AW: AW: AW: [Sipping-tispan] TISPAN requirements, first requiemen ts
"Jesske, R" <R.Jesske@t-com.net> Fri, 26 August 2005 06:03 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org)
by megatron.ietf.org with esmtp (Exim 4.32)
id 1E8XJm-0000z8-QR; Fri, 26 Aug 2005 02:03:58 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org)
by megatron.ietf.org with esmtp (Exim 4.32) id 1E8XJg-0000yx-Dj
for sipping-tispan@megatron.ietf.org; Fri, 26 Aug 2005 02:03:56 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1])
by ietf.org (8.9.1a/8.9.1a) with ESMTP id CAA19598
for <sipping-tispan@ietf.org>; Fri, 26 Aug 2005 02:03:51 -0400 (EDT)
Received: from tcmail33.telekom.de ([217.6.95.240])
by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E8XKJ-0000zY-Pu
for sipping-tispan@ietf.org; Fri, 26 Aug 2005 02:04:34 -0400
Received: from s4de8psaans.mitte.t-com.de by tcmail31.dmz.telekom.de with
ESMTP; Fri, 26 Aug 2005 08:03:40 +0200
Received: by S4DE8PSAANS.blf.telekom.de with Internet Mail Service
(5.5.2653.19) id <RMLS1S3P>; Fri, 26 Aug 2005 08:03:39 +0200
Message-Id: <E7666D92C64C2845AEF12636FF94F95202319EA7@S4DE8PSAAGQ.blf.telekom.de>
From: "Jesske, R" <R.Jesske@t-com.net>
To: pkyzivat@cisco.com
Subject: AW: AW: AW: [Sipping-tispan] TISPAN requirements, first requiemen ts
Date: Fri, 26 Aug 2005 08:03:38 +0200
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: 0.0 (/)
X-Scan-Signature: ce732c7d36989a1bd55104ba259c40a1
Content-Transfer-Encoding: quoted-printable
Cc: sipping-tispan@ietf.org, "Alexeitsev, D" <D.Alexeitsev@t-com.net>
X-BeenThere: sipping-tispan@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussion of requirements for SIP introduced by ETSI TISPAN
<sipping-tispan.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sipping-tispan>,
<mailto:sipping-tispan-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/sipping-tispan>
List-Post: <mailto:sipping-tispan@ietf.org>
List-Help: <mailto:sipping-tispan-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sipping-tispan>,
<mailto:sipping-tispan-request@ietf.org?subject=subscribe>
Sender: sipping-tispan-bounces@ietf.org
Errors-To: sipping-tispan-bounces@ietf.org
Comments inline Roland > -----Ursprüngliche Nachricht----- > Von: Paul Kyzivat [mailto:pkyzivat@cisco.com] > Gesendet: Freitag, 26. August 2005 06:36 > An: Jesske, Roland > Cc: Miguel.An.Garcia@nokia.com; sipping-tispan@ietf.org; > Alexeitsev, Denis > Betreff: Re: AW: AW: [Sipping-tispan] TISPAN requirements, > first requiements > > > I've tried to trim out what is no longer relevant. Further > comments inline. > > Paul > > Jesske, R wrote: > > Paul, > > I hope we do understand in future. Next Try. See below. > > > >>Either I don't understand you, or you don't understand me. > >> > >>RFC3325 is a way for some trusted element of the network that > >>knows the > >>source of the request to assert a trusted identity for the > >>source of the > >>message. It doesn't provide any authorization for anything. > > > > For the Marking of a call with a bypass allowance a network > element must include on behalf of the user this element so > that a Police-call is really a police call. > > I will try it with some flows: > > > > > > Police > > UA:A Proxy ACR UA:B > > -------------> -----------> -----------> > > F1:INVITE F2:INVITE F3:INVITE > > > > > > F1: INVITE > > No indications > > From: Anonymous > > > > F2: INVITE > > A indication is added indicating that this communication comes > > from a official authority (Police) > > From: Anonymous > > P-Asserted-Identity with privacy Id > > > > > > F3: INVITE > > ACR server forwards the communication due to the bypass indication > > From: Anonymous > > I'm still having trouble deciding who is responsible for what. > I presume Proxy is acting on behalf of the call initiator, > and makes the > authentication decisions that this is from the police. YES > > I presume that ACR is acting on behalf of the recipient B. It is > presented with the request asserting that the call is from > the Police, > and must make the authorization decision that ACR should be bypassed. YES > Presumably it must know that Police get this right, as > perhaps do Fire, > Operator, and maybe some others. > > If so, can one ACR implentation allow both Police and Fire, while > another allows only Police? I do not know if this is a requirement that is needed. I would say NO. > > This seems to require a taxonomy of types of callers as well as a > specification of which of those types are to be entitled to > bypass ACR. IF needed you are right. > > This certainly does seem to be an instance of role based > authentication > and authorization. I think it ought to be discussed as such. YES > > > PSTN PSTN/ISDN > > User A GW ACR UA:B > > -------------> -----------> -----------> > > F1:IAM F2:INVITE F3:INVITE > > > > F1: IAM: > > No Calling Party number is included > > Call is marked as restricted by the network > > > > F2: INVITE > > A indication is included that points to the fact that the call is > > Anonymous because of a network restriction > > From: Anonymous > > P-Asserted-Identity absent > > > > F3: INVITE > > ACR server forwards the communication due to the > indication that the communication is anonymous because of > network restriction > > From: Anonymous > > This case is a little different. While I can accept "police", "fire", > "operator", etc. as roles, I find it pretty difficult to accept "no > identity available" as a role. > > I think it would be better to not treat such calls as > anonymous at all. > Instead, I think some P-Asserted-ID value should be assigned to this > call. It can be something generic, but will still be an ID. YES that is OK for me. Like to provide an P-Asserted-ID unavailable@domain and add a parameter value like privacy=network or a new value. > > > Untrusted my network > > ProxyA Proxy B ACR UA:B > > -------------> -----------> > > F1:INVITE F2:INVITE > > > > > > F1: INVITE > > No indications > > From: Anonymous > > No P-Asserted-Identity > > > > F2: INVITE > > No indication will be added because the request comes from > an untrusted proxy > > From: Anonymous > > No Privacy > > > > ACR rejects the communication > > > > > > > >>Ultimately, the ACR service must be implemented near and on > behalf of > >>the recipient of the message. It isn't until there that it is > >>known that > >>there is any service to authorize. At that point, the P-Asserted-ID > >>header may be present, but that just says who the caller > is, not what > >>role the caller is playing. It seems that you want to do role based > >>authorization, where the role is "entitled-to-override-ACR". > >> > >>So how is this role determined? Surely the recipient can't > >>have a DB of > >>all values of P-Asserted-ID that are authorized. The > >>alternative seems > >>to be that the source inserts not just a simple > P-Asserted-ID with a > >>name, but rather also inserts some kind of role identification. > > > > > > That could be the way out. That such a indication shall be > bind to the P-Asserted identity and is included by the > originating network-entity. > > Because we bind the ACR service to the P-Asserted-Identity. > > I think it might be worth considering adding role parameters to > P-Asserted-ID. That is OK with me and solves most of the problems. > > But it still remains to at least enumerate the roles that are > entitled > to bypass ACR. OK > > > We reject the communication if a P-Asserted-Identity is > included and the priv value is "Id", "user","header" and /or > ""critical" and if the P-Asserted-Identity is absent. > > > > > >>I'm looking for more indication of what the expectations > are in this > >>regard. Is it the expectation that the source will annotate > >>every call > >>with an indication that the caller is permitted to override > >>ACR? > > > > > > Yes. > > > > > >>Or with > >>some other more generic categorization of caller type? > > > > > > That could be also a possibility. For solving the police > communications but it makes it not easy with the ISDN/PSTN > interworking. Because if we have such a caller type (What is > also another requirement) than we have to distinguish at the > Interworking Unit. Because some caller types can be mapped to > the Calling parties category and others must be mapped to the > network restriction indication. Within ISUP we have the Calling Party's Category "calling subscriber with priority" but that is normally used for Emergency cases where the call has priority over others. > > It sounds like there are further requirements - to represent certain > "network restriction indications". We have 4 restriction values in ISUP these are: presentation allowed presentation restricted address not available Restricted by the network The first two are mapped to Privvalues. > > Paul > _______________________________________________ Sipping-tispan mailing list Sipping-tispan@ietf.org https://www1.ietf.org/mailman/listinfo/sipping-tispan
- AW: AW: AW: [Sipping-tispan] TISPAN requirements,… Jesske, R
- AW: AW: AW: [Sipping-tispan] TISPAN requirements,… Jesske, R
- Re: AW: AW: AW: [Sipping-tispan] TISPAN requireme… Miguel Garcia
- Re: AW: AW: AW: [Sipping-tispan] TISPAN requireme… Paul Kyzivat