IETF Logo Mail Archive

Re: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 31 October 2019 15:44 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 635B11200F4; Thu, 31 Oct 2019 08:44:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kzvo9DsEf0RH; Thu, 31 Oct 2019 08:44:54 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-ve1eur02on062b.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe06::62b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C18512006F; Thu, 31 Oct 2019 08:44:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=YYzgorftnsGxu1Ib76qqZQOUQh33hepUHu5krJEyIHC61BXWefV2xIuKcI6YsRa7/TQIGEId+gst82q1i62VpdCpbmhzpFi2MfQOneu1uRNTVU12BrgmhRwP6GP9t3xVUHYuoFgS2SIhrJVbO1dSwyE5QSHYF0y5+fcrP0L9K2Z4ldpKeRFLSoLISV0ByLx9zATEFUqqwXvInEOYiMdWtok5vYKUPstC5pdDZU1LhLFEtrHEAgKPJEIuCSsOAu3gR9T9d+dZluuxRp1RxbdlxIMI6+5xYDOA9iCBNe7c9AWG9nCCaDh8MPjUOCVNuc59gAalPs7CtqSdNJlCMDMYfA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ypN5zKbJlL/VdRDrraCrOxJ6bWl6zWubTTO5VB9RCrc=; b=bHu/Eu+Nb6veMNmf0NvxijODtrPPTWNA26t9v6rFkP2o7BK8r0Q8WeVx2eE8Npe0y9ACcEakAcrQBjIFTuS1zk0WW5oCpArjFruyJ5zq55cDRDKoaEspBsjr/NPsy7l881TtjPyW/zKM5uCHw0hg9TjOzamZFf51q5QmnRzb/8Z5BcbP2gQ1/nuKzkXkvEP2lpWabAi/BcZ19WYFlQKdqzfF6nZ/pFsJaGrz4ml+IGWOmqpHStwSTehcUcF6WMuIKvTShW2HMQs7h2cAT6EQ6FODUYoWpiaqYww7UBrCR2J5QQ3ZB0s2Z5O6xciarCsr02GgJORiPzORdyA0c/kPdg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ypN5zKbJlL/VdRDrraCrOxJ6bWl6zWubTTO5VB9RCrc=; b=nsc+0VcsucmdI5mzXid+TCZckyTqEWOQEzTWiz9hNf6NXkh0PFQUP29KdBtgOJ96HZRyUHZPr9Kf51rK8LHt9R177JZrQc2Zq1vlXkdQwNdgkaEPxXaw9NMZJLNKs2e8Wc3PtyGVI7QEm5a6amB378QGniw040aCeqeo98Geudo=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB4220.eurprd07.prod.outlook.com (20.176.168.20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2408.14; Thu, 31 Oct 2019 15:44:50 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5499:1231:e707:4cb7]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5499:1231:e707:4cb7%7]) with mapi id 15.20.2408.016; Thu, 31 Oct 2019 15:44:50 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
CC: "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "draft-ietf-sipcore-digest-scheme@ietf.org" <draft-ietf-sipcore-digest-scheme@ietf.org>, The IESG <iesg@ietf.org>, SIPCORE <sipcore@ietf.org>, Alexey Melnikov <aamelnikov@fastmail.fm>
Thread-Topic: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)
Thread-Index: AQHVj+3+/XQWOAP0gUmCkUmQAngGd6d04liA///hPYCAACLmgIAAH3GA
Date: Thu, 31 Oct 2019 15:44:49 +0000
Message-ID: <4EEBC37C-3C1B-42A9-883B-571FAE867C31@ericsson.com>
References: <157245577700.32490.10990766778571550817.idtracker@ietfa.amsl.com> <CAGL6epJgyr_VUYgKCgxDcP5ObKWErtDCHxaX7JusUYPXu=a6jQ@mail.gmail.com> <a9ebadcc-36ae-4bdb-af69-05486eef2569@www.fastmail.com> <CAGL6ep+AK4BuGZ2Y1RMsomAYGLiy2NbEHgm5-941FLVKS6bY9Q@mail.gmail.com> <6ec209ae-72e9-4dd1-8d68-3ee1704f3d92@www.fastmail.com> <CAGL6epLQS9xqHybZLTk1qM4i_LaDWVk8-iF0-0e_osf271R_Rg@mail.gmail.com> <7B4921E1-66A3-4D6D-A943-8EC0F44195CC@ericsson.com> <CAGL6epLrJYPaaYwFQjP8Lk3Uc3PUogtfPyxE5FsoTMJs3GvsgA@mail.gmail.com> <4C17F34D-7046-4706-AE5C-FB7ADC4B1427@ericsson.com>
In-Reply-To: <4C17F34D-7046-4706-AE5C-FB7ADC4B1427@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1e.0.191013
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [89.166.49.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c43adb70-5a05-4d75-4af1-08d75e1943d6
x-ms-traffictypediagnostic: HE1PR07MB4220:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <HE1PR07MB4220C99F55AA477A9F7E739093630@HE1PR07MB4220.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02070414A1
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(366004)(136003)(376002)(396003)(39860400002)(18543002)(199004)(189003)(25786009)(54906003)(54896002)(66476007)(66946007)(66556008)(64756008)(606006)(256004)(6306002)(966005)(486006)(6512007)(6116002)(446003)(66446008)(26005)(8936002)(66066001)(2906002)(476003)(99286004)(3846002)(236005)(14444005)(44832011)(86362001)(58126008)(110136005)(478600001)(8676002)(76116006)(6506007)(6246003)(53546011)(81166006)(71190400001)(6486002)(7736002)(102836004)(76176011)(81156014)(33656002)(5660300002)(4326008)(71200400001)(11346002)(186003)(36756003)(5070765005)(6436002)(14454004)(229853002)(2616005)(21615005)(316002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB4220; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wBGz61F5dA86DtTMsMB9rFVvY5MFi5+6trujs5shYL8bMIvBAP1nap7cnjiBrw5He8MgX/fRB2eicU4jMkQsiqRMS+yyXrvK1+GIRcpKx2slXErTlJjIh7sEpklTnygFwCKLp3id/N11blRFsz3qgTK7KLsE9NoXly40MEir5MeR4SYAInAiVZCsEmxIEY8doo7X1bUZ8fWaIOk0FPH6KOfYvol9YXZ4x2X8mtr52fH58mGlRJtcUZF+miViajB53QKg66JgAuLFy1DdMwIG0HMXkUg/qp7urE4XLg4HZ73Vn07h2UKZFWSN5V9VUHLyQFf3d28YeBkjCJ6EtBcaBznIuQN53weciDKZULI87frzwyLfbTsPe2Y/d1rmmht6F0F/kDAaWayrT0WnRbgOBK63K/9Gmol/SJgckSbYmoFwAgWvI0SWn5aH/aAMqyH16fJUKWveV9DkM5wfDtzBGHzbP+g78Xbk0OHos3hggLI=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_4EEBC37C3C1B42A9883B571FAE867C31ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c43adb70-5a05-4d75-4af1-08d75e1943d6
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Oct 2019 15:44:49.7347 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: LCVB/gSGpZY7oM+sHKOS6yYA2ABp2wX+dquHZbEh4F+VmLcKCdGO71P/08Am9GKzc3v4czqgCKzDMXgu+OZTibEVK123KuPRAbyFzQFsnL4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB4220
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/ZZCy1WnKh88dbB37njQ5hPgZDh8>
Subject: Re: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Oct 2019 15:45:00 -0000

Hi,

Perhaps we could add some text about the IMS use-case, in order to explain the empty value?

Regards,

Christer

From: sipcore <sipcore-bounces@ietf.org> on behalf of Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>
Date: Thursday, 31 October 2019 at 15.52
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Cc: "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "draft-ietf-sipcore-digest-scheme@ietf.org" <draft-ietf-sipcore-digest-scheme@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, Alexey Melnikov <aamelnikov@fastmail.fm>
Subject: Re: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)

Hi,

>This IMS behavior would have been in violation of RFC3261 which specified exactly 32 Hex characters.
>So, this change should not make much of a difference in this case.

In reality it probably doesn’t make a difference, but it would make the IMS procedures “aligned” with the IETF spec.

Regards,

Christer




On Thu, Oct 31, 2019 at 9:37 AM Christer Holmberg <christer.holmberg@ericsson.com<mailto:christer.holmberg@ericsson.com>> wrote:

Hi,

The reason for the empty value comes from IMS and AKA, where you need to include the user id already in the initial REGISTER request (this seems to be missing from RFC 3310, but that’s a separate topic) in order for the server to create the challenge,  meaning that in the initial REGISTER request you include an Authorization header field with the username parameter carrying the IMS private user identity, the realm parameter and the uri parameter. At this point you obviously don’t yet have the response, so in IMS it is specified that the response parameter is inserted with an empty value.

WHY it was specified that way (instead of simply not including the response parameter) I don’t know, but I do know that it has been implemented and deployed that way for many years.

Regards,

Christer


From: sipcore <sipcore-bounces@ietf.org<mailto:sipcore-bounces@ietf.org>> on behalf of Rifaat Shekh-Yusef <rifaat.ietf@gmail.com<mailto:rifaat.ietf@gmail.com>>
Date: Thursday, 31 October 2019 at 15.20
To: Alexey Melnikov <aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>>
Cc: "sipcore-chairs@ietf.org<mailto:sipcore-chairs@ietf.org>" <sipcore-chairs@ietf.org<mailto:sipcore-chairs@ietf.org>>, "draft-ietf-sipcore-digest-scheme@ietf.org<mailto:draft-ietf-sipcore-digest-scheme@ietf.org>" <draft-ietf-sipcore-digest-scheme@ietf.org<mailto:draft-ietf-sipcore-digest-scheme@ietf.org>>, "iesg@ietf.org<mailto:iesg@ietf.org>" <iesg@ietf.org<mailto:iesg@ietf.org>>, "sipcore@ietf.org<mailto:sipcore@ietf.org>" <sipcore@ietf.org<mailto:sipcore@ietf.org>>
Subject: Re: [sipcore] Alexey Melnikov's No Objection on draft-ietf-sipcore-digest-scheme-12: (with COMMENT)

Done.

On Thu, Oct 31, 2019 at 9:13 AM Alexey Melnikov <aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>> wrote:
On Thu, Oct 31, 2019, at 1:11 PM, Rifaat Shekh-Yusef wrote:
Hi Alexey,

I am fine with Paul's suggestion.
Are you ok with "32*LHEX"?
Yes!

Thank you,
Alexey

Regards,
 Rfaat


On Thu, Oct 31, 2019 at 7:22 AM Alexey Melnikov <aamelnikov@fastmail.fm<mailto:aamelnikov@fastmail.fm>> wrote:

Hi Rifaat,

On Wed, Oct 30, 2019, at 9:50 PM, Rifaat Shekh-Yusef wrote:
Thanks Alexey!

I am fine with the first two comments, and will fix these in the coming version of the document.

I am not sure I follow the 3rd one. Why do you see the need for a minimum number of hex digits?
You do say that the number of hex digits match the hash lenght, so it is probably Ok. However empty value is never valid (and I am worried it might hit some boundary condition bug in implementations), so prohibiting it in ABNF would be the best.

Best Regards,
Alexey

Regards,
 Rifaat



On Wed, Oct 30, 2019 at 1:16 PM Alexey Melnikov via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:
Alexey Melnikov has entered the following ballot position for
draft-ietf-sipcore-digest-scheme-12: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-sipcore-digest-scheme/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

I am agreeing with Alissa's DISCUSS.

Also, I have a few comments of my own:

1) Last para of Section 2.1:

2.1.  Hash Algorithms

   A UAS prioritizes which algorithm to use based on the ordering of the
   challenge header fields in the response it is preparing.

This looks either wrong or confusing to me. I think you are just saying here
that the order is decided by the server at this point.

   That
   process is specified in section 2.3 and parallels the process used in
   HTTP specified by [RFC7616].

So based on the above, my suggested replacement for both sentences:

   A UAS prioritizes which algorithm to use based on its policy,
   which is specified in section 2.3 and parallels the process used in
   HTTP specified by [RFC7616].

2) Last para of Section 2.4:

   If the UAC cannot respond to any of the challenges in the response,
   then it SHOULD abandon attempts to send the request unless a local
   policy dictates otherwise.

Is trying other non Digest algorithms covered by "SHOULD abandon"?
If yes, maybe you should make this clearer.

   For example, if the UAC does not have
   credentials or has stale credentials for any of the realms, the UAC
   will abandon the request.

3) In Section 2.7:

      request-digest = LDQUOT *LHEX RDQUOT

This now allows empty value. I suggest you specify a minimum number of hex
digits allowed in the ABNF. Or at least change "*LHEX" to "2*LHEX".

v2.23.0 | Report a Bug | By Email