IETF Logo Mail Archive

Re: [sipcore] Adam Roach's Discuss on draft-ietf-sipcore-sip-push-21: (with DISCUSS and COMMENT) - the DISCUSS issues Part 2

Ben Campbell <ben@nostrum.com> Wed, 09 January 2019 19:27 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E531313105D; Wed, 9 Jan 2019 11:27:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.68
X-Spam-Level:
X-Spam-Status: No, score=-1.68 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IHMkC0EAXmdy; Wed, 9 Jan 2019 11:27:09 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92BE0131053; Wed, 9 Jan 2019 11:27:09 -0800 (PST)
Received: from [10.0.1.45] (cpe-70-122-203-106.tx.res.rr.com [70.122.203.106]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id x09JR2Mg055196 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 9 Jan 2019 13:27:03 -0600 (CST) (envelope-from ben@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1547062024; bh=hkmcVsmodAFp2lDSMVBixvau2IY+X407mVV3XGAoDQY=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=MEqgthwBS+pLroQys7uQCmktt4QR8jVTG6zdSd464vNdOfwQFBJSiwB0szsh6008R vhIDhhdmm8RmgLLwwDsqFseoVCkRdtfTGQiG/A5oS4STV5XbAM7WoAzJ7KsSm64win CMTZykFs+TxdR/ZQHIL9wJohiwY3d0VEDFBvIhcw=
X-Authentication-Warning: raven.nostrum.com: Host cpe-70-122-203-106.tx.res.rr.com [70.122.203.106] claimed to be [10.0.1.45]
From: Ben Campbell <ben@nostrum.com>
Message-Id: <FE046CDD-438A-4822-829B-A5721EACB9F5@nostrum.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_58E39ADA-A2EE-4BCC-8119-CC764B3FD489"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 09 Jan 2019 13:27:01 -0600
In-Reply-To: <HE1PR07MB316165F6D52E313281D15544938B0@HE1PR07MB3161.eurprd07.prod.outlook.com>
Cc: Adam Roach <adam@nostrum.com>, The IESG <iesg@ietf.org>, "sipcore-chairs@ietf.org" <sipcore-chairs@ietf.org>, "draft-ietf-sipcore-sip-push@ietf.org" <draft-ietf-sipcore-sip-push@ietf.org>, "sipcore@ietf.org" <sipcore@ietf.org>, "br@brianrosen.net" <br@brianrosen.net>
To: Christer Holmberg <christer.holmberg@ericsson.com>
References: <HE1PR07MB316165F6D52E313281D15544938B0@HE1PR07MB3161.eurprd07.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/a97unhrU5joqvH1eJ83SfA6ompM>
Subject: Re: [sipcore] Adam Roach's Discuss on draft-ietf-sipcore-sip-push-21: (with DISCUSS and COMMENT) - the DISCUSS issues Part 2
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jan 2019 19:27:12 -0000


> On Jan 9, 2019, at 9:28 AM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> 
> Hi,
> 
> I realized there were DISCUSS issues that I didn't address in my previous reply. I will address them in this reply.
> 
> §4.1:
> 
>>> For privacy and security reasons, the UA MUST NOT include the SIP URI
>>> parameters defined in this document in non-REGISTER request, to
>>> prevent the PNS information associated with the UA from reaching the
>>> remote peer.
>> 
>> This seems to ignore the availability of Contact URI parameters via RFC 3680 subscriptions. This would seem to impose a requirement on Registrars to
>> strip this information before making it available to any other party (which, in turn, requires that the system have explicit Registrar *and* Proxy support).
>> As far as I can tell, the system so far has not required explicit proxy support (and there's certainly no mechanism built-in that ensures that a proxy has any
>> special handling regarding this mechanism).
>> 
>> If the PNS information is sensitive, and cannot be allowed to leak out to other users, then we need some way to ensure the registrar has provided positive
>> confirmation that it will not do so before allowing it to come into possession of them.
> 
> Users aren't normally allowed to subscribe to the Contacts of other users, are they?

As far as I know, that’s an operational choice, not a requirement. One assumes that if 3680 is used, _someone_ is subscribing.


> And, if they were, I don't think the PNS information is the only information that would be considered sensitive.

True, but this draft should take responsibility for the data elements that it adds.

> 
> But, to answer your question, I don't know how to prevent that, other than adding text to the security considerations saying that operators must take this into consideration.

I’m on the fence as to whether we should expect the registrar to strip PNS, vs just mention that information can be leaked this way. The WG might need to think a bit harder about how sensitive the PNS really is. I think we were prohibiting it in non-REGISTER requests somewhat opportunistically (that is, because it was easy to do), not because we had really analyzed the privacy implications.

> 
> ---------------------------------------------------------------------------
> 
> §4.2:
> 
>>> The UA can do so by only including the pn-provider  SIP URI parameter
>>> in the SIP Contact header field URI of the REGISTER  request, but
>>> without including the pn-prid SIP URI parameter.
>> 
>> Unless I'm mistaken, this is a barrier to interoperation.
>> 
>> It's not 100% clear, but I suspect the intended implication is that the pn-provider parameter here will contain a single value? The syntax of the parameter
>> certainly seems to imply that. This seems to be a pretty big problem, since it presupposes that the client will know which PNSes the Proxy supports.
>> Consider, for example, an iOS client that can use any of RFC 8030, FCM, and APN (cf https://firebase.google.com/docs/cloud-messaging/ios/client).
>> If the client doesn't know a priori what the proxy supports (and this entire section only makes sense if that's true), then it won't know which of those
>> three services to indicate in its REGISTER request. If it guesses wrong, this mechanism simply fails.
>> 
>> I think you need a different discovery mechanism here -- either have one that has the client offering multiple PNS protocols and the proxy responding
>> with one, or have one in which the proxy indicates all of its supported services in a response, and the client chooses one to use in its next REGISTER message.
> 
> I suggest the first option, where the client can offer multiple PNS protocols (pn-provider values) and the proxy responds with one.
> 

Would that require the UA to preemptively register will all possible PNSs, even if it’s only going to use one?

> Regards,
> 
> Christer
>

v2.23.0 | Report a Bug | By Email