IETF Logo Mail Archive

Re: [sipcore] 4028bis: forking

Roman Shpount <roman@telurix.com> Tue, 02 June 2020 08:18 UTC

Return-Path: <roman@telurix.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3F0D3A0993 for <sipcore@ietfa.amsl.com>; Tue, 2 Jun 2020 01:18:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y8y1xyiz1CfS for <sipcore@ietfa.amsl.com>; Tue, 2 Jun 2020 01:18:39 -0700 (PDT)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32F133A0971 for <sipcore@ietf.org>; Tue, 2 Jun 2020 01:18:39 -0700 (PDT)
Received: by mail-oi1-x233.google.com with SMTP id s21so2567710oic.9 for <sipcore@ietf.org>; Tue, 02 Jun 2020 01:18:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5xfxjcLyY6/nN32kxazJrNmClDdJlOcmSOyPL4MnD2c=; b=SEqjSFVrVtOysH80iHnqA6I4GrAZGcwYz3cWg3Fid6r60/r2IdDHDRIutA5FNHZ8eY xaNgT3PfFyWRXgDWxX8I8eH9p1Zhp/NUEA2lvU0RJiE9nYoAFo4RdMgpKdhpqdgGG6Zy AVTU0cXDN7C0TBiTmSHf0ofwJSL5GR1eeGpzTovJD5dXbwDbeIfFP3nfIw0L+dxdDqRr YKRlP9mWoSkZ3gKtIsdip/EjFZJ68Q9HyqvhosoK7DceI8KbSH2K31uwY8DRUjGFzi1E zbm59T1ILhGZtXVu0Ec3xYFqtOP1VRvZjdW1FO9lG2dZnh/CFgTmKThAA0uSFU4umdBY 2VBg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5xfxjcLyY6/nN32kxazJrNmClDdJlOcmSOyPL4MnD2c=; b=nulhYz/guwAjAJPt7vB05M2WtL9q46byLgsOLdjBoIdikzPNVZ9v9c9qQTpJnkpVkt mytpR0cG1xf3Dk/++K6sHP81fc/fz73kLKvrm3HUj2JKceiW4GXbab/YRhGjUfae3lh6 xoi2+o7tZjIxKBlghS9GQ23FZ0VpLQ+GxvfwJZLXk3uSmZpvcoMQfapPVswTltL3rLhG zLA6UdvyEBHFJOTELuO9pYtJP2u7MpWkFoNfzh9TpPWHKt9D3LF0s3O3gM8qUKTWMwz/ Kq5JPIfynGvFTsA1nyyZY3KpFrgyM8Jpc1GD4L8Ok4AiAV4xIFoAo9wKbnC+vaDqlEm+ XOmg==
X-Gm-Message-State: AOAM530WugClCrSfApeD1ZMjA79gk/c4zLY/dbzkHfeMxjqaHon5Ohai OI+k47oq1MLxjC5TyS6qm9IquyqtL8k=
X-Google-Smtp-Source: ABdhPJxIUYFKfeWyFBTh2RcUnAihNojg92DknjkPY7+ihHNmthij2618BAeYNNYw+4svna3/J14UtQ==
X-Received: by 2002:aca:1e0f:: with SMTP id m15mr2246257oic.23.1591085918254; Tue, 02 Jun 2020 01:18:38 -0700 (PDT)
Received: from mail-ot1-f41.google.com (mail-ot1-f41.google.com. [209.85.210.41]) by smtp.gmail.com with ESMTPSA id 8sm552633oot.0.2020.06.02.01.18.36 for <sipcore@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Jun 2020 01:18:37 -0700 (PDT)
Received: by mail-ot1-f41.google.com with SMTP id h7so10289977otr.3 for <sipcore@ietf.org>; Tue, 02 Jun 2020 01:18:36 -0700 (PDT)
X-Received: by 2002:a9d:604e:: with SMTP id v14mr8108691otj.39.1591085916228; Tue, 02 Jun 2020 01:18:36 -0700 (PDT)
MIME-Version: 1.0
References: <87zh9rh3r6.fsf@hobgoblin.ariadne.com> <d11b3de6-9c51-91c0-125e-175d6ff15bc5@gmail.com> <CAD5OKxvDsa6fyEVfz2-zPOzSHLtNn9_MoaSgr+ucx6Ba-jPU3Q@mail.gmail.com> <e393d63d-806e-cdd5-ee43-37d6772954b0@gmail.com> <CAD5OKxswTcezuCetbFv6Ec90JNGoc4yoPvLsp_2j9HKaSGYPiw@mail.gmail.com> <0734a24f-a069-1889-b4e0-bc27a39280f5@gmail.com>
In-Reply-To: <0734a24f-a069-1889-b4e0-bc27a39280f5@gmail.com>
From: Roman Shpount <roman@telurix.com>
Date: Tue, 02 Jun 2020 04:18:24 -0400
X-Gmail-Original-Message-ID: <CAD5OKxsBesrojnmmEQ2d-VZgtc4mcqXv8q96AgC4vvO2mo3gYQ@mail.gmail.com>
Message-ID: <CAD5OKxsBesrojnmmEQ2d-VZgtc4mcqXv8q96AgC4vvO2mo3gYQ@mail.gmail.com>
To: OKUMURA Shinji <ietf.shinji@gmail.com>
Cc: SIPCORE <sipcore@ietf.org>, "Dale R. Worley" <worley@ariadne.com>
Content-Type: multipart/alternative; boundary="000000000000d810e905a7158e74"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/ulQ9SwCXoS439sLEd5tDy9pXkQ8>
Subject: Re: [sipcore] 4028bis: forking
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Jun 2020 08:18:42 -0000

Shinji,

Proxies adding Session-Expires header is the primary reason for existence
of SIP Session Timers. This header is added almost exclusively by proxies
in order to maintain dialog state.

Because of this, your proposal makes no sense to me.

As I have said, I would much rather see parallel forking dropped from
supported scenarios.
_____________
Roman Shpount


On Tue, Jun 2, 2020 at 3:49 AM OKUMURA Shinji <ietf.shinji@gmail.com> wrote:

> Roman,
>
> > I have an issue with two of your proposals:
> >
> > 1. Proxy cannot add Session-Timer
> > 2. Proxy cannot generate 422 response
>
> I'm not suggesting that proxy cannot add Session-Timer. The use of "should
> not" may not have been appropriate. I think it is a requirement levels
> issue.
> How about rephrasing it as follows?
>
> "A UAC and proxies MAY add a Session-Expires header, but it is NOT
> RECOMMENDED."
>
> Obviously, legacy proxies add a Session-Expires header, so another proxy
> need to be prepared for that.
>
> Shinji
>
> On 2020/06/02 15:16, Roman Shpount wrote:
> > Shinji,
> >
> > I have an issue with two of your proposals:
> >
> > 1. Proxy cannot add Session-Timer
> > 2. Proxy cannot generate 422 response
> >
> > Both break session timer as it is implemented and used now.
> >
> > Best,
> > _____________
> > Roman Shpount
> >
> >
> > On Mon, Jun 1, 2020 at 9:51 PM OKUMURA Shinji <ietf.shinji@gmail.com
> <mailto:ietf.shinji@gmail.com>> wrote:
> >
> >     Roman,
> >
> >     Three(b, c, d) of my suggestions are the same as RFC4028. The last
> one(a) also does not violate the RFC4028. Therefore, this situation can
> occur even with the current regulations.
> >
> >     And rules regarding Min-SE have not changed. Even without using the
> 422 response, proxies can indicate the desired Min-SE to a UAS. So if there
> is a security risk, it means that the RFC4028 has the same risk.
> >
> >     Regards,
> >
> >     Shinji
> >
> >     On 2020/06/02 2:02, Roman Shpount wrote:
> >      >    Shinji,
> >      >
> >      > The main purposes of session timers is to allow SIP proxies to
> maintain dialog state for billing and other purposes. Proxies are the main
> agents that insert Session-Expires header. In most cases there is no reason
> for UA to use session timers since they can normally monitor call presence
> without it. Your proposal makes the most common use case for session timers
> impossible.
> >      >
> >      > Min-SE exists mainly for the purpose of preventing badly behaving
> proxies or UA from overload proxies on the call path or UAS. Not allowing
> proxy to send 422 creates a big security risk.
> >      >
> >      > My general attitude is that parallel forking is broken for a lot
> of use cases anyway, so it should be avoided. I do not think a lot of
> production deployments are actually use parallel forking. Most of the UA
> would not handle multiple 200 OK responses that can be created as a result
> of parallel fork. Session timers are, on the other hand, are used a lot. So
> I would prefer to live with broken or under-specified parallel forking vs
> breaking session timers.
> >      >
> >      > Thank You,
> >      > _____________
> >      > Roman Shpount
> >      >
> >      >
> >      > On Mon, Jun 1, 2020 at 5:57 AM OKUMURA Shinji <
> ietf.shinji@gmail.com <mailto:ietf.shinji@gmail.com> <mailto:
> ietf.shinji@gmail.com <mailto:ietf.shinji@gmail.com>>> wrote:
> >      >
> >      >     Hi,
> >      >
> >      >     I've not intended to suggest a common solution to the
> fork-issue. I am interested in how the fork does not happen. It is related
> to the behavior of proxies and a UAS in the 1st phase that you mention. My
> suggestion is that a UAS and proxies SHOULD avoid returning 422 as much as
> possible.
> >      >
> >      >     Considering backward compatibility, rules are as follows.
> >      >
> >      >     a) A UAC and proxies should not insert a Session-Expires
> header.
> >      >     b) A UAC and proxies may insert a Min-SE header or increase
> the value of it.
> >      >     c) A UAS may insert a Session-Expires header into a 200
> response.
> >      >     d) A proxy may insert a Session-Expires header into a 200
> response, but must not modify it.
> >      >
> >      >     Of course legacy proxies will return 422, but this is
> unavoidable.
> >      >     In that case, the following rule may be useful.
> >      >
> >      >     e) If a proxy increases the value of a Min-SE header and it
> becomes greater than the value of a Session-Expires header, then a proxy
> should increase the value of a Session-Expires header to the value of a
> Min-SE header.
> >      >
> >      >     However, this rule can be problematic in terms of backward
> compatibility.
> >      >
> >      >     Shinji
> >      >
> >      >     On 2020/05/29 11:30, Dale R. Worley wrote:
> >      >      > OKUMURA Shinji <ietf.shinji@gmail.com <mailto:
> ietf.shinji@gmail.com> <mailto:ietf.shinji@gmail.com <mailto:
> ietf.shinji@gmail.com>>> writes:
> >      >      >> As you point out, the other responses(407, 420, ...)
> cause the same problem.
> >      >      >> But session-timer is essentially a kind of pre-condition,
> so I'd like
> >      >      >> to avoid incoming calls to fail because of it. And I'd
> like to sort
> >      >      >> out also the rules in early dialog.
> >      >      >
> >      >      >> On 2020/05/27 19:16, Christer Holmberg wrote:
> >      >      >>> A proxy rejecting a request is not unique to the
> session-timer.
> >      >      >>>
> >      >      >>> If Alice receives a 422 she can send a CANCEL (if other
> early dialogs
> >      >      >>> have been established), and then a new initial INVITE.
> >      >      >
> >      >      > (This has a larger scope than just session-timers.)
> >      >      >
> >      >      > I don't know if the above writers intended this point, but
> reading what
> >      >      > they have said suggests to me this possible behavior for
> proxies (which
> >      >      > I don't recall seeing suggested):
> >      >      >
> >      >      > Note that 422 is one of a number of "pre-condition
> failure" response
> >      >      > codes.  Those have the properties (1) when they are
> generated, they are
> >      >      > generated nearly immediately from the INVITE, and (2) the
> UAC can adjust
> >      >      > the INVITE to prevent them.
> >      >      >
> >      >      > Suppose that if a proxy receives one of these
> "pre-condition failure"
> >      >      > responses, it immediately (or with short delay on a human
> scale) cancels
> >      >      > all remaining forks of the transaction and returns the
> failure response
> >      >      > upstream.
> >      >      >
> >      >      > The effect is to split the "early dialog" phase into two
> sub-phases, (1)
> >      >      > a very short phase where the forking of the INVITE
> effectively probes
> >      >      > for proxies and UASs that object to the the INVITE for
> "pre-condition"
> >      >      > reasons, and (2) a longer phase which resembles the
> current early dialog
> >      >      > phase.
> >      >      >
> >      >      > There are probably refinements needed to make this work in
> all cases.
> >      >      >
> >      >      > Dale
> >      >      >
> >      >
> >      >     _______________________________________________
> >      >     sipcore mailing list
> >      > sipcore@ietf.org <mailto:sipcore@ietf.org> <mailto:
> sipcore@ietf.org <mailto:sipcore@ietf.org>>
> >      > https://www.ietf.org/mailman/listinfo/sipcore
> >      >
> >
>

v2.23.0 | Report a Bug | By Email