IETF Logo Mail Archive

Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones

"Asveren, Tolga" <tasveren@sonusnet.com> Fri, 23 December 2016 08:30 UTC

Return-Path: <tasveren@sonusnet.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EF1B1294AE for <sipcore@ietfa.amsl.com>; Fri, 23 Dec 2016 00:30:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sonusnetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0oUA0TN7zyv5 for <sipcore@ietfa.amsl.com>; Fri, 23 Dec 2016 00:30:48 -0800 (PST)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0050.outbound.protection.outlook.com [104.47.42.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1D1B1299A2 for <sipcore@ietf.org>; Fri, 23 Dec 2016 00:30:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=SonusNetworks.onmicrosoft.com; s=selector1-sonusnet-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=+feoqBbbRb3chWeDmLBoIaIFLQSlqZ4IE1wPNh8tjJE=; b=H+siJoqA4Qp/HOPgpYxNatgW1EbiJBFVuL5X85kSH+mzetYYjOLrSZk/vnLxsqxFpNnfkZ1XoTf5YtARB2YwiLtIuPIdBeRFFJsqpcpxsAH0x2ivydWZEnsPGzApHQXpWxE1icxe8xVNnhL1DhqN6T97uKRT55mOJ8c57cAnV8k=
Received: from SN2PR03MB2350.namprd03.prod.outlook.com (10.166.210.141) by SN2PR03MB2350.namprd03.prod.outlook.com (10.166.210.141) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.803.11; Fri, 23 Dec 2016 08:30:45 +0000
Received: from SN2PR03MB2350.namprd03.prod.outlook.com ([10.166.210.141]) by SN2PR03MB2350.namprd03.prod.outlook.com ([10.166.210.141]) with mapi id 15.01.0803.015; Fri, 23 Dec 2016 08:30:45 +0000
From: "Asveren, Tolga" <tasveren@sonusnet.com>
To: "Olle E. Johansson" <oej@edvina.net>
Thread-Topic: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones
Thread-Index: AQHSWv96++N6DRIq/E2cKGNWf6YDKaET6r4AgAAS3iCAAAYCAIAAF0yAgAAGmwCAABLYMIAAA+sAgADDHnA=
Date: Fri, 23 Dec 2016 08:30:44 +0000
Message-ID: <SN2PR03MB2350C16785A81C21DEC8A9E2B2950@SN2PR03MB2350.namprd03.prod.outlook.com>
References: <e42393d8-9ddb-78ba-78fe-34f04f6d672d@nostrum.com> <D48194CE.14EEA%christer.holmberg@ericsson.com> <CO2PR03MB2342255BB9ECDF579283A930B2920@CO2PR03MB2342.namprd03.prod.outlook.com> <2341DDCB-C96D-441B-A6CA-049A8149FB0B@edvina.net> <SN2PR03MB235007F2298CD2EEDC718363B2920@SN2PR03MB2350.namprd03.prod.outlook.com> <EBAB0160-CDD2-4821-9765-44EF10742728@edvina.net> <SN2PR03MB2350D22AA44D07FE21369CB0B2920@SN2PR03MB2350.namprd03.prod.outlook.com> <C871E653-CAE4-456E-B397-1CB0B182D847@edvina.net>
In-Reply-To: <C871E653-CAE4-456E-B397-1CB0B182D847@edvina.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=tasveren@sonusnet.com;
x-originating-ip: [73.29.18.75]
x-ms-office365-filtering-correlation-id: 51ab8c61-f27d-4119-063f-08d42b0dfd63
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:SN2PR03MB2350;
x-microsoft-exchange-diagnostics: 1; SN2PR03MB2350; 7:tllInRP02PCZs007FHjB/4FPKp8mzwK57SaIj2/C3H0b+6yfG7FnF9aQ1gVX2GptVUfwbHsIGAup74VlhxvJzV5saq+ZmDs7hA6iUvKGyxoUM60tMxEtr3tg7yXnIABtJ8P9up2S4evMHii9TKWs2t96pS1MKxisuxoe9lU8ywOGApUfYZocUBGqvqumllSlPZQDpjFh481THXsnjTLKSebasQ4ThxZtpOlQWeGAxJL1yqljB/BBMoAB7j/byoefYBBv7i1vX+SrrSTGoah5TmX6W0PT84auR9ig9L6uRoyetR9kvvfLwbZQ0JBjYH3QSTwrDeA1/5msBN8A7kjbB3bqrSFJyQmQDEv8cFbapXQhrbXB365HNGdKg1ZeU4nLvTkEBqzWYTvWztM/9189wvtLlQtBMSMVS8YOtHRS6UKqpG10vGLGApNi7SVvx6zOV7/siLhCTb5NRn+xck+kQQ==
x-microsoft-antispam-prvs: <SN2PR03MB23507E658E8A105BD08051BDB2950@SN2PR03MB2350.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(37575265505322)(158342451672863)(192374486261705)(100405760836317)(178636050973902)(21748063052155)(132712982866762);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6041248)(20161123560025)(20161123564025)(20161123562025)(20161123555025)(6072148)(6047074); SRVR:SN2PR03MB2350; BCL:0; PCL:0; RULEID:; SRVR:SN2PR03MB2350;
x-forefront-prvs: 016572D96D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(7916002)(39410400002)(39830400002)(39450400003)(51914003)(24454002)(377454003)(189002)(199003)(7736002)(551934003)(101416001)(6506006)(2950100002)(38730400001)(6916009)(2900100001)(6116002)(790700001)(93886004)(3846002)(102836003)(105586002)(4326007)(106116001)(229853002)(6436002)(50986999)(77096006)(25786008)(33656002)(106356001)(92566002)(7696004)(54356999)(606005)(99286002)(5660300001)(110136003)(86362001)(9686002)(76176999)(97736004)(122556002)(66066001)(3280700002)(8936002)(3660700001)(81156014)(81166006)(8676002)(76576001)(2906002)(19609705001)(189998001)(68736007)(7906003)(74316002); DIR:OUT; SFP:1101; SCL:1; SRVR:SN2PR03MB2350; H:SN2PR03MB2350.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: sonusnet.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_SN2PR03MB2350C16785A81C21DEC8A9E2B2950SN2PR03MB2350namp_"
MIME-Version: 1.0
X-OriginatorOrg: sonusnet.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Dec 2016 08:30:45.0135 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 29a671dc-ed7e-4a54-b1e5-8da1eb495dc3
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN2PR03MB2350
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/AMsbh_Zmx_PtnP15Cn1XVPjR1lg>
Cc: Ben Campbell <ben@nostrum.com>, SIPCORE <sipcore@ietf.org>
Subject: Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Dec 2016 08:30:51 -0000

i- I agree with the need to “standardize” the “connection reuse per existing deployment semantics”.  I think what we are looking for is:

-          Bidirectional connection reuse with TLS/server-side only certificate/UE authentication per SIP registration without RFC5626

-          Bidirectional connection reuse with TCP over VPN, e.g. IPSec

-          Bidirectional connection reuse with TCP when authentication/security is provided by L2

I am not sure what would be the best place to address these. It could be either happy-earballs or a new document. I would prefer the former and can provide text in either case.

ii- The issue with SIP/UDP/DTLS is something quite different. It really is more about providing fast/practically feasible failover for DTLS connections (in addition to defining use of UDP/DTLS as a new transport for SIP but this part is relatively straightforward IMHO). In any case, let me use this opportunity to express my strong interest in this work one more time.

Thanks,
Tolga

From: Olle E. Johansson [mailto:oej@edvina.net]
Sent: Thursday, December 22, 2016 12:17 PM
To: Asveren, Tolga <tasveren@sonusnet.com>
Cc: Olle E Johansson <oej@edvina.net>; Christer Holmberg <christer.holmberg@ericsson.com>; Adam Roach <adam@nostrum.com>; SIPCORE <sipcore@ietf.org>; Ben Campbell <ben@nostrum.com>
Subject: Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones


On 22 Dec 2016, at 18:08, Asveren, Tolga <tasveren@sonusnet.com<mailto:tasveren@sonusnet.com>> wrote:

Thanks for the clarification.

i- I agree that connection re-use needs to be addressed as it would be a normative change.
ii- Is it a mandate that mutual authentication needs to be used if transport=tls? If so, that would require another normative change to align with practical needs.
The URI for the target and the cert for the UA server needs to match. It’s not mutual - two certs in the same TLS session, but that would also
be one solution (there is a RFC for that). SIP Outbound permits reuse of the incoming connection and thus
avoids this particular problem.


iii- I think both i-/ii- are relatively straightforward to address. The more interesting/challenging aspect is how to failover DTLS connections without a need for per-transaction state synchronization and with the fewest round-trips possible.
Connection reuse needs to be handled separately and needs to be something that is way more easy to implement than SIP outbound.
We need something we can easily test and get it done soon, as I want more TLS on the SIP networks out there :-)

The current way to handle this is connection reuse that breaks the RFCs, we have that implementation in Kamailio.
If there is an open socket, TLS or TCP, we prefer to use it to make things work. I would love for this to be RFC compliant :-)

/O


Thanks,
Tolga

From: Olle E. Johansson [mailto:oej@edvina.net]
Sent: Thursday, December 22, 2016 10:55 AM
To: Asveren, Tolga <tasveren@sonusnet.com<mailto:tasveren@sonusnet.com>>
Cc: Olle E Johansson <oej@edvina.net<mailto:oej@edvina.net>>; Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>>; Adam Roach <adam@nostrum.com<mailto:adam@nostrum.com>>; SIPCORE <sipcore@ietf.org<mailto:sipcore@ietf.org>>; Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>>
Subject: Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones


On 22 Dec 2016, at 16:34, Asveren, Tolga <tasveren@sonusnet.com<mailto:tasveren@sonusnet.com>> wrote:

Olle,

I missed the point about why “practically possible failover” needs to be solved both for TLS/DTLS (I am not arguing it would be good to have a solution for both) and also what this issue in general has something to do with client certificates.
Could you provide a bit more information/clarifications?

We’ve discussed it a number of times both here and on the SIP Forum techwg mailing list. You can find summaries here:

http://www.slideshare.net/oej/sip-half-outbound-random-notes
http://www.slideshare.net/oej/sip-tls-security-in-a-peer-to-peer-world

In short, without SIP Outbound the client connection can’t be re-used for outbound requests. Seems like there is a huge
resistance to implement SIP Outbound. We need a way for the client to allow the server to reuse the inbound connection
for outbound requests even though there’s no TLS certificate matching the URI on the client side.

We’ve had a lot of clients register with “;transport=tls” at SIPit without a client cert - which means we can’t communicate
based on that registration.

Cheers,
/O



Thanks,
Tolga

From: Olle E. Johansson [mailto:oej@edvina.net]
Sent: Thursday, December 22, 2016 9:08 AM
To: Asveren, Tolga <tasveren@sonusnet.com<mailto:tasveren@sonusnet.com>>
Cc: Olle E Johansson <oej@edvina.net<mailto:oej@edvina.net>>; Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>>; Adam Roach <adam@nostrum.com<mailto:adam@nostrum.com>>; SIPCORE <sipcore@ietf.org<mailto:sipcore@ietf.org>>; Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>>
Subject: Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones


On 22 Dec 2016, at 14:50, Asveren, Tolga <tasveren@sonusnet.com<mailto:tasveren@sonusnet.com>> wrote:

Regarding the interest in SIP/UDP/DTLS:
This is mainly based on prospect of larger scalability on server side. There may/may not be an immediate need to tweak/change things to make DTLS related processing (hopefully just on the local stack level rather than on on-the-wire protocol- with some supporting SIP enhancements) more “failover friendly”. This issue requires more analysis/discussion but does not sound unsolvable IMHO.
We will have to solve client connection reuse for both TLS and DTLS sessions though. Unless you want to have
client certificates on all devices.

Adam as chair: SIP Client Connection Reuse is something we’ve disussed under multiple names - “half outbound” or “why is ;transport=tls”
deprecated” or “Why doesn’t SIP Outbound happen?”. Maybe that deserves a milestone.

/O




Thanks,
Tolga

From: sipcore [mailto:sipcore-bounces@ietf.org] On Behalf Of Christer Holmberg
Sent: Thursday, December 22, 2016 7:39 AM
To: Adam Roach <adam@nostrum.com<mailto:adam@nostrum.com>>; 'SIPCORE' <sipcore@ietf.org<mailto:sipcore@ietf.org>>
Cc: Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>>
Subject: Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones

Hi,

I will obviously be actively involved in 4), and I also agree that 5) should be done as it is a correction.

As far as the other potential work is concerned, 3) has the highest priority for me, and I would actively participate in that work.

I would review 1) and 2), but I would really like to see an individual draft on 2) before we agree whether to create a milestone for it. For example, I would like to see some input on WHY to do it, and HOW it is intended to be deployed etc. How does DTLS fit SIP? What are the advantages? OR, do we want to specify DTLS-for-SIP simply because DTLS is “hot”?

Regards,

Christer

From: sipcore <sipcore-bounces@ietf.org<mailto:sipcore-bounces@ietf.org>> on behalf of "adam@nostrum.com<mailto:adam@nostrum.com>" <adam@nostrum.com<mailto:adam@nostrum.com>>
Date: Tuesday 20 December 2016 at 22:27
To: "sipcore@ietf.org<mailto:sipcore@ietf.org>" <sipcore@ietf.org<mailto:sipcore@ietf.org>>
Cc: Ben Campbell <ben@nostrum.com<mailto:ben@nostrum.com>>
Subject: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones

[as chair]

Now that we have our new charter approved, I'd like the working group to have a discussion about the specific work items that we should take on in the short- to medium-term so that we can revise our milestones appropriately. Based on recent discussions on the mailing list, the following topics have some mind-share behind them. What I'd like from everyone with an interest in any of these topics is to indicate (a) whether you are willing to actively review and comment on documents on the topic; and (b) what priority each task has relative to each other: there are five topics; please indicate a unique priority from one (most important) to five (least important) for each topic.

  1.  "Happy Eyeballs for SIP" (aka Happy Earballs), currently under discussion on the list.
  2.  "DTLS Transport for SIP", as proposed by Tolga Asveren's recent messages.
  3.  A mechanism for labeling the nature of SIP calls, with <draft-schulzrinne-sipcore-callinfo-spam> as a likely candidate draft.
  4.  Fixing Content-ID in SIP, as discussed in <https://www.ietf.org/mail-archive/web/sipcore/current/msg07245.html><https://www.ietf.org/mail-archive/web/sipcore/current/msg07245.html>, with <draft-holmberg-sipcore-content-id> as a likely candidate draft.
  5.  Clarifications around SIP name-addr, with <draft-sparks-sipcore-name-addr-guidance> as a likely candidate draft

I will also note that we have already declared consensus on adopting <draft-ietf-sipcore-status-unwanted> as a WG document, and will be adding an associated milestone. I want to take this opportunity to remind people that the document is in WGLC, and your comments are strongly encouraged, the earlier the better.

Please respond before the end of 2016. Thanks!

Thanks!

/a
_______________________________________________
sipcore mailing list
sipcore@ietf.org<mailto:sipcore@ietf.org>
https://www.ietf.org/mailman/listinfo/sipcore

v2.23.0 | Report a Bug | By Email