RE: [Sip] Connected-identity and changing the To header field ina response
"Elwell, John" <john.elwell@siemens.com> Wed, 05 April 2006 12:55 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FR7Xq-00078l-KV; Wed, 05 Apr 2006 08:55:34 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FR7Xp-00078g-1m for sip@ietf.org; Wed, 05 Apr 2006 08:55:33 -0400
Received: from mailgate.siemenscomms.co.uk ([195.171.110.225]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FR7Xo-0004mz-AJ for sip@ietf.org; Wed, 05 Apr 2006 08:55:33 -0400
Received: from CONVERSION-DAEMON.siemenscomms.co.uk by siemenscomms.co.uk (PMDF V6.0-24 #40642) id <0IX900D012LF1M@siemenscomms.co.uk> for sip@ietf.org; Wed, 05 Apr 2006 13:56:03 +0100 (BST)
Received: from ntht207e.uksgcs.siemenscomms.co.uk ([137.223.247.82]) by siemenscomms.co.uk (PMDF V6.0-24 #40642) with ESMTP id <0IX900C7X2LF50@siemenscomms.co.uk>; Wed, 05 Apr 2006 13:56:03 +0100 (BST)
Received: by ntht207e.uksgcs.siemenscomms.co.uk with Internet Mail Service (5.5.2657.72) id <FWM2LMZZ>; Wed, 05 Apr 2006 13:55:30 +0100
Content-return: allowed
Date: Wed, 05 Apr 2006 13:55:05 +0100
From: "Elwell, John" <john.elwell@siemens.com>
Subject: RE: [Sip] Connected-identity and changing the To header field ina response
To: "Christer Holmberg (JO/LMF)" <christer.holmberg@ericsson.com>, "Peterson, Jon" <jon.peterson@neustar.biz>, sip@ietf.org
Message-id: <50B1CBA96870A34799A506B2313F26670896A0CD@ntht201e.siemenscomms.co.uk>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-type: text/plain
Content-transfer-encoding: 7bit
X-Spam-Score: 0.5 (/)
X-Scan-Signature: 40161b1d86420e0807d771943d981d25
Cc:
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Errors-To: sip-bounces@ietf.org
Christer, This "additional connected number" is not a requirement that I have been trying to address. Was this among the requirements that TISPAN brought into the IETF recently? John > -----Original Message----- > From: Christer Holmberg (JO/LMF) > [mailto:christer.holmberg@ericsson.com] > Sent: 05 April 2006 08:34 > To: Elwell, John; Peterson, Jon; sip@ietf.org > Subject: RE: [Sip] Connected-identity and changing the To > header field inaresponse > > > Hi, > > In PSTN terms we are talking about that the TO header shall > be mapped to > the additional connected number, and that does NOT need to be > authorized > in the same way as the connected number. > > And, whether the interworking node sends this value to PSTN > is of course > based on local policy, based on trust etc. > > Regards, > > Christer > > > ________________________________ > > From: Elwell, John [mailto:john.elwell@siemens.com] > Sent: 5. huhtikuuta 2006 10:01 > To: Peterson, Jon; sip@ietf.org > Subject: RE: [Sip] Connected-identity and changing the To header field > inaresponse > > > Jon, > > Thanks for this excellent summary of the issue, which I fully > agree with > and which unfortunately seems to need restating at regular > intervals. It > appears that the chief motivation of those asking for something in the > response is to facilitate interworking with PSTN (by > including it in the > 200 response so that it can be mapped directly to the PSTN "connected" > message). As you say, such a response is always going to be > unauthenticated, and I don't think that meets the requirements of PSTN > interworking. Far better to figure out a way of using an authenticated > connected identity in an UPDATE message for mapping to PSTN connected > identity. > > Of course, in trusted networks there may be other means for > ensuring the > authenticity of an identity in a response, just as there is > in a request > using P-Asserted-Identity. Unfortunately RFC3325 is unclear on the use > of PAI in responses, although in practice I think it is used and is > probably OK if the last hop is secured by TLS so that previous > authentication of the UAS can be relied on for making the assertion. I > think if those trusted networks really need a solution for response > identity, PAI would be a better avenue to explore (taking into account > the risks). But not for the Internet. I am becoming more and more > convinced that diluting the connected-identity draft with a weak > solution for response identity would be the wrong way to go. > > John > > > ________________________________ > > From: Peterson, Jon [mailto:jon.peterson@neustar.biz] > Sent: 05 April 2006 02:05 > To: Elwell, John; sip@ietf.org > Subject: RE: [Sip] Connected-identity and changing the To header > field in aresponse > > > Yes, I was asked for clarification on this point after the > meeting, and I'll be providing it here. As you surmised, it > is not that > RFC3261 relies on the addr-spec of the To or From header field for > transaction identification, or something. In fact, I would have > essentially the same concerns about any proposal that provided an > additional header (say, a 'Connected-Party' header) in responses to > dialog-forming requests which was understood to clobber the To header > field and identify the AoR of the party who was reached after > retargeting of the request took place. > > Starting with the goals of this approach: what sort of UAC > decisions or behavior do we hope to enable through sending a response > with a modified To header field? As far as I can understand, we either > want to render this AoR to the user of a UAC (so the user can react in > one way or another), or input the AoR to some sort of policy manager > (e.g. blacklist/whitelist) that might make a decision about whether or > not the session should continue -prior- to session > establishment. If we > don't care about this occurring prior to session establishment, of > course, then we could go with the connected-identity draft as it is > written today. > > A little refresher on my sipping-retarget draft: The core > problem with any scheme for connected party is figuring out how you'd > decide whether or not a particular respondent is authorized. > This is the > argument of 2.2.1 of sipping-retarget, the "unanticipated respondent" > problem. When we think about what sorts of policy decisions > we expect a > human or automata to make when receiving a response with identity > information, we have to acknowledge that the UAC has no way of knowing > which respondents are or are not authorized to respond to the > request in > question. Since the UAC has no insight into any retargeting that has > taken place, the UAC has to assume that virtually any response is a > potentially legitimate one. As such, there is little room for any > meaningful policy decision when receiving a response. This problem is > further compounded by the fact that the UAS may have several possible > legitimate AoRs it could claim (I have a UA that registers its contact > address under 3 separate SIP services simultaneously), and of > course the > fact that AoRs may be pretty uninformative (e.g. > sip:user31@freesipservice.example.com), all of which complicate > authorization decisions. Solving this problem is on the same > footing as > solving the request-history problem set. > > With that background, the problems with providing this connected > party information in responses (via the To header or what > have you) are > roughly as follows: > > a) The "unanticipated respondent" problem is especially an issue > for response identity because not all responses are success responses. > If you end up connecting to a party (receiving a 200), you can > potentially rely on human factors to help you identify who you are > talking to (after all, Carol can always answer Bob's phone > regardless of > who SIP thinks you connected to) and/or use the connected party > information to change how you might address the party on the > other side. > With a 403 response, you are in a very different predicament - how is > UAC or user behavior supposed to change based on the connected URI > attributed to a 403, given the unanticipated respondent problem? For > provisional responses, the issues become even worse - we then get into > the wonders of forking, multiple provisional responses from multiple > sources asserting different To header fields - in short, nothing which > makes it any easier to render a "responding" AoR to a user, > for example. > Response identity, in so far as it deals with non-final, > non-successful > responses, opens up the "unconnected party" problem set. I > think this is > just the wrong framing of the problem. You want to know who you > connected to, not who you didn't connect to. > > b) Getting a signature over the To header field in responses > would be difficult. In full awareness of Mr. Elwell's note below that > certain parties are interested in "(unauthenticated) identity in a > response", if this information is going to be put to any > purpose, cause > any change in human or UAC behavior, I have a hard time seeing how > anyone could defend it being unsecured. If you want a human or an > automata to make a policy decision based on the AoR in the To header > field of the response, some sort of response identity > signature would be > necessary to prevent obvious impersonation attacks designed to thwart > authorization decisions. With all due respect to the authors of > draft-cao-sip-response-identity/auth, I'm not sure this problem is > readily solved. Making sure that an appropriate authentication service > is in the path of responses is problematic, since responses must > traverse exactly the same path as requests. I played around > with this a > lot in the early phases of SIP identity, and at the end of the day, I > had to conclude that the only way to make this work was to eliminate > retargeting. Since providing connected-identity in responses assumes > that retargeting has taken place, it wouldn't exactly be > getting off on > the right foot. Constraining inbound request routing to a domain such > that responses will traverse an authentication service, or > forcing a UAS > to participate in the Identity scheme, is likely to require mandatory > option-tags or comparable mechanisms that will limit the applicability > of response identity and more or less eliminate its opportunistic use. > > c) The inability to reject a response. Take the easiest case - > let's say that the UAC receives a final success response, say a 200 > response, with a modified To header field from a party that is > blacklisted by UAC policy. What exactly is the UAC supposed > to do? Send > a 403? One cannot reject responses. Maybe a CANCEL? As section 9.1 of > RFC3261 says, CANCEL "has no effect on requests that have already > generated a final response." Drop the request on the floor? > You'll just > receive retransmissions. All you can do is ACK it, since the > dialog has > already been formed, and then send a BYE. In other words, a session > -will- be established, there simply isn't an opportunity for policy to > be put into effect prior to session establishment. Also, consider the > need for the new responses defined in the sip-identity draft, like say > the 438 response - if the UAC receives a 200 response with a > potentially > repairable error in the Identity header, how can it express that error > to the UAS, since it can't send responses to a response? > > Given the above, why does the UAC need to know who has been > reached in the response, rather than in a request after the dialog has > been formed? As (c) illustrates, in the 200 response case a > session will > be established anyway, so sharing the identity of the connected party > after session establishment doesn't actually miss some opportunity for > applying policy - moreover, an UPDATE or similar request that provides > the connected-identity information could be rejected by the > session-originating UA in a manner that is helpful to the > session-terminating UA (e.g., a 438 response could be sent). If we go > with the mechanism in the connected-identity draft, problem (b) > disappears, since request routing is far more malleable than response > routing. Additionally, the connected-identity draft wisely does not > attempt to solve "unconnected party" problems from (a), which are the > least tractable of the unanticipated respondent problems. Rather, > connected-identity provides an indication more along the > lines of, "your > dialog was established, however that might have happened, and this is > who is on the other side". > > Furthermore, any solution that tried to put the > connected-identity information into responses would be providing an > imprimatur of legitimacy to those responses - presuming they had a > signature, UACs would validate it, and provided it checked out, they > would be tempted say "this is a legitimate response." Nothing could be > further from the truth, as sipping-retarget illustrates. Legitimacy of > responses cannot be determined by UACs in the absence of > something like > request-history. > > Finally, I like having one Identity header, and for the meaning > of that Identity header to *always* be that it is a signature over the > From header field issued by the domain identified by the host > portion of > the addr-spec of the From header field. The current connected-identity > header draft provides that property. > > Jon Peterson > NeuStar, Inc. > > -----Original Message----- > From: Elwell, John [mailto:john.elwell@siemens.com] > Sent: Monday, April 03, 2006 11:46 PM > To: sip@ietf.org > Subject: [Sip] Connected-identity and changing the To > header field in aresponse > > > > During discussion of draft-elwell-connected-identity in > Dallas, somebody put forward the opinion that it would be dangerous to > change the To header field URI in a response (i.e., make it different > from the From header field URI in the request). My assumption at the > time was that it would undermine the transaction concept in SIP, yet > reading what RFC3261 has to say about transactions, the value > of the To > header field URI in a response does not appear to be involved in > coupling a response to a request. Therefore I assume the person who > indicated the danger (which was not challenged at the > meeting) has other > reasons in mind. I would greatly appreciate opinions on the wisdom or > otherwise of allowing the To header field URI to change. It seems that > from discussion of connected-identity there is a desire from > some parts > of the community to include an (unauthenticated) identity in > a response. > > John > _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Roland Jesske
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- Re: [Sip] Connected-identity and changing the To … Paul Kyzivat
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- RE: [Sip] Connected-identity and changing the To … Henry Sinnreich
- Re: [Sip] Connected-identity and changing the To … Cullen Jennings
- RE: [Sip] Connected-identity and changing the To … Elwell, John
- RE: [Sip] Connected-identity and changing the To … Drage, Keith (Keith)
- Re: [Sip] Connected-identity and changing the To … Dale.Worley