IETF Logo Mail Archive

Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones

Paul Kyzivat <paul.kyzivat@comcast.net> Fri, 23 December 2016 22:11 UTC

Return-Path: <paul.kyzivat@comcast.net>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32E65129485 for <sipcore@ietfa.amsl.com>; Fri, 23 Dec 2016 14:11:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.8
X-Spam-Level:
X-Spam-Status: No, score=-5.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=comcast.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 20Dh6dQZap8b for <sipcore@ietfa.amsl.com>; Fri, 23 Dec 2016 14:11:31 -0800 (PST)
Received: from resqmta-ch2-09v.sys.comcast.net (resqmta-ch2-09v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:41]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A5BB129439 for <sipcore@ietf.org>; Fri, 23 Dec 2016 14:11:31 -0800 (PST)
Received: from resomta-ch2-14v.sys.comcast.net ([69.252.207.110]) by resqmta-ch2-09v.sys.comcast.net with SMTP id KY3UcbEGiuazMKY3mcK94P; Fri, 23 Dec 2016 22:11:30 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20161114; t=1482531090; bh=ocmYhRsptES4gMHAq1SmUUpabCINZ7f3BsMpEzcR5SI=; h=Received:Received:Subject:To:From:Message-ID:Date:MIME-Version: Content-Type; b=WAeh8bB1A6ifomz5YrncmymqZjav0l15Xp9IyPUioKk2LmRPfBeUwha/nTKe5eYln Yd0Nwbmo1CYeY8acOrXxvqFlYdqdlnCheeV0J1Juf4MHKkDlsem3XFoi65RMG3jpuw qHwuZSaXYthGxJIjF/vw5A+TeTpj9W0Caei67ia6db4gJFZr41y7jeQQqHgQoNV2Wk aLoS7z9fTvuGibR4EI+yIPoKqh8Pm5VTFCyHCyfnEofoHM7zKkEGRJHHFm8G49DaJ+ wLo4FZSof/JwmbVX4Jr7H7gd3RYDBlIlxi4SOUeKVI45XiIOxxSSxoQJU/jxZzdty4 MuhAtvBMxjL9Q==
Received: from [192.168.1.110] ([73.186.127.100]) by resomta-ch2-14v.sys.comcast.net with SMTP id KY3lcVhPv2qkOKY3mcMw6i; Fri, 23 Dec 2016 22:11:30 +0000
To: sipcore@ietf.org
References: <e42393d8-9ddb-78ba-78fe-34f04f6d672d@nostrum.com> <D48194CE.14EEA%christer.holmberg@ericsson.com> <CO2PR03MB2342255BB9ECDF579283A930B2920@CO2PR03MB2342.namprd03.prod.outlook.com> <2341DDCB-C96D-441B-A6CA-049A8149FB0B@edvina.net> <SN2PR03MB235007F2298CD2EEDC718363B2920@SN2PR03MB2350.namprd03.prod.outlook.com> <EBAB0160-CDD2-4821-9765-44EF10742728@edvina.net> <SN2PR03MB2350D22AA44D07FE21369CB0B2920@SN2PR03MB2350.namprd03.prod.outlook.com> <C871E653-CAE4-456E-B397-1CB0B182D847@edvina.net> <SN2PR03MB2350C16785A81C21DEC8A9E2B2950@SN2PR03MB2350.namprd03.prod.outlook.com>
From: Paul Kyzivat <paul.kyzivat@comcast.net>
Message-ID: <955f2fa5-887a-fb54-d694-134e4cdab5f6@comcast.net>
Date: Fri, 23 Dec 2016 17:11:29 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <SN2PR03MB2350C16785A81C21DEC8A9E2B2950@SN2PR03MB2350.namprd03.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-CMAE-Envelope: MS4wfIK/VWzE3mJ9vtuU7eNJza1SfsOSTln46OTI4E2Biv6OMmhRqxR/XgeO61epgFNafL/8VbtTXCUV+utDWdVZTwTrF8UsIFcALX/+wkgCsOXh/UC5m0ey yA4ngdGJLznjdrttfRcqFpUljGVt2dyfmGANILv5UmW86JOuLLFrndDEdla6P+R79yjDGdlMgXviGw==
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/OXZbqZhNutt46TVxz7CT-QbZwo4>
Subject: Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Dec 2016 22:11:33 -0000

On 12/23/16 3:30 AM, Asveren, Tolga wrote:
> i- I agree with the need to “standardize” the “connection reuse per
> existing deployment semantics”.  I think what we are looking for is:
>
> -          Bidirectional connection reuse with TLS/server-side only
> certificate/UE authentication per SIP registration without RFC5626
>
> -          Bidirectional connection reuse with TCP over VPN, e.g. IPSec
>
> -          Bidirectional connection reuse with TCP when
> authentication/security is provided by L2

The problem in all of these cases is for the entity sending a request to 
be able to ascertain that the connection terminates on a device known to 
correspond to the URI used to address it.

Outbound was created to solve that problem. I have yet to see another 
"simpler" solution that provides that assurance.

As currently defined outbound can be used without redundancy if that is 
what you want to do. There is a requirement for the software to 
*support* use of redundancy, but deployments are free to configure 
without it. So I see no compelling reason to revise outbound for this 
purpose.

Maybe there is something simpler than outbound that will work. But it 
remains to be proposed.

	Thanks,
	Paul

> I am not sure what would be the best place to address these. It could be
> either happy-earballs or a new document. I would prefer the former and
> can provide text in either case.
>
>
>
> ii- The issue with SIP/UDP/DTLS is something quite different. It really
> is more about providing fast/practically feasible failover for DTLS
> connections (in addition to defining use of UDP/DTLS as a new transport
> for SIP but this part is relatively straightforward IMHO). In any case,
> let me use this opportunity to express my strong interest in this work
> one more time.
>
>
>
> Thanks,
>
> Tolga
>
>
>
> *From:*Olle E. Johansson [mailto:oej@edvina.net]
> *Sent:* Thursday, December 22, 2016 12:17 PM
> *To:* Asveren, Tolga <tasveren@sonusnet.com>
> *Cc:* Olle E Johansson <oej@edvina.net>; Christer Holmberg
> <christer.holmberg@ericsson.com>; Adam Roach <adam@nostrum.com>; SIPCORE
> <sipcore@ietf.org>; Ben Campbell <ben@nostrum.com>
> *Subject:* Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones
>
>
>
>
>
>     On 22 Dec 2016, at 18:08, Asveren, Tolga <tasveren@sonusnet.com
>     <mailto:tasveren@sonusnet.com>> wrote:
>
>
>
>     Thanks for the clarification.
>
>
>
>     i- I agree that connection re-use needs to be addressed as it would
>     be a normative change.
>
>     ii- Is it a mandate that mutual authentication needs to be used if
>     transport=tls? If so, that would require another normative change to
>     align with practical needs.
>
> The URI for the target and the cert for the UA server needs to match.
> It’s not mutual - two certs in the same TLS session, but that would also
>
> be one solution (there is a RFC for that). SIP Outbound permits reuse of
> the incoming connection and thus
>
> avoids this particular problem.
>
>
>
>     iii- I think both i-/ii- are relatively straightforward to address.
>     The more interesting/challenging aspect is how to failover DTLS
>     connections without a need for per-transaction state synchronization
>     and with the fewest round-trips possible.
>
> Connection reuse needs to be handled separately and needs to be
> something that is way more easy to implement than SIP outbound.
>
> We need something we can easily test and get it done soon, as I want
> more TLS on the SIP networks out there :-)
>
>
>
> The current way to handle this is connection reuse that breaks the RFCs,
> we have that implementation in Kamailio.
>
> If there is an open socket, TLS or TCP, we prefer to use it to make
> things work. I would love for this to be RFC compliant :-)
>
>
>
> /O
>
>
>
>     Thanks,
>
>     Tolga
>
>
>
>     *From:* Olle E. Johansson [mailto:oej@edvina.net]
>     *Sent:* Thursday, December 22, 2016 10:55 AM
>     *To:* Asveren, Tolga <tasveren@sonusnet.com
>     <mailto:tasveren@sonusnet.com>>
>     *Cc:* Olle E Johansson <oej@edvina.net <mailto:oej@edvina.net>>;
>     Christer Holmberg <christer.holmberg@ericsson.com
>     <mailto:christer.holmberg@ericsson.com>>; Adam Roach
>     <adam@nostrum.com <mailto:adam@nostrum.com>>; SIPCORE
>     <sipcore@ietf.org <mailto:sipcore@ietf.org>>; Ben Campbell
>     <ben@nostrum.com <mailto:ben@nostrum.com>>
>     *Subject:* Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and milestones
>
>
>
>
>
>         On 22 Dec 2016, at 16:34, Asveren, Tolga <tasveren@sonusnet.com
>         <mailto:tasveren@sonusnet.com>> wrote:
>
>
>
>         Olle,
>
>
>
>         I missed the point about why “practically possible failover”
>         needs to be solved both for TLS/DTLS (I am not arguing it would
>         be good to have a solution for both) and also what this issue in
>         general has something to do with client certificates.
>
>         Could you provide a bit more information/clarifications?
>
>
>
>     We’ve discussed it a number of times both here and on the SIP Forum
>     techwg mailing list. You can find summaries here:
>
>
>
>     http://www.slideshare.net/oej/sip-half-outbound-random-notes
>
>     http://www.slideshare.net/oej/sip-tls-security-in-a-peer-to-peer-world
>
>
>
>     In short, without SIP Outbound the client connection can’t be
>     re-used for outbound requests. Seems like there is a huge
>
>     resistance to implement SIP Outbound. We need a way for the client
>     to allow the server to reuse the inbound connection
>
>     for outbound requests even though there’s no TLS certificate
>     matching the URI on the client side.
>
>
>
>     We’ve had a lot of clients register with “;transport=tls” at SIPit
>     without a client cert - which means we can’t communicate
>
>     based on that registration.
>
>
>
>     Cheers,
>
>     /O
>
>
>
>
>         Thanks,
>
>         Tolga
>
>
>
>         *From:* Olle E. Johansson [mailto:oej@edvina.net]
>         *Sent:* Thursday, December 22, 2016 9:08 AM
>         *To:* Asveren, Tolga <tasveren@sonusnet.com
>         <mailto:tasveren@sonusnet.com>>
>         *Cc:* Olle E Johansson <oej@edvina.net <mailto:oej@edvina.net>>;
>         Christer Holmberg <christer.holmberg@ericsson.com
>         <mailto:christer.holmberg@ericsson.com>>; Adam Roach
>         <adam@nostrum.com <mailto:adam@nostrum.com>>; SIPCORE
>         <sipcore@ietf.org <mailto:sipcore@ietf.org>>; Ben Campbell
>         <ben@nostrum.com <mailto:ben@nostrum.com>>
>         *Subject:* Re: [sipcore] RESPONSE REQUESTED: SIPCORE work and
>         milestones
>
>
>
>
>
>             On 22 Dec 2016, at 14:50, Asveren, Tolga
>             <tasveren@sonusnet.com <mailto:tasveren@sonusnet.com>> wrote:
>
>
>
>             Regarding the interest in SIP/UDP/DTLS:
>
>             This is mainly based on prospect of larger scalability on
>             server side. There may/may not be an immediate need to
>             tweak/change things to make DTLS related processing
>             (hopefully just on the local stack level rather than on
>             on-the-wire protocol- with some supporting SIP enhancements)
>             more “failover friendly”. This issue requires more
>             analysis/discussion but does not sound unsolvable IMHO.
>
>         We will have to solve client connection reuse for both TLS and
>         DTLS sessions though. Unless you want to have
>
>         client certificates on all devices.
>
>
>
>         Adam as chair: SIP Client Connection Reuse is something we’ve
>         disussed under multiple names - “half outbound” or “why is
>         ;transport=tls”
>
>         deprecated” or “Why doesn’t SIP Outbound happen?”. Maybe that
>         deserves a milestone.
>
>
>
>         /O
>
>
>
>
>
>             Thanks,
>
>             Tolga
>
>
>
>             *From:* sipcore [mailto:sipcore-bounces@ietf.org] *On Behalf
>             Of *Christer Holmberg
>             *Sent:* Thursday, December 22, 2016 7:39 AM
>             *To:* Adam Roach <adam@nostrum.com
>             <mailto:adam@nostrum.com>>; 'SIPCORE' <sipcore@ietf.org
>             <mailto:sipcore@ietf.org>>
>             *Cc:* Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>>
>             *Subject:* Re: [sipcore] RESPONSE REQUESTED: SIPCORE work
>             and milestones
>
>
>
>             Hi,
>
>
>
>             I will obviously be actively involved in 4), and I also
>             agree that 5) should be done as it is a correction.
>
>
>
>             As far as the other potential work is concerned, 3) has the
>             highest priority for me, and I would actively participate in
>             that work.
>
>
>
>             I would review 1) and 2), but I would really like to see an
>             individual draft on 2) before we agree whether to create a
>             milestone for it. For example, I would like to see some
>             input on WHY to do it, and HOW it is intended to be deployed
>             etc. How does DTLS fit SIP? What are the advantages? OR, do
>             we want to specify DTLS-for-SIP simply because DTLS is “hot”?
>
>
>
>             Regards,
>
>
>
>             Christer
>
>
>
>             *From: *sipcore <sipcore-bounces@ietf.org
>             <mailto:sipcore-bounces@ietf.org>> on behalf of
>             "adam@nostrum.com <mailto:adam@nostrum.com>"
>             <adam@nostrum.com <mailto:adam@nostrum.com>>
>             *Date: *Tuesday 20 December 2016 at 22:27
>             *To: *"sipcore@ietf.org <mailto:sipcore@ietf.org>"
>             <sipcore@ietf.org <mailto:sipcore@ietf.org>>
>             *Cc: *Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>>
>             *Subject: *[sipcore] RESPONSE REQUESTED: SIPCORE work and
>             milestones
>
>
>
>             [as chair]
>
>             Now that we have our new charter approved, I'd like the
>             working group to have a discussion about the specific work
>             items that we should take on in the short- to medium-term so
>             that we can revise our milestones appropriately. Based on
>             recent discussions on the mailing list, the following topics
>             have some mind-share behind them. What I'd like from
>             everyone with an interest in any of these topics is to
>             indicate (a) whether you are willing to actively review and
>             comment on documents on the topic; and (b) what priority
>             each task has relative to each other: there are five topics;
>             please indicate a unique priority from one (most important)
>             to five (least important) for each topic.
>
>              1. "Happy Eyeballs for SIP" (aka Happy Earballs), currently
>                 under discussion on the list.
>              2. "DTLS Transport for SIP", as proposed by Tolga Asveren's
>                 recent messages.
>              3. A mechanism for labeling the nature of SIP calls, with
>                 <draft-schulzrinne-sipcore-callinfo-spam> as a likely
>                 candidate draft.
>              4. Fixing Content-ID in SIP, as discussed
>                 in <https://www.ietf.org/mail-archive/web/sipcore/current/msg07245.html>
>                 <https://www.ietf.org/mail-archive/web/sipcore/current/msg07245.html>,
>                 with <draft-holmberg-sipcore-content-id> as a likely
>                 candidate draft.
>              5. Clarifications around SIP name-addr, with
>                 <draft-sparks-sipcore-name-addr-guidance> as a likely
>                 candidate draft
>
>
>             I will also note that we have already declared consensus on
>             adopting <draft-ietf-sipcore-status-unwanted> as a WG
>             document, and will be adding an associated milestone. I want
>             to take this opportunity to remind people that the document
>             is in WGLC, and your comments are strongly encouraged, the
>             earlier the better.
>
>             Please respond before the end of 2016. Thanks!
>
>             Thanks!
>
>             /a
>
>             _______________________________________________
>             sipcore mailing list
>             sipcore@ietf.org <mailto:sipcore@ietf.org>
>             https://www.ietf.org/mailman/listinfo/sipcore
>
>
>
>
>
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>

v2.23.0 | Report a Bug | By Email