Re: [Sip] PING/PONG
Jonathan Rosenberg <jdrosen@cisco.com> Tue, 16 November 2004 19:48 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA04705 for <sip-web-archive@ietf.org>; Tue, 16 Nov 2004 14:48:22 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CU9Lg-0006Cl-K2 for sip-web-archive@ietf.org; Tue, 16 Nov 2004 14:50:44 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CU9Bt-0006Ed-Tc; Tue, 16 Nov 2004 14:40:37 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CU96d-0005BT-UO for sip@megatron.ietf.org; Tue, 16 Nov 2004 14:35:12 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA03242 for <sip@ietf.org>; Tue, 16 Nov 2004 14:35:11 -0500 (EST)
Received: from sj-iport-4.cisco.com ([171.68.10.86]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CU98u-0005oJ-BG for sip@ietf.org; Tue, 16 Nov 2004 14:37:32 -0500
Received: from sj-core-3.cisco.com (171.68.223.137) by sj-iport-4.cisco.com with ESMTP; 16 Nov 2004 11:35:19 -0800
X-BrightmailFiltered: true
Received: from mira-sjc5-d.cisco.com (IDENT:mirapoint@mira-sjc5-d.cisco.com [171.71.163.28]) by sj-core-3.cisco.com (8.12.10/8.12.6) with ESMTP id iAGJYaYt012386; Tue, 16 Nov 2004 11:34:38 -0800 (PST)
Received: from [192.168.1.100] (sjc-vpn4-1387.cisco.com [10.21.85.106]) by mira-sjc5-d.cisco.com (MOS 3.4.6-GR) with ESMTP id AFT85026; Tue, 16 Nov 2004 11:34:29 -0800 (PST)
Message-ID: <419A5645.4080507@cisco.com>
Date: Tue, 16 Nov 2004 14:34:29 -0500
From: Jonathan Rosenberg <jdrosen@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Christian Stredicke <Christian.Stredicke@snom.de>
Subject: Re: [Sip] PING/PONG
References: <B52FDDEC7CBE9D40B36FE900C9AD78B4176AB8@merenge.intern.snom.de>
In-Reply-To: <B52FDDEC7CBE9D40B36FE900C9AD78B4176AB8@merenge.intern.snom.de>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 31247fb3be228bb596db9127becad0bc
Content-Transfer-Encoding: 7bit
Cc: sip@ietf.org
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 10ba05e7e8a9aa6adb025f426bef3a30
Content-Transfer-Encoding: 7bit
inline.
Christian Stredicke wrote:
> Hi Spencer!
>
> You just mentioned another way of keeping TCP connections alive. Thats
> good!
>
> So far we have:
>
> - CRLF (frequenly used today, but not indicated by user agent)
> - STUN (same as CRLF)
It is not the same. STUN solicits a response, which allows the client to
determine if the NAT binding has changed, and if the server is still alive.
> - PING/PONG or whatever (tbd, maybe superflous)
I am very much against SIP-based keepalives. This turns into a huge
scalability nightmare. It ends up being the dominant processing cost for
proxies along with the dominant percentage of the signaling bandwidth,
and it buys you nothing.
> - OPTIONS (big overhead, but compatible)
> - REGISTER (same as OPTIONS, but even bigger overhead)
> - TCP low-level (how can this be addressed by the application?)
> - No refreshing ("legacy device")
>
> Lets have a way to indicate these options and let the SBC decide what
> method it likes/supports.
Generally speaking, having multiple choices reduces interoperability. I
think we should pick a solution, and only describe multiple ones if
there is a compelling reason why multiple ones need to exist.
Its worth pointing out that there are several functions these various
keepalvies provide:
1. they keep nat bindings fresh
2. they allow the client to detect if its nat binding as seen by the
server has changed
3. they allow the client to determine if the server is still alive and
responding to messages
4. they allow the client to determine if the nat has dropped its binding
altogether, so that packets are just going into the ether
I *think* Bob is proposing another usage:
5. they allow the server to determine that the nat binding for the
client has changed, so it can update its registration to reflect the new
address
Using the keepalive to update the binding on the server introduces
security risks. If the keepalive is not authenticated, an attacker can
inject the keepalives with a falsified source IP address, and as a
result force incoming calls to be directed towards it. This is not
acceptable. Thus, any request which causes the server to update any kind
of bindings MUST be authenticated. I would rather not require the
keepalives to be authenticated, as this substantially increases the cost
of processing them. If you use unauthenticated STUN packets, the client
detects that its nat binding has changed, and then it can re-register
with a proper REGISTER, which can be authenticated and that can be used
to update the binding, thus avoiding the attack.
It is possible to use different mechanisms to address each of the 4
different issues above. An empty UDP packet or a CRLF on the TCP
connection can address the binding keepalive issue but not any of the
liveness checks. I strongly prefer a single solution that addresses all
of these.
-Jonathan R.
--
Jonathan D. Rosenberg, Ph.D. 600 Lanidex Plaza
Director, Service Provider VoIP Architecture Parsippany, NJ 07054-2711
Cisco Systems
jdrosen@cisco.com FAX: (973) 952-5050
http://www.jdrosen.net PHONE: (973) 952-5000
http://www.cisco.com
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip
- [Sip] PING/PONG Christian Stredicke
- RE: [Sip] PING/PONG Christer Holmberg (JO/LMF)
- RE: [Sip] PING/PONG Steve Langstaff
- Re: [Sip] PING/PONG Bob Penfield
- RE: [Sip] PING/PONG Christer Holmberg (JO/LMF)
- RE: [Sip] PING/PONG Christian Stredicke
- Re: [Sip] PING/PONG Bob Penfield
- RE: [Sip] PING/PONG Chris Boulton
- RE: [Sip] PING/PONG Christian Stredicke
- RE: [Sip] PING/PONG Steve Langstaff
- RE: [Sip] PING/PONG Christian Stredicke
- RE: [Sip] PING/PONG Chris Boulton
- RE: [Sip] PING/PONG Steve Langstaff
- Re: [Sip] PING/PONG Spencer Dawkins
- RE: [Sip] PING/PONG Christian Stredicke
- Re: [Sip] PING/PONG Klaus Darilion
- Re: [Sip] PING/PONG Jonathan Rosenberg
- [Sip] How to get old messages on archives!! vikram bhuskute
- RE: [Sip] PING/PONG Christian Stredicke
- Re: [Sip] PING/PONG Jonathan Rosenberg
- RE: [Sip] PING/PONG Steve Langstaff
- RE: [Sip] PING/PONG Christian Stredicke
- RE: [Sip] PING/PONG Steve Langstaff
- Re: [Sip] PING/PONG Jonathan Rosenberg
- Re: [Sip] PING/PONG Charles Eckel
- Re: [Sip] PING/PONG Jonathan Rosenberg
- Re: [Sip] PING/PONG Robert Sparks
- Re: [Sip] PING/PONG Jonathan Rosenberg
- Re: [Sip] PING/PONG Robert Sparks
- Re: [Sip] PING/PONG Jonathan Rosenberg
- Re: [Sip] PING/PONG Robert Sparks
- Re: [Sip] PING/PONG Jonathan Rosenberg
- Re: [Sip] PING/PONG Robert Sparks