Jonathan Rosenberg <jdrosen@dynamicsoft.com>
Organization: dynamicsoft
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: mankin@psg.com
CC: rohan@cisco.com, dwillis@dynamicsoft.com, sip@ietf.org, jon.peterson@neustar.biz, hardie@qualcomm.com, erik.nordmark@sun.com
References: <E19T29q-000CDd-EG@psg.com>
In-Reply-To: <E19T29q-000CDd-EG@psg.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Subject: [Sip] Re: IESG Discuss Comments on Symmetric Response Routing
Sender: sip-admin@ietf.org
Errors-To: sip-admin@ietf.org
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
My apologies for the delay. I managed to get in a revision to the draft before the deadline which addresses these comments. Until it appears in the archives, you can find it at: http://www.jdrosen.net/papers/draft-ietf-sip-symmetric-response-01.txt I also converted to xml while I was at it, so the general formatting should be better. Responses below. Allison Mankin wrote: > The IESG reviewed draft-ietf-sip-symmetric-response-00.txt and there were > two sets of Discuss comments. They do not seem too hard to address. In > addition, the FQDNs in the draft need to be changed to example.com. OK, fixed. I also changed public addresses to be within 192.0.2/24. The private addresses remain with 10/8. > > Below are the comments. They are also in the ID tracker. > > Allison > > Comments: > > Ted Hardie: > First, let me say that a large number of the issues I had > with the document turned out to be very well documented > in the IAB considerations section of the draft. A few > other issues: > > In Section 3: > > When the client sends the request, if the request is sent using UDP, > the client MUST be prepared to receive the response on the same > socket the request was sent on. Specifically, it MUST be prepared to > receive the response on the same IP address and port present in the > source IP address and source port of the request. For backwards > compatibility, the client MUST still be prepared to receive a > response on the port indicated in the sent-by field of the topmost > Via header field value, as specified in Section 18.1.1 of SIP [1]. > > > It seems pretty clear from the "on the same socket" that the following > sentence means the IP address and port present in the source IP > and port of the request _when it is sent_. I think it would be clearer, > though, to use phrasing like "it MUST be prepared to receive the > response on the same IP address and port it used to populate > the source IP address and source port of the request.". OK, I changed the wording to the text you suggest. I made this change everywhere the term "socket" was used, in order to be explicit about what is meant. > > Also in Section 3: > > To keep the binding fresh, the client SHOULD retransmit its INVITE every 20 > seconds or so. These retransmissions will need to take place even > after receiving a provisional response. > > based on the idea the one minute seems to be a common UDP binding lifetime. > Section 9.3 notes, however, that there is no way to determine the UDP binding > lifetime. Is there anyway to introduce a growing/shrinking algorithm > to this for cases where the binding lifetime is much longer (to avoid the > aggressiveness of 20 seconds for an arbitrary period of time) or to handle > the cases where the binding lifetime is shorter than 20+transmission time to > the NAT (since this has to handle the NAT being at some arbitrary place in > the topology). Yes. STUN describes a binary search algorithm for trying to detect the lifetime. That is not without peril as well, and the issues there are documented in STUN. I added the following text: <t> A UA MAY execute the binding lifetime discovery algorithm in Section 10.2 of <xref target="RFC 3489">RFC 3489</xref> to determine the actual binding lifetime in the NAT. If it is longer than 1 minute, the client SHOULD increase the interval for request retransmissions up to half of the discovered lifetime. If it is shorter than one minute, it SHOULD decrease the interval for request retransmissions to half of the discovered lifetime. Note that discovery of binding lifetimes can be unreliable. See Section 14.3 of <xref target="RFC3489">RFC 3489</xref>. </t> > > In the initial section of 9: > > The client can then perform an additional registration, > using this address in a Contact header. This would allow a client to > receive incoming requests, such as INVITE, on the socket through > which the registration was sent. > > As is noted below that point, there are cases in which the port binding > is only valid for the server to which the original registration was sent. > Will the Contact header "leak" that so that a direction connection between a > different sip agent (user or proxy) might attempt to use it? If so, a forward > pointer to the limitation might be useful here. This is possible with the Path extension to SIP (RFC 3327). That spec allows for servers between the client and the registrar to indicate that they need to be on the path of requests from the registrar to the client. Its a good idea to include a reference to that and a brief discussion. Here is what I added: <t> In many cases, the server to whom the registration is sent won't be the registrar itself, but rather, a proxy which then sends the request to the registrar. In such a case, any incoming requests for the client must traverse the proxy to whom the registration was directly sent. The <xref target="RFC3327">Path header extension to SIP</xref> allows the proxy to indicate that it must be on the path of such requests. </t> and this introduced some additional brittleness that I documented: <t>If the registrar and the server to whom the client sent its REGISTER request are not the same, the approach will only work if the server uses the <xref target="RFC3327">Path header field</xref>. There is not an easy and reliable way for the server to determine that the Path header should be used for a registration. Using Path when the address in the topmost Via header field is a private address will usually work, but may result in usage of Path when it is not actually needed. </t> > > I would personally consider the UNSAF document a normative reference, > but this is not a big deal. RFC 3424 is informational. I dont think you can have a normative reference to an informational document. As such, I have kept the UNSAF reference as informational. > > Erik Nordmark: > The security considerations section doesn't set a very good example. > It could easily be read as "we didn't look hard for security issues". > > Thus I'd like it to provide the reasoning that lead to thinking > that there are no added security issues. Presumably a paragraph or two would > suffice. OK. Here is the text I put in there: <t>When a server uses this specification, responses that it sends will now include the source port where the request came from. In some instances, the source address and port of a request are sensitive information. If they are sensitive, requests SHOULD be protected by using SIP over TLS <xref target="RFC3261"/>. In such a case, this specification does not provide any response routing functions (as these only work with TCP); it merely provides the client with information about the source port as seen by the server. </t> <t> It is possible that an attacker might try to disrupt service to a client by acting as a man-in-the-middle, modifying the rport parameter in a Via header in a request sent by a client. Removal of this parameter will prevent clients from behind NATs from receiving service. Addition of the parameter will generally have no impact. Of course, if an attacker is capable of launching a man-in-the-middle attack, there are many other ways of denying service, such as merely discarding the request. Therefore, this attack does not seem significant. </t> Thanks, Jonathan R. -- Jonathan D. Rosenberg, Ph.D. 600 Lanidex Plaza Chief Scientist Parsippany, NJ 07054-2711 dynamicsoft jdrosen@dynamicsoft.com FAX: (973) 952-5050 http://www.jdrosen.net PHONE: (973) 952-5000 http://www.dynamicsoft.com _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- [Sip] IESG Discuss Comments on Symmetric Response… Allison Mankin
- [Sip] Re: IESG Discuss Comments on Symmetric Resp… Jonathan Rosenberg