Re: [sipcore] 4244bis and privacy
Hans Erik van Elburg <ietf.hanserik@gmail.com> Thu, 25 June 2009 15:49 UTC
Return-Path: <ietf.hanserik@gmail.com>
X-Original-To: sipcore@core3.amsl.com
Delivered-To: sipcore@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A527A3A687F for <sipcore@core3.amsl.com>; Thu, 25 Jun 2009 08:49:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.414
X-Spam-Level:
X-Spam-Status: No, score=-2.414 tagged_above=-999 required=5 tests=[AWL=-0.184, BAYES_00=-2.599, HTML_MESSAGE=0.001, URI_HEX=0.368]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1crtFHQuPoN4 for <sipcore@core3.amsl.com>; Thu, 25 Jun 2009 08:49:52 -0700 (PDT)
Received: from mail-ew0-f210.google.com (mail-ew0-f210.google.com [209.85.219.210]) by core3.amsl.com (Postfix) with ESMTP id D212A3A6839 for <sipcore@ietf.org>; Thu, 25 Jun 2009 08:49:51 -0700 (PDT)
Received: by ewy6 with SMTP id 6so2389940ewy.37 for <sipcore@ietf.org>; Thu, 25 Jun 2009 08:48:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=7fQadmFlc3eEyd/5SosgYBgWxDO6FlV95s5Ycxsa0Ps=; b=hkwj16dpqJ+pGQZDT9GmlDUYqWritip/mlBkORPMigz6jFOffbs90TGcqc/+82zyFb 27GuZx/lmqkKaB8wqJza7Z9YwpOFcSlt8Rm5sz/BI/PwVFRjaEKGzW+7sycb47kfCV4V fjJPrkvAwUFjvwAsZ/rj2sDl1rxvOH77F0ZCg=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=T9UdjAJK/5MmMXcXKdpxRN18sVhCiKFtyb0DWg27KboK1iH4QjmMDrPI8xGWCqGkzP HjXkrvtwoMyh+kp0DDon+4YGgxo/KPn/ElG0/ho5OC1+bC0c/gJzhn3JbRerh/8+RfI8 nvQSOTeAIPWyTRSKJk1aQplYz921D5/hLxptE=
MIME-Version: 1.0
Received: by 10.216.19.17 with SMTP id m17mr770671wem.187.1245944898685; Thu, 25 Jun 2009 08:48:18 -0700 (PDT)
In-Reply-To: <C0E80510684FE94DBDE3A4AF6B968D2D05F042EC@esealmw118.eemea.ericsson.se>
References: <CA9998CD4A020D418654FCDEF4E707DF0B168320@esealmw113.eemea.ericsson.se> <1ECE0EB50388174790F9694F77522CCF1EA7FE55@zrc2hxm0.corp.nortel.com> <CA9998CD4A020D418654FCDEF4E707DF0B168323@esealmw113.eemea.ericsson.se> <C0E80510684FE94DBDE3A4AF6B968D2D05EDBB6C@esealmw118.eemea.ericsson.se> <1ECE0EB50388174790F9694F77522CCF1EA809F4@zrc2hxm0.corp.nortel.com> <C0E80510684FE94DBDE3A4AF6B968D2D05EDC4E0@esealmw118.eemea.ericsson.se> <1ECE0EB50388174790F9694F77522CCF1EAD7773@zrc2hxm0.corp.nortel.com> <C0E80510684FE94DBDE3A4AF6B968D2D05F042EC@esealmw118.eemea.ericsson.se>
Date: Thu, 25 Jun 2009 17:48:18 +0200
Message-ID: <9ae56b1e0906250848l106e8a16j39fbca1ff3541c36@mail.gmail.com>
From: Hans Erik van Elburg <ietf.hanserik@gmail.com>
To: Ian Elz <ian.elz@ericsson.com>
Content-Type: multipart/alternative; boundary="0016364c76ff188d3a046d2e277d"
Cc: sipcore@ietf.org, Shida Schubert <shida@agnada.com>
Subject: Re: [sipcore] 4244bis and privacy
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/sipcore>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jun 2009 15:49:55 -0000
Ok Ian, now I see what you mean. You are saying that if A calls B which forwards to C, that A indicating that privacy is required should not prohibit B to choose to deliver its identity to C, right? I think I agree with you that this is a point that needs to be addressed by 4244bis. Best Regards, /Hans Erik van Elburg On Thu, Jun 25, 2009 at 5:12 PM, Ian Elz <ian.elz@ericsson.com> wrote: > Mary, > > I am a little concerned about one answer that you gave: > > > If you have a Privacy header with a value of "none" and a H-I entry with > Privacy header parameter with value "history" what is the privacy of the > individual H-I entry? > [MB] We did not explicitly address the "none" in RFC 4244, but the > general statement is the privacy headers at the request level override > any at the hi-entry level. [/MB] > > This means that if privacy is required for an individual H-I entry but > the originating user included "Privacy:none" in the request then there > is no option to include the real URI in the H-I entry. > > This occurs as RFC3323 states in section 4.3: "However, if the Privacy > header value of 'none' is specified in a message, privacy services MUST > NOT perform any privacy function and MUST NOT remove or modify the > Privacy header." > > The only option for an intermediate node including a H-I entry where > "Privacy:none" is specified and privacy for the H-I URI is required is > to include an anonymous entry or not include the H-I entry. > > In your previous response you stated that we would violate RFC3323 if we > specified additional behaviour for privacy explicitly stated with a URI > -n the H-I entry. I don't believe that this is the case as RFC3323 only > considered privacy in a two party scenario and did not consider third > party identities being included in a message between two parties. H-I is > not the only case where this occurs as the Referred-By header when > included in the INVITE (or other request) which results from the REFER > has the same issue. > > RFC4244 was the first time that there was a recognition that privacy for > these individual third party identities may be required. To allow this > explicit statement of privacy to be overridden by a generic statement > which is applicable to a different user is counterintuitive. > > The original Privacy header is usually included by or on behalf of the > originating user and should not be allowed to specify the privacy of the > original called user, e.g. the 800 number, and prevent this identity > being presented if this user does not have the same level of privacy. > > The real issue with the 800 scenario is as you have stated is that the > answerer will not know the original called identity and will not be able > to correctly handle the call. As more generic call centres are used > which will answer calls on behalf of many different organizations using > CTI and the original called identity to have to implement a generic > system asking the caller who he originally called appear unprofessional, > is inefficient and unproductive. > > We have an opportunity to allow presentation of specific identities and > to solve this particular problem so we should take it. > > I hope that we can get some wider discussion on this issue so a more > general consensus can be obtained. > > Regards > > Ian > > > > -----Original Message----- > From: Mary Barnes [mailto:mary.barnes@nortel.com] > Sent: 24 June 2009 17:27 > To: Ian Elz > Cc: Christer Holmberg; Hans Erik van Elburg; Shida Schubert; > sipcore@ietf.org; Francois Audet > Subject: RE: 4244bis and privacy > > Hi Ian, > > Responses inline below [MB]. > > Mary. > > -----Original Message----- > From: Ian Elz [mailto:ian.elz@ericsson.com] > Sent: Wednesday, June 24, 2009 10:37 AM > To: Barnes, Mary (RICH2:AR00) > Cc: Christer Holmberg; Hans Erik van Elburg; Shida Schubert; > sipcore@ietf.org; Audet, Francois (SC100:3055) > Subject: RE: 4244bis and privacy > > Mary, > > I was not proposing that we change the handling of H-I which is based > upon local policy. If that causes an issue for a network operator then > they can modify their local policy accordingly or arrange with the proxy > vendor to modify their equipment to be more flexible with regards to > policy. > > Can you clarify for me: > > If you have a Privacy header with either "session" or "header" doe this > impact the H-I entries or will only a value of "history" impact the H-I > entries? > [MB] Yes, both "session" and "header" level privacy, consistent with RFC > 3323, mandate that entries be anonymized or dropped, with the latter > being the recommendation for "session" level privacy. RFC 4244 mandated > that they be dropped and 4244bis recommends they be anonymized. The > original intent for the value of "history" was for the tagging of the > individual entries, but you end up getting the header level > functionality as well. [/MB] > > If you have a Privacy header with a value of "none" and a H-I entry with > Privacy header parameter with value "history" what is the privacy of the > individual H-I entry? > [MB] We did not explicitly address the "none" in RFC 4244, but the > general statement is the privacy headers at the request level override > any at the hi-entry level. [/MB] > > From reading RFC4244 a Privacy header with value "history" will > effectively make all H-I entries private and there is currently no > option to include a H-I Privacy header parameter with value "none". > [MB] Correct, per my comment above. [/MB] > > H-I at present allows the inclusion of Privacy header parameters to > explicitly express privacy for an individual H-I entry but a single node > which includes a header "Privacy: history" makes all H-I entries private > even if this is not the requirements for the specific URI. > [MB] Correct, but the only node that should add the header is a node > which is responsible for the domain associated with the Request URI in > the incoming request or is authorized to do so. [/MB] > > I will admit that having worked in a telephony environment for a long > time I am used to having privacy of identities set on a per number basis > and the relative inflexibility of the IETF Privacy header is relatively > restrictive as to specifying which identities may be presented and which > not. > [MB] Yes, this is an entirely different paradigm. I developed telephony > s/w for over a decade and this is entirely different - it provides a lot > more flexibility, which makes things far, far less deterministic than > what you have in telephony switches where your routing and translations > are configured for the most part, with just a few capabilities for > controlling the privacy and it's a closed network. > > With RFC4244/4244bis, there MUST be a mechanism at the UAS or end > application that can handle a request that doesn't have the appropriate > information either because nodes didn't support History-Info or some > random node in the network applied privacy (which I think is highly > unlikely) - this is normative per section 5 of RFC 4244. So, the worst > case scenario I see for this 800 service (which will get to the right > UAS but without the exact 800 number that was dialed) is that it goes to > a default ACD group/customer service agent, etc. who then needs to > gather the appropriate information and in my experience this is often an > IVR system these days. So, the service is not broken when privacy is > applied in an undesireable manner, it's just not optimal. This is > something that should be addressed in the target-uri draft which has all > the details of how specific services use History-Info. > One other thing to consider is that most networks that are emulating > telephony type features use B2BUAs, which follow the UAS/UAC rules for > the header rather than the proxy rules, noting that the UAC can set the > Privacy header to whatever value it sees as appropriate for the request. > [/MB] > > > Regards > > Ian > > -----Original Message----- > From: Mary Barnes [mailto:mary.barnes@nortel.com] > Sent: 24 June 2009 15:48 > To: Ian Elz > Cc: Christer Holmberg; Hans Erik van Elburg; Shida Schubert; > sipcore@ietf.org; Francois Audet > Subject: RE: 4244bis and privacy > > Hi Ian, > > I do not believe we should do the "override" behavior as I think that > violates RFC 3323, as the "history" is really a subset of the cases > whereby a UAC or proxy would add "session" or "header" to the request. > And, the latter two cases have the same (undesireable) result. I agree > this impacts your services, but we can't mandate that proxies provide > information that might violate their local policies and indeed a proxy's > local policies can result in the information being anonymized (or > removed if they can't anonymize) even in the "none" case. > > I do believe it's reasonable that we strongly recommend that the request > level (versus specific hi-entries) not be used and if it is used, the > consequence is that some services will not have the information they > need - this was the gist of my previous response (to which I did not get > any additional feedback). Now, we could add some text that the "none" > case SHOULD be used (e.g., added by first hop proxy) if it is desired > that the information not be subject to privacy restrictions. I do not > think it is then particularly useful to add logic around the proxy then > being able to tag the entries within their domain as subject to privacy. > I think that conflicts with the intent of the request level "none". > However, as I mention above, per the current text, a proxy can (based on > local policy) remove entries - so a proxy can capture hi within their > domain and not forward any of that information to the next hop in > another domain - you already have that functionality. But, I think this > introduces the general problem that you might be impacting other > services further down the line, which I thought was the problem you were > wanting to solve - not specifically your example service but, for > example, in the case that someone is debugging and they want the entire > history, so depending upon the service, this is also undesirable > behavior. > > > Regards, > Mary. > > -----Original Message----- > From: Ian Elz [mailto:ian.elz@ericsson.com] > Sent: Wednesday, June 24, 2009 2:57 AM > To: Barnes, Mary (RICH2:AR00) > Cc: Christer Holmberg; Hans Erik van Elburg; Shida Schubert; > sipcore@ietf.org; Audet, Francois (SC100:3055) > Subject: RE: 4244bis and privacy > > > Mary, > > [I have added the list to this thread for wider comment.] > > In the previous discussions I commented that in RFC4424 that a Privacy > header with value "history" effectively makes all H-I entries private > with the result that the H-I entries may be removed. > > There has now been a comprehensive discussion on indication of the > initial 'target' to the final recipient for call handling purposes. > > The main use case related to a freephone example where the answering > location may be a call centre where the original freephone number may be > required for correct call handling. > > If you now consider the following example (modified from Francois' text > in the latest draft - excuse any errors that I may have inserted) > > INVITE sip:sip:+18001234567@example.com<sip%3Asip%3A%2B18001234567@example.com> > ;user=phone;p=x > Privacy: history > History-Info: > <sip:+18001234567@example.com <sip%3A%2B18001234567@example.com>;user=phone;p=x>;index=1;rt;aor > (1) > History-Info: <sip:bob@biloxi.example.com <sip%3Abob@biloxi.example.com> > >;index=1.1;mp;aor > (2) > History-Info: <sip:bob@192.0.2.3 <sip%3Abob@192.0.2.3>>;index=1.1.1;rc > (3) > > In this case due to the Privacy header all of the H-I entries are > considered private and the +18001234567 will not be delivered to the > final destination with the result that call handling may not be correct. > The Privacy header may have been inserted by any of the nodes which > routed the message and inserted a H-I entry. > > If however the H-I was allowed to include a header parameter of > "?Privacy=none" in the H-I entry and that an explicit H-I entry privacy > value would be considered to have precedence over a Privacy header with > a value of "history" then the mapping of the +18001234567 could be > explicitly specified as not private and may be passed on. > > Thus when the mapping from sip:+18001234567@example.com<sip%3A%2B18001234567@example.com>to > sip:bob@biloxi.example.com <sip%3Abob@biloxi.example.com> when H-I entry > (2) above is included could > also insert the Privacy header parameter in H-I entry (1). > > Thus the message would appear as follows: > > INVITE sip:sip:+18001234567@example.com<sip%3Asip%3A%2B18001234567@example.com>; > user=phone;p=x > Privacy: history > History-Info: > <sip:+18001234567@example.com?Privacy=none;user=phone;p=x>;index=1;rt;ao > r > History-Info: <sip:bob@biloxi.example.com <sip%3Abob@biloxi.example.com> > >;index=1.1;mp;aor > History-Info: <sip:bob@192.0.2.3 <sip%3Abob@192.0.2.3>>;index=1.1.1;rc > > This would result in all the H-I entries except (1) being considered > private with the result that the =1800... Number is passed for call > handling purposes. > > This change is backward compatible with the existing implementation as > any node using the existing functionality as defined in RFC4244 will > continue to be supported. > > The alternative is to remove the ability to include the value "history" > in the Privacy header and only allow this value in the Privacy header > parameter. This alternative is not backward compatible. > > Without this change a single node in the message path which includes a > header "Privacy: history" will prevent delivery of the aor and thus > prevent proper call handling. > > Ian Elz > > > > -----Original Message----- > From: Christer Holmberg > Sent: 23 June 2009 19:40 > To: 'Mary Barnes'; Francois Audet; Hans Erik van Elburg; Shida Schubert > Cc: Ian Elz > Subject: RE: 4244bis and privacy > > > Hi, > > I include Ian, so he can comment to your resposne himself. > > Regards, > > Christer > > > -----Original Message----- > From: Mary Barnes [mailto:mary.barnes@nortel.com] > Sent: Tuesday, June 23, 2009 9:40 PM > To: Christer Holmberg; Francois Audet; Hans Erik van Elburg; Shida > Schubert > Subject: RE: 4244bis and privacy > > Here was the thread of response and the last comment was from Ian that > he would consider the response: > http://www.ietf.org/mail-archive/web/sip/current/msg26948.html > > And, there was not agreement on the "none" but rather to qualify the > SHOULD NOT forward. However, in the sipcore-4244bis-00, rather than > changing the text such that the headers SHOULD be removed, we recommend > that they be anonymized (in section 4.3.3.3.1). That is entirely > consistent with RFC 3324 and thus we have removed the recommendations to > remove the headers entirely. However, that changed never got done in > section 3.2, so we would need to change this: > "Thus, the History- Info header > SHOULD NOT be included in Requests where the requestor has indicated > a priv-value of Session- or Header-level privacy." > > But, I'm really beginning to be of the mindset that we should just > remove all the subsections of section 3 (i.e., leave the text in the > upper level section), so we don't have to keep worrying about > consistency. > > So, lets either fixt the text in 3.2 or remove altogether and then I > think we are really at the point of needing to submit this version so > folks that actually have an interest in it can review the updated > document. > > Mary. > > -----Original Message----- > From: Christer Holmberg [mailto:christer.holmberg@ericsson.com] > Sent: Tuesday, June 23, 2009 1:10 PM > To: Barnes, Mary (RICH2:AR00); Audet, Francois (SC100:3055); Hans Erik > van Elburg; Shida Schubert > Subject: 4244bis and privacy > > > Hi, > > Below is a comment/proposal which one of my collegues (Ian Elz) gave on > the list a while ago, when the first version of 4244bis was submitted, > but was not incorporated. Do you think it would be useful? > > ------- > > While the HI approach to target may solve the problem of being able to > deliver the target URI to the final destination there is no guarantee > that it will actually be delivered. > > The problem arises with how Privacy is defined for HI. > > 4424 defines a new Privacy value "history" which may be placed in either > the Privacy header or as a header parameter to the HI entry. > > If one node uses the former option "Privacy: history" then this will > make all headers private and will result in all HI entries being removed > or made anonymous when the message containing the HI is delivered to the > user. > > There is a simple solution to this and that is to also allow the use of > the "none" Privacy value as a header parameter in the HI entry. This > would explicitly state that no privacy is required to the HI entry and > this would override a "history" value in the Privacy header. > > I pointed this out to Mary when the 4424bis draft was first published > but the change has not been made in the latest draft. > > The change is backward compatible and would not cause an issue with any > existing implementations. > > ------ > > Regards, > > Christer > > > > >
- Re: [sipcore] 4244bis and privacy Ian Elz
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy Ian Elz
- Re: [sipcore] 4244bis and privacy Ian Elz
- Re: [sipcore] 4244bis and privacy Hans Erik van Elburg
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Hans Erik van Elburg
- Re: [sipcore] 4244bis and privacy Hans Erik van Elburg
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy R.Jesske
- Re: [sipcore] 4244bis and privacy Hans Erik van Elburg
- Re: [sipcore] 4244bis and privacy R.Jesske
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy R.Jesske
- Re: [sipcore] 4244bis and privacy Mary Barnes
- Re: [sipcore] 4244bis and privacy Elwell, John
- Re: [sipcore] 4244bis and privacy Ian Elz
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Ian Elz
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Elwell, John
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Francois Audet
- Re: [sipcore] 4244bis and privacy Hans Erik van Elburg
- Re: [sipcore] 4244bis and privacy Ian Elz