Re: [sipcore] 4244bis and privacy
Hans Erik van Elburg <ietf.hanserik@gmail.com> Thu, 25 June 2009 16:31 UTC
Return-Path: <ietf.hanserik@gmail.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4B1E63A68AE for <sipcore@core3.amsl.com>; Thu, 25 Jun 2009 09:31:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.368
X-Spam-Level:
X-Spam-Status: No, score=-2.368 tagged_above=-999 required=5 tests=[AWL=-0.138, BAYES_00=-2.599, HTML_MESSAGE=0.001, URI_HEX=0.368]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FBjSh1RminXR for <sipcore@core3.amsl.com>; Thu, 25 Jun 2009 09:31:43 -0700 (PDT)
Received: from mail-ew0-f210.google.com (mail-ew0-f210.google.com [209.85.219.210]) by core3.amsl.com (Postfix) with ESMTP id 2FCEA3A6AB7 for <sipcore@ietf.org>; Thu, 25 Jun 2009 09:31:42 -0700 (PDT)
Received: by ewy6 with SMTP id 6so2441046ewy.37 for <sipcore@ietf.org>; Thu, 25 Jun 2009 09:30:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=Ueup5rMW2rx6WmSagRduFzoyf0KOGTQ0Dx5Ahlg67U8=; b=elXT99uXb1i+52uZ3lKkDB531RRWWwUZW5DBr6QzhFx/tzdaBEyctf2bsoqn0SBaPE wtBpv9avtDr3mOIJpwM5WpUCSxaQcG3l4IR+DZdgg7SIaH2KBhxjz4T2yJvFX0yJcUHh 4/e+uKCj01PcApCGPXW9BjzBlRGWWVIbeuw4k=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=I+orYTYwo5WuVYeD1LyzZ/k6aokma57G2TYdGTLkRrPbHjgDGuMolkS/BdNf8a076J 7+mmkY69okVaeOlOGEN/sM15TlYMnuhHcqxOHeyaV0KuxTao+e4ErOTWliYKVCdGcjXF psJzKIEzxLKHbmAxcWkfPsOW4hF/ozoRXgMCc=
MIME-Version: 1.0
Received: by 10.216.0.206 with SMTP id 56mr851740web.102.1245947451358; Thu, 25 Jun 2009 09:30:51 -0700 (PDT)
In-Reply-To: <1ECE0EB50388174790F9694F77522CCF1EB26254@zrc2hxm0.corp.nortel.com>
References: <CA9998CD4A020D418654FCDEF4E707DF0B168320@esealmw113.eemea.ericsson.se> <1ECE0EB50388174790F9694F77522CCF1EA7FE55@zrc2hxm0.corp.nortel.com> <CA9998CD4A020D418654FCDEF4E707DF0B168323@esealmw113.eemea.ericsson.se> <C0E80510684FE94DBDE3A4AF6B968D2D05EDBB6C@esealmw118.eemea.ericsson.se> <1ECE0EB50388174790F9694F77522CCF1EA809F4@zrc2hxm0.corp.nortel.com> <C0E80510684FE94DBDE3A4AF6B968D2D05EDC4E0@esealmw118.eemea.ericsson.se> <1ECE0EB50388174790F9694F77522CCF1EAD7773@zrc2hxm0.corp.nortel.com> <C0E80510684FE94DBDE3A4AF6B968D2D05F042EC@esealmw118.eemea.ericsson.se> <9ae56b1e0906250848l106e8a16j39fbca1ff3541c36@mail.gmail.com> <1ECE0EB50388174790F9694F77522CCF1EB26254@zrc2hxm0.corp.nortel.com>
Date: Thu, 25 Jun 2009 18:30:51 +0200
Message-ID: <9ae56b1e0906250930x4fc8138bi181b61acb266b4b0@mail.gmail.com>
From: Hans Erik van Elburg <ietf.hanserik@gmail.com>
To: Francois Audet <audet@nortel.com>
Content-Type: multipart/alternative; boundary="0016364ed9ae3f3d4e046d2ebfa3"
Cc: Ian Elz <ian.elz@ericsson.com>, sipcore@ietf.org, Shida Schubert <shida@agnada.com>
Subject: Re: [sipcore] 4244bis and privacy
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jun 2009 16:31:46 -0000
Yes. /Hans Erik van Elburg On Thu, Jun 25, 2009 at 6:27 PM, Francois Audet <audet@nortel.com> wrote: > You mean "should not prohibit B to choose to deliver the identity of B to > C", right? > > ------------------------------ > *From:* Hans Erik van Elburg [mailto:ietf.hanserik@gmail.com] > *Sent:* Thursday, June 25, 2009 08:48 > *To:* Ian Elz > *Cc:* Barnes, Mary (RICH2:AR00); Christer Holmberg; Shida Schubert; > sipcore@ietf.org; Audet, Francois (SC100:3055) > *Subject:* Re: 4244bis and privacy > > Ok Ian, now I see what you mean. > You are saying that if A calls B which forwards to C, that A indicating > that privacy is required should not prohibit B to choose to deliver its > identity to C, right? > > I think I agree with you that this is a point that needs to be addressed by > 4244bis. > > Best Regards, > /Hans Erik van Elburg > > On Thu, Jun 25, 2009 at 5:12 PM, Ian Elz <ian.elz@ericsson.com> wrote: > >> Mary, >> >> I am a little concerned about one answer that you gave: >> >> >> If you have a Privacy header with a value of "none" and a H-I entry with >> Privacy header parameter with value "history" what is the privacy of the >> individual H-I entry? >> [MB] We did not explicitly address the "none" in RFC 4244, but the >> general statement is the privacy headers at the request level override >> any at the hi-entry level. [/MB] >> >> This means that if privacy is required for an individual H-I entry but >> the originating user included "Privacy:none" in the request then there >> is no option to include the real URI in the H-I entry. >> >> This occurs as RFC3323 states in section 4.3: "However, if the Privacy >> header value of 'none' is specified in a message, privacy services MUST >> NOT perform any privacy function and MUST NOT remove or modify the >> Privacy header." >> >> The only option for an intermediate node including a H-I entry where >> "Privacy:none" is specified and privacy for the H-I URI is required is >> to include an anonymous entry or not include the H-I entry. >> >> In your previous response you stated that we would violate RFC3323 if we >> specified additional behaviour for privacy explicitly stated with a URI >> -n the H-I entry. I don't believe that this is the case as RFC3323 only >> considered privacy in a two party scenario and did not consider third >> party identities being included in a message between two parties. H-I is >> not the only case where this occurs as the Referred-By header when >> included in the INVITE (or other request) which results from the REFER >> has the same issue. >> >> RFC4244 was the first time that there was a recognition that privacy for >> these individual third party identities may be required. To allow this >> explicit statement of privacy to be overridden by a generic statement >> which is applicable to a different user is counterintuitive. >> >> The original Privacy header is usually included by or on behalf of the >> originating user and should not be allowed to specify the privacy of the >> original called user, e.g. the 800 number, and prevent this identity >> being presented if this user does not have the same level of privacy. >> >> The real issue with the 800 scenario is as you have stated is that the >> answerer will not know the original called identity and will not be able >> to correctly handle the call. As more generic call centres are used >> which will answer calls on behalf of many different organizations using >> CTI and the original called identity to have to implement a generic >> system asking the caller who he originally called appear unprofessional, >> is inefficient and unproductive. >> >> We have an opportunity to allow presentation of specific identities and >> to solve this particular problem so we should take it. >> >> I hope that we can get some wider discussion on this issue so a more >> general consensus can be obtained. >> >> Regards >> >> Ian >> >> >> >> -----Original Message----- >> From: Mary Barnes [mailto:mary.barnes@nortel.com] >> Sent: 24 June 2009 17:27 >> To: Ian Elz >> Cc: Christer Holmberg; Hans Erik van Elburg; Shida Schubert; >> sipcore@ietf.org; Francois Audet >> Subject: RE: 4244bis and privacy >> >> Hi Ian, >> >> Responses inline below [MB]. >> >> Mary. >> >> -----Original Message----- >> From: Ian Elz [mailto:ian.elz@ericsson.com] >> Sent: Wednesday, June 24, 2009 10:37 AM >> To: Barnes, Mary (RICH2:AR00) >> Cc: Christer Holmberg; Hans Erik van Elburg; Shida Schubert; >> sipcore@ietf.org; Audet, Francois (SC100:3055) >> Subject: RE: 4244bis and privacy >> >> Mary, >> >> I was not proposing that we change the handling of H-I which is based >> upon local policy. If that causes an issue for a network operator then >> they can modify their local policy accordingly or arrange with the proxy >> vendor to modify their equipment to be more flexible with regards to >> policy. >> >> Can you clarify for me: >> >> If you have a Privacy header with either "session" or "header" doe this >> impact the H-I entries or will only a value of "history" impact the H-I >> entries? >> [MB] Yes, both "session" and "header" level privacy, consistent with RFC >> 3323, mandate that entries be anonymized or dropped, with the latter >> being the recommendation for "session" level privacy. RFC 4244 mandated >> that they be dropped and 4244bis recommends they be anonymized. The >> original intent for the value of "history" was for the tagging of the >> individual entries, but you end up getting the header level >> functionality as well. [/MB] >> >> If you have a Privacy header with a value of "none" and a H-I entry with >> Privacy header parameter with value "history" what is the privacy of the >> individual H-I entry? >> [MB] We did not explicitly address the "none" in RFC 4244, but the >> general statement is the privacy headers at the request level override >> any at the hi-entry level. [/MB] >> >> From reading RFC4244 a Privacy header with value "history" will >> effectively make all H-I entries private and there is currently no >> option to include a H-I Privacy header parameter with value "none". >> [MB] Correct, per my comment above. [/MB] >> >> H-I at present allows the inclusion of Privacy header parameters to >> explicitly express privacy for an individual H-I entry but a single node >> which includes a header "Privacy: history" makes all H-I entries private >> even if this is not the requirements for the specific URI. >> [MB] Correct, but the only node that should add the header is a node >> which is responsible for the domain associated with the Request URI in >> the incoming request or is authorized to do so. [/MB] >> >> I will admit that having worked in a telephony environment for a long >> time I am used to having privacy of identities set on a per number basis >> and the relative inflexibility of the IETF Privacy header is relatively >> restrictive as to specifying which identities may be presented and which >> not. >> [MB] Yes, this is an entirely different paradigm. I developed telephony >> s/w for over a decade and this is entirely different - it provides a lot >> more flexibility, which makes things far, far less deterministic than >> what you have in telephony switches where your routing and translations >> are configured for the most part, with just a few capabilities for >> controlling the privacy and it's a closed network. >> >> With RFC4244/4244bis, there MUST be a mechanism at the UAS or end >> application that can handle a request that doesn't have the appropriate >> information either because nodes didn't support History-Info or some >> random node in the network applied privacy (which I think is highly >> unlikely) - this is normative per section 5 of RFC 4244. So, the worst >> case scenario I see for this 800 service (which will get to the right >> UAS but without the exact 800 number that was dialed) is that it goes to >> a default ACD group/customer service agent, etc. who then needs to >> gather the appropriate information and in my experience this is often an >> IVR system these days. So, the service is not broken when privacy is >> applied in an undesireable manner, it's just not optimal. This is >> something that should be addressed in the target-uri draft which has all >> the details of how specific services use History-Info. >> One other thing to consider is that most networks that are emulating >> telephony type features use B2BUAs, which follow the UAS/UAC rules for >> the header rather than the proxy rules, noting that the UAC can set the >> Privacy header to whatever value it sees as appropriate for the request. >> [/MB] >> >> >> Regards >> >> Ian >> >> -----Original Message----- >> From: Mary Barnes [mailto:mary.barnes@nortel.com] >> Sent: 24 June 2009 15:48 >> To: Ian Elz >> Cc: Christer Holmberg; Hans Erik van Elburg; Shida Schubert; >> sipcore@ietf.org; Francois Audet >> Subject: RE: 4244bis and privacy >> >> Hi Ian, >> >> I do not believe we should do the "override" behavior as I think that >> violates RFC 3323, as the "history" is really a subset of the cases >> whereby a UAC or proxy would add "session" or "header" to the request. >> And, the latter two cases have the same (undesireable) result. I agree >> this impacts your services, but we can't mandate that proxies provide >> information that might violate their local policies and indeed a proxy's >> local policies can result in the information being anonymized (or >> removed if they can't anonymize) even in the "none" case. >> >> I do believe it's reasonable that we strongly recommend that the request >> level (versus specific hi-entries) not be used and if it is used, the >> consequence is that some services will not have the information they >> need - this was the gist of my previous response (to which I did not get >> any additional feedback). Now, we could add some text that the "none" >> case SHOULD be used (e.g., added by first hop proxy) if it is desired >> that the information not be subject to privacy restrictions. I do not >> think it is then particularly useful to add logic around the proxy then >> being able to tag the entries within their domain as subject to privacy. >> I think that conflicts with the intent of the request level "none". >> However, as I mention above, per the current text, a proxy can (based on >> local policy) remove entries - so a proxy can capture hi within their >> domain and not forward any of that information to the next hop in >> another domain - you already have that functionality. But, I think this >> introduces the general problem that you might be impacting other >> services further down the line, which I thought was the problem you were >> wanting to solve - not specifically your example service but, for >> example, in the case that someone is debugging and they want the entire >> history, so depending upon the service, this is also undesirable >> behavior. >> >> >> Regards, >> Mary. >> >> -----Original Message----- >> From: Ian Elz [mailto:ian.elz@ericsson.com] >> Sent: Wednesday, June 24, 2009 2:57 AM >> To: Barnes, Mary (RICH2:AR00) >> Cc: Christer Holmberg; Hans Erik van Elburg; Shida Schubert; >> sipcore@ietf.org; Audet, Francois (SC100:3055) >> Subject: RE: 4244bis and privacy >> >> >> Mary, >> >> [I have added the list to this thread for wider comment.] >> >> In the previous discussions I commented that in RFC4424 that a Privacy >> header with value "history" effectively makes all H-I entries private >> with the result that the H-I entries may be removed. >> >> There has now been a comprehensive discussion on indication of the >> initial 'target' to the final recipient for call handling purposes. >> >> The main use case related to a freephone example where the answering >> location may be a call centre where the original freephone number may be >> required for correct call handling. >> >> If you now consider the following example (modified from Francois' text >> in the latest draft - excuse any errors that I may have inserted) >> >> INVITE sip:sip:+18001234567@example.com<sip%3Asip%3A%2B18001234567@example.com> >> ;user=phone;p=x >> Privacy: history >> History-Info: >> <sip:+18001234567@example.com <sip%3A%2B18001234567@example.com>;user=phone;p=x>;index=1;rt;aor >> (1) >> History-Info: <sip:bob@biloxi.example.com <sip%3Abob@biloxi.example.com> >> >;index=1.1;mp;aor >> (2) >> History-Info: <sip:bob@192.0.2.3 <sip%3Abob@192.0.2.3>>;index=1.1.1;rc >> (3) >> >> In this case due to the Privacy header all of the H-I entries are >> considered private and the +18001234567 will not be delivered to the >> final destination with the result that call handling may not be correct. >> The Privacy header may have been inserted by any of the nodes which >> routed the message and inserted a H-I entry. >> >> If however the H-I was allowed to include a header parameter of >> "?Privacy=none" in the H-I entry and that an explicit H-I entry privacy >> value would be considered to have precedence over a Privacy header with >> a value of "history" then the mapping of the +18001234567 could be >> explicitly specified as not private and may be passed on. >> >> Thus when the mapping from sip:+18001234567@example.com<sip%3A%2B18001234567@example.com>to >> sip:bob@biloxi.example.com <sip%3Abob@biloxi.example.com> when H-I entry >> (2) above is included could >> also insert the Privacy header parameter in H-I entry (1). >> >> Thus the message would appear as follows: >> >> INVITE sip:sip:+18001234567@example.com<sip%3Asip%3A%2B18001234567@example.com>; >> user=phone;p=x >> Privacy: history >> History-Info: >> <sip:+18001234567@example.com?Privacy=none;user=phone;p=x>;index=1;rt;ao >> r >> History-Info: <sip:bob@biloxi.example.com <sip%3Abob@biloxi.example.com> >> >;index=1.1;mp;aor >> History-Info: <sip:bob@192.0.2.3 <sip%3Abob@192.0.2.3>>;index=1.1.1;rc >> >> This would result in all the H-I entries except (1) being considered >> private with the result that the =1800... Number is passed for call >> handling purposes. >> >> This change is backward compatible with the existing implementation as >> any node using the existing functionality as defined in RFC4244 will >> continue to be supported. >> >> The alternative is to remove the ability to include the value "history" >> in the Privacy header and only allow this value in the Privacy header >> parameter. This alternative is not backward compatible. >> >> Without this change a single node in the message path which includes a >> header "Privacy: history" will prevent delivery of the aor and thus >> prevent proper call handling. >> >> Ian Elz >> >> >> >> -----Original Message----- >> From: Christer Holmberg >> Sent: 23 June 2009 19:40 >> To: 'Mary Barnes'; Francois Audet; Hans Erik van Elburg; Shida Schubert >> Cc: Ian Elz >> Subject: RE: 4244bis and privacy >> >> >> Hi, >> >> I include Ian, so he can comment to your resposne himself. >> >> Regards, >> >> Christer >> >> >> -----Original Message----- >> From: Mary Barnes [mailto:mary.barnes@nortel.com] >> Sent: Tuesday, June 23, 2009 9:40 PM >> To: Christer Holmberg; Francois Audet; Hans Erik van Elburg; Shida >> Schubert >> Subject: RE: 4244bis and privacy >> >> Here was the thread of response and the last comment was from Ian that >> he would consider the response: >> http://www.ietf.org/mail-archive/web/sip/current/msg26948.html >> >> And, there was not agreement on the "none" but rather to qualify the >> SHOULD NOT forward. However, in the sipcore-4244bis-00, rather than >> changing the text such that the headers SHOULD be removed, we recommend >> that they be anonymized (in section 4.3.3.3.1). That is entirely >> consistent with RFC 3324 and thus we have removed the recommendations to >> remove the headers entirely. However, that changed never got done in >> section 3.2, so we would need to change this: >> "Thus, the History- Info header >> SHOULD NOT be included in Requests where the requestor has indicated >> a priv-value of Session- or Header-level privacy." >> >> But, I'm really beginning to be of the mindset that we should just >> remove all the subsections of section 3 (i.e., leave the text in the >> upper level section), so we don't have to keep worrying about >> consistency. >> >> So, lets either fixt the text in 3.2 or remove altogether and then I >> think we are really at the point of needing to submit this version so >> folks that actually have an interest in it can review the updated >> document. >> >> Mary. >> >> -----Original Message----- >> From: Christer Holmberg [mailto:christer.holmberg@ericsson.com] >> Sent: Tuesday, June 23, 2009 1:10 PM >> To: Barnes, Mary (RICH2:AR00); Audet, Francois (SC100:3055); Hans Erik >> van Elburg; Shida Schubert >> Subject: 4244bis and privacy >> >> >> Hi, >> >> Below is a comment/proposal which one of my collegues (Ian Elz) gave on >> the list a while ago, when the first version of 4244bis was submitted, >> but was not incorporated. Do you think it would be useful? >> >> ------- >> >> While the HI approach to target may solve the problem of being able to >> deliver the target URI to the final destination there is no guarantee >> that it will actually be delivered. >> >> The problem arises with how Privacy is defined for HI. >> >> 4424 defines a new Privacy value "history" which may be placed in either >> the Privacy header or as a header parameter to the HI entry. >> >> If one node uses the former option "Privacy: history" then this will >> make all headers private and will result in all HI entries being removed >> or made anonymous when the message containing the HI is delivered to the >> user. >> >> There is a simple solution to this and that is to also allow the use of >> the "none" Privacy value as a header parameter in the HI entry. This >> would explicitly state that no privacy is required to the HI entry and >> this would override a "history" value in the Privacy header. >> >> I pointed this out to Mary when the 4424bis draft was first published >> but the change has not been made in the latest draft. >> >> The change is backward compatible and would not cause an issue with any >> existing implementations. >> >> ------ >> >> Regards, >> >> Christer >> >> >> >> >> >
- Re: [sipcore] 4244bis and privacy Ian Elz
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy Ian Elz
- Re: [sipcore] 4244bis and privacy Ian Elz
- Re: [sipcore] 4244bis and privacy Hans Erik van Elburg
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Hans Erik van Elburg
- Re: [sipcore] 4244bis and privacy Hans Erik van Elburg
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy R.Jesske
- Re: [sipcore] 4244bis and privacy Hans Erik van Elburg
- Re: [sipcore] 4244bis and privacy R.Jesske
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy R.Jesske
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy Elwell, John
- Re: [sipcore] 4244bis and privacy Ian Elz
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Ian Elz
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Elwell, John
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Hans Erik van Elburg
- Re: [sipcore] 4244bis and privacy Ian Elz