Re: [sipcore] 4028bis: forking
Roman Shpount <roman@telurix.com> Tue, 02 June 2020 06:17 UTC
Return-Path: <roman@telurix.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84BF53A07FB for <sipcore@ietfa.amsl.com>; Mon, 1 Jun 2020 23:17:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JuugHjKMsDRB for <sipcore@ietfa.amsl.com>; Mon, 1 Jun 2020 23:17:05 -0700 (PDT)
Received: from mail-ot1-x329.google.com (mail-ot1-x329.google.com [IPv6:2607:f8b0:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BACF23A07F8 for <sipcore@ietf.org>; Mon, 1 Jun 2020 23:17:05 -0700 (PDT)
Received: by mail-ot1-x329.google.com with SMTP id s13so6644otd.7 for <sipcore@ietf.org>; Mon, 01 Jun 2020 23:17:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5kkC3P5ZBx+mRVl1IwjzQI6CHz2ytrS57s/ATOKb+O4=; b=mfN+LmcD/JTqN0UD6/pTUmKp8Kyl9be0vpb2aEchJiI52ML/GE2wiSnAQhkccmAKKA G12Zm1HxJvWXKrQx0grD5oAps41XQN2JtsgRKKdTzrbPiGDSXbDq2FsejFkXnDx0sy1R UkK7v9UVyVrO+U+yBjBADXocipOr3ANVAG0TF2IkEE5mXhI9yTqloa1Yl8qxiX/Wxpyy TsZkk1OetY4HTdOTDqi+p7c1TwDQewdoBZIkTwB6FL7H2P3ohzRoc5ng6ylPBoTEyaar k+uFSjPqNeh4HTaCCL6yF18FPKCqsr/xIqjrq7Ex1jwOIAMiv579EjJ+z1UI7Stb3FE8 Sd2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5kkC3P5ZBx+mRVl1IwjzQI6CHz2ytrS57s/ATOKb+O4=; b=m/SdQr3WZcFk6H3XEtDwT/rDJnjWNrfzOZ6EdvBM5iupCefb8FUalPaMZJKP27pL2e okGAKCS8EU+D9fJ3HSL8GgrigXoOuysw4fOVWvZeNJtTLW6Y9X3B+TZsVX3vhfsHke+1 PGVeiXl+PirgioYqZoNN2uzF34c5uBibAlSWxYOg4+N+um+mSdMSYOwBnCBY9D9ksVq5 tMiURlhj9tDvunkShBQbudzBs2vmQJah0viVtKjFkUVmIvdqcJrrKenmsccOThZfCV8m l+Hdo+iNWcWSa2Wy+RejnaMI3eqadVUuMp81FhnT/i/uOoPmsY3wNCvNnIcq6Y8e5HkI tGfw==
X-Gm-Message-State: AOAM530yshw5R44DSfnIlzRBlqJnYPiVHoD8u/0C38QUryMiBb0lmuuv UAW3StquhJgLphi/B9WPtyUmZFzZD38=
X-Google-Smtp-Source: ABdhPJzyL3XXdl8Vf8YCXzU1QswFZcUCGd/gsad7uMIOJMHBBb35ZLHd5Jjuuc9jiwSgzl3i8/CxuQ==
X-Received: by 2002:a9d:6d19:: with SMTP id o25mr179793otp.354.1591078624449; Mon, 01 Jun 2020 23:17:04 -0700 (PDT)
Received: from mail-ot1-f50.google.com (mail-ot1-f50.google.com. [209.85.210.50]) by smtp.gmail.com with ESMTPSA id p4sm428429oti.59.2020.06.01.23.17.03 for <sipcore@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 01 Jun 2020 23:17:03 -0700 (PDT)
Received: by mail-ot1-f50.google.com with SMTP id b18so10058112oti.1 for <sipcore@ietf.org>; Mon, 01 Jun 2020 23:17:03 -0700 (PDT)
X-Received: by 2002:a9d:5d08:: with SMTP id b8mr19106919oti.19.1591078622794; Mon, 01 Jun 2020 23:17:02 -0700 (PDT)
MIME-Version: 1.0
References: <87zh9rh3r6.fsf@hobgoblin.ariadne.com> <d11b3de6-9c51-91c0-125e-175d6ff15bc5@gmail.com> <CAD5OKxvDsa6fyEVfz2-zPOzSHLtNn9_MoaSgr+ucx6Ba-jPU3Q@mail.gmail.com> <e393d63d-806e-cdd5-ee43-37d6772954b0@gmail.com>
In-Reply-To: <e393d63d-806e-cdd5-ee43-37d6772954b0@gmail.com>
From: Roman Shpount <roman@telurix.com>
Date: Tue, 02 Jun 2020 02:16:51 -0400
X-Gmail-Original-Message-ID: <CAD5OKxswTcezuCetbFv6Ec90JNGoc4yoPvLsp_2j9HKaSGYPiw@mail.gmail.com>
Message-ID: <CAD5OKxswTcezuCetbFv6Ec90JNGoc4yoPvLsp_2j9HKaSGYPiw@mail.gmail.com>
To: OKUMURA Shinji <ietf.shinji@gmail.com>
Cc: SIPCORE <sipcore@ietf.org>, "Dale R. Worley" <worley@ariadne.com>
Content-Type: multipart/alternative; boundary="0000000000001f17fd05a713dcc9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/NfwZpCwbaJRgXRkPgiTW8vht_gE>
Subject: Re: [sipcore] 4028bis: forking
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2020 06:17:08 -0000
Shinji, I have an issue with two of your proposals: 1. Proxy cannot add Session-Timer 2. Proxy cannot generate 422 response Both break session timer as it is implemented and used now. Best, _____________ Roman Shpount On Mon, Jun 1, 2020 at 9:51 PM OKUMURA Shinji <ietf.shinji@gmail.com> wrote: > Roman, > > Three(b, c, d) of my suggestions are the same as RFC4028. The last one(a) > also does not violate the RFC4028. Therefore, this situation can occur even > with the current regulations. > > And rules regarding Min-SE have not changed. Even without using the 422 > response, proxies can indicate the desired Min-SE to a UAS. So if there is > a security risk, it means that the RFC4028 has the same risk. > > Regards, > > Shinji > > On 2020/06/02 2:02, Roman Shpount wrote: > > Shinji, > > > > The main purposes of session timers is to allow SIP proxies to maintain > dialog state for billing and other purposes. Proxies are the main agents > that insert Session-Expires header. In most cases there is no reason for UA > to use session timers since they can normally monitor call presence without > it. Your proposal makes the most common use case for session timers > impossible. > > > > Min-SE exists mainly for the purpose of preventing badly behaving > proxies or UA from overload proxies on the call path or UAS. Not allowing > proxy to send 422 creates a big security risk. > > > > My general attitude is that parallel forking is broken for a lot of use > cases anyway, so it should be avoided. I do not think a lot of production > deployments are actually use parallel forking. Most of the UA would not > handle multiple 200 OK responses that can be created as a result of > parallel fork. Session timers are, on the other hand, are used a lot. So I > would prefer to live with broken or under-specified parallel forking vs > breaking session timers. > > > > Thank You, > > _____________ > > Roman Shpount > > > > > > On Mon, Jun 1, 2020 at 5:57 AM OKUMURA Shinji <ietf.shinji@gmail.com > <mailto:ietf.shinji@gmail.com>> wrote: > > > > Hi, > > > > I've not intended to suggest a common solution to the fork-issue. I > am interested in how the fork does not happen. It is related to the > behavior of proxies and a UAS in the 1st phase that you mention. My > suggestion is that a UAS and proxies SHOULD avoid returning 422 as much as > possible. > > > > Considering backward compatibility, rules are as follows. > > > > a) A UAC and proxies should not insert a Session-Expires header. > > b) A UAC and proxies may insert a Min-SE header or increase the > value of it. > > c) A UAS may insert a Session-Expires header into a 200 response. > > d) A proxy may insert a Session-Expires header into a 200 response, > but must not modify it. > > > > Of course legacy proxies will return 422, but this is unavoidable. > > In that case, the following rule may be useful. > > > > e) If a proxy increases the value of a Min-SE header and it becomes > greater than the value of a Session-Expires header, then a proxy should > increase the value of a Session-Expires header to the value of a Min-SE > header. > > > > However, this rule can be problematic in terms of backward > compatibility. > > > > Shinji > > > > On 2020/05/29 11:30, Dale R. Worley wrote: > > > OKUMURA Shinji <ietf.shinji@gmail.com <mailto: > ietf.shinji@gmail.com>> writes: > > >> As you point out, the other responses(407, 420, ...) cause the > same problem. > > >> But session-timer is essentially a kind of pre-condition, so I'd > like > > >> to avoid incoming calls to fail because of it. And I'd like to > sort > > >> out also the rules in early dialog. > > > > > >> On 2020/05/27 19:16, Christer Holmberg wrote: > > >>> A proxy rejecting a request is not unique to the session-timer. > > >>> > > >>> If Alice receives a 422 she can send a CANCEL (if other early > dialogs > > >>> have been established), and then a new initial INVITE. > > > > > > (This has a larger scope than just session-timers.) > > > > > > I don't know if the above writers intended this point, but > reading what > > > they have said suggests to me this possible behavior for proxies > (which > > > I don't recall seeing suggested): > > > > > > Note that 422 is one of a number of "pre-condition failure" > response > > > codes. Those have the properties (1) when they are generated, > they are > > > generated nearly immediately from the INVITE, and (2) the UAC can > adjust > > > the INVITE to prevent them. > > > > > > Suppose that if a proxy receives one of these "pre-condition > failure" > > > responses, it immediately (or with short delay on a human scale) > cancels > > > all remaining forks of the transaction and returns the failure > response > > > upstream. > > > > > > The effect is to split the "early dialog" phase into two > sub-phases, (1) > > > a very short phase where the forking of the INVITE effectively > probes > > > for proxies and UASs that object to the the INVITE for > "pre-condition" > > > reasons, and (2) a longer phase which resembles the current early > dialog > > > phase. > > > > > > There are probably refinements needed to make this work in all > cases. > > > > > > Dale > > > > > > > _______________________________________________ > > sipcore mailing list > > sipcore@ietf.org <mailto:sipcore@ietf.org> > > https://www.ietf.org/mailman/listinfo/sipcore > > >
- [sipcore] 4028bis: forking OKUMURA Shinji
- Re: [sipcore] 4028bis: forking Christer Holmberg
- Re: [sipcore] 4028bis: forking Paul Kyzivat
- Re: [sipcore] 4028bis: forking worley
- Re: [sipcore] 4028bis: forking OKUMURA Shinji
- Re: [sipcore] 4028bis: forking OKUMURA Shinji
- Re: [sipcore] 4028bis: forking OKUMURA Shinji
- Re: [sipcore] 4028bis: forking Christer Holmberg
- Re: [sipcore] 4028bis: forking worley
- Re: [sipcore] 4028bis: forking OKUMURA Shinji
- Re: [sipcore] 4028bis: forking Roman Shpount
- Re: [sipcore] 4028bis: forking OKUMURA Shinji
- Re: [sipcore] 4028bis: forking Roman Shpount
- Re: [sipcore] 4028bis: forking OKUMURA Shinji
- Re: [sipcore] 4028bis: forking Roman Shpount