IETF Logo Mail Archive

Re: [sipcore] draft-kaplan-sip-session-id-02

Hadriel Kaplan <HKaplan@acmepacket.com> Mon, 20 July 2009 00:55 UTC

Return-Path: <HKaplan@acmepacket.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 19BE328C161 for <sipcore@core3.amsl.com>; Sun, 19 Jul 2009 17:55:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cx8vf5lolfUh for <sipcore@core3.amsl.com>; Sun, 19 Jul 2009 17:55:53 -0700 (PDT)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id 0A4C028C162 for <sipcore@ietf.org>; Sun, 19 Jul 2009 17:54:02 -0700 (PDT)
Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.1.375.2; Sun, 19 Jul 2009 20:54:01 -0400
Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Sun, 19 Jul 2009 20:53:59 -0400
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: Dale Worley <dworley@nortel.com>, "sipcore@ietf.org" <sipcore@ietf.org>
Date: Sun, 19 Jul 2009 20:53:59 -0400
Thread-Topic: [sipcore] draft-kaplan-sip-session-id-02
Thread-Index: AcoIqtSPtz9zA6BtTM6gsU7oe1O8AwAJuwTQ
Message-ID: <E6C2E8958BA59A4FB960963D475F7AC3196CEBC847@mail>
References: <1245876685.3748.61.camel@victoria-pingtel-com.us.nortel.com> <C6A11A02FF1FBF438477BB38132E474104B236BB@EITO-MBX02.internal.vodafone.com> <40FB0FFB97588246A1BEFB05759DC8A00330040F@S4DE9JSAANI.ost.t-com.de> <C6A11A02FF1FBF438477BB38132E474104B23BFB@EITO-MBX02.internal.vodafone.com> <E6C2E8958BA59A4FB960963D475F7AC3196C795F9B@mail> <1247883283.4025.2.camel@victoria-pingtel-com.us.nortel.com>
In-Reply-To: <1247883283.4025.2.camel@victoria-pingtel-com.us.nortel.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [sipcore] draft-kaplan-sip-session-id-02
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2009 00:55:54 -0000

Hi Dale,
The thing is they're really trying to solve different things, though I know I didn't do a good job explaining it at the last WG meeting. :(

The secure-call-id is trying to provide a real Call-ID value which middleboxes won't change - for middleboxes that change it for the specific purpose of privacy or topology-hiding.  And by that I mean a real Call-ID: useful for dialog matching, the dialog-events package, and any of the things a Call-ID value is used in (there are many, as you know).

People put Call-ID values in all sorts of things, and expect it to work end-to-end, and are "surprised" when something in the middle changed them.  So secure-call-id is trying to provide a Call-ID that won't be changed by those middleboxes.  It *will* still be changed by other B2BUA's, for example many IP-PBX's and App Servers change the Call-ID, and will continue doing so.  It's ok that they do - most of the applications which use Call-ID's are targeted to those IP-PBXs/App-Servers, and they have some other reasons for changing them.

Session-ID is for something different: a session identifier which crosses any form of middlebox including real/full B2BUA's, but is not used for the dialog-matching type things a Call-ID is used for.  When I tried to use it for some of those other things, I got feedback with concern that it was subverting the Call-ID mechanism - if a B2BUA changed the Call-ID then it was unwise of me to try to second-guess it and bypass its replacement.  I agreed with that concern, so Session-ID is for troubleshooting purposes only at this time.

So the two mechanisms are not at odds, nor are they alternatives for the same thing.

A middlebox which replaces Call-ID's *does* know if it's a secure-call-id.  If it has no '@', and no IP Addr/hostname format in it, it's sufficiently benign to not change.

-hadriel

> -----Original Message-----
> From: sipcore-bounces@ietf.org [mailto:sipcore-bounces@ietf.org] On Behalf
> Of Dale Worley
> 
> The Session-Id has a tremendous advantage over the "secure Call-Id":  In
> a system that is not tightly managed by a central authority, middleboxes
> have no way of knowing whether a UA is generating "secure Call-Ids" or
> not.  So they must replace all Call-Ids, subverting the UAs that are
> generating secure Call-Ids.  But (absent malice on the part of UAs),
> Session-Ids are known to be secure, and middleboxes know not to replace
> them.  So I think we should deprecate draft-kaplan-sip-secure-call-id in
> favor of draft-kaplan-sip-session-id.
> 
> Dale

v2.23.0 | Report a Bug | By Email