Re: [Sip] PING/PONG
Jonathan Rosenberg <jdrosen@cisco.com> Tue, 16 November 2004 19:48 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA04705 for <sip-web-archive@ietf.org>; Tue, 16 Nov 2004 14:48:22 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CU9Lg-0006Cl-K2 for sip-web-archive@ietf.org; Tue, 16 Nov 2004 14:50:44 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CU9Bt-0006Ed-Tc; Tue, 16 Nov 2004 14:40:37 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CU96d-0005BT-UO for sip@megatron.ietf.org; Tue, 16 Nov 2004 14:35:12 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA03242 for <sip@ietf.org>; Tue, 16 Nov 2004 14:35:11 -0500 (EST)
Received: from sj-iport-4.cisco.com ([171.68.10.86]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CU98u-0005oJ-BG for sip@ietf.org; Tue, 16 Nov 2004 14:37:32 -0500
Received: from sj-core-3.cisco.com (171.68.223.137) by sj-iport-4.cisco.com with ESMTP; 16 Nov 2004 11:35:19 -0800
X-BrightmailFiltered: true
Received: from mira-sjc5-d.cisco.com (IDENT:mirapoint@mira-sjc5-d.cisco.com [171.71.163.28]) by sj-core-3.cisco.com (8.12.10/8.12.6) with ESMTP id iAGJYaYt012386; Tue, 16 Nov 2004 11:34:38 -0800 (PST)
Received: from [192.168.1.100] (sjc-vpn4-1387.cisco.com [10.21.85.106]) by mira-sjc5-d.cisco.com (MOS 3.4.6-GR) with ESMTP id AFT85026; Tue, 16 Nov 2004 11:34:29 -0800 (PST)
Message-ID: <419A5645.4080507@cisco.com>
Date: Tue, 16 Nov 2004 14:34:29 -0500
From: Jonathan Rosenberg <jdrosen@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.3) Gecko/20040910
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Christian Stredicke <Christian.Stredicke@snom.de>
Subject: Re: [Sip] PING/PONG
References: <B52FDDEC7CBE9D40B36FE900C9AD78B4176AB8@merenge.intern.snom.de>
In-Reply-To: <B52FDDEC7CBE9D40B36FE900C9AD78B4176AB8@merenge.intern.snom.de>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 31247fb3be228bb596db9127becad0bc
Content-Transfer-Encoding: 7bit
Cc: sip@ietf.org
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 10ba05e7e8a9aa6adb025f426bef3a30
Content-Transfer-Encoding: 7bit
inline. Christian Stredicke wrote: > Hi Spencer! > > You just mentioned another way of keeping TCP connections alive. Thats > good! > > So far we have: > > - CRLF (frequenly used today, but not indicated by user agent) > - STUN (same as CRLF) It is not the same. STUN solicits a response, which allows the client to determine if the NAT binding has changed, and if the server is still alive. > - PING/PONG or whatever (tbd, maybe superflous) I am very much against SIP-based keepalives. This turns into a huge scalability nightmare. It ends up being the dominant processing cost for proxies along with the dominant percentage of the signaling bandwidth, and it buys you nothing. > - OPTIONS (big overhead, but compatible) > - REGISTER (same as OPTIONS, but even bigger overhead) > - TCP low-level (how can this be addressed by the application?) > - No refreshing ("legacy device") > > Lets have a way to indicate these options and let the SBC decide what > method it likes/supports. Generally speaking, having multiple choices reduces interoperability. I think we should pick a solution, and only describe multiple ones if there is a compelling reason why multiple ones need to exist. Its worth pointing out that there are several functions these various keepalvies provide: 1. they keep nat bindings fresh 2. they allow the client to detect if its nat binding as seen by the server has changed 3. they allow the client to determine if the server is still alive and responding to messages 4. they allow the client to determine if the nat has dropped its binding altogether, so that packets are just going into the ether I *think* Bob is proposing another usage: 5. they allow the server to determine that the nat binding for the client has changed, so it can update its registration to reflect the new address Using the keepalive to update the binding on the server introduces security risks. If the keepalive is not authenticated, an attacker can inject the keepalives with a falsified source IP address, and as a result force incoming calls to be directed towards it. This is not acceptable. Thus, any request which causes the server to update any kind of bindings MUST be authenticated. I would rather not require the keepalives to be authenticated, as this substantially increases the cost of processing them. If you use unauthenticated STUN packets, the client detects that its nat binding has changed, and then it can re-register with a proper REGISTER, which can be authenticated and that can be used to update the binding, thus avoiding the attack. It is possible to use different mechanisms to address each of the 4 different issues above. An empty UDP packet or a CRLF on the TCP connection can address the binding keepalive issue but not any of the liveness checks. I strongly prefer a single solution that addresses all of these. -Jonathan R. -- Jonathan D. Rosenberg, Ph.D. 600 Lanidex Plaza Director, Service Provider VoIP Architecture Parsippany, NJ 07054-2711 Cisco Systems jdrosen@cisco.com FAX: (973) 952-5050 http://www.jdrosen.net PHONE: (973) 952-5000 http://www.cisco.com _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- [Sip] PING/PONG Christian Stredicke
- RE: [Sip] PING/PONG Christer Holmberg (JO/LMF)
- RE: [Sip] PING/PONG Steve Langstaff
- Re: [Sip] PING/PONG Bob Penfield
- RE: [Sip] PING/PONG Christer Holmberg (JO/LMF)
- RE: [Sip] PING/PONG Christian Stredicke
- Re: [Sip] PING/PONG Bob Penfield
- RE: [Sip] PING/PONG Chris Boulton
- RE: [Sip] PING/PONG Christian Stredicke
- RE: [Sip] PING/PONG Steve Langstaff
- RE: [Sip] PING/PONG Christian Stredicke
- RE: [Sip] PING/PONG Chris Boulton
- RE: [Sip] PING/PONG Steve Langstaff
- Re: [Sip] PING/PONG Spencer Dawkins
- RE: [Sip] PING/PONG Christian Stredicke
- Re: [Sip] PING/PONG Klaus Darilion
- Re: [Sip] PING/PONG Jonathan Rosenberg
- [Sip] How to get old messages on archives!! vikram bhuskute
- RE: [Sip] PING/PONG Christian Stredicke
- Re: [Sip] PING/PONG Jonathan Rosenberg
- RE: [Sip] PING/PONG Steve Langstaff
- RE: [Sip] PING/PONG Christian Stredicke
- RE: [Sip] PING/PONG Steve Langstaff
- Re: [Sip] PING/PONG Jonathan Rosenberg
- Re: [Sip] PING/PONG Charles Eckel
- Re: [Sip] PING/PONG Jonathan Rosenberg
- Re: [Sip] PING/PONG Robert Sparks
- Re: [Sip] PING/PONG Jonathan Rosenberg
- Re: [Sip] PING/PONG Robert Sparks
- Re: [Sip] PING/PONG Jonathan Rosenberg
- Re: [Sip] PING/PONG Robert Sparks
- Re: [Sip] PING/PONG Jonathan Rosenberg
- Re: [Sip] PING/PONG Robert Sparks