Re: MUSTs and SHOULDs [was RE: [Sipping] new draft on overload control in SIP]
Dean Willis <dean.willis@softarmor.com> Tue, 28 February 2006 23:12 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FEE1W-0002EF-Q2; Tue, 28 Feb 2006 18:12:54 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FEE1V-0002Cr-0s for sipping@ietf.org; Tue, 28 Feb 2006 18:12:53 -0500
Received: from nylon.softarmor.com ([66.135.38.164]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FEE1U-0004DZ-GW for sipping@ietf.org; Tue, 28 Feb 2006 18:12:53 -0500
Received: from [64.101.172.193] ([64.101.172.193]) (authenticated bits=0) by nylon.softarmor.com (8.13.1/8.13.1) with ESMTP id k1SND3PP020723 (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO); Tue, 28 Feb 2006 17:13:04 -0600
In-Reply-To: <17412.1185.997488.872953@rautu.tutpro.com>
References: <087601c63c08$5f912330$c5f0200a@amer.cisco.com> <4403B526.4070008@cisco.com> <17412.1185.997488.872953@rautu.tutpro.com>
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <A9268477-2947-4430-AD17-79CA7B7A646A@softarmor.com>
Content-Transfer-Encoding: 7bit
From: Dean Willis <dean.willis@softarmor.com>
Subject: Re: MUSTs and SHOULDs [was RE: [Sipping] new draft on overload control in SIP]
Date: Tue, 28 Feb 2006 17:12:47 -0600
To: Juha Heinanen <jh@tutpro.com>
X-Mailer: Apple Mail (2.746.2)
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 33cc095b503da4365ce57c727e553cf1
Cc: "'Vijay K. Gurbani'" <vkg@lucent.com>, 'SIPPING LIST' <sipping@ietf.org>, Dan Wing <dwing@cisco.com>
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
Errors-To: sipping-bounces@ietf.org
On Feb 28, 2006, at 2:06 AM, Juha Heinanen wrote: > Jonathan Rosenberg writes: > >> I agree completely with Dan here. I've done this in various >> places, but >> its very difficult to do. The point though, is that ultimately, >> implementors do what they want and/or can get away with. > > this major vendor has OFFICIAL policy that they don't accept bug > reports > against SHOULD and MAY violations. it ha nothing to do with > implementors > who write the code. i have got an impression that the implementors of > this major company are not ALLOWED to fix such bugs even if they want > to. You have my blessing to call them idiots, even if I happen to work there. Of course, I doubt you ever needed my blessing for that . . . What's the Finnish word for idiot, anyhow? I'm sure I've overheard it in some of those standards discussions after I've said something "controversial", but it would be nice to know. One can never know too many insults, they're such handy words. Seriously, we have historically badly over-used the requirements language of RFC 2119. We've often used it to describe how things normally work. It should be used only to explain the consequences of deviations from normalcy. Note that simply saying "MUST do X" or "SHOULD do Y" doesn't really explain these consequences. IMHO, each usage of 2119 language outside of a "pure requirements document" (and arguably even in those) needs to be accompanied by justification. MUST: If you deviate from this, the indicated dire consequences are very likely to occur, and no work-around or alternative is defined. The default dire consequences here are "protocol simply won't work", but usually more is needed. SHOULD: If you deviate from this (which you might need to do for some use cases), you need to take care of some extra points (described here), or the indicated dire consequences are very likely to occur. MAY: Here's some extra stuff you might choose to do, if you've dealt with the consequences, which including making sure that the other affected elements are prepared to deal with this optional behavior. If you fail to verify that other affected elements are prepared to deal with the optionality, you must be prepared to deal with them either ignoring the optionality, rejecting the request, or failing in an unpredictable way, possibly catastrophic. Good example, from draft-ietf-sipping-uri-services-05.txt: Attackers may attempt to send a URI-list containing URIs whose host parts route to the victims of the DoS attack. These victims do not need to be SIP nodes; they can be non-SIP endpoints or even routers. If this attack is successful, the result is that an attacker can flood with traffic a set of nodes, or a single node, without needing to generate a high volume of traffic itself. There are several measures that need to be taken to prevent this type of attack. The first one is keeping unauthorized users from using URI-list services. So, URI-list services MUST NOT perform any request explosion for an unauthorized user. URI-list services MUST authenticate users and check whether they are authorized to request the service before performing any request fan-out. This actually places one requirement, redundantly using a MUST and a MUST NOT with opposing descriptions, backed up by a description of what will go wrong if you fail to meet the requirement -- susceptibility to a range of attacks. Bad example from draft-ietf-sipping-uri-list-message-05.txt: A UAC that wants to create a multiple-recipient MESSAGE request MUST create a MESSAGE request according to RFC 3428 [8] Section 4. The UAC SHOULD populate the Request-URI with the SIP or SIPS URI of the MESSAGE URI-list service. In addition to the regular instant message body, the UAC SHOULD add a URI-list body whose Content-Disposition type is 'recipient-list', specifed in the Framework and Security Considerations for SIP URI-list Services [11]. This body contains a URI-list with the recipients of the MESSAGE. The URI-list body MAY also include the 'capacity' extension to the URI-list specified in Section 4.1. The UAC MUST also include the 'recipient-list-message' option-tag, defined in Section 5, in a Require header field. Let's look at the "requirements" in the above. MUST #1 (create a message request): Why MUST we create a message request? What failure of interoperability occurs if we don't create a message request? We're really trying to say that this service only understands MESSAGE requests as defined in RFC 3428, and that it won't work if you were to use some other kind of request. SHOULD #1 (populate the request URI): What are the alternatives? What would we want to put in the request URI other than the URI of the target? What happens if we were to put something else here, and how would we compensate if we did? Really, we're not trying to define a requirement here -- we're just describing a use case. SHOULD #2 (add a URI-list body): Again, what are the alternatives? We're not defining any here. We're just trying to describe a use case. MAY #1 (also include the 'capacity' extension): Why would we want to do that? Fortunately, the "why" is defined in the referenced section 4.1. But are we stating an aspect of optionality that affects interoperability? Nope. We're just describing some information that, if present in the request, will be used in processing the request at the recipient, and if it's not there, it won't be. MUST #2 (also include the 'recipient-list-message" option tag): It would be nice to say WHY we do this, although we use this in SIP so much we seem to expect the reader to know. In short, we're using the extension-negotiation mechanism of SIP to make sure that the recipient understands this extension. If we include the option-tag, then a recipient of this request will reject the request with an informative error if it does not understand the extension. My suggested rewrite: A UAC that wants to create a multiple-recipient MESSAGE request creates a MESSAGE request according to RFC 3428 [8] Section 4. The UAC populates the Request-URI with the SIP or SIPS URI of the MESSAGE URI-list service. In addition to the regular instant message body, the UAC adds a URI-list body whose Content-Disposition type is 'recipient-list', specifed in the Framework and Security Considerations for SIP URI-list Services [11]. This body contains a URI-list with the recipients of the MESSAGE. The URI-list body may also include the 'capacity' extension to the URI-list specified in Section 4.1. The UAC MUST also include the 'recipient-list-message' option-tag, defined in Section 5, in a Require header field. Note that the only 2119 language retained here is the final MUST on extension negotiation. And only the hope that the negotiation mechanism is well-understood justifies our not saying more here. Were I to re-write this again, I would change the closing sentence to be: The UAC MUST also include the 'recipient-list-message' option-tag (defined in Section 5) in a Require header field, which will result in rejection of this request by any UAS that does not implement this extension. Now, Miguel didn't take all my suggestions. Instead, he produced the following in -07 A UAC that wants to create a multiple-recipient MESSAGE request creates a MESSAGE request that MUST be formatted according to RFC 3428 [8] Section 4. The UAC populates the Request-URI with the SIP or SIPS URI of the MESSAGE URI-list service. In addition to the regular instant message body, the UAC adds a URI-list body whose Content-Disposition type is 'recipient-list', specified in the Framework and Security Considerations for SIP URI-list Services [11]. This body contains a URI-list with the recipients of the MESSAGE. Target URIs in this body MAY also be tagged with the 'capacity' and 'anonymize' attributes specified in the XML Format Extension for Representing Capacity Attributes in Resource Lists [12]. The UAC MUST also include the 'recipient-list-message' option-tag, defined in Section 5, in a Require header field. He still has two MUSTs that one has to dereference (but there ARE references given), and a MAY (which is also referenced). All the 2119 language that doesn't have a real functional requirement attached to it has been removed. While it's not as pretty as mine (opinion), it's at least testable for compliance, and the important aspects of the "required" behavior can at least be extracted from the specification. -- Dean _______________________________________________ Sipping mailing list https://www1.ietf.org/mailman/listinfo/sipping This list is for NEW development of the application of SIP Use sip-implementors@cs.columbia.edu for questions on current sip Use sip@ietf.org for new developments of core SIP
- [Sipping] new draft on overload control in SIP Jonathan Rosenberg
- Re: [Sipping] new draft on overload control in SIP James M. Polk
- RE: [Sipping] new draft on overload control in SIP Samir Srivastava
- RE: [Sipping] new draft on overload control in SIP Darshan Bildikar
- Re: [Sipping] new draft on overload control in SIP Tom-PT Taylor
- Re: [Sipping] new draft on overload control in SIP Jonathan Rosenberg
- RE: [Sipping] new draft on overload control in SIP Fernando BERRETTA
- Re: [Sipping] new draft on overload control in SIP Jonathan Rosenberg
- Re: [Sipping] new draft on overload control in SIP Vijay K. Gurbani
- Re: [Sipping] new draft on overload control in SIP Juha Heinanen
- Re: [Sipping] new draft on overload control in SIP Marc Petit-Huguenin
- MUSTs and SHOULDs [was RE: [Sipping] new draft on… Dan Wing
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Jonathan Rosenberg
- Re: [Sipping] new draft on overload control in SIP Juha Heinanen
- MUSTs and SHOULDs [was RE: [Sipping] new draft on… Juha Heinanen
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Juha Heinanen
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Paul Kyzivat
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Vijay K. Gurbani
- identity privacy in SIP, was: Re: [Sipping] new d… Jonathan Rosenberg
- RE: MUSTs and SHOULDs [was RE: [Sipping] new draf… Dan Wing
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Vijay K. Gurbani
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Dean Willis
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Dean Willis
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Miguel Garcia
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Aki Niemi
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Pete Cordell
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Spencer Dawkins
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Dale R. Worley
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Dean Willis
- Re: MUSTs and SHOULDs [was RE: [Sipping] new draf… Miguel Garcia
- Re: [Sipping] new draft on overload control in SIP Jonathan Rosenberg
- Re: [Sipping] new draft on overload control in SIP Jonathan Rosenberg