IETF Logo Mail Archive

Re: [sipcore] Proposal for a new SIP transport (WebSocket)

Iñaki Baz Castillo <ibc@aliax.net> Tue, 01 November 2011 17:27 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2548511E8094 for <sipcore@ietfa.amsl.com>; Tue, 1 Nov 2011 10:27:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.344
X-Spam-Level:
X-Spam-Status: No, score=-2.344 tagged_above=-999 required=5 tests=[AWL=-0.267, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_24=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YnTeJYycPrwt for <sipcore@ietfa.amsl.com>; Tue, 1 Nov 2011 10:27:34 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 578671F0C44 for <sipcore@ietf.org>; Tue, 1 Nov 2011 10:27:34 -0700 (PDT)
Received: by vws5 with SMTP id 5so7132364vws.31 for <sipcore@ietf.org>; Tue, 01 Nov 2011 10:26:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.35.70 with SMTP id f6mr384491vdj.84.1320168089658; Tue, 01 Nov 2011 10:21:29 -0700 (PDT)
Received: by 10.220.184.6 with HTTP; Tue, 1 Nov 2011 10:21:29 -0700 (PDT)
In-Reply-To: <4EB0060A.5020106@alum.mit.edu>
References: <CALiegf=_8GuvEHPR=rFA3Urtj0WxzRFQ4W=_dxkCDKZMbHL_aw@mail.gmail.com> <CALiegf=pRjgBUpLxm3e7CopwSrS8e9BekKdF5ZZEW04S29-XnA@mail.gmail.com> <4EAEE023.6010600@alum.mit.edu> <CALiegfnqsGrSVCe0OgdaH6sMW2QkXkZ_TJg0SzVTE=EY9usyLw@mail.gmail.com> <4EAEFC94.3050207@alum.mit.edu> <CALiegfk1Annk8-W8K=A8h9nEq_4Lj0neepA59-NmDRk7RLXroQ@mail.gmail.com> <4EB0060A.5020106@alum.mit.edu>
Date: Tue, 01 Nov 2011 18:21:29 +0100
Message-ID: <CALiegfkAeMWrpF1=GDfBm55uOOhsqGuK_gyVBrr0Pa74PyphAg@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: sipcore@ietf.org
Subject: Re: [sipcore] Proposal for a new SIP transport (WebSocket)
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Nov 2011 17:27:35 -0000

2011/11/1 Paul Kyzivat <pkyzivat@alum.mit.edu>:
>> Ok. So I will leave "sips" schema which in the context of WebSocket
>> transport requires WebSocket over TLS ("wss" schema in the WebSocket
>> URI connection of the client).
>
> And adjust examples and rules to be compliant with sips usage.

Sure.



>> Ok. IMHO "sips" is just impossible to work since a proxy adding a
>> "sips" schema must use a domain in the Record-Route, and such domain
>> could resolve to multiple NAPTR/SRV/A/AAAA records, so we loose the
>> pach for in-dialog requests and that's critical when Outbound is being
>> used. However this is another history out of the scope here.
>
> Reports on problems trying to implement sips are welcome.

Yes, sorry, let's discuss about it in a new future thread.




>> Let's assume that:
>>
>> - A SIP Websocket client is a real client (not a proxy or server).
>> - The spec will require Outbound so ;received and ;rport is 100%
>> useless (even more when the server cannot try the IP in
>> ;received/;rport for sending a response in case the connection is
>> closed since a WebSocket client does not listen for incoming
>> connections).
>
> I think you are saying that those are useless with outbound in general, so
> the remedy you are suggesting could be abstracted to all uses of outbound.
> Is that right?

Well, in case of SIP over UDP/TCP/TLS usage of ;received param is
indeed useless. But in case of SIP over WebSocket is not just useless
but also dangerous as it reveals to the WS client the IP of a possible
TCP/HTTP load-balancer before the WebSocket SIP server. Such internal
IP is hidden for the WS client during the WebSocket handshake (an HTTP
GET request + 101 response).



>> So IMHO it's clear that ;received is useless in SIP over WebSocket,
>> and it can reveal server internal infrastructure to the client. So,
>> what can we do here? IMHO the SIP WebSocket server/proxy should be
>> able not to set the ;received param given the above rationale.
>
> Why is this internal structure more important to hide in the websocket case
> than in other cases? Is this just for the paranoid?

I'm not involved in HTTP scenarios but I got some interesting replies
about this subject in Hyby WG (WebSocket WG):

  http://www.ietf.org/mail-archive/web/hybi/current/msg09091.html

Some text in that thread:
------------------------------
Yes, the problem comes from the fact that a protocol that is used across
a number of intermediaries would suddenly transport sensible information.
Internal IP addresses *are* sensible information to a number of companies.
Whether this makes sense or not is not our problem, these companies don't
want their internal networks to be unveiled to outers and they have their
reasons for this. Now if your usual WS server emits its address in every
response and the reverse-proxy that is placed in front of it does not
change it, all of your clients will get this information they don't need.

> BTW it would be really great a simple "Connection-Source" header in
> the HTTP 101 response during the WS handshake. Examples:
>
>   Connetion-Source: 34.67.123.94:26745
>
>   Connection-Source: [20a:12::3dde:190:ed5]:19443

Same problem, you'll divulgate the IP:port of the reverse-proxy to clients
and the number of reverse-proxies. It can even be used by attackers to
detect that they managed to crash one of them because after a specific
request, they use another one.

An HTTP chain very commonly involves these components :

  [client]----[proxy]-------//// net ////-------[rproxy]------[server]

The proxy commonly is on the client's network in enterprises, or at
the ISP's for home or mobile users. The "net" may involve a number of
transparent intermediaries, but that's not that much common though.
The reverse proxy (rproxy) generally is on the server side. It's in
fact common to see a long chain of many of them. 3-5 are not uncommon
these days, though some of them may be transparent. I have not even
represented NAT devices such as firewalls or some L4 load balancers
which often don't rewrite the source IP but change the source port.
------------------------------



> One of the justifications for SBCs is so that they can do "topology hiding".
> Are you just asking for a special case of this?

Well, IMHO "topolgy hiding" means that the SBC hides leg-A details into leg-B.
What I'm suggesting is that the server (the SIP WebSocket server)
should not reveal to the client sensible information about internal IP
addresses of the provider TCP/HTTP load-balancers located in server
side. IMHO the thread above (the link) justifies that with good
rationale.

However I don't think that omitting the ;received stuff in the SIP
WebSocket server is something critical. As said before, ;received is
useless in SIP over WebSocket: it's a connection oriented protocol so
responses are sent using the same connection, and in case such
connection is closed responses cannot be sent to the WS client since
the WS client does not liste for incoming connections. The same occurs
with SIP TCP natted clients, but in this last case revealing the
;received IP is not a risk.


Regards.

-- 
Iñaki Baz Castillo
<ibc@aliax.net>

v2.23.0 | Report a Bug | By Email