Re: [sipcore] New Version Notification for draft-ibc-sipcore-sip-websocket-00 (previously draft-ibc-rtcweb-sip-websocket-00)

[Iñaki Baz Castillo <ibc@aliax.net>]

2011/12/2 Gilad Shaham <gilad@voxisoft.com>:
>> Said that, what do you exactly miss (related to sips) in the draft?
>> maybe an example flow? or perhaps a consideration that "in presence of
>> a sips URI the WebSocket transport must be secure which means "wss"
>> URI in the WebSocket connection"?
>>
> If using sips in the examples has a negative effect on clarity I understand,
> but it is a bcp and a recommendation, is it not? It should be clear that
> implementors would not rely solely on 'wss' for end-to-end-encryption, but
> rather use sips URI for that purpose, especially since the draft does
> recommend securing the traffic. In other words, I believe there should be at
> the very least text explaining that in the security considerations section.

Ok, it makes sense. We will add a text under the Security section
about the relationship between SIPS usage and WSS transport
requirement.




>> As explained in the draft, the JavaScript stack in WebSocket capable
>> web browsers has no way to determine the source IP:port from which a
>> WebSocket connection has been established, this is, the SIP UA running
>> within a JavaScript application in a web does not know its local
>> address. Therefore we've chosen 'anonymous.invalid' for Via
>> sentby-host value and for Contact in the initial REGISTER (once the
>> registration is done, the SIP UA would know its GRUU addresses).
>> Regardless GRUU is implemented in the registrar, the usage of Outbound
>> (RFC 5626) makes unnecessary for the SIP UA to know its local address.
>>
>> Of course, in case there is a hostname more appropriate than
>> 'anonymous.invalid' then we could propose it. Is there?
>
> The string did reminded me of the privacy extensions, since it's used in the
> From header, but I was more concerned there is something unspecified.
> Outbound still mandates a URI since the authoritative proxy will store that
> value to form the target set and therefore it seems as if the UA should be
> prepared to receive anonymous.invalid as target URI. Should that be the case
> or should the UA generate some kind of URI? It's just an example and it's
> possible it's easy to explain how it works, but my point is that this seems
> undefined.
>
> I agree that the URI should not be mandatory since it is due to javascript
> security limitations and it's certainly possible this transport would be
> used outside the browser. If you are looking for alternative hostnames,
> 'localhost' comes to mind, but I didn't really consider whether it's better,
> worse or equivalent.

Yes, using localhost would be another option, but it has a drawback in
case the WebSocket SIP UA does not use GRUU: in that case a remote
peer would see "localhost" as the target of of WS UA. If it sends a
REFER to a third participant containing "Refer-To:
<sip:alice@localhost;transport=ws>" then the third participant would
try to open a WS connection to itself. Well, as the draft states, GRUU
is required for SIP UA's using WebSocket transport, at least in web
browsers.

So I'm not sure wheter using "localhost" is better than using
"anonymous.invalid". Maybe it is better to use "invalid.domain"?

Thanks a lot.


-- 
Iñaki Baz Castillo
<ibc@aliax.net>