Re: [Sipping] I-D Action:draft-kaplan-sipping-pai-responses-00.txt
Hadriel Kaplan <HKaplan@acmepacket.com> Mon, 01 December 2008 15:43 UTC
Return-Path: <sipping-bounces@ietf.org>
X-Original-To: sipping-archive@optimus.ietf.org
Delivered-To: ietfarch-sipping-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 806A43A6AA6; Mon, 1 Dec 2008 07:43:54 -0800 (PST)
X-Original-To: sipping@core3.amsl.com
Delivered-To: sipping@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8BFE03A6AA6 for <sipping@core3.amsl.com>; Mon, 1 Dec 2008 07:43:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.545
X-Spam-Level:
X-Spam-Status: No, score=-2.545 tagged_above=-999 required=5 tests=[AWL=0.054, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2bgZ4wkom+5U for <sipping@core3.amsl.com>; Mon, 1 Dec 2008 07:43:51 -0800 (PST)
Received: from etmail.acmepacket.com (etmail.acmepacket.com [216.41.24.6]) by core3.amsl.com (Postfix) with ESMTP id 7CD643A67D9 for <sipping@ietf.org>; Mon, 1 Dec 2008 07:43:51 -0800 (PST)
Received: from mail.acmepacket.com (216.41.24.7) by etmail.acmepacket.com (216.41.24.6) with Microsoft SMTP Server (TLS) id 8.1.291.1; Mon, 1 Dec 2008 10:42:18 -0500
Received: from mail.acmepacket.com ([127.0.0.1]) by mail ([127.0.0.1]) with mapi; Mon, 1 Dec 2008 10:42:18 -0500
From: Hadriel Kaplan <HKaplan@acmepacket.com>
To: "Elwell, John" <john.elwell@siemens.com>, sipping <sipping@ietf.org>
Date: Mon, 01 Dec 2008 10:43:36 -0500
Thread-Topic: I-D Action:draft-kaplan-sipping-pai-responses-00.txt
Thread-Index: AclSSwAUefB1f4gPQCGcYR1WCXbbpQBRrEKQAA2bSyA=
Message-ID: <E6C2E8958BA59A4FB960963D475F7AC313776E1C73@mail>
References: <E6C2E8958BA59A4FB960963D475F7AC31374B1F20F@mail> <0D5F89FAC29E2C41B98A6A762007F5D0014F2EBD@GBNTHT12009MSX.gb002.siemens.net>
In-Reply-To: <0D5F89FAC29E2C41B98A6A762007F5D0014F2EBD@GBNTHT12009MSX.gb002.siemens.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
Cc: Cullen Jennings <fluffy@cisco.com>
Subject: Re: [Sipping] I-D Action:draft-kaplan-sipping-pai-responses-00.txt
X-BeenThere: sipping@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "SIPPING Working Group \(applications of SIP\)" <sipping.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/sipping>
List-Post: <mailto:sipping@ietf.org>
List-Help: <mailto:sipping-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipping>, <mailto:sipping-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: sipping-bounces@ietf.org
Errors-To: sipping-bounces@ietf.org
Maybe I don't understand what your update draft is trying to accomplish, or maybe I don't understand RFC 3325. They're written in English, but English is not my native language, so who knows. My belief is that your draft is trying to clarify that PAI can be used in other methods than INVITE, that a trusted UAC can insert it, and that it can be more and different URI schemes. It's not actually changing the fundamental definitions/scope of RFC 3325, right? So let's start with what RFC 3325 is about. For one, it's an Informational RFC for private use. For another, it actually does not say what methods a PAI can be inserted in or not - it only uses the word "message", and in fact says both requests and responses. It very clearly says that if a Proxy trusts a node, then it can believe the information as if it had authenticated the user itself. Are you suggesting your draft is going to remove that, or re-define that? For what purpose? This whole thing is about a private network deciding what "Trust" means to itself! But more importantly, RFC 3325 does not define a particular *instantiation* of a Spec(T). It gives an *example* of one, but that's it. If I decide for my network that all my PSTN Gateways and proxies trust each other, then that is my specific Spec(T). If you decide for your network that only proxies have a trust relationship, then that's your Spec(T). In my network, the PSTN gateways can certainly send back PAI in responses, because they're implicitly authenticated. In your network they can't, because they're outside of the trust domain. And the problem is...? That's why Keith doesn't need to give you any 3GPP use-case. It's not germane to the draft. 3GPP is simply one particular Spec(T). It very well could be a bad one (and I think it has some holes), but that's the nature of a private-use, privately-defined Spec(T) model to begin with, which is all RFC 3325 covers! -hadriel > -----Original Message----- > From: Elwell, John [mailto:john.elwell@siemens.com] > Sent: Monday, December 01, 2008 3:59 AM > To: Hadriel Kaplan; sipping > Cc: Cullen Jennings > Subject: RE: I-D Action:draft-kaplan-sipping-pai-responses-00.txt > > Hadriel, > > Thanks for writing this. However, in my opinion it still suffers from > the same problem that we had with update-pai-06 (where we just said that > the proxy must have authenticated the source of the response by some > means) and update-pai-05 (where we cited one possible circumstance where > authentication could be assumed, i.e., when an earlier request over the > same TLS connection had been digest-authenticated). We received > objections to 06 because it did not cite at least one example of how to > achieve authentication and we received objections to 05 because the > mechanism is broken (there could be an intermediary that terminates the > TLS connection, so there is no guarantee that the UA that was previously > authenticated is the same as the UA that sends the response). > > I think there are only two ways forward on this: > 1. Somebody comes up with some text that describes a plausible way of > achieving authentication using present mechanisms. For example, if my > understanding is correct, I think the 3GPP mechanism relies on using the > same credentials for authenticating the UA and the underlying transport, > and hence the broken behaviour I described above does not apply. I > really wanted somebody else to provide some text, and I had hoped Keith > would do this. > 2. We define a new mechanism. It has been stated that something based on > sip-outbound might be possible, but I don't really know what people have > in mind. As Cullen observes, this approach would most likely need to be > pursued in SIP rather than SIPPING. > > John _______________________________________________ Sipping mailing list https://www.ietf.org/mailman/listinfo/sipping This list is for NEW development of the application of SIP Use sip-implementors@cs.columbia.edu for questions on current sip Use sip@ietf.org for new developments of core SIP
- [Sipping] I-D Action:draft-kaplan-sipping-pai-res… Hadriel Kaplan
- Re: [Sipping] I-D Action:draft-kaplan-sipping-pai… Cullen Jennings
- Re: [Sipping] I-D Action:draft-kaplan-sipping-pai… Hadriel Kaplan
- Re: [Sipping] I-D Action:draft-kaplan-sipping-pai… Elwell, John
- Re: [Sipping] I-D Action:draft-kaplan-sipping-pai… Hadriel Kaplan
- Re: [Sipping] I-D Action:draft-kaplan-sipping-pai… Elwell, John
- Re: [Sipping] I-D Action:draft-kaplan-sipping-pai… Hadriel Kaplan