[Sip] Expert review of draft-camarillo-sipping-user-database-01.txt: Revision required
Dean Willis <dean.willis@softarmor.com> Thu, 13 October 2005 23:28 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EQCV0-0004Er-Mf; Thu, 13 Oct 2005 19:28:34 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EQCUz-0004Em-BU for sip@megatron.ietf.org; Thu, 13 Oct 2005 19:28:33 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA03454 for <sip@ietf.org>; Thu, 13 Oct 2005 19:28:28 -0400 (EDT)
Received: from nylon.softarmor.com ([66.135.38.164]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EQCfa-0007ZR-Qz for sip@ietf.org; Thu, 13 Oct 2005 19:39:31 -0400
Received: from [192.168.2.103] ([12.5.186.28]) (authenticated bits=0) by nylon.softarmor.com (8.13.1/8.13.1) with ESMTP id j9DNXMxE018404 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Thu, 13 Oct 2005 18:33:23 -0500
Mime-Version: 1.0 (Apple Message framework v734)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <321D79D4-71D6-4959-8E25-4D7E2766342B@softarmor.com>
Content-Transfer-Encoding: 7bit
From: Dean Willis <dean.willis@softarmor.com>
Date: Thu, 13 Oct 2005 18:28:22 -0500
To: Sipping List <sip@ietf.org>, Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
X-Mailer: Apple Mail (2.734)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4b7d60495f1a7f2e853e8cbae7e6dbfc
Content-Transfer-Encoding: 7bit
Cc: Rohan Mahy <rohan@ekabal.com>, Allison Mankin <mankin@psg.com>
Subject: [Sip] Expert review of draft-camarillo-sipping-user-database-01.txt: Revision required
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
SIPPING Working Group: Please consider the following "P-header expert
review" and let us know if you have any issues with it or further
suggestions to make.
----------
Publication of draft-camarillo-sipping-user-database-01.txt as an
informational document defining P-headers has been requested. Under
the terms of RFC 3427, this requires addressing the following 7
requirements:
1. A designated expert (as defined in RFC 2434 [4]) MUST review the
proposal for applicability to SIP and conformance to these
guidelines. The Expert Reviewer will send email to the
Transport
Area Directors on this determination. The expert reviewer can
cite one or more of the guidelines that haven't been followed in
his/her opinion.
Dean Willis was selected as the designated expert for this review. As
per the current practice, the resulting review will have been
discussed in the SIP community via the SIPPING working group's
mailing list and evaluated for rough technical consensus before
reporting a conclusive positive review to the Area Directors.
2. The proposed extension MUST NOT define SIP option tags, response
codes, or methods.
The reviewed document defines one "P-header" without an option tag,
response code, or method, and therefore satisfies this requirement.
3. The function of the proposed header MUST NOT overlap with
current
or planned chartered extensions.
The proposed header provides for the communication of locally-valid
state information between two proxies in the IMS environment as
defined by 3GPP. It does not appear to relate in any significant way
to any ongoing, planned, proposed, or even whimsically discussed work
of the IETF known to the reviewer, and therefore satisfies this
requirement.
4. The proposed header MUST be of a purely informational nature,
and
MUST NOT significantly change the behavior of SIP entities which
support it. Headers which merely provide additional information
pertinent to a request or a response are acceptable. If the
headers redefine or contradict normative behavior defined in
standards track SIP specifications, that is what is meant by
significantly different behavior.
The proposed header conveys information about the back-end database
used by the originating proxy to a receiving proxy in the same IMS
operator domain. This prevents the receiving proxy from having to
repeat the resolution process used by the first proxy. In the absence
of this extension, the resulting call flow would be identical, but
would require one additional database operation. Consequently, the
proposed extension appears to be consistent with the intent of this
requirement.
5. The proposed header MUST NOT undermine SIP security in any
sense.
The Internet Draft proposing the new header MUST address
security
issues in detail as if it were a Standards Track document. Note
that, if the intended application scenario makes certain
assumptions regarding security, the security considerations only
need to meet the intended application scenario rather than the
general Internet case. In any case, security issues need to be
discussed for arbitrary usage scenarios (including the general
Internet case).
The proposed extension header, "P-User-Database" applies only in IMS
environments where the originating proxy (The P-CSCF) and the
terminating proxy (the S-CSCF) exist in a protected environment
sharing a mutual frame of reference to the database in question. The
security relationship between these elements is defined by the IMS
sprcifications.
The text given as the "Security Consideration" section of the
reviewed document follows:
"The P-User-Database defined in this document is to be used in an
environment where elements are trusted and where attackers are not
supposed to have access to the protocol messages between those
elements. Traffic protection between network elements is sometimes
achieved by using IPsec and sometimes by physically protecting the
network. In any case, the environment where the P-User-Database
header field will be used ensures the integrity and the
confidentiality of the contents of this header field."
While the above text is believed correct, this reviewer finds these
considerations to provide inadequate guidance to future readers of
this specification who may not be conversant with the characteristics
of IMS. No explicit reference to IMS is made by the reviewed
document, and the characteristics of IMS that make the proposed
extension viable are not elucidated by the reviewed document. This
could be corrected by an explicit reference to IMS specifications,
and by the inclusion in the revisions to the reviewed document of a
summary elucidation of the relevant characteristics of IMS:
* The "P-User-Database" header field is inserted by a proxy element
referred to as P-CSCF.
* The "P-User-Database" header field is consumed and removed by a
proxy element referred to as S-CSCF.
* Both P-CSCF and S-CSCF are under the administrative control of a
single operator, and share a common frame of reference to the
database indicated by the P-User-Database header field.
The preceding elucidations or equivalent material should be contained
in the "Applicability Statement" section of the final RFC.
* There is a slight security risk if the the P-User-Database header
field is allowed is allowed to propagate out of the domain bounded by
the administrative control of that operator. No user-sensitive
information would be revealed by such a breach, but this could result
in disclosure of information about the topology of the operator
network that goes beyond the level of disclosure explicit in SIP
messages without this extension. Consequently, operators my wish to
be diligent about removal of the P-User-Database header field before
sending a request containing it to other network operators or to user
equipment.
The preceding elucidation or equivalent material should be contained
in the "Security Considerations" section of the final RFC.
6. The proposed header MUST be clearly documented in an (Individual
or Working Group) Informational RFC, and registered with IANA.
The reviewed document is intended to become the informational RFC
required by this consideration. Acceptance of this document for
publication as an informational RFC will address this requirement.
7. An applicability statement in the Informational RFC MUST clearly
document the useful scope of the proposal, and explain its
limitations and why it is not suitable for the general use of
SIP
in the Internet.
The reviewed document contains an applicability statement. This
reviewer finds he current applicability statement inadequate, and has
discussed additional material earlier in this review that if added
should make the applicability statement adequate to address this
consideration.
Note: It has been suggested to this reviewer that the proposed
extension header field would benefit from the inclusion of extension
parameter syntax, which has become the common practice for SIP
extensions. Therefore it is suggested that the syntax be amended as
follows:
OLD:
P-User-Database = "P-User-Database" HCOLON database
NEW:
P-User-Database = "P-User-Database" HCOLON database
*( SEMI generic-param )
Further note:
The document makes explicit reference to RFC 2119, but does not
invoke any of the language of that RFC. For consistency with the
current practices relating to informational-track documents,
reference to RFC 2119 and the associated language definition section
should be removed from revisions to the reviewed document.
Conclusion: While the proposed extension header is consistent with
the requirements of RFC 3427, the document as reviewed fails to
satisfactorily address the "Applicability Statement" and "Security
Considerations" requirements of that RFC, requires two additional
content modifications (syntax change and removal of RFC 2119
references) and is therefore remanded to the author for revision.
--
Dean Willis
designated reviewer for draft-camarillo-sipping-user-database-01.txt
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip