IETF Logo Mail Archive

Re: [sipcore] Updated 4244bis and new call flow document

Mary Barnes <mary.ietf.barnes@gmail.com> Mon, 26 July 2010 06:37 UTC

Return-Path: <mary.ietf.barnes@gmail.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DA7FE3A69F6 for <sipcore@core3.amsl.com>; Sun, 25 Jul 2010 23:37:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.32
X-Spam-Level:
X-Spam-Status: No, score=-2.32 tagged_above=-999 required=5 tests=[AWL=0.278, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pKR4YujdBT85 for <sipcore@core3.amsl.com>; Sun, 25 Jul 2010 23:37:21 -0700 (PDT)
Received: from mail-iw0-f172.google.com (mail-iw0-f172.google.com [209.85.214.172]) by core3.amsl.com (Postfix) with ESMTP id CF8213A6A17 for <sipcore@ietf.org>; Sun, 25 Jul 2010 23:35:19 -0700 (PDT)
Received: by iwn38 with SMTP id 38so2717872iwn.31 for <sipcore@ietf.org>; Sun, 25 Jul 2010 23:34:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=Pa//1+yeuigPMFkLXFghfDO865jaFekClJgyKr+xFH0=; b=SbA9pJn0IeJ1BLoUaUN3EgIdyBhrYH/rDodOLlv5qu8MJLQkIB9oFdZFkyxmXzuniF Ka/H+r7pBmFQzUY/Jk+rtd8u6iL1GBBGmjy2aCxYFjrUSuWf6GgpAXfIdVnd52BFZG4J 1Oe7x7KNFyi5jkq9VdkiiKOr3oYo/LUVrvJ9Y=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=YVTFSOr0lKn8eqUF1LtLV2gaYoQTclDFtLV+dk641ofw8o9BIRHTa4MHXSAhORoMEo RzsN9gS17YXxQKrXyb4ukWW3s8kL7gI0VKtyOgxlvYjgWdgYovSbu8IP4U05Hql94Deh ErCgfAJ9uabdqoXR40n4BgxMs0N0BVgZ3u2ik=
MIME-Version: 1.0
Received: by 10.231.146.196 with SMTP id i4mr7505692ibv.110.1280126098642; Sun, 25 Jul 2010 23:34:58 -0700 (PDT)
Received: by 10.231.169.14 with HTTP; Sun, 25 Jul 2010 23:34:58 -0700 (PDT)
In-Reply-To: <EDC0A1AE77C57744B664A310A0B23AE214ADDBBD@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com>
References: <AANLkTim-f7vZ1IFS3WhVS9G8Mg1dhueN8tevLb_xDRR1@mail.gmail.com> <AANLkTilRRmWt30XOp3VKn2Xtzv71-EDUfyyUSOb0J3Bk@mail.gmail.com> <9886E5FCA6D76549A3011068483A4BD4065E732E@S4DE8PSAAQB.mitte.t-com.de> <4C49951C.8050202@cisco.com> <EDC0A1AE77C57744B664A310A0B23AE214925C62@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com> <4C49A337.3010503@cisco.com> <EDC0A1AE77C57744B664A310A0B23AE214ADDBBD@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com>
Date: Mon, 26 Jul 2010 01:34:58 -0500
Message-ID: <AANLkTikt8DLrnnoBcGFHj6RbWi3t-wJmnNJknJ8tR71A@mail.gmail.com>
From: Mary Barnes <mary.ietf.barnes@gmail.com>
To: "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>
Content-Type: multipart/alternative; boundary="0016e64ec4cc6099c6048c449504"
Cc: "sipcore@ietf.org" <sipcore@ietf.org>, "R.Jesske@telekom.de" <R.Jesske@telekom.de>
Subject: Re: [sipcore] Updated 4244bis and new call flow document
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Jul 2010 06:37:23 -0000

Yes - the use of trust domain in this document is intended to be that
defined in RFC 3325.  The use of the term "responsible domain" is based on
core RFC 3261 - e.g., "....domains the proxy is configured to be responsible
for" as noted in section 16.4.

RFC 4244 did not introduce any new definitions or concepts wrt domains/trust
domains and relies entirely on RFC3261 and RFC3325 for these concepts. I
can't see that the text in RFC 4244bis contradicts with the usages of the
terms defined in those RFCs. But, I might be too familiar with the doc to
see that.

Thanks,
Mary.


On Mon, Jul 26, 2010 at 1:22 AM, DRAGE, Keith (Keith) <
keith.drage@alcatel-lucent.com> wrote:

> I suspect the text was meant to mean trust domain as in RFC 3325.
>
> Note that it is not necessarily the RFC 3325 trust domain (different
> headers can have different trust domains). But it does need to do a similar
> job to RFC 3324/3325 in defining the concept of the trust domain.
>
> regards
>
> Keith
>
> > -----Original Message-----
> > From: Paul Kyzivat [mailto:pkyzivat@cisco.com]
> > Sent: Friday, July 23, 2010 3:12 PM
> > To: DRAGE, Keith (Keith)
> > Cc: R.Jesske@telekom.de; sipcore@ietf.org
> > Subject: Re: [sipcore] Updated 4244bis and new call flow document
> >
> > Keith,
> >
> > You raise a good point. It forced me to go back and review
> > 3323 and 3325.
> >
> > 3323 defines a "privacy service" which the UAC can use to
> > assist it in obtaining privacy. The UAC is expected to
> > arrange for its requests to be routed through a privacy service.
> >
> > The notion of trust domain is introduced in 3325. It
> > introduces the "id"
> > privacy value, which is to be removed at the boundary of the
> > trust domain, but not before then. It doesn't say anything
> > about where privacy services exist in the network. Its my
> > assumption that there must be a privacy service on the
> > boundary of the trust domain that acts on the "id" privacy
> > type. But this is not explict. And even if this is implied,
> > its hard to say if it would be a full privacy service that
> > can be counted upon to act upon other privacy types in the request.
> >
> > Hence, a UAC that wishes "header" or "session" privacy has
> > nothing better to go on than 3323, which recommends that it
> > route its outbound request directly to a privacy service. If
> > that privacy service is compliant with 4244bis, it will
> > anonymize what is in the H-I header at that time. But then
> > any entries added downstream of that point will not be anonymized.
> >
> > So I think there really is something wrong with the referenced text.
> > If the use of "domain" was intended to be "trust domain" then
> > its dependent on 3325. If it was intended to mean "DNS
> > domain", then its still implying there is a privacy service
> > that will magically be traversed when leaving the DNS domain.
> >
> >       Thanks,
> >       Paul
> >
> > DRAGE, Keith (Keith) wrote:
> > > If we are going to talk about trust domains in the
> > document, then you will have to say what they are.
> > >
> > > For the RFC 3325 stuff there is most of a document that
> > talks about that. Moreover, you need to say what to "trust"
> > the next entity to do if you do not do it.
> > >
> > > To give some idea of what I mean. Statements like "I will
> > give you the identity if you do not reveal it to anyone
> > outside our area of trust" are slightly different to "I trust
> > you to implement the privacy that I otherwise would have done
> > so if I did not trust you".
> > >
> > > regards
> > >
> > > Keith
> > >
> > >> -----Original Message-----
> > >> From: sipcore-bounces@ietf.org
> > >> [mailto:sipcore-bounces@ietf.org] On Behalf Of Paul Kyzivat
> > >> Sent: Friday, July 23, 2010 2:12 PM
> > >> To: R.Jesske@telekom.de
> > >> Cc: sipcore@ietf.org
> > >> Subject: Re: [sipcore] Updated 4244bis and new call flow document
> > >>
> > >>
> > >>
> > >> R.Jesske@telekom.de wrote:
> > >>> Hi Mary,
> > >>> With regard to your question for comments/review, I went
> > >> thought the draft.
> > >>> For http://www.ietf.org/id/draft-ietf-sipcore-rfc4244bis-01.txt
> > >>>
> > >>> I have the following comments:
> > >>>
> > >>>
> > >>> 6.3.2.  Privacy in the History-Info Header
> > >>>
> > >>> ...
> > >>> If the requestor has indicated a priv-
> > >>>    value of "session" or "header" in the request, all History-Info
> > >>>    entries MUST be anonymized when the request leaves a
> > >> domain for which
> > >>>    the intermediary is responsible.
> > >>> ...
> > >>>
> > >>> In this section it is mentioned that the entries must be
> > >> anonymized when leaving the domain. I thought that if a trust
> > >> relationship between domains are existing and the following domain
> > >> secures the "privacy" then the information could be forwarded and
> > >> will then deleted by the succeeding domain before reaching the
> > >> terminating user.
> > >>> Some regulators are requesting to pass identities until the
> > >> last domain where it is possible to execute the privacy regarding
> > >> RFC3323. So I think this is a MAY based on domain policy.
> > And it is a
> > >> MUST when the succeeding network cannot guarantee the privacy.
> > >>> Or do I misunderstand the meaning of "domain for which the
> > >> intermediary is responsible"
> > >>
> > >> I'm not an expert on this, but ISTM that in the case you
> > describe the
> > >> request is not leaving the *trust* domain.
> > >>
> > >> But that does point out ambiguity in the text you quote.
> > That kind of
> > >> wording "domain for which the intermediary is responsible"
> > is usually
> > >> talking about *DNS* domains, not
> > >> *trust* domains. So maybe that should say:
> > >>
> > >>   ...
> > >>   If the requestor has indicated a priv-value of "session"
> > or "header"
> > >>   in the request, all History-Info entries MUST be
> > anonymized when the
> > >>   request leaves a *trust* domain for which the intermediary is
> > >>   responsible.
> > >>   ...
> > >>
> > >>    Thanks,
> > >>    Paul
> > >> _______________________________________________
> > >> sipcore mailing list
> > >> sipcore@ietf.org
> > >> https://www.ietf.org/mailman/listinfo/sipcore
> > >>
> >
> _______________________________________________
> sipcore mailing list
> sipcore@ietf.org
> https://www.ietf.org/mailman/listinfo/sipcore
>

v2.23.0 | Report a Bug | By Email