third alternative (was RE: [Sip] RE: Identity after reinvite)
"Peterson, Jon" <jon.peterson@neustar.biz> Tue, 16 November 2004 22:47 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA04754 for <sip-web-archive@ietf.org>; Tue, 16 Nov 2004 17:47:20 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CUC8v-0005qM-8a for sip-web-archive@ietf.org; Tue, 16 Nov 2004 17:49:45 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CUBvh-0003Ry-2U; Tue, 16 Nov 2004 17:36:05 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CUBUp-0004jh-Kl for sip@megatron.ietf.org; Tue, 16 Nov 2004 17:08:19 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA26816 for <sip@ietf.org>; Tue, 16 Nov 2004 17:08:17 -0500 (EST)
Received: from oak.neustar.com ([209.173.53.70]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CUBX7-0003KU-7o for sip@ietf.org; Tue, 16 Nov 2004 17:10:41 -0500
Received: from stntimc1.va.neustar.com (stntimc1.neustar.com [10.31.13.11]) by oak.neustar.com (8.12.8/8.11.0) with ESMTP id iAGM7l10032325; Tue, 16 Nov 2004 22:07:47 GMT
Received: by stntimc1.cis.neustar.com with Internet Mail Service (5.5.2657.72) id <T32L8J2W>; Tue, 16 Nov 2004 17:07:47 -0500
Message-ID: <7927C67249E4AD43BC05B539AF0D129801AF4379@stntexch04.cis.neustar.com>
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: 'Cullen Jennings' <fluffy@cisco.com>, Jonathan Rosenberg <jdrosen@cisco.com>
Subject: third alternative (was RE: [Sip] RE: Identity after reinvite)
Date: Tue, 16 Nov 2004 17:07:41 -0500
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2657.72)
Content-Type: text/plain; charset="ISO-8859-1"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 386e0819b1192672467565a524848168
Cc: sip@ietf.org, Paul H Kyzivat <pkyzivat@cisco.com>
X-BeenThere: sip@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Session Initiation Protocol <sip.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sip@ietf.org>
List-Help: <mailto:sip-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sip>, <mailto:sip-request@ietf.org?subject=subscribe>
Sender: sip-bounces@ietf.org
Errors-To: sip-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cf3becbbd6d1a45acbe2ffd4ab88bdc2
I would like to suggest a third alternative: 3) Change nothing about in To/From. Requests in the backwards direction in a dialog may go through the authentication service of the domain indicated in the host portion of the From header of the request. If that is not possible, do not supply request identity for such messages. While this seem like a non-starter in retargeting cases, requests get retargeted for a reason. If the dialog-forming request was appropriately delivered to the domain indicated in the Request-URI (biloxi.example.com), and that domain chose to forward the request to another domain (chicago.example.com), it did so because some entity was authorized to add the chicago URI as a contact for the biloxi URI. In other words, this approach views retargeting as if the callee's UA were actually registered at biloxi "through" chicago, and that when the UA receives a dialog-forming request, it is the To header that determines who should assert identity for new requests in the backwards direction. In cases where the user contacted at chicago does not possess credentials to authenticate themselves to biloxi, I think it would be fair to say that requests in the backwards direction should not get an Identity header. To go any further, I think, requires us to solve the response identity problem. This approach is, I think, forward-compatible with any reasonable solution to the response identity problem, though. The primary challenge of this approach is insuring that requests in the backwards direction will actually go through the authentication service of biloxi.com, since in many cases they ordinarily might not. If biloxi.com Record-Routes its auth service in the dialog-forming request, this would provide the right assurance (and seems plausible from a deployment perspective); however, if chicago.com also Record-Routes itself, for example, then the callee will not be able to form a direct TLS connection to biloxi.com. It is also possible that the callee's UA could force a Route header to connect to biloxi.com first, but this requires the callee's UA to be identity-aware, which is undesirable when sip-identity is applied opportunistically. But it isn't immediately clear how this is any different from normal cases of request identity outside the scope of a dialog. There are any number of possible reasons why the calling UA might not be able to connect directly via TLS to its auth service (including interposing intermediaries and/or the inability of the UA to force a Route through their auth service), and the draft currently just says that we shouldn't provide Identity when we cannot get the needed relationship between the UA and auth service. I've gotten a lot of feedback (from Paul, Kumiko and others) that we should try to weaken the requirement for direct TLS, and I intend to add some text to the next version about some specific ways in which it is still acceptable to provide identity even if a direct TLS connection cannot be formed. Certain forms of weakness there could be beneficial to this approach. Jon Peterson NeuStar, Inc. > -----Original Message----- > From: Cullen Jennings [mailto:fluffy@cisco.com] > Sent: Tuesday, November 16, 2004 9:30 AM > To: Jonathan Rosenberg; Jon Peterson > Cc: Paul H Kyzivat; sip@ietf.org > Subject: Re: [Sip] RE: Identity after reinvite > > > On 11/16/04 12:05 AM, "Jonathan Rosenberg" <jdrosen@cisco.com> wrote: > > > The solution, which rfc3261 warns of, is that a UA has to > put its actual > > identity in the From field URI, not what it saw in the To > field of the > > original request. This will break all compatibility with > rfc2543, but > > will work with other rfc3261 compliant endpoints, since the > URI is no > > longer used for dialog identification. > > At this point, I really see two paths forward for the connected party > problem. > > 1) We do as suggested above and allow everything in the From > and To other > than the tags to be changed in a Re-INVITE or UPDATE. > > 2) We create a new thing that is like invite with replaces > but add a new tag > that is called say "subsumes". So if A and B have a dialog, > or early dialog, > and one of them wants to change a From. The UA sends an > INVITE for a new > dialog, indicates it replaces the old dialog, and indicates > that it subsumes > it. The subsumes flag would mean that any existing media session, qos > reservations, etc did not change and got moved to the new dialog. > > _______________________________________________ Sip mailing list https://www1.ietf.org/mailman/listinfo/sip This list is for NEW development of the core SIP Protocol Use sip-implementors@cs.columbia.edu for questions on current sip Use sipping@ietf.org for new developments on the application of sip
- third alternative (was RE: [Sip] RE: Identity aft… Peterson, Jon
- third alternative (was RE: [Sip] RE: Identity aft… Peterson, Jon
- Re: third alternative (was RE: [Sip] RE: Identity… Jonathan Rosenberg
- RE: third alternative (was RE: [Sip] RE: Identity… Peterson, Jon
- Re: third alternative (was RE: [Sip] RE: Identity… Paul Kyzivat
- RE: third alternative (was RE: [Sip] RE: Identity… Peterson, Jon
- Re: third alternative (was RE: [Sip] RE: Identity… Paul Kyzivat
- Re: third alternative (was RE: [Sip] RE: Identity… David R Oran
- RE: third alternative (was RE: [Sip] RE: Identity… Peterson, Jon
- privacy without b2bua, was: Re: third alternative… Jonathan Rosenberg
- Re: privacy without b2bua, was: Re: third alterna… Paul Kyzivat
- Re: privacy without b2bua, was: Re: third alterna… Jonathan Rosenberg
- Re: third alternative (was RE: [Sip] RE: Identity… Cullen Jennings
- Re: privacy without b2bua, was: Re: third alterna… Cullen Jennings
- Re: privacy without b2bua, was: Re: third alterna… Paul Kyzivat
- Re: privacy without b2bua, was: Re: third alterna… Jonathan Rosenberg
- Re: privacy without b2bua, was: Re: third alterna… Cullen Jennings
- Re: privacy without b2bua, was: Re: third alterna… Michael Thomas
- Re: privacy without b2bua, was: Re: third alterna… Dean Willis
- Re: privacy without b2bua, was: Re: third alterna… Jonathan Rosenberg
- Re: privacy without b2bua, was: Re: third alterna… Cullen Jennings