Re: [sipcore] privacy handling
Paul Kyzivat <pkyzivat@cisco.com> Tue, 31 August 2010 22:35 UTC
Return-Path: <pkyzivat@cisco.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D0A303A6872 for <sipcore@core3.amsl.com>; Tue, 31 Aug 2010 15:35:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.515
X-Spam-Level:
X-Spam-Status: No, score=-110.515 tagged_above=-999 required=5 tests=[AWL=0.084, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oqjofvLWe1lH for <sipcore@core3.amsl.com>; Tue, 31 Aug 2010 15:35:26 -0700 (PDT)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149]) by core3.amsl.com (Postfix) with ESMTP id 186EF3A6839 for <sipcore@ietf.org>; Tue, 31 Aug 2010 15:35:26 -0700 (PDT)
Authentication-Results: rtp-iport-2.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAO4gfUxAZnwN/2dsb2JhbACgWHGjGZwYgm6CSQSKEQ
X-IronPort-AV: E=Sophos;i="4.56,300,1280707200"; d="scan'208";a="154047709"
Received: from rtp-core-2.cisco.com ([64.102.124.13]) by rtp-iport-2.cisco.com with ESMTP; 31 Aug 2010 22:35:56 +0000
Received: from [161.44.174.142] (dhcp-161-44-174-142.cisco.com [161.44.174.142]) by rtp-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id o7VMZunB008288; Tue, 31 Aug 2010 22:35:56 GMT
Message-ID: <4C7D83CC.5000908@cisco.com>
Date: Tue, 31 Aug 2010 18:35:56 -0400
From: Paul Kyzivat <pkyzivat@cisco.com>
User-Agent: Thunderbird 2.0.0.24 (Windows/20100228)
MIME-Version: 1.0
To: Mary Barnes <mary.ietf.barnes@gmail.com>
References: <CD5674C3CD99574EBA7432465FC13C1B21FFC79C01@DC-US1MBEX4.global.avaya.com> <4C7D3990.5010205@cisco.com> <AANLkTimiDwgpgJbDT0c_sVov_76YAcPoz4Or21acVHkD@mail.gmail.com> <4C7D730F.3060202@cisco.com> <AANLkTimUrGA6AM=p8azr=KmxVTgAG=_CvHq3dcaH9RPk@mail.gmail.com>
In-Reply-To: <AANLkTimUrGA6AM=p8azr=KmxVTgAG=_CvHq3dcaH9RPk@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: "Worley, Dale R (Dale)" <dworley@avaya.com>, "SIPCORE (Session Initiation Protocol Core) WG" <sipcore@ietf.org>
Subject: Re: [sipcore] privacy handling
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 31 Aug 2010 22:35:32 -0000
Mary Barnes wrote: > If the UAC adds an hi-entry and wants privacy, then yes it would need > to use a privacy service. However, if the privacy header is set for > that request, any HI entries added as the request is forward to the > destination would also be anonymized by a privacy service independent > of whether an element downstream might want to apply privacy to > specific HI entires. But, none of this is any different than using > the privacy service for any other requests. The response issue is no > different yet again than other headers that are subject to > privacy/anonymized. I'm not sure what you mean by anonymizing of > responses unless you're talking about whether or not the privacy > service has been stateful enough to restore the values. 3323 strongly recommends that a UAC desiring privacy establish a direct tls connection to the privacy service and send the request there. If so, and assuming all the interesting routing of the request happens further downstream, then its only the UAC's entry that will be anonymized. All the others will be added after the privacy service has forwarded the request. The only other thing the privacy service can do is anonymize the H-I in the response back to the UAC, so that the UAC won't have any indication where the request went. I guess an alternative is for the UAC to have some expectation that a privacy service will be present at the boundary between the caller's domain and some other domain, whatever that means. But 3323 doesn't specify any way to ensure that. Another point I just realized while reviewing 3323: when a privacy service acts on a privacy value, such as "Privacy:header", or "Privacy:history", it also removes that value from the Privacy header. So those actions are only performed *once*. If "Privacy:history" is included by the UAC, and is processed by the first proxy encountered, subsequently added H-I information will not be anonymized. (Unless "Privacy:history" is added *again* by a proxy after that.) Regarding responses, ISTM that often servers along the way want their identity exposed to those further downstream (e.g. the proxy for the AOR wanting the AOR exposed to the VM server), but may not want that stuff visible to the caller. That would call for anonymization of the response by something upstream of those things that want their identity hidden. To accomplish this, the UAS will have to had a Privacy header to the response, and there will have to be a privacy service on the path that will act on it. I think perhaps Dale had it right, that much of this can be resolved by abandoning passive voice for active voice, thus forcing the identification of the agent for each action. Thanks, Paul > Thanks, > Mary. > > On Tue, Aug 31, 2010 at 4:24 PM, Paul Kyzivat <pkyzivat@cisco.com> wrote: >> Mary, >> >> The implication of what you say is that if the UAC wants privacy for the >> H-I, then it must do something to ensure that the request goes through a >> privacy service, AND, that only those entries added prior to reaching the >> privacy service will be anonymized. If some element downstream from the UAC >> wants privacy for the information it adds, then it must ensure that the >> request will subsequently transit a privacy service. Anonymizing of >> responses is even more problematic. >> >> Are those realistic assumptions for practical use of H-I? (I don't know.) >> >> Thanks, >> Paul >> >> Mary Barnes wrote: >>> Paul, >>> >>> The intent of 4244/4244bis was to follow the same model as RFC 3323 >>> and use the concept of network-provided privacy. So, this should not >>> be anything different than the case where Header privacy is requested. >>> There is no assumption that the proxy is a privacy service. The >>> current text was written as if that was obvious (i.e., assumes you are >>> using a privacy service, etc. per RFC 3323 without saying such), but >>> clearly it's not. I think the best approach is to rewrite the privacy >>> section entirely using context and terminology consistent with RFC >>> 3323 I think that can also help with the domain issue since the >>> context of domain is exactly that used in RFC 3323 (with regards to >>> privacy). >>> >>> Mary. >>> >>> >>> On Tue, Aug 31, 2010 at 12:19 PM, Paul Kyzivat <pkyzivat@cisco.com> wrote: >>>> What Dale says would help. >>>> >>>> But I'm still concerned with which entities this requirement applies to. >>>> RFC 3323 is being cited for Privacy header processing. But it assigns >>>> responsibility for that to a privacy service, and makes the UAC/UAS >>>> responsible for ensuring that the request passes through such a service. >>>> IIUC 42444bis is assuming that every server that supports 4244bis is >>>> potentially a privacy service. >>>> >>>> I'll be happy to learn that I'm entirely wrong in that assumption. I'd >>>> like >>>> to understand how privacy of H-I is intended to work in real use cases, >>>> and >>>> where the privacy service(s) are located to make that happen. >>>> >>>> Thanks, >>>> Paul >>>> >>>> Worley, Dale R (Dale) wrote: >>>>> Mary Barnes writes (in the middle of a long exchange quoted below): >>>>>> That sentence is written within the context of core RFC 3261. We >>>>>> really didn't get into the RFC 3325 trust domain concept in RFC 4244 - >>>>>> in particular because RFC 3325 is informational. However, there is an >>>>>> UNLESS later in that section: >>>>>> >>>>>> "...,unless the processing entity knows a priori that it can rely on >>>>>> a >>>>>> downstream processing entity within its domain to apply the requested >>>>>> privacy or local policy allows the forwarding." >>>>> I think the problem can be fixed by deleting the phrase "within its >>>>> domain" (and also >>>>> "a priori", which doesn't add anything): >>>>> >>>>> "..., unless the processing entity knows that it can rely on a >>>>> downstream >>>>> processing >>>>> entity to apply the requested privacy ..." >>>>> >>>>> The crucial fact is "entity A knows that entity B will do it", not >>>>> whether >>>>> or how the >>>>> two entities are related to each other. And in practice, whether or not >>>>> "entity A knows ..." >>>>> is clearer than whether or not "entity A is in the same trust domain as >>>>> entity B", >>>>> and possibly clearer than "entity A is in the same SIP domain as entity >>>>> B" >>>>> -- >>>>> the latter two questions are fraught with definitional problems, whereas >>>>> the first >>>>> question is purely functional. >>>>> >>>>> Dale >>>>> ________________________________________ >>>>> From: sipcore-bounces@ietf.org [sipcore-bounces@ietf.org] On Behalf Of >>>>> Mary Barnes [mary.ietf.barnes@gmail.com] >>>>> Sent: Wednesday, August 25, 2010 2:18 PM >>>>> To: Paul Kyzivat >>>>> Cc: SIPCORE (Session Initiation Protocol Core) WG >>>>> Subject: Re: [sipcore] REMINDER: Re: WGLC: draft-ietf-sipcore-rfc4244bis >>>>> >>>>> Paul, >>>>> >>>>> In the context of 4244/-bis, the term domain is a DNS domain (per RFC >>>>> 3261) and not a SPEC-T Trust Domain per RFC 3325. However, the specific >>>>> terminology we are referring to is also in RFC 3261 in that a SIP entity >>>>> can >>>>> be responsible for multiple domains, which is not a Trust domain, but is >>>>> something that can be configured. That's the context meant in RFC >>>>> 4244/-bis. It is outside the scope of RFC 3261 (and thus RFC 4244/-bis) >>>>> as >>>>> to how those relationships are configured. It could certainly be done >>>>> using >>>>> the Trust domain model, but again, that's out of scope. >>>>> >>>>> If it helps, I can add in the terminology section that domain (and the >>>>> terminology around the domains for which an entity is responsible, etc. >>>>> ) is >>>>> used in the same context as RFC 3261, but I personally don't think that >>>>> should be necessary. >>>>> >>>>> Mary. >>>>> On Wed, Aug 25, 2010 at 1:01 PM, Paul Kyzivat >>>>> <pkyzivat@cisco.com<mailto:pkyzivat@cisco.com>> wrote: >>>>> >>>>> >>>>> Mary Barnes wrote: >>>>> Actually, I did respond to that message, per the following: >>>>> http://www.ietf.org/mail-archive/web/sipcore/current/msg03088.html >>>>> >>>>> (threading in the email archives is no better than my archiving method >>>>> for >>>>> emails). >>>>> >>>>> Hmm. I cannot find that one anywhere in my own archives, and I don't >>>>> recall seeing it. Don't know why. :-( >>>>> >>>>> That sentence is written within the context of core RFC 3261. We really >>>>> didn't get into the RFC 3325 trust domain concept in RFC 4244 - in >>>>> particular because RFC 3325 is informational. However, there is an >>>>> UNLESS >>>>> later in that section: >>>>> >>>>> "...,unless the processing entity knows a priori that it can rely on a >>>>> downstream processing entity within its domain to apply the requested >>>>> privacy or local policy allows the forwarding." >>>>> >>>>> So, I will include that same clause in the sentence you are concerned >>>>> about. >>>>> >>>>> That doesn't do it for me. I think one way or another you need to >>>>> address >>>>> whether "domain" means "DNS domain" or "trust domain". And if it means >>>>> "trust domain" then of course we need a ref to 3325. >>>>> >>>>> You seem to mean DNS domain, but the kinds of actions you are discussing >>>>> seem more related to 3323 and 3325. ISTM that if you mean DNS domain >>>>> then >>>>> you mean it based on an assumption that "DNS domain" = "trust domain". >>>>> >>>>> Thanks, >>>>> Paul >>>>> >>>>> Thanks, >>>>> Mary. >>>>> On Wed, Aug 25, 2010 at 11:51 AM, Mary Barnes >>>>> <mary.ietf.barnes@gmail.com<mailto:mary.ietf.barnes@gmail.com> >>>>> <mailto:mary.ietf.barnes@gmail.com<mailto:mary.ietf.barnes@gmail.com>>> >>>>> wrote: >>>>> >>>>> Sorry, I should have replied to that thread, but I didn't think >>>>> there was a change necessary. I'll reply now. >>>>> >>>>> Mary. >>>>> >>>>> On Wed, Aug 25, 2010 at 11:45 AM, Paul Kyzivat >>>>> <pkyzivat@cisco.com<mailto:pkyzivat@cisco.com> >>>>> <mailto:pkyzivat@cisco.com<mailto:pkyzivat@cisco.com>>> wrote: >>>>> >>>>> [as individual] >>>>> >>>>> There was some discussion on the -00 version back in July that >>>>> was not, AFAICT, addressed in the -01 version. There is a thread >>>>> emanating from mary's announcement of the -00 version. The >>>>> following is a hook into that thread: >>>>> >>>>> http://www.ietf.org/mail-archive/web/sipcore/current/msg03056.html >>>>> >>>>> It has to do with when privacy should be applied. >>>>> >>>>> Thanks, >>>>> Paul >>>>> >>>>> >>>>> Adam Roach wrote: >>>>> >>>>> >>>>> [as chair] >>>>> >>>>> As a reminder, we're just over halfway through this WGLC, >>>>> and have not yet seen any comments. Please take some time to >>>>> review this draft. >>>>> >>>>> /a >>>>> >>>>> On 8/16/10 4:29 PM, Adam Roach - SIPCORE Chair wrote: >>>>> >>>>> >>>>> [as chair] >>>>> >>>>> A major author of draft-ietf-sipcore-rfc4244bis-01 >>>>> believes that the document has no remaining open issues, >>>>> and is ready for evaluation. Today, we are starting a >>>>> two-week working group last call period. This last call >>>>> period ends on Tuesday, August 31st. >>>>> >>>>> The latest version of the document can be retrieved here: >>>>> >>>>> http://tools.ietf.org/html/draft-ietf-sipcore-rfc4244bis >>>>> >>>>> Any comments on the document should be sent to the >>>>> SIPCORE mailing list. >>>>> >>>>> /a >>>>> >>>>> _______________________________________________ >>>>> sipcore mailing list >>>>> sipcore@ietf.org<mailto:sipcore@ietf.org> >>>>> <mailto:sipcore@ietf.org<mailto:sipcore@ietf.org>> >>>>> >>>>> https://www.ietf.org/mailman/listinfo/sipcore >>>>> >>>>> >>>>> _______________________________________________ >>>>> sipcore mailing list >>>>> sipcore@ietf.org<mailto:sipcore@ietf.org> >>>>> <mailto:sipcore@ietf.org<mailto:sipcore@ietf.org>> >>>>> >>>>> https://www.ietf.org/mailman/listinfo/sipcore >>>>> >>>>> _______________________________________________ >>>>> sipcore mailing list >>>>> sipcore@ietf.org<mailto:sipcore@ietf.org> >>>>> <mailto:sipcore@ietf.org<mailto:sipcore@ietf.org>> >>>>> >>>>> https://www.ietf.org/mailman/listinfo/sipcore >>>>> >>>>> >>>>> >>>>> >>>>> >
- Re: [sipcore] privacy handling Worley, Dale R (Dale)
- Re: [sipcore] privacy handling Paul Kyzivat
- Re: [sipcore] privacy handling Mary Barnes
- Re: [sipcore] privacy handling Paul Kyzivat
- Re: [sipcore] privacy handling Mary Barnes
- Re: [sipcore] privacy handling Paul Kyzivat
- Re: [sipcore] privacy handling Hadriel Kaplan
- Re: [sipcore] privacy handling Paul Kyzivat
- Re: [sipcore] privacy handling Hadriel Kaplan
- Re: [sipcore] privacy handling Elwell, John
- Re: [sipcore] privacy handling Paul Kyzivat