RE: sipping-retarget (was RE: [Sip] RE: Question to Identity draf t)
"Francois Audet" <audet@nortel.com> Thu, 21 April 2005 04:36 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DOTQa-0008S4-PF; Thu, 21 Apr 2005 00:36:36 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1DOTQY-0008Rz-1c for sip@megatron.ietf.org; Thu, 21 Apr 2005 00:36:34 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id AAA29372 for <sip@ietf.org>; Thu, 21 Apr 2005 00:36:31 -0400 (EDT)
Received: from zcars04f.nortelnetworks.com ([47.129.242.57]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1DOTbt-0002mi-Do for sip@ietf.org; Thu, 21 Apr 2005 00:48:18 -0400
Received: from zrtpd0jn.us.nortel.com (zrtpd0jn.us.nortel.com [47.140.202.35]) by zcars04f.nortelnetworks.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id j3L4Zv304300; Thu, 21 Apr 2005 00:35:57 -0400 (EDT)
Received: by zrtpd0jn.us.nortel.com with Internet Mail Service (5.5.2653.19) id <JJ896AA6>; Thu, 21 Apr 2005 00:35:58 -0400
Message-ID: <1ECE0EB50388174790F9694F77522CCF01F98045@zrc2hxm0.corp.nortel.com>
From: Francois Audet <audet@nortel.com>
To: "'Peterson, Jon'" <jon.peterson@neustar.biz>, 'Fries Steffen' <steffen.fries@siemens.com>, "'fluffy@cisco.com'" <fluffy@cisco.com>
Subject: RE: sipping-retarget (was RE: [Sip] RE: Question to Identity draf t)
Date: Thu, 21 Apr 2005 00:35:45 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
X-Spam-Score: 1.5 (+)
X-Scan-Signature: 4bbdb236f788407ff689fcae8109fe34
Cc: 'IETF SIP List' <sip@ietf.org>
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============0861665912=="
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
It looks like this time, we are going somewhere. See below. -----Original Message----- From: Peterson, Jon [mailto:jon.peterson@neustar.biz] Sent: Wednesday, April 20, 2005 17:12 To: Audet, Francois [SC100:9T51:EXCH]; Fries Steffen; fluffy@cisco.com Cc: IETF SIP List Subject: RE: sipping-retarget (was RE: [Sip] RE: Question to Identity draft) The idea of providing a 'Connected' header and signing it is the subject of 2.2.1 of sipping-retarget. It was in fact the strawman against which the unanticipated respondent problem was defined. Namely, 2.2.1 is concerned with the fact that impersonation is difficult to even define when it comes to response identity, because there is no concept of a unique impersonatable respondent, and consequently it is impossible for the UAC to know who is actually authorized to respond - it must assume that virtually anyone could legitimately be answering. It is possible to detect an impersonation of a particular someone; very difficult, and most likely self-defeating, to try to detect the impersonation of virtually anyone. I'm not sure how your points below (in the first part) provide us with any traction on this issue. I think the solution to this is to have a redirection to the ultimate retargeting endpoint. Let me get to that at the end of the email. Regarding your flow for sipping-certs, a few comments. First of all, yes, Alice could include her certificate in an INVITE, thereby obviating 4 and 5 (and 11 and 12). I don't think sipping-certs meant to rule that out; the point is, before one sends a request, it is useful to be able to look up the cert in a repository rather than just sending an INVITE without SDP or something - the same principle clearly does not apply to receiving a request, wherein the request itself can always provide the caller's cert. Good. That's exactly what I wanted to hear. This idea of having SUBSCRIBEs sent at session setup by the responder (before sending a response) was bothering me quite a bit. Of course, having them available already through Certs, because Bob or Carol already know Alice, is even better. More importantly, I think the promise of a certs-like approach lies in what happens in step 2. If the cert store has access to Bob's location service, the cert store may be able to anticipate that Alice needs to talk to Carol right now, not Bob. If that's the case, maybe sending back a NOTIFY with Bob's cert isn't the right thing to do in this instance. In certain cases, perhaps Bob could send his own certificate, plus Carol's and any other's it might forward to in the immediate future. But, this is not applicable to all scenarios. I can see a lot of cases where this is just plain impossible, and we need a solution for those cases too. Imagine that Bob is a service (like a group list) that dispatches to many different individuals, randomly, or to a bunch of agents that do not share the same cert (e.g., a bunch of insurance company agents, a group of geographically dispersed people in a virtual call center for customer support, etc.). These call center applications will happen all the time, in fact, it seems to me to be a prime candidate to moving from PSTN to SIP because of the increase flexibility in customizing their application (and for reducing cost). Their requirement will often be "I need to encrypt media" and "I need to authenticate the originator". Now, I know you will respond that you could try to anticipate who will respond, but this is just not the way these services operate. The routing decision is made real-time (seconds count) based on the status of the agents (when they hang-up). With forking, it is even worst. To add even more complexity, imagine that Carol is a PSTN user. The network may be using a bunch of PSTN gateways. It may even use a bunch of different service providers to terminate PSTN calls. The algorithm for distributing the calls is their own. It will again not be possible to predict who will answer. This the types of scenarios that I want to make sure we support, and why I think we must have some sort of connected identity. The whole point of having things like SUBSCRIBE/NOTIFY in the SIP protocol is to allow the network to adapt to changing conditions in real time. If Bob is no longer the person that you're going to reach when you call Bob, and your request will only work for Bob (e.g., you're going to encrypt it with Bob's public key), the cert store should be able to tell you that this isn't going to work, and potentially give you some idea of who you will reach. To be clear, I'm not suggesting that sipping-certs provides a mechanism for this today - but I am arguing that the fundamental -approach- of sipping-certs allows for this sort of functionality, and that this could potentially eliminate surprise 493 responses. Yes: sometimes it will work. Other times it won't, as you point out below and as I did above. Of course, even if a cert store has access to a location service, it may be in no position to tell you who is going to pick up the call. It may be that Bob has populated his location service with 5 different URIs, targeting any one of which might result in a completed call or not. In these cases we are in a genuine quandry. Encrypting an SDP body five different times, and including all five in a message, is no fun, let alone discovering the certificates of the five targets. This is a generic forking problem, though, and it taps into the heart of the question of whether or not redirection or retargeting is preferable architecturally. Encrypting to multiple targets has always been one of forking's known drawbacks. Sequential forking is also quite problematic. You could imagine doing these certificate fetching many times before finding the right one. I don't understand what is wrong with "forcing" a redirection at the end of many retargetings. It seems to me that retargeting in the network is here to stay. But, we have the power to force a redirection for the unanticipated respondent problem, at least in the context of identity. When the respondent figures out that he wants its identity to be known to the initiator regardless of retargeting, he could force this redirection. Incidently, this is why I tought that a 3XX response code would be more appropriate than a 493: the reason is that he wants to session to be reinitiated/redirected directly to itself, not through a bunch of retargeting entities. Now, of course, the sender also needs to be able to not go through with a call if the unanticipated answerer is not the suitable. If we mandate the use of 3XX/493 (by the responder) for retargeting when identity is required, then we avoid the problem of the unanticipated responder accepting the call (followed by the sender clearing it after answer which is quite ugly). That 3XX would have an identity and the cert. I like the fact that this solution works well with both the connected identity problem and with the sRTP & S/MIME problem. Jon Peterson NeuStar, Inc. -----Original Message----- From: Francois Audet [mailto:audet@nortel.com] Sent: Tuesday, April 19, 2005 5:43 PM To: Peterson, Jon; 'Fries Steffen'; 'fluffy@cisco.com' Cc: 'IETF SIP List' Subject: RE: sipping-retarget (was RE: [Sip] RE: Question to Identity draft) OK, forget about the idea I was proposing, and instead let's try to achieve it using the something along the lines of the identity draft. What about the connected number information being essentially the same mechanism as what you have for the Calling identity, but provided in the response? Something like a new "Connected header" (or perhaps Contact would be sufficient, I'm not sure), followed by the Identity and Identity-Info? The Identity-Info header could have something like https://biloxy.example.com <https://biloxy.example.com> . The unanticipated respondent problem would be easier to deal with because: - In a lot of case, Bob and Carol (the retargetter and retargettee) could have the same certification authority, so Alice's decision to proceed or not with the call may not require going fetching the yet another certificate. - Maybe we have "Require: connected-identity" header if we need the identity. - Yes, if the SDP was encrypted (because of sRTP or whatever), it would cause another session to be re-established because of the 493 (or other appropriate rejection code). Would that be a good way to solve the Connected number problem? Now, moving to the next problem, the encrypted SDP. Alice wants to call Bob and have secure media (because she is afraid of hackers tapping in). In fact, she essentially wants all her media encrypted, regardless of who she talks too, even strangers. She does not have Bob in her contact list, as she is calling him for the first time. She also doesn't know Carol, his assistant to whom the call will be retargetted. In the example above, the sequence would be this: 1 - Alice sends SUBSCRIBE to Bob to fetch his certificate because she doesn't have it. 2 - Bob sends NOTIFY to Alice with his certificate. 3 - Alice sends INVITE to Bob, with SDP encrypted using Bob's key, along with her Identity 4 - Bob doesnt' have Alice's certificate, so he sends SUBSCRIBE to Alice to fetch her cert. 5 - Alice sends NOTIFY to Bob with her certificate. 6 - Bob retargets to Carol (forwards the INVITE to Carol). 7 - Carol responds with 493, since she can't decode the SDP, and includes her Contact and her Identity. 8 - Alice sends SUBSCRIBE to Carol to get her cert. 9 - Carol sends NOTIFY to Alice with her cert. 10 - Alice sends INVITE to Alice with her Identity, encrypted with Carol's key. 11 - Carol sends Alice a SUBSCRIBE to get her certificate. 12 - Alice sends NOTIFY to Carol with her certificate. 13 - Carol sends 200 OK to Alice, with SDP encrypted using Alice's key. This is way too complicated and will take forever to complete a call. And in my mind, lots (if not the majority) of calls would look like this in environments where unanticipated respondents are typical (which is the case for a lot of businesses). Couldn't this be avoided if not only was Identity used in both directions (solving the unanticipated respondent problem), and if Alice and Carol also included their user certificate (for the purposed of sRTP) in the INVITE and 493? Instead of a 10 roundtrip session setup, it would be a 2 roundtrip session setup. Of course, in the case of people who know each other, Alice would have subscribed to Bob and Carol's certificate, so none of this would happen: it would be a 1 round-trip session setup. In other words, I DO like the Certs draft, and it should be used whenever possible.
_______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- RE: sipping-retarget (was RE: [Sip] RE: Question … Francois Audet
- RE: sipping-retarget (was RE: [Sip] RE: Question … Francois Audet
- Re: sipping-retarget (was RE: [Sip] RE: Question … Paul Kyzivat
- RE: sipping-retarget (was RE: [Sip] RE: Question … Francois Audet
- RE: sipping-retarget (was RE: [Sip] RE: Question … Francois Audet