IETF Logo Mail Archive

Re: [sipcore] AD Evaluation of draft-ietf-sipcore-sip-push-11 - Other issues

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 22 August 2018 08:16 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33944120049 for <sipcore@ietfa.amsl.com>; Wed, 22 Aug 2018 01:16:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.311
X-Spam-Level:
X-Spam-Status: No, score=-4.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vU9qP3G36Uxg for <sipcore@ietfa.amsl.com>; Wed, 22 Aug 2018 01:16:17 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C2CC127148 for <sipcore@ietf.org>; Wed, 22 Aug 2018 01:16:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1534925774; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=wVpc9pdlvPROokRc5YzjzUWBRHM6aT1FeAGMjvCrJ8U=; b=DM/9hUBVCF2d2SBjf+eOdkPTjFG9CXt4uRSgFgY+dgM8FuHixXf/z3T/JEJhjQNv lKEPUOpP4yWLNKnU4J+FAu4WLyqZnSILtbdRCl8pYoLIpJMB/p9viFTmpzzT55h7 NDOnFBQP/loVB4URQprRSs0+hNXRO0OwztweiflW/Yc=;
X-AuditID: c1b4fb2d-223ff700000055ff-d5-5b7d1bce2e46
Received: from ESESBMB504.ericsson.se (Unknown_Domain [153.88.183.117]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 8C.CA.22015.ECB1D7B5; Wed, 22 Aug 2018 10:16:14 +0200 (CEST)
Received: from ESESBMB503.ericsson.se (153.88.183.170) by ESESBMB504.ericsson.se (153.88.183.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 22 Aug 2018 10:16:14 +0200
Received: from ESESBMB503.ericsson.se ([153.88.183.186]) by ESESBMB503.ericsson.se ([153.88.183.186]) with mapi id 15.01.1466.003; Wed, 22 Aug 2018 10:16:14 +0200
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Ben Campbell <ben@nostrum.com>
CC: "draft-ietf-sipcore-sip-push.all@ietf.org" <draft-ietf-sipcore-sip-push.all@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>
Thread-Topic: [sipcore] AD Evaluation of draft-ietf-sipcore-sip-push-11 - Other issues
Thread-Index: AdQu5bcp89vbqJBWSM+XUA6XcwBWJgKpMdGAABvaWwA=
Date: Wed, 22 Aug 2018 08:16:14 +0000
Message-ID: <D7A2F2B8.34EBC%christer.holmberg@ericsson.com>
References: <b1168d5b7c5440ef88f51aa796bb8337@ericsson.com> <F44C4ED7-2A47-42DC-906F-66183B224975@nostrum.com>
In-Reply-To: <F44C4ED7-2A47-42DC-906F-66183B224975@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.7.170905
x-originating-ip: [153.88.183.157]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <F0AC9DF16B02894DACB92B99F8D63749@ericsson.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrGIsWRmVeSWpSXmKPExsUyM2J7qe456dpog+NrzS3md55mt3iz7SSj Re/nhcwWX39sYnNg8Viy5CeTx6ydT1gCmKK4bFJSczLLUov07RK4Mtbums5ScCK04u3ZWWwN jP9cuhg5OCQETCRWnU/vYuTiEBI4yijx6fgtRgjnG6PEn+37mSCcZYwSz/fPZwfpYBOwkOj+ p93FyMkhIqAk8bx5KwtIDbPATkaJJy3b2UASwgLhEn/7nzFDFEVIbPg3hxXCtpI4uXM/WJxF QFXiSMdrFhCbV8BaYsXXWawg84UECiT+nQgCCXMK2EssWDANrJxRQEzi+6k1TCA2s4C4xK0n 88FsCQEBiSV7zjND2KISLx//A1slKqAnseHEbXaIuJLElt4tUL0GEu/PzWeGsK0lXnQ1s0LY 2hLLFr5mhjhHUOLkzCcsExglZiFZNwtJ+ywk7bOQtM9C0r6AkXUVo2hxanFxbrqRsV5qUWZy cXF+nl5easkmRmBsHtzyW3cH4+rXjocYBTgYlXh4fTlqo4VYE8uKK3MPMUpwMCuJ8D7fXBMt xJuSWFmVWpQfX1Sak1p8iFGag0VJnFdv1Z4oIYH0xJLU7NTUgtQimCwTB6dUA6N03MZnrVs+ aFpxiL5RMj9kuearyC3JA97209S2B6ckzM+s1OGZ83j3w5nMf61l8zYwZj0sXrdtca+owVcl j+/pc9t09F+3Wc7ZzvclhPvT8t2P9n76O1mSf/cDnt1qSh4FvpwWMzQdrm2YtX3t12Cj7783 HvY1XMpvHBuUU6/zLkFecdfGlWlKLMUZiYZazEXFiQDabfcmyQIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/Q7HqQDATGoVubN07tBVPWzmIxeI>
Subject: Re: [sipcore] AD Evaluation of draft-ietf-sipcore-sip-push-11 - Other issues
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Aug 2018 08:16:19 -0000

Hi,

...

>>> - Please elaborate on the practical effect of supporting VAPID.
>> 
>> I am not sure how much information this document should contain. There
>>is already a reference, and the Security Considerations contains the
>>following paragraph:
>> 
>>   "[RFC8292] defines a mechanism which allows a proxy to create a
>>   identity itself to a PNS, by signing a JWT sent to the PNS using a
>>   key pair.  The public key serves as an identifier of the proxy, and
>>   can be used by devices to restrict push notifications to the proxy
>>   associated with the key."
>> 
>> (Later you have a comment on this paragraph, but it is editorial)
>
>I was asking about the impact on the SIP behavior. Do we expect the SIP
>client to do something with the capability indicator value? Maybe record
>the value pass it to the ³push" client? Only send a new register when the
>right VAPID related things happens in the push protocol?

VAPID is used to restrict the push notifications the SIP UA will receive
in the first place. But, once it does receive a push notification, there
is no special behaviour. It will send a REGISTER etc, using the normal
procedures.

---

>> 
>>> - " If the REGISTER response does not contain a a ¹sip.pnsreg¹
>>>feature- capability indicator, the UA SHOULD only send a
>>> re-registration REGISTER request when it receives a push notification
>>>(even if the UA is able to use a non-push mechanism for
>>> sending re-registration REGISTER requests).²
>>> 
>>> Why? That¹s normal SIP behavior for UAs that do not support this
>>>mechanism, so the registrar must be able to handle it.
>>> (If there¹s a good reason, please explain it in the draft.)
>> 
>> The registrar will for sure be able to handle it, but if the proxy is
>>anyway going to trigger REGISTER requests using push notifications, I
>>see no reason for the UA to trigger REGISTER requests "on its own².
>
>So the concern is additional unnecessary REGISTER requests?
>
>What happens if a binding is about to expire, but the client hasn¹t
>gotten a push notification? What if the clients network configuration
>changes in a way that forces adding or removing contacts; should it wait
>for a push notification to send a new REGISTER request? Can it terminate
>a binding proactively, or does it need to wait for that, too?

If the SIP UA has a good reason to send a non-push triggered REGISTER, it
can do so. That¹s why it is a SHOULD :)

As you indicate, the only reason for not sending non-push triggered
REGISTER requests is to avoid unnecessary requests, but nothing will break
if they are sent.

---

>> 
>>> - ³ NOTE: If the SIP UA application wants to use push notifications for
>>>  other purposes than to trigger re-registration requests, it needs to
>>>  be able to distinguish between the different purposes when receiving
>>>  push notifications.  Mechanisms for doing that are outside the scope
>>>  of this specification."
>>> 
>>> I can see keeping how you distinguish between SIP related
>>>notifications and other kinds of notifications. But what if the UA uses
>>> more than one SIP services that supports push notifications?
>> 
>> Each UA application will have a separate push notification
>>subscription, use separate registrations etc.
>> 
>> (Now, if a single UA handles multiple SIP services I see no reason from
>>a non-push scenario: when the UA receives a request it needs to figure
>>out to which service the request is "dispatched².)
>
>I was thinking in terms of a single UA application. Let¹s say it has
>successfully registered with service FOO and service BAR. They both
>support push. If it gets a push notification, how does it know which
>binding to refresh? Should it refresh both?

Yes. If you have multiple contacts (no matter whether they are for
different services, different IP versions, or something else) associated
with a single push notification subscription, a push notification will
request them all to refresh.

---

>>> - ³ If the contact of the most recent REGISTER
>>>  2xx response and Request-URI do not match, the proxy MUST reject the
>>>  SIP request with a 404 (Not Found) response.  This can happen if the
>>>  UA sends a re-registration REGISTER request with a new contact at the
>>>  same time the registrar forwards a SIP request towards a UA using the
>>>  previously registered contact in the Request-URI.²
>>> 
>>> Why doesn¹t the proxy forward using normal SIP procedures? It¹s
>>>entirely possible that an UAS address changes during an inbound
>>>transaction
>>> in normal SIP. Why is that different with push notifications? (this
>>>section seems to replace normal SIP request routing. That shouldn¹t
>>>happen
>>> without a really good reason. If normal SIP procedures are inadequate,
>>>please explain why.
>> 
>> In order for the proxy to forward the SIP request, it needs to be able
>>to match the R-URI of the request with the contact in the REGISTER
>>request/response.
>> 
>> Now, the proxy could of course not wait for the REGISTER response, and
>>simply forward the request when it receives a REGISTER request with a
>>contact that matches the R-URI. But, if the registrar for whatever
>>reason no longer accepts the registered contact, the proxy have
>>forwarded the request before the REGISTER response informs it about the
>>not-accepted contact.
>> 
>> But, as you say, that could happen with any proxy, so we could say that
>>the proxy forwards the request as soon as it receives a REGISTER request
>>with a matching contact. That would also be better from the
>>non-invite-transaction-timeout perspective, as the proxy does not need
>>to wait for the REGISTER response before it forwards the request.
>
>I see there¹s been some discussion of this, but for the record, my
>question was not about waiting for the response, it was about requiring
>the R-URI to match the contact from that particular REGISTER.
>
>For normal SIP, there¹s always the chance a client may change it¹s
>contact between the time the home proxy retargets the request and it
>arrives (or fails to arrive) at the client. Is that problem worse with
>push? (Maybe it is, if we assume that push clients do not proactively
>send new REGISTER requests when their contacts change)

It is not a problem with push. The proxy will forward the request using
the old contact, but that could happen also in non-push scenarios.

In a previous version of the draft, the proxy actually did check that the
contacts match, but Robert commented that we can remove it: the proxy will
forward the SIP request using normal proxy procedures.

---

>> 
>>> §6.2: Why does the UAC need to know the failure was due to push
>>>notification? What would it do differently than for other kinds of
>>> failures? (This seems like a privacy leak; does the recipient want the
>>>sender to know he or she is on a mobile
>>> device?)
>> 
>> I am not sure whether the information is very useful for the UAC, but
>>the "home proxy" may perhaps trigger different actions depending on what
>>response it receives.
>> 
>> Push can also be used on non-mobile devices, e.g., on tablets where one
>>wants to save battery.
>
>Regardless, it tells the sender something about the client¹s device that
>it did not already know. I think we need better justification than just
>saying the home proxy might need it; are there expected scenarios where
>it _will_ need it?

Ok, I will look into this.

---

>>>§11: ³ If the push notification related information carried in SIP
>>>could be
>>>  used by a malicious middleman to trigger push notifications towards a
>>>  device, operators MUST ensure that the SIP signalling is properly
>>>  secured from malicious middlemen, e.g., using encryption.²
>>> 
>>> This could use some elaboration. I think the sense of this is
>>>backwards. That is, the signaling MUST be secured unless
>>> there are factors that make it impossible for an active attacker to
>>>use the informaiton.
>> 
>> Isn't that what the text says? :)
>> 
>
>It changes the burden of proof. The original text suggests that they only
>need to secure the signaling if they think they the information could be
>used maliciously. My suggestion is to say they need to secure the
>signaling unless they are sure it cannot be used maliciously. These are
>not the same thing.

What about:

³Operators MUST ensure that the SIP signalling is properly secured, e.g.,
using encryption, from malicious middlemen, unless they are sure that the
signalling cannot be accessed and used maliciously (e.g., to trigger push
notifications towards a deice) by a middleman.²

---

>> 
>>> §12.5: The template contains a ³document² field, but the registration
>>>policy is ³expert review². Should this be ³specification required²?
>> 
>> "Document" (or "Reference") is used also for "expert review", isn't it?
>
>³Expert Review² does not necessarily require a document. ³Specification
>required² does.

There has to be some documentation for implementers. That could be a
document or a webpage.

So, perhaps we should then change to ³Specification required² - assuming
that also covers webpages.

---

>> 
>> Editorial Comments:
>> 
>>> - General:
>>> ‹ The draft has some readability issues. In particular, it pervasively
>>>uses long, convoluted sentences, lots of imbedded parenthetical
>>> phrases, improper comma placement, etc.
>>> ‹ The draft pervasively mixes registration procedures with the
>>>handling of inbound SIP requests. Please consider separating those into
>>> different sections. I realize there are interdependencies, but it¹s
>>>hard to follow as is.
>> 
>> I will look into it, but when it comes to comma placements etc it would
>>be very useful with input from an English speaker on how to fix it.
>> 
>>> - Abstract: s/awake/wake ; (or awaken)  (³awake² is not a verb. This
>>>repeats elsewhere in the draft. .)
>> 
>> Someone told me to use "awake". But, I can change it.
>
>Maybe they meant ³awaken²?

Perhaps.

So, ³awaken² is fine, but any instance of ³awake² should be ³wake²?

---

>> 
>>> §5.3.1: ³ If the proxy sends a SIP 555 (Push Notification Service Not
>>>Supported) response²
>>> It would be helpful to describe 555 before this.
>> 
>> Are you suggesting to move section 6 (Grammar) up?
>
>Not necessarily; just a brief mention that it¹s defined in this document.
>Or just a forward reference.

Ok. IF we decide to keep the 555 response code (you have a separate issue
on whether we need the push-specific response codes) I will fix it.

Thanks!

Regards,

Christer

>

v2.23.0 | Report a Bug | By Email