[sipcore] draft-kaplan-sip-secure-call-id-00
"Dale Worley" <dworley@nortel.com> Wed, 24 June 2009 21:18 UTC
Return-Path: <dworley@nortel.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 98A523A6D67 for <sipcore@core3.amsl.com>; Wed, 24 Jun 2009 14:18:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.724
X-Spam-Level:
X-Spam-Status: No, score=-6.724 tagged_above=-999 required=5 tests=[AWL=-0.125, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c07On7FvfmP2 for <sipcore@core3.amsl.com>; Wed, 24 Jun 2009 14:18:30 -0700 (PDT)
Received: from zcars04e.nortel.com (zcars04e.nortel.com [47.129.242.56]) by core3.amsl.com (Postfix) with ESMTP id 173463A6CF8 for <sipcore@ietf.org>; Wed, 24 Jun 2009 14:18:29 -0700 (PDT)
Received: from zrtphxs1.corp.nortel.com (zrtphxs1.corp.nortel.com [47.140.202.46]) by zcars04e.nortel.com (Switch-2.2.0/Switch-2.2.0) with ESMTP id n5OLH6028462 for <sipcore@ietf.org>; Wed, 24 Jun 2009 21:17:06 GMT
Received: from [47.16.90.165] ([47.16.90.165]) by zrtphxs1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 24 Jun 2009 17:18:33 -0400
From: Dale Worley <dworley@nortel.com>
To: SIPCORE <sipcore@ietf.org>
Content-Type: text/plain
Organization: Nortel Networks
Date: Wed, 24 Jun 2009 17:18:32 -0400
Message-Id: <1245878312.3748.84.camel@victoria-pingtel-com.us.nortel.com>
Mime-Version: 1.0
X-Mailer: Evolution 2.12.3 (2.12.3-5.fc8)
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 24 Jun 2009 21:18:33.0565 (UTC) FILETIME=[5460D0D0:01C9F511]
Subject: [sipcore] draft-kaplan-sip-secure-call-id-00
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2009 21:18:31 -0000
The difficulty with draft-kaplan-sip-secure-call-id-00 is that it provides no mechanism for a B2BUA or other device to switch from Call-Id-obscuring to Call-Id-preserving behavior, even when the SIP elements involved are trying to cooperate. For example, suppose I'm a SIP network provider with Acme Packet SBCs at the boundary of my network. Currently, the SBCs obscure Call-Ids for reasons of commercial secrecy. If I replace some or all of the UAs in the network with ones that generate Call-Ids according to the draft, nothing happens -- there's no way for the SBCs to detect that the Call-IDs conform to the draft, and change their behavior. My only option is to update *all* the UAs, then reconfigure the SBCs to not obscure Call-Ids. This is probably unworkable even in enterprise PBX systems, much less walled-garden service provider networks -- and yet we want the mechanism to work in open and nearly-open SIP networks. What the draft needs is not the current "negative criterion" that enables B2BUAs to detect Call-Ids that definitely do not conform to the draft, but a "positive criterion" that enables B2BUAs to detect Call-Ids that *do* conform to the draft. We did this sort of thing before, with the "magic cookie" z9hG4bK in the branch value to distinguish RFC 3261 from RFC 2453 messages. So let us define the "new" Call-Id format to be: callid = "+)puK>" 22*( %x41-5A ; "A"-"Z" / %x61-7A ; "a"-"z" / %x30-39 ; "0"-"9" / "_" / "." / "!" ) That provides 132 bits of randomness in 28 characters, and most likely a string of that format has never existed in the history of the world. So when a B2BUA sees a Call-Id of that format, it can trust that the value was generated properly and can avoid changing it. Dale
- [sipcore] draft-kaplan-sip-secure-call-id-00 Dale Worley
- Re: [sipcore] draft-kaplan-sip-secure-call-id-00 Hadriel Kaplan