Re: [sipcore] Benjamin Kaduk's No Objection on draft-ietf-sipcore-rejected-08: (with COMMENT)
Eric Burger <eburger@standardstrack.com> Thu, 20 June 2019 02:50 UTC
Return-Path: <eburger@standardstrack.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50BD5120301; Wed, 19 Jun 2019 19:50:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.89
X-Spam-Level:
X-Spam-Status: No, score=-1.89 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7rOKKjNDlgk5; Wed, 19 Jun 2019 19:50:47 -0700 (PDT)
Received: from biz221.inmotionhosting.com (biz221.inmotionhosting.com [198.46.93.79]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B65151202C5; Wed, 19 Jun 2019 19:50:47 -0700 (PDT)
Received: from [68.100.196.217] (port=51354 helo=[192.168.10.23]) by biz221.inmotionhosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from <eburger@standardstrack.com>) id 1hdn9t-005wEK-MH; Wed, 19 Jun 2019 19:50:43 -0700
From: Eric Burger <eburger@standardstrack.com>
Message-Id: <8ABA9BE7-8516-4F10-9E58-ED6D23A352B1@standardstrack.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_4A3632C5-12E5-44D3-BA09-7B07CED67F80"; protocol="application/pgp-signature"; micalg="pgp-sha256"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 19 Jun 2019 22:50:40 -0400
In-Reply-To: <156030110472.5972.1062340244094112710.idtracker@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-sipcore-rejected@ietf.org, sipcore@ietf.org, sipcore-chairs@ietf.org
To: Benjamin Kaduk <kaduk@mit.edu>
References: <156030110472.5972.1062340244094112710.idtracker@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-OutGoing-Spam-Status: No, score=-0.2
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - biz221.inmotionhosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - standardstrack.com
X-Get-Message-Sender-Via: biz221.inmotionhosting.com: authenticated_id: eburger+standardstrack.com/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: biz221.inmotionhosting.com: eburger@standardstrack.com
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/YHoUWqV0Lfi5E77GJc8R-kiPokc>
Subject: Re: [sipcore] Benjamin Kaduk's No Objection on draft-ietf-sipcore-rejected-08: (with COMMENT)
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2019 02:50:49 -0000
> On Jun 11, 2019, at 8:58 PM, Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote: [snip] > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Do we want to give any references/examples for "some jurisdictions" or > "many jurisdictions”? I would prefer not to put it into an archival document. One might think the U.S. and Canada would be examples, but I cannot speak on behalf of the U.S. Government, Canadian Government, or any governmental department, agency, or commission. [snip] > Section 3.2.2 > > The payload contains two JSON values. The first JSON Web Token (JWT) > claim that MUST be present is the iat (issued at) claim [RFC7519]. > The "iat" MUST be set to the date and time of the issuance of the 608 > response. This mandatory component protects the response from replay > attacks. > > nit(?): Perhaps this protection is only "outside the scope of a narrow > window of time corresponding to the allowed RTT and any permitted time > skew", per Section 3.3. Given the ubiquity of using iat for just this purpose, I would offer it would be redundant to reiterate it here. Would it be OK with you to not go there here? > Call originators (at the UAC) can > use the information returned by the jCard to contact the intermediary > that rejected the call to appeal the intermediary's blocking of the > call attempt. What the intermediary does if the blocked caller > contacts the intermediary is outside the scope of this document. > > It seems like it is permissible for the intermediary to reject this new > call as well; can we get into some sort of recursion-like situation? That would be a major fail on the part of the intermediary. However, I do not think there is anything we can do about it. We certainly do not want to tell the intermediary operator they cannot protect themselves from, in this case, a TDoS attack. On the other hand, I do not think we can possibly require the intermediary operator to accept the call. That would be some magic Protocol Policing(tm) if we could! Because of the risks, I am not sure we even want to give guidance - such an operational issue seems outside the scope of the IETF. However, if the IESG or SIPCORE folks think otherwise, I can put in some language to that effect. [snip] I edited most all of your other comments in. Thanks!
- [sipcore] Benjamin Kaduk's No Objection on draft-… Benjamin Kaduk via Datatracker
- Re: [sipcore] Benjamin Kaduk's No Objection on dr… Eric Burger
- Re: [sipcore] Benjamin Kaduk's No Objection on dr… Benjamin Kaduk