Re: [Sip] Connected-identity and changing the To header field ina response
Cullen Jennings <fluffy@cisco.com> Mon, 15 May 2006 13:31 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FfdAR-0005RO-F5; Mon, 15 May 2006 09:31:23 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FfdAP-0005Qi-Uk for sip@ietf.org; Mon, 15 May 2006 09:31:21 -0400
Received: from sj-iport-4.cisco.com ([171.68.10.86]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FfdAO-0003l5-1n for sip@ietf.org; Mon, 15 May 2006 09:31:21 -0400
Received: from sj-dkim-6.cisco.com ([171.68.10.81]) by sj-iport-4.cisco.com with ESMTP; 15 May 2006 06:31:19 -0700
X-IronPort-AV: i="4.05,130,1146466800"; d="scan'208"; a="1806215645:sNHT38836950"
Received: from sj-core-4.cisco.com (sj-core-4.cisco.com [171.68.223.138]) by sj-dkim-6.cisco.com (8.12.11/8.12.11) with ESMTP id k4FDVIGi008135; Mon, 15 May 2006 06:31:18 -0700
Received: from vtg-um-e2k2.sj21ad.cisco.com (vtg-um-e2k2.cisco.com [171.70.93.54]) by sj-core-4.cisco.com (8.12.10/8.12.6) with ESMTP id k4FDVIsF013176; Mon, 15 May 2006 06:31:18 -0700 (PDT)
Received: from [10.43.1.79] ([10.61.65.86]) by vtg-um-e2k2.sj21ad.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Mon, 15 May 2006 06:31:17 -0700
In-Reply-To: <50B1CBA96870A34799A506B2313F26670896A542@ntht201e.siemenscomms.co.uk>
References: <50B1CBA96870A34799A506B2313F26670896A542@ntht201e.siemenscomms.co.uk>
Mime-Version: 1.0 (Apple Message framework v750)
Content-Type: text/plain; charset="ISO-8859-1"; delsp="yes"; format="flowed"
Message-Id: <1ABF640C-E57E-41FC-AF7B-C64E78A64EA2@cisco.com>
Content-Transfer-Encoding: quoted-printable
From: Cullen Jennings <fluffy@cisco.com>
Subject: Re: [Sip] Connected-identity and changing the To header field ina response
Date: Mon, 15 May 2006 05:48:17 +0200
To: Roland Jesske <roland.jesske@web.de>, "Christer Holmberg (JO/LMF)" <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.750)
X-OriginalArrivalTime: 15 May 2006 13:31:17.0772 (UTC) FILETIME=[D87A4CC0:01C67823]
DKIM-Signature: a=rsa-sha1; q=dns; l=18379; t=1147699878; x=1148563878; c=relaxed/simple; s=sjdkim6001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fluffy@cisco.com; z=From:Cullen=20Jennings=20<fluffy@cisco.com> |Subject:Re=3A=20[Sip]=20Connected-identity=20and=20changing=20the=20To=20header= 20field=20ina=20response; X=v=3Dcisco.com=3B=20h=3DXH+zhU807AfP85yiy9g/rH7tJbM=3D; b=qbywOUp5GxIxjhemqGNFBsAEcAg7yZ+vldKLfKrLgCaS80sZjdSvwJNY18ngTx0pZdCU5/yH ZOqxFey5okrG832tdX8Wai+8L2BfGVdnOHOKtcFeTKzkFlRWPpkopwaZ;
Authentication-Results: sj-dkim-6.cisco.com; header.From=fluffy@cisco.com; dkim=pass ( sig from cisco.com verified; );
X-Spam-Score: 0.7 (/)
X-Scan-Signature: 2c6813ed945e40b4b5bea39da243c669
Cc: sip@ietf.org, John Elwell <john.elwell@siemens.com>, Jon Peterson <jon.peterson@neustar.biz>
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Errors-To: sip-bounces@ietf.org
Can someone explain to me why it is that the TIP requirement can not be solved with the connected-identity draft? I do understand it may not be the way some people desire to solve this problem but first of all I am just trying to understand what parts of the requirements we can't meet with this. Thanks, Cullen On Apr 5, 2006, at 10:48 PM, Elwell, John wrote: > Roland, > > Yes, there was indeed a misunderstanding, but my draft was not > written with > TISPAN requirements in mind. It was written to solve the problem of > authenticated identity, or rather to extend the present concept of the > Identity header to mid-dialog requests and show how that can be > used to > solve certain problems. > > The Terminating Identity Presentation (TIP) requirement from TISPAN > needs to > be addressed by some other means. I don't think modifying the To > header is > appropriate. Whereas RFC 3261 anticipates deprecating fixed To/From > header > field URIs throughout a dialog (i.e., it anticipates that these > will be > allowed to change mid-dialog), it says nothing to warn of any > future removal > of the requirement that the To header field URI in the response be > the same > as that in the request. > > Therefore it seems that whatever solution you adopt for solving the > TISPAN > TIP problem, it would have little in common with the connected- > identity > draft. > > John > > >> -----Original Message----- >> From: Roland Jesske [mailto:roland.jesske@web.de] >> Sent: 05 April 2006 14:33 >> To: Christer Holmberg (JO/LMF); Elwell, John; Peterson, Jon; >> sip@ietf.org >> Subject: RE: [Sip] Connected-identity and changing the To >> header field ina response >> >> John, >> there it looks like a misunderstanding. Thought all >> requirements from IETF and TISPAN can be solved within your draft. >> >> As you saw he additional connected identity is a requirement >> comming from TISPAN and that was discussed in also in >> Vancover. In draft-sasaki-sipping-tispan-adhoc-summary-00.txt >> it is mentioned. >> >> Terminating Identification Presentation(TIP)- The working group >> requests that this requirement be better defined and >> documented. >> It is also suggested that TISPAN consider reading >> draft-rosenberg-sip-identity-privacy-00 as it may solve the >> problem of calling into an 800 number, getting an operator, and >> being able to call back that operator and still protect the >> privacy of the operator. >> In addition, work is progressing on >> draft-elwell-sip-connected-identity-00. >> >> So using the PAI does not need to go deeper into >> draft-rosenberg-sip-identity-privacy-00, but looking into your draft. >> And looking within your draft using the dialogUriChange >> element we thought we have the solution if this can be done >> within the final Response of the initial INVITE. >> >> Best Regards >> >> Roland >> >> >> >>> -----Ursprüngliche Nachricht----- >>> Von: "Elwell, John" <john.elwell@siemens.com> >>> Gesendet: 05.04.06 14:56:20 >>> An: sip@ietf.org >>> Betreff: RE: [Sip] Connected-identity and changing the To >> header field ina response >> >> >>> Christer, >>> >>> This "additional connected number" is not a requirement >> that I have been >>> trying to address. Was this among the requirements that >> TISPAN brought into >>> the IETF recently? >>> >>> John >>> >>>> -----Original Message----- >>>> From: Christer Holmberg (JO/LMF) >>>> [mailto:christer.holmberg@ericsson.com] >>>> Sent: 05 April 2006 08:34 >>>> To: Elwell, John; Peterson, Jon; sip@ietf.org >>>> Subject: RE: [Sip] Connected-identity and changing the To >>>> header field inaresponse >>>> >>>> >>>> Hi, >>>> >>>> In PSTN terms we are talking about that the TO header shall >>>> be mapped to >>>> the additional connected number, and that does NOT need to be >>>> authorized >>>> in the same way as the connected number. >>>> >>>> And, whether the interworking node sends this value to PSTN >>>> is of course >>>> based on local policy, based on trust etc. >>>> >>>> Regards, >>>> >>>> Christer >>>> >>>> >>>> ________________________________ >>>> >>>> From: Elwell, John [mailto:john.elwell@siemens.com] >>>> Sent: 5. huhtikuuta 2006 10:01 >>>> To: Peterson, Jon; sip@ietf.org >>>> Subject: RE: [Sip] Connected-identity and changing the To >> header field >>>> inaresponse >>>> >>>> >>>> Jon, >>>> >>>> Thanks for this excellent summary of the issue, which I fully >>>> agree with >>>> and which unfortunately seems to need restating at regular >>>> intervals. It >>>> appears that the chief motivation of those asking for >> something in the >>>> response is to facilitate interworking with PSTN (by >>>> including it in the >>>> 200 response so that it can be mapped directly to the >> PSTN "connected" >>>> message). As you say, such a response is always going to be >>>> unauthenticated, and I don't think that meets the >> requirements of PSTN >>>> interworking. Far better to figure out a way of using an >> authenticated >>>> connected identity in an UPDATE message for mapping to >> PSTN connected >>>> identity. >>>> >>>> Of course, in trusted networks there may be other means for >>>> ensuring the >>>> authenticity of an identity in a response, just as there is >>>> in a request >>>> using P-Asserted-Identity. Unfortunately RFC3325 is >> unclear on the use >>>> of PAI in responses, although in practice I think it is >> used and is >>>> probably OK if the last hop is secured by TLS so that previous >>>> authentication of the UAS can be relied on for making the >> assertion. I >>>> think if those trusted networks really need a solution >> for response >>>> identity, PAI would be a better avenue to explore (taking >> into account >>>> the risks). But not for the Internet. I am becoming more and more >>>> convinced that diluting the connected-identity draft with a weak >>>> solution for response identity would be the wrong way to go. >>>> >>>> John >>>> >>>> >>>> ________________________________ >>>> >>>> From: Peterson, Jon [mailto:jon.peterson@neustar.biz] >>>> Sent: 05 April 2006 02:05 >>>> To: Elwell, John; sip@ietf.org >>>> Subject: RE: [Sip] Connected-identity and changing the To header >>>> field in aresponse >>>> >>>> >>>> Yes, I was asked for clarification on this point after the >>>> meeting, and I'll be providing it here. As you surmised, it >>>> is not that >>>> RFC3261 relies on the addr-spec of the To or From header field for >>>> transaction identification, or something. In fact, I would have >>>> essentially the same concerns about any proposal that provided an >>>> additional header (say, a 'Connected-Party' header) in >> responses to >>>> dialog-forming requests which was understood to clobber >> the To header >>>> field and identify the AoR of the party who was reached after >>>> retargeting of the request took place. >>>> >>>> Starting with the goals of this approach: what sort of UAC >>>> decisions or behavior do we hope to enable through >> sending a response >>>> with a modified To header field? As far as I can >> understand, we either >>>> want to render this AoR to the user of a UAC (so the user >> can react in >>>> one way or another), or input the AoR to some sort of >> policy manager >>>> (e.g. blacklist/whitelist) that might make a decision >> about whether or >>>> not the session should continue -prior- to session >>>> establishment. If we >>>> don't care about this occurring prior to session establishment, of >>>> course, then we could go with the connected-identity >> draft as it is >>>> written today. >>>> >>>> A little refresher on my sipping-retarget draft: The core >>>> problem with any scheme for connected party is figuring >> out how you'd >>>> decide whether or not a particular respondent is authorized. >>>> This is the >>>> argument of 2.2.1 of sipping-retarget, the "unanticipated >> respondent" >>>> problem. When we think about what sorts of policy decisions >>>> we expect a >>>> human or automata to make when receiving a response with identity >>>> information, we have to acknowledge that the UAC has no >> way of knowing >>>> which respondents are or are not authorized to respond to the >>>> request in >>>> question. Since the UAC has no insight into any >> retargeting that has >>>> taken place, the UAC has to assume that virtually any >> response is a >>>> potentially legitimate one. As such, there is little room for any >>>> meaningful policy decision when receiving a response. >> This problem is >>>> further compounded by the fact that the UAS may have >> several possible >>>> legitimate AoRs it could claim (I have a UA that >> registers its contact >>>> address under 3 separate SIP services simultaneously), and of >>>> course the >>>> fact that AoRs may be pretty uninformative (e.g. >>>> sip:user31@freesipservice.example.com), all of which complicate >>>> authorization decisions. Solving this problem is on the same >>>> footing as >>>> solving the request-history problem set. >>>> >>>> With that background, the problems with providing this connected >>>> party information in responses (via the To header or what >>>> have you) are >>>> roughly as follows: >>>> >>>> a) The "unanticipated respondent" problem is especially an issue >>>> for response identity because not all responses are >> success responses. >>>> If you end up connecting to a party (receiving a 200), you can >>>> potentially rely on human factors to help you identify who you are >>>> talking to (after all, Carol can always answer Bob's phone >>>> regardless of >>>> who SIP thinks you connected to) and/or use the connected party >>>> information to change how you might address the party on the >>>> other side. >>>> With a 403 response, you are in a very different >> predicament - how is >>>> UAC or user behavior supposed to change based on the connected URI >>>> attributed to a 403, given the unanticipated respondent >> problem? For >>>> provisional responses, the issues become even worse - we >> then get into >>>> the wonders of forking, multiple provisional responses >> from multiple >>>> sources asserting different To header fields - in short, >> nothing which >>>> makes it any easier to render a "responding" AoR to a user, >>>> for example. >>>> Response identity, in so far as it deals with non-final, >>>> non-successful >>>> responses, opens up the "unconnected party" problem set. I >>>> think this is >>>> just the wrong framing of the problem. You want to know who you >>>> connected to, not who you didn't connect to. >>>> >>>> b) Getting a signature over the To header field in responses >>>> would be difficult. In full awareness of Mr. Elwell's >> note below that >>>> certain parties are interested in "(unauthenticated) identity in a >>>> response", if this information is going to be put to any >>>> purpose, cause >>>> any change in human or UAC behavior, I have a hard time seeing how >>>> anyone could defend it being unsecured. If you want a human or an >>>> automata to make a policy decision based on the AoR in >> the To header >>>> field of the response, some sort of response identity >>>> signature would be >>>> necessary to prevent obvious impersonation attacks >> designed to thwart >>>> authorization decisions. With all due respect to the authors of >>>> draft-cao-sip-response-identity/auth, I'm not sure this problem is >>>> readily solved. Making sure that an appropriate >> authentication service >>>> is in the path of responses is problematic, since responses must >>>> traverse exactly the same path as requests. I played around >>>> with this a >>>> lot in the early phases of SIP identity, and at the end >> of the day, I >>>> had to conclude that the only way to make this work was >> to eliminate >>>> retargeting. Since providing connected-identity in >> responses assumes >>>> that retargeting has taken place, it wouldn't exactly be >>>> getting off on >>>> the right foot. Constraining inbound request routing to a >> domain such >>>> that responses will traverse an authentication service, or >>>> forcing a UAS >>>> to participate in the Identity scheme, is likely to >> require mandatory >>>> option-tags or comparable mechanisms that will limit the >> applicability >>>> of response identity and more or less eliminate its >> opportunistic use. >>>> >>>> c) The inability to reject a response. Take the easiest case - >>>> let's say that the UAC receives a final success response, >> say a 200 >>>> response, with a modified To header field from a party that is >>>> blacklisted by UAC policy. What exactly is the UAC supposed >>>> to do? Send >>>> a 403? One cannot reject responses. Maybe a CANCEL? As >> section 9.1 of >>>> RFC3261 says, CANCEL "has no effect on requests that have already >>>> generated a final response." Drop the request on the floor? >>>> You'll just >>>> receive retransmissions. All you can do is ACK it, since the >>>> dialog has >>>> already been formed, and then send a BYE. In other words, >> a session >>>> -will- be established, there simply isn't an opportunity >> for policy to >>>> be put into effect prior to session establishment. Also, >> consider the >>>> need for the new responses defined in the sip-identity >> draft, like say >>>> the 438 response - if the UAC receives a 200 response with a >>>> potentially >>>> repairable error in the Identity header, how can it >> express that error >>>> to the UAS, since it can't send responses to a response? >>>> >>>> Given the above, why does the UAC need to know who has been >>>> reached in the response, rather than in a request after >> the dialog has >>>> been formed? As (c) illustrates, in the 200 response case a >>>> session will >>>> be established anyway, so sharing the identity of the >> connected party >>>> after session establishment doesn't actually miss some >> opportunity for >>>> applying policy - moreover, an UPDATE or similar request >> that provides >>>> the connected-identity information could be rejected by the >>>> session-originating UA in a manner that is helpful to the >>>> session-terminating UA (e.g., a 438 response could be >> sent). If we go >>>> with the mechanism in the connected-identity draft, problem (b) >>>> disappears, since request routing is far more malleable >> than response >>>> routing. Additionally, the connected-identity draft >> wisely does not >>>> attempt to solve "unconnected party" problems from (a), >> which are the >>>> least tractable of the unanticipated respondent problems. Rather, >>>> connected-identity provides an indication more along the >>>> lines of, "your >>>> dialog was established, however that might have happened, >> and this is >>>> who is on the other side". >>>> >>>> Furthermore, any solution that tried to put the >>>> connected-identity information into responses would be >> providing an >>>> imprimatur of legitimacy to those responses - presuming they had a >>>> signature, UACs would validate it, and provided it >> checked out, they >>>> would be tempted say "this is a legitimate response." >> Nothing could be >>>> further from the truth, as sipping-retarget illustrates. >> Legitimacy of >>>> responses cannot be determined by UACs in the absence of >>>> something like >>>> request-history. >>>> >>>> Finally, I like having one Identity header, and for the meaning >>>> of that Identity header to *always* be that it is a >> signature over the >>>> From header field issued by the domain identified by the host >>>> portion of >>>> the addr-spec of the From header field. The current >> connected-identity >>>> header draft provides that property. >>>> >>>> Jon Peterson >>>> NeuStar, Inc. >>>> >>>> -----Original Message----- >>>> From: Elwell, John [mailto:john.elwell@siemens.com] >>>> Sent: Monday, April 03, 2006 11:46 PM >>>> To: sip@ietf.org >>>> Subject: [Sip] Connected-identity and changing the To >>>> header field in aresponse >>>> >>>> >>>> >>>> During discussion of draft-elwell-connected-identity in >>>> Dallas, somebody put forward the opinion that it would be >> dangerous to >>>> change the To header field URI in a response (i.e., make >> it different >>>> from the From header field URI in the request). My >> assumption at the >>>> time was that it would undermine the transaction concept >> in SIP, yet >>>> reading what RFC3261 has to say about transactions, the value >>>> of the To >>>> header field URI in a response does not appear to be involved in >>>> coupling a response to a request. Therefore I assume the >> person who >>>> indicated the danger (which was not challenged at the >>>> meeting) has other >>>> reasons in mind. I would greatly appreciate opinions on >> the wisdom or >>>> otherwise of allowing the To header field URI to change. >> It seems that >>>> from discussion of connected-identity there is a desire from >>>> some parts >>>> of the community to include an (unauthenticated) identity in >>>> a response. >>>> >>>> John >>>> >>> >>> _______________________________________________ >>> Sip mailing list https://www1.ietf.org/mailman/listinfo/sip >>> This list is for NEW development of the core SIP Protocol >>> Use sip-implementors@cs.columbia.edu for questions on current sip >>> Use sipping@ietf.org for new developments on the application of sip >> >> >> _______________________________________________________________ >> SMS schreiben mit WEB.DE FreeMail - einfach, schnell und >> kostenguenstig. Jetzt gleich testen! http://f.web.de/?mc=021192 >> > > _______________________________________________ > Sip mailing list https://www1.ietf.org/mailman/listinfo/sip > This list is for NEW development of the core SIP Protocol > Use sip-implementors@cs.columbia.edu for questions on current sip > Use sipping@ietf.org for new developments on the application of sip _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Roland Jesske
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- Re: [Sip] Connected-identity and changing the To … Paul Kyzivat
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- RE: [Sip] Connected-identity and changing the To … Henry Sinnreich
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- Re: [Sip] Connected-identity and changing the To … Dale.Worley