Re: privacy without b2bua, was: Re: third alternative (was RE: [Sip] RE: Identity after reinvite)
Paul Kyzivat <pkyzivat@cisco.com> Wed, 24 November 2004 14:37 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA27911 for <sip-web-archive@ietf.org>; Wed, 24 Nov 2004 09:37:31 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CWyKs-000147-DJ for sip-web-archive@ietf.org; Wed, 24 Nov 2004 09:41:34 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CWyEi-0006W5-Qb; Wed, 24 Nov 2004 09:35:12 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CWyDn-0006EL-Jr for sip@megatron.ietf.org; Wed, 24 Nov 2004 09:34:15 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA27738 for <sip@ietf.org>; Wed, 24 Nov 2004 09:34:13 -0500 (EST)
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CWyHg-0000Ua-Cp for sip@ietf.org; Wed, 24 Nov 2004 09:38:16 -0500
Received: from sj-core-2.cisco.com (171.71.177.254) by sj-iport-2.cisco.com with ESMTP; 24 Nov 2004 06:37:07 -0800
Received: from flask.cisco.com (IDENT:mirapoint@flask.cisco.com [161.44.122.62]) by sj-core-2.cisco.com (8.12.10/8.12.6) with ESMTP id iAOEXeAC014943; Wed, 24 Nov 2004 06:33:41 -0800 (PST)
Received: from cisco.com (che-vpn-cluster-2-194.cisco.com [10.86.242.194]) by flask.cisco.com (MOS 3.4.6-GR) with ESMTP id ANG68930; Wed, 24 Nov 2004 09:33:39 -0500 (EST)
Message-ID: <41A49BC2.4020908@cisco.com>
Date: Wed, 24 Nov 2004 09:33:38 -0500
From: Paul Kyzivat <pkyzivat@cisco.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Jonathan Rosenberg <jdrosen@cisco.com>
Subject: Re: privacy without b2bua, was: Re: third alternative (was RE: [Sip] RE: Identity after reinvite)
References: <24EAE5D4448B9D4592C6D234CBEBD597089963@stntexch03.cis.neustar.com> <41A44526.3080703@cisco.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Content-Transfer-Encoding: 7bit
Cc: 'Cullen Jennings' <fluffy@cisco.com>, "'sip@ietf.org'" <sip@ietf.org>, 'David R Oran' <oran@cisco.com>, "Peterson, Jon" <jon.peterson@neustar.biz>
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f607d15ccc2bc4eaf3ade8ffa8af02a0
Content-Transfer-Encoding: 7bit
Jonathan - inline. Paul Jonathan Rosenberg wrote: > >> RFC3323 is about due for an update, I think, because the major functions >> that it provides can be performed without a B2BUA, thanks to new SIP >> mechanisms like GRUUs and session-policy. So while I agree that an >> anonymization service is the right approach to this problem, these days I >> think you can probably build an anonymization service without building a >> B2BUA. > > I believe this is probably true. Here's how I think it'd work: > > A client that wants to make an anonymous call contacts a TURN server > providing anonymization services. That server provides the client with > IP addresses and ports that it can use in its Via, contact, and SDP. The > From field is anonymized. A privacy header is inserted. The request is > sent via the TURN server to the user's outbound proxy. That proxy can > still authenticate the client, and even insert an identity header that > at least vouches that the client is a legit client that is just anonymous. While I buy the approach, I don't think what you are describing is a TURN server. It is a combination of a TURN server and a SIP anonymization server. And I don't even see how this can be viewed as one thing. The client has to contact a TURN server from the address/port it intends to use for media. For multiple media streams it needs to do this multiple times from different source ports. It also has to contact the sip anonymization server to set up the sip anonymization. Then it can proceed as you describe. Still seems like a good approach - but it requires additional servers / protocols, and extra work on the part of the client. I can see how some might find it easier to just send a sip request to a server that does all the work by magic. Paul > The provider of the anonymization server (turn in this case) can be > completely decoupled from the sip provider. That provides an excellent > level of anonymity compared to even a b2bua. The b2bua approach would > still allow the recipient to trace the IP address in the SDP and Contact > to the particular provider; this might not be sufficient (I don't recall > off hand if rfc3323 discusses this problme). > > It also means that there is no need to signal things like header or > media level privacy. The client simply chooses to obfuscate (using the > learned turn addresses) whatever fields it wishes to anonymize. This has > the impact of simplifying the privacy spec significantly. Indeed, it > would seem that it is hardly needed at all... _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- third alternative (was RE: [Sip] RE: Identity aft… Peterson, Jon
- third alternative (was RE: [Sip] RE: Identity aft… Peterson, Jon
- Re: third alternative (was RE: [Sip] RE: Identity… Jonathan Rosenberg
- RE: third alternative (was RE: [Sip] RE: Identity… Peterson, Jon
- Re: third alternative (was RE: [Sip] RE: Identity… Paul Kyzivat
- RE: third alternative (was RE: [Sip] RE: Identity… Peterson, Jon
- Re: third alternative (was RE: [Sip] RE: Identity… Paul Kyzivat
- Re: third alternative (was RE: [Sip] RE: Identity… David R Oran
- RE: third alternative (was RE: [Sip] RE: Identity… Peterson, Jon
- privacy without b2bua, was: Re: third alternative… Jonathan Rosenberg
- Re: privacy without b2bua, was: Re: third alterna… Paul Kyzivat
- Re: privacy without b2bua, was: Re: third alterna… Jonathan Rosenberg
- Re: third alternative (was RE: [Sip] RE: Identity… Cullen Jennings
- Re: privacy without b2bua, was: Re: third alterna… Cullen Jennings
- Re: privacy without b2bua, was: Re: third alterna… Paul Kyzivat
- Re: privacy without b2bua, was: Re: third alterna… Jonathan Rosenberg
- Re: privacy without b2bua, was: Re: third alterna… Cullen Jennings
- Re: privacy without b2bua, was: Re: third alterna… Michael Thomas
- Re: privacy without b2bua, was: Re: third alterna… Dean Willis
- Re: privacy without b2bua, was: Re: third alterna… Jonathan Rosenberg
- Re: privacy without b2bua, was: Re: third alterna… Cullen Jennings