IETF Logo Mail Archive

Re: [stir] Comments/questions on draft-ietf-stir-identity-header-errors-handling-01

Chris Wendt <chris-ietf@chriswendt.net> Mon, 11 July 2022 07:46 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22FECC14F749 for <stir@ietfa.amsl.com>; Mon, 11 Jul 2022 00:46:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.904
X-Spam-Level:
X-Spam-Status: No, score=-1.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IOXd8ePEU5g7 for <stir@ietfa.amsl.com>; Mon, 11 Jul 2022 00:46:06 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DBC3AC14F734 for <stir@ietf.org>; Mon, 11 Jul 2022 00:46:06 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id f2so5850561wrr.6 for <stir@ietf.org>; Mon, 11 Jul 2022 00:46:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20210112.gappssmtp.com; s=20210112; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=DqCBjpnBHqF/Oj3dm9GQ2B3wobya6uDdOL6heJNlUOc=; b=t+niaGJ43rxh2s4QQ7e891mIWqdD3/3EINP00YcbThoffFMLepKUuP3ruasrcdJiEr I3Kj7ZOWNn6WX9M2BL3ZfNI7GS7+Xwpi2S8jsJBIFBpIEqrA7DPmOHvijEtdQPxsVsE3 3ooEVY48vqmAYdjJYSOwc1FmQy2CQb82052Vfh5r38boor5dt4YeO5OPuWFDjfh7J2GI aUyasFDzbtWz3Lgcb0TGk5yI6JXJdlxi96/JiQiYw/CB9Zw9UqShmvfu8LYHDIGCxOLr 84+8TliAoJep4J+RYn+QLG1M6rBACnhde7SknbyDp8AU6w6Wmf6q5EMnO6uPFffbovjD qVpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=DqCBjpnBHqF/Oj3dm9GQ2B3wobya6uDdOL6heJNlUOc=; b=sTzYkcG1kMFCNELkln0hwa46EEN2SAFBiCc7Jwrg2xrmQKCfIUkC0rbwV9xQ3g+5h+ Lw1SfoPlQKyQxOQXQ/OIUoHR74iPhS9uLGNsqQlD2mrb3jnqjIj7jxqBhUeJ873BI+a2 /MZxte/4c8VUi6te7JHF5gfSpQsCGlMhPn0BvaHrOze1EvKUFC5A10cH3Kon73V/gK++ WbRM6s5kMbKdyDsXESRlKimOR65T3l8XuMArxNAzegwC4zjJpCs9FxIasUZHjFU5MXgc +BD3u4pElsOAqE2OXoLEwVEIZI+3GSBQnUBNSK7pbxW6dh7Ag8yjvNMwWIx8nRhDWvej 9c/A==
X-Gm-Message-State: AJIora96m0C3iGkO0o5n4ja7ME0aqMLFh6HK+8A4fsRK6plQwDVQfeN9 PnlvkBW7GuLTbnFDK/emp6yqDcMlyqh8v+29dXc=
X-Google-Smtp-Source: AGRyM1siPQr1KOunppGlYho/B4WT4bxUiy7ycfrU0E3wtl0P3dXSPwrdWT6YTqtI2UkN8OLss5Y2VQ==
X-Received: by 2002:a05:6000:1ac9:b0:21d:a85c:298b with SMTP id i9-20020a0560001ac900b0021da85c298bmr2297713wry.185.1657525564932; Mon, 11 Jul 2022 00:46:04 -0700 (PDT)
Received: from smtpclient.apple ([5.226.139.144]) by smtp.gmail.com with ESMTPSA id t1-20020adfeb81000000b0021d6e49e4ebsm5098355wrn.10.2022.07.11.00.46.04 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 11 Jul 2022 00:46:04 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\))
From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <HE1PR07MB4441E7A2F7AFA763EB84F7A793F89@HE1PR07MB4441.eurprd07.prod.outlook.com>
Date: Mon, 11 Jul 2022 08:46:03 +0100
Cc: IETF STIR Mail List <stir@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <6F3423AC-6A16-490D-8317-18FE312E678C@chriswendt.net>
References: <HE1PR07MB444170B0B7F15E9D10E5FC4893F79@HE1PR07MB4441.eurprd07.prod.outlook.com> <F1611AE5-5249-4A3E-AD5A-2C00D3B72CA2@chriswendt.net> <HE1PR07MB4441E7A2F7AFA763EB84F7A793F89@HE1PR07MB4441.eurprd07.prod.outlook.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.3696.100.31)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/0AhR-WtBc_Ym5jBpz9qkF0LYib0>
Subject: Re: [stir] Comments/questions on draft-ietf-stir-identity-header-errors-handling-01
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jul 2022 07:46:08 -0000

So, trying to parse the different threads on these topics i have released a -02 version that:

Adds IANA request for “ppl” parameter for PASSporT identifier
Cleans up the text around “STIR” as a protocol allowing for multiple reason-headers with same protocol name
Cleans up some of the compact form text and makes it the recommended form.

> On Apr 25, 2022, at 4:59 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> 
> Hi,
> 
>  
> I took a look at draft-ietf-stir-identity-header-errors-handling-01, and I have some questions and comments.
>  
> ---
>  
>>> Q1: The draft uses a ppt parameter to associated a Reason header field with an Identity header field. That sounds very “clumsy” in my opinion. Also, how exactly is the parameter value compared with the PassPORT? Byte by byte? How does that work if you use a compact form?
>> 
>> Comparing as a JWT Base64 encoded string value whether full or compact.  We just needed a unique value that the AS (or originating side) would know about, so either full PASSporT or just the signature is unique enough for the AS to reference on which identity header passed in the INVITE caused the error.
> 
> Why not defining a dedicated "index" parameter? That would also act as an indicator that the AS supports the mechanism to begin with, which would also address the issue in Q5 (because the response with ppt would only be sent if the index is present in the request).
> 
> ---
>  
>>> Q2: Where is the ppt parameter defined? I see no Reason header field reason-extension defined for it, and no IANA registration.
>> 
>> This is the document that defines it, but yes i did now look that i should request IANA registeration as Header Field Parameters and Parameter Values.  I will add that request to the document.
> 
> Ok. But, you also need to include the syntax, as it is (I assume) a Reason header field reason-extension.
> 
> Another question is whether it should be called ppt. That already exists, and indicates a TYPE, which this parameter does not. Using a unique parameter name would cause less confusion.
> 
> Of course, if you used an index parameter in the request (see Q1) I guess you could use something similar in the response. "ppi" (pass port index), or something...
> 
> ---
>  
>>> Q3: The definition of the “STIR” protocol in Section 3 is very confusing.
>>>  
>>> For example, the text says:
>>>  
>>>   “This will differentiate current protocols, specifically
>>>    "SIP" which is currently in wide industry usage, from the [RFC8224]
>>>    defined error cause codes”
>>>  
>>> Differentiate SIP from what protocol? The error cause codes defined in 8224 are SIP cause codes, so what protocol does “STIR” refer to?
>>>  
>>> If the semantics of “STIR” is identical to “SIP”, with the only difference being that it allows you to use multiple Reason header fields with “STIR”, why not say so?
>> 
>> The intent is that STIR is another “protocol” just like Q.850 and SIP differentiate a class of reasons.  We are simply defining another type of reasons specific to STIR, so that existing
>> implementations aren’t confused.  We discussed this pretty extensively in past meetings as likely best option.
> 
> Than I think you can make the text much more simple. All you need to do is to say that the error is caused based on the procedures in RFC XXXX, and that SIP response codes are still used.
> 
> ---
>  
>>> Q4: The text says:
>>>  
>>>   “The "ppt" parameter
>>>    for the Reason header field is optional, but RECOMMENDED, in
>>>    particular for cases that a SIP INVITE contains multiple Identity
>>>    header fields.” 
>>>  
>>> And if it is not included? How will things work then?
>>  
>> The intent is that if you only have one identity header/identity header error you don’t need to include ppt.  I could clarify that and make it mandatory if you have more than one identity header.
>> 
>>> Q5: Section 7 says that the Authentication Server MUST remove the Reason header field from the response. But, what if the Authentication Server is an 8224-only implementation? In that case it might
>>> pass on the Reason header field. Section 10 does say something about the Reason header field being passed beyond the Authentication Server, but I am not sure whether it talks about the same case.
>> 
>> That is always the case for any specification that comes in the future.  I think we are early enough that scenarios for multiple identity headers is only starting to appear and would like to adopt
>> this in SHAKEN. This may be a good reason to adopt stronger language about using compact form/only signature as identifier.
> 
> As mentioned earlier, an index parameter could be used as an indicator that the AS supports the mechanism.
> 
> ---
> 
>>> Q6: The text talks about including the Reason header in a provisional response, in case local policy dictates that the session setup shall continue.
>>>  
>>> First, I am not sure whether that is how 3326 defines usage of Reason in provisional responses. It is used to help in forking scenarios, when final responses sent on different early dialogs are dropped by the forking proxy.
>>>  
>>> Second, there is no text on how this provisional response is created. Is the sender of the Reason header field going to generate a To tag? Does that mean the sender of the Reason header field is acting as a B2BUA?
>>  
>> First, this is the same scheme we already have defined in ATIS-1000074, but the provisional response is created just like any provisional response (so yeah, the UAS sending the provisional response would have add a To tag to complete the early dialog). 
>> As the response travels toward the UAC, it's going to arrive at a proxy who knows if and why verification failed (e.g., the IBCF, or maybe the STI-VS itself in the case where the verification API is SIP), and that proxy will add the proper Reason header(s).
> 
> Ok, so the verification proxy would not create the provisional response - it will only piggyback the Reason header(s) in a provisional response sent by the UAS?
> 
> 
> Regards,
> 
> Christer
> 
> 
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
> _______________________________________________
> stir mailing list
> mailto:stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir
>

v2.23.0 | Report a Bug | By Email