IETF Logo Mail Archive

Re: sipping-retarget (was RE: [Sip] RE: Question to Identity draf t)

Paul Kyzivat <pkyzivat@cisco.com> Thu, 21 April 2005 13:21 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DObcu-0000dl-9l; Thu, 21 Apr 2005 09:21:52 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DObcq-0000dg-00 for sip@megatron.ietf.org; Thu, 21 Apr 2005 09:21:49 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA28080 for <sip@ietf.org>; Thu, 21 Apr 2005 09:21:46 -0400 (EDT)
Received: from rtp-iport-1.cisco.com ([64.102.122.148]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DOboG-000781-ID for sip@ietf.org; Thu, 21 Apr 2005 09:33:37 -0400
Received: from rtp-core-1.cisco.com (64.102.124.12) by rtp-iport-1.cisco.com with ESMTP; 21 Apr 2005 09:32:52 -0400
X-IronPort-AV: i="3.92,120,1112587200"; d="scan'208"; a="45550514:sNHT34114796"
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com [64.102.31.12]) by rtp-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id j3LDLFRi023960; Thu, 21 Apr 2005 09:21:36 -0400 (EDT)
Received: from xfe-rtp-202.amer.cisco.com ([64.102.31.21]) by xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 21 Apr 2005 09:21:27 -0400
Received: from cisco.com ([161.44.79.173]) by xfe-rtp-202.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Thu, 21 Apr 2005 09:21:26 -0400
Message-ID: <4267A8D6.4000205@cisco.com>
Date: Thu, 21 Apr 2005 09:21:26 -0400
From: Paul Kyzivat <pkyzivat@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Francois Audet <audet@nortel.com>
Subject: Re: sipping-retarget (was RE: [Sip] RE: Question to Identity draf t)
References: <1ECE0EB50388174790F9694F77522CCF01F98045@zrc2hxm0.corp.nortel.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 21 Apr 2005 13:21:26.0727 (UTC) FILETIME=[057F3D70:01C54675]
X-Spam-Score: 0.8 (/)
X-Scan-Signature: 3f3e54d3c03ed638c06aa9fa6861237e
Content-Transfer-Encoding: 7bit
Cc: "'fluffy@cisco.com'" <fluffy@cisco.com>, 'IETF SIP List' <sip@ietf.org>, 'Fries Steffen' <steffen.fries@siemens.com>, "'Peterson, Jon'" <jon.peterson@neustar.biz>
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org

While I think there are many cases where redirection is the best way to 
do retargetting, I fear that *forcing* the use of redirection may be 
counterproductive. Such a requirement seems likely to encourage the 
introduction of B2BUAs so that forwarding may be done without disclosing 
the identity of the new target.

	Paul

Francois Audet wrote:
> It looks like this time, we are going somewhere.
> 
> See below.
> 
>     -----Original Message-----
>     *From:* Peterson, Jon [mailto:jon.peterson@neustar.biz]
>     *Sent:* Wednesday, April 20, 2005 17:12
>     *To:* Audet, Francois [SC100:9T51:EXCH]; Fries Steffen; fluffy@cisco.com
>     *Cc:* IETF SIP List
>     *Subject:* RE: sipping-retarget (was RE: [Sip] RE: Question to
>     Identity draft)
> 
>      
>     The idea of providing a 'Connected' header and signing it is the
>     subject of 2.2.1 of sipping-retarget. It was in fact the strawman
>     against which the unanticipated respondent problem was defined.
>     Namely, 2.2.1 is concerned with the fact that impersonation is
>     difficult to even define when it comes to response identity, because
>     there is no concept of a unique impersonatable respondent, and
>     consequently it is impossible for the UAC to know who is actually
>     authorized to respond - it must assume that virtually anyone could
>     legitimately be answering. It is possible to detect an impersonation
>     of a particular someone; very difficult, and most likely
>     self-defeating, to try to detect the impersonation of virtually
>     anyone. I'm not sure how your points below (in the first part)
>     provide us with any traction on this issue.
> 
> I think the solution to this is to have a redirection to the ultimate 
> retargeting endpoint. Let me get to that at the end of the email.
> 
>     Regarding your flow for sipping-certs, a few comments. First of all,
>     yes, Alice could include her certificate in an INVITE, thereby
>     obviating 4 and 5 (and 11 and 12). I don't think sipping-certs meant
>     to rule that out; the point is, before one sends a request, it is
>     useful to be able to look up the cert in a repository rather than
>     just sending an INVITE without SDP or something - the same
>     principle clearly does not apply to receiving a request, wherein the
>     request itself can always provide the caller's cert.  
> 
> Good. That's exactly what I wanted to hear.  This idea of having 
> SUBSCRIBEs sent at session setup by the responder (before sending a 
> response) was bothering me quite a bit.
>  
> Of course, having them available already through Certs, because Bob or 
> Carol already know Alice, is even better.
> 
>     More importantly, I think the promise of a certs-like approach lies
>     in what happens in step 2. If the cert store has access to Bob's
>     location service, the cert store may be able to anticipate that
>     Alice needs to talk to Carol right now, not Bob. If that's the case,
>     maybe sending back a NOTIFY with Bob's cert isn't the right thing to
>     do in this instance.
> 
> In certain cases, perhaps Bob could send his own certificate, plus 
> Carol's and any other's it might forward to in the immediate future.
> But, this is not applicable to all scenarios. I can see a lot of cases 
> where this is just plain impossible, and we need a solution for those 
> cases too.
>  
> Imagine that Bob is a service (like a group list) that dispatches to 
> many different individuals, randomly, or to a bunch of agents that do 
> not share the same cert (e.g., a bunch of insurance company agents, a 
> group of geographically dispersed people in a virtual call center for 
> customer support, etc.). These call center applications will happen all 
> the time, in fact, it seems to me to be a prime candidate to moving from 
> PSTN to SIP because of the increase flexibility in customizing their 
> application (and for reducing cost). Their requirement will often be "I 
> need to encrypt media" and "I need to authenticate the originator". Now, 
> I know you will respond that you could try to anticipate who will 
> respond, but this is just not the way these services operate. The 
> routing decision is made real-time (seconds count) based on the status 
> of the agents (when they hang-up). With forking, it is even worst.
>  
> To add even more complexity, imagine that Carol is a PSTN user. The 
> network may be using a bunch of PSTN gateways. It may even use a bunch 
> of different service providers to terminate PSTN calls. The algorithm 
> for distributing the calls is their own. It will again not be possible 
> to predict who will answer.
>  
> This the types of scenarios that I want to make sure we support, and why 
> I think we must have some sort of connected identity.
> 
>     The whole point of having things like SUBSCRIBE/NOTIFY in the SIP
>     protocol is to allow the network to adapt to changing conditions in
>     real time. If Bob is no longer the person that you're going to reach
>     when you call Bob, and your request will only work for Bob (e.g.,
>     you're going to encrypt it with Bob's public key), the cert store
>     should be able to tell you that this isn't going to work, and
>     potentially give you some idea of who you will reach. To be clear,
>     I'm not suggesting that sipping-certs provides a mechanism for this
>     today - but I am arguing that the fundamental -approach- of
>     sipping-certs allows for this sort of functionality, and that this
>     could potentially eliminate surprise 493 responses.
> 
> Yes: sometimes it will work. Other times it won't, as you point out 
> below and as I did above.
> 
>     Of course, even if a cert store has access to a location service, it
>     may be in no position to tell you who is going to pick up the call.
>     It may be that Bob has populated his location service with 5
>     different URIs, targeting any one of which might result in a
>     completed call or not. In these cases we are in a genuine quandry.
>     Encrypting an SDP body five different times, and including all five
>     in a message, is no fun, let alone discovering the certificates of
>     the five targets. This is a generic forking problem, though, and it
>     taps into the heart of the question of whether or not redirection or
>     retargeting is preferable architecturally. Encrypting to multiple
>     targets has always been one of forking's known drawbacks.
> 
> Sequential forking is also quite problematic. You could imagine doing 
> these certificate fetching many times before finding the right one.
>  
> I don't understand what is wrong with "forcing" a redirection at the end 
> of many retargetings. It seems to me that retargeting in the network is 
> here to stay. But, we have the power to force a redirection for the 
> unanticipated respondent problem, at least in the context of identity. 
> When the respondent figures out that he wants its identity to be known 
> to the initiator regardless of retargeting, he could force this 
> redirection. Incidently, this is why I tought that a 3XX response code 
> would be more appropriate than a 493: the reason is that he wants to 
> session to be reinitiated/redirected directly to itself, not through a 
> bunch of retargeting entities.
>  
> Now, of course, the sender also needs to be able to not go through with 
> a call if the unanticipated answerer is not the suitable.  If we mandate 
> the use of 3XX/493 (by the responder) for retargeting when identity is 
> required, then we avoid the problem of the unanticipated responder 
> accepting the call (followed by the sender clearing it after answer 
> which is quite ugly). That 3XX would have an identity and the cert. I 
> like the fact that this solution works well with both the connected 
> identity problem and with the sRTP & S/MIME problem.
>  
>  
>  
>  
> 
>     Jon Peterson
>     NeuStar, Inc.
> 
>         -----Original Message-----
>         *From:* Francois Audet [mailto:audet@nortel.com]
>         *Sent:* Tuesday, April 19, 2005 5:43 PM
>         *To:* Peterson, Jon; 'Fries Steffen'; 'fluffy@cisco.com'
>         *Cc:* 'IETF SIP List'
>         *Subject:* RE: sipping-retarget (was RE: [Sip] RE: Question to
>         Identity draft)
> 
> 
>         OK, forget about the idea I was proposing, and instead let's
>         try to achieve it using the something along the lines of the
>         identity draft.
> 
>         What about the connected number information being essentially
>         the same mechanism as what you have for the Calling identity,
>         but provided in the response?
> 
>         Something like a new "Connected header" (or perhaps Contact
>         would be sufficient, I'm not sure), followed by the
>         Identity and Identity-Info? The Identity-Info header could
>         have something like https://biloxy.example.com.
> 
>         The unanticipated respondent problem would be easier to deal
>         with because:
>         - In a lot of case, Bob and Carol (the retargetter and retargettee)
>           could have the same certification authority, so Alice's
>         decision to
>           proceed or not with the call may not require going fetching the
>           yet another certificate.
>         - Maybe we have "Require: connected-identity" header if we need the
>           identity.
>         - Yes, if the SDP was encrypted (because of sRTP or whatever),
>         it would
>           cause another session to be re-established because of the 493 (or
>           other appropriate rejection code).
> 
>         Would that be a good way to solve the Connected number problem?
> 
>         Now, moving to the next problem, the encrypted SDP.
> 
>         Alice wants to call Bob and have secure media (because she is
>         afraid of hackers
>         tapping in).  In fact, she essentially wants all her media
>         encrypted, regardless of
>         who she talks too, even strangers. She does not have Bob in her
>         contact list, as she
>         is calling him for the first time. She also doesn't know Carol,
>         his assistant to whom the
>         call will be retargetted.
> 
>         In the example above, the sequence would be this:
> 
>         1 - Alice sends SUBSCRIBE to Bob to fetch his certificate
>         because she doesn't have it.
>         2 - Bob sends NOTIFY to Alice with his certificate.
>         3 - Alice sends INVITE to Bob, with SDP encrypted using Bob's
>         key, along with her Identity
>         4 - Bob doesnt' have Alice's certificate, so he sends SUBSCRIBE
>         to Alice to fetch her cert.
>         5 - Alice sends NOTIFY to Bob with her certificate.
>         6 - Bob retargets to Carol (forwards the INVITE to Carol).
>         7 - Carol responds with 493, since she can't decode the SDP, and
>         includes her Contact
>             and her Identity.
>         8 - Alice sends SUBSCRIBE to Carol to get her cert.
>         9 - Carol sends NOTIFY to Alice with her cert.
>         10 - Alice sends INVITE to Alice with her Identity, encrypted
>         with Carol's key.
>         11 - Carol sends Alice a SUBSCRIBE to get her certificate.
>         12 - Alice sends NOTIFY to Carol with her certificate.
>         13 - Carol sends 200 OK to Alice, with SDP encrypted using
>         Alice's key.
> 
>         This is way too complicated and will take forever to complete a
>         call. And in my mind,
>         lots (if not the majority) of calls would look like this in
>         environments where
>         unanticipated respondents are typical (which is the case for a
>         lot of
>         businesses).
> 
>         Couldn't this be avoided if not only was Identity used in both
>         directions
>         (solving the unanticipated respondent problem), and if Alice and
>         Carol also
>         included their user certificate (for the purposed of sRTP) in
>         the INVITE and
>         493? Instead of a 10 roundtrip session setup, it would be a 2
>         roundtrip
>         session setup.
> 
>         Of course, in the case of people who know each other, Alice
>         would have subscribed to
>         Bob and Carol's certificate, so none of this would happen: it
>         would be a 1 round-trip
>         session setup. In other words, I DO like the Certs draft, and it
>         should be used
>         whenever possible.
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
> This list is for NEW development of the core SIP Protocol
> Use sip-implementors@cs.columbia.edu for questions on current sip
> Use sipping@ietf.org for new developments on the application of sip

_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip

v2.23.0 | Report a Bug | By Email