IETF Logo Mail Archive

Re: [stir] stir-06: Reality check on numbers (6.1.1)

"DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com> Wed, 16 December 2015 16:01 UTC

Return-Path: <keith.drage@alcatel-lucent.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F0EC1A0196 for <stir@ietfa.amsl.com>; Wed, 16 Dec 2015 08:01:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.31
X-Spam-Level:
X-Spam-Status: No, score=-6.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_45=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H_PGsE93OCKO for <stir@ietfa.amsl.com>; Wed, 16 Dec 2015 08:01:47 -0800 (PST)
Received: from smtp-fr.alcatel-lucent.com (fr-hpgre-esg-01.alcatel-lucent.com [135.245.210.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53B201A0469 for <stir@ietf.org>; Wed, 16 Dec 2015 08:01:30 -0800 (PST)
Received: from fr711usmtp1.zeu.alcatel-lucent.com (unknown [135.239.2.122]) by Websense Email Security Gateway with ESMTPS id 4DCAB551D999A; Wed, 16 Dec 2015 16:01:25 +0000 (GMT)
Received: from FR711WXCHHUB02.zeu.alcatel-lucent.com (fr711wxchhub02.zeu.alcatel-lucent.com [135.239.2.112]) by fr711usmtp1.zeu.alcatel-lucent.com (GMO) with ESMTP id tBGG1Lvx006804 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 16 Dec 2015 17:01:28 +0100
Received: from FR712WXCHMBA11.zeu.alcatel-lucent.com ([169.254.7.213]) by FR711WXCHHUB02.zeu.alcatel-lucent.com ([135.239.2.112]) with mapi id 14.03.0195.001; Wed, 16 Dec 2015 17:01:00 +0100
From: "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>
To: Brian Rosen <br@brianrosen.net>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Thread-Topic: [stir] stir-06: Reality check on numbers (6.1.1)
Thread-Index: AQHRNCzE6AHd4lmGNku6EHrqWfhAdp7GgauQgAXSrACAAAXxAIAABKMAgAAX85D///WlgIAAOysQ///5CQCAABl34IAAEJsAgABHUYCAAJJyAIAAJQ3g
Date: Wed, 16 Dec 2015 16:01:00 +0000
Message-ID: <949EF20990823C4C85C18D59AA11AD8BADE251E5@FR712WXCHMBA11.zeu.alcatel-lucent.com>
References: <9C95CF4B-88BD-4EFF-9076-E59CF165E22D@standardstrack.com> <566AF294.6090001@alum.mit.edu> <949EF20990823C4C85C18D59AA11AD8BADE23BB6@FR712WXCHMBA11.zeu.alcatel-lucent.com> <D29595DF.17587A%jon.peterson@neustar.biz> <56706158.3080905@alum.mit.edu> <D295A284.1758E9%jon.peterson@neustar.biz> <949EF20990823C4C85C18D59AA11AD8BADE24A61@FR712WXCHMBA11.zeu.alcatel-lucent.com> <D295AFB2.175907%jon.peterson@neustar.biz> <949EF20990823C4C85C18D59AA11AD8BADE24B19@FR712WXCHMBA11.zeu.alcatel-lucent.com> <56709C6E.4070901@alum.mit.edu> <949EF20990823C4C85C18D59AA11AD8BADE24C0B@FR712WXCHMBA11.zeu.alcatel-lucent.com> <490BC8D0-A7FA-4D37-9E54-2B8500BFAA9F@gmail.com> <5670FB8B.9030602@alum.mit.edu> <D1F2A8C0-40A5-43ED-A73F-44D6C8C212C9@brianrosen.net>
In-Reply-To: <D1F2A8C0-40A5-43ED-A73F-44D6C8C212C9@brianrosen.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.239.27.39]
Content-Type: multipart/alternative; boundary="_000_949EF20990823C4C85C18D59AA11AD8BADE251E5FR712WXCHMBA11z_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/2LpfGbXr7H0lhxauVL1RM-Mft3M>
Cc: "stir@ietf.org" <stir@ietf.org>
Subject: Re: [stir] stir-06: Reality check on numbers (6.1.1)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Dec 2015 16:01:57 -0000

Apart from the issues of uniqueness of canonical form, one aspect of this that I do not understand how works, is that many of these numbers do not relate to a single user or a single organization, and that applies for many of these local service numbers.

This gets even worse with emergency numbers.

112 is mean to work for roaming users. So depending on whether I am in country A or country B, I will get the emergency service organization in country A or country B respectively. These are different users and should sign differently. Further depending on where I am in that country or the category or URN subtype I use, I may get an entirely different emergency organization, presumably with its own signing. Depending on PSAP load conditions, there may be overflow arrangements that take you to an entirely different organization.

So using this with a non-unique local service number to identify somehow the called party would seem to achieve little – at least tell me what it achieves.

I’d note in your mail you also seem to switch between calling and called direction. Are you trying to ensure that the calling user knows they have reached an emergency number, or that the calling user is known to the call taker (presumably not a service number problem). I think it is your last paragraph that is confusing me.

Keith

From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Brian Rosen
Sent: 16 December 2015 14:34
To: Paul Kyzivat
Cc: stir@ietf.org
Subject: Re: [stir] stir-06: Reality check on numbers (6.1.1)

Please don’t do that.

It would be extremely valuable for calls to any of the n-1-1 numbers to be signed, and especially 9-1-1.

Read 1-1-2 for EU.

“Swatting” is a very serious problem, which can only reasonably be stopped by having some assurances of the callers identity.  It works today because the caller’s identity can be spoofed.

In fact, just because the called party can’t be canonicalized shouldn’t make the entire mechanism fail.  I think we should have canonicalization rules for service numbers, but even in the absence of canonicalization of the “To:”, the mechanism should still work as long as the To is not mangled by downstream elements.

It doesn’t have to be foolproof, it just has to work most of the time.  The call takers will take extra precautions if the mechanism fails occasionally, but if it rarely works, then it’s useless.

Brian

On Dec 16, 2015, at 12:50 AM, Paul Kyzivat <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>> wrote:

On 12/15/15 8:34 PM, Eric Burger wrote:

And local arrangements are… local… out of scope. The PBX/AS/SBC will have to make To/From into something sensible. At that point, it is an E.164 number that STIR can deal with.

There is no point worrying about my phone saying “From: x74107”. You cannot get there from here unless you are inside my enterprise already, at which point you are not STIRing anyway.

Since you don't live in the US you may not know what 611 is. It is not a local number, like an internal extension on a PBX. It is a service number. It is among the family of N11 numbers, of which 911 is best known.

This discussion is, loosely, about most/all of the service numbers. 911 is extra special, and has customized treatments, so we should probably exclude it from this particular discussion.

There is in general no E.164 number that the service numbers can be transformed to for purposes of canonicalization.

The answer may be that these numbers can't be canonicalized, and calls to/from them cannot be signed.

                Thanks,
                Paul


On Dec 15, 2015, at 6:48 PM, DRAGE, Keith (Keith) <keith.drage@alcatel-lucent.com<mailto:keith.drage@alcatel-lucent.com>> wrote:

I am aware that for example, some PBX deployments do this.

But my understanding is that this is an entirely local arrangement within the PBX domain that such an arrangement applies, i.e. that a set of local numbers within the PBX map to a set of SIP URIs, and that that mapping is in this particular form, rather than to any other string of digits or alphanumeric characters.

No RFC defines such a mapping, and I would not expect that any other domain would be expected to be aware of this local arrangement, anymore than it might be expected to know the relationship between the PBX numbering plan and E.164 numbers.

I guess any such expectation is the crux of the matter, unless we are talking only about such a knowledge being critical for usage within the local domain, and that was not expressed within the mails.

Regards

Keith

-----Original Message-----
From: Paul Kyzivat [mailto:pkyzivat@alum.mit.edu]
Sent: 15 December 2015 23:04
To: DRAGE, Keith (Keith); Peterson, Jon; stir@ietf.org<mailto:stir@ietf.org>
Subject: Re: [stir] stir-06: Reality check on numbers (6.1.1)

On 12/15/15 5:31 PM, DRAGE, Keith (Keith) wrote:

Well what was confusing was that the only way of reading the text in both your messages was that the example URI was prior to conversion to canonical form, i.e. if there were any URI parameters, they were still present. As none were specified, there could be none, and therefore the URI was a SIP URI pure and simple.

Yes, the intent was that these were prior to canonicalization. (After all, the results of canonicalization for the bis are not put into the URI.)

The simple fact is that URIs of the form sip:nnn@domain are very commonly used to represent phone numbers. And servers are very happy to conclude that they are numbers solely because the user part is all numeric, without the presence of user=phone.

I expect that a domain that wants to use all numeric user parts that are
*not* phone numbers might have great difficulty interoperating with other domains. Probably this isn't a problem in practice because:
- it just isn't done
- domains that handle phone numbers don't peer with domains that
  use non-phone-number URIs.

                Thanks,
                Paul


Keith

-----Original Message-----
From: Peterson, Jon [mailto:jon.peterson@neustar.biz]
Sent: 15 December 2015 19:57
To: DRAGE, Keith (Keith); Paul Kyzivat; stir@ietf.org<mailto:stir@ietf.org>
Subject: Re: [stir] stir-06: Reality check on numbers (6.1.1)


Sorry if that was baffling, I thought we were entertaining a case
where
611 was intended to be a telephone number: say that instead of "foo", that URI contained a carrier's domain, and this happened to be the unhelpful way the carrier in question stored all telephone numbers in SIP URIs. In the case where "611" is instead in a tel URL, or there is a clear user=phone parameter to the SIP URI, it is a bit more obvious - but no less clear how to canonicalize it for international transport or something.

Jon Peterson
Neustar, Inc.

On 12/15/15, 11:45 AM, "DRAGE, Keith (Keith)"
<keith.drage@alcatel-lucent.com<mailto:keith.drage@alcatel-lucent.com>> wrote:


I'm lost.

sip:611@foo.com, before conversion to canonical form, is a SIP URI
belonging to foo.com<http://foo.com>. It is not a telephone number or a dial string.
Depending on how foo.com<http://foo.com> assigns its SIP URIs it might relate to a
dialstring 611 in foo.com<http://foo.com> land, but that is an entirely arbitrary
decision of foo.com<http://foo.com>, and nothing that should be verified anywhere as
a telephone number.

This might be a string that exists after conversion of a tel-URI or
dialstring to canonical form, but that is not what is being stated below.

As such it is outside the scope of STIR.

Keith




-----Original Message-----
From: Peterson, Jon [mailto:jon.peterson@neustar.biz]
Sent: 15 December 2015 19:09
To: Paul Kyzivat; DRAGE, Keith (Keith); stir@ietf.org<mailto:stir@ietf.org>
Subject: Re: [stir] stir-06: Reality check on numbers (6.1.1)



The use of service numbers in the From is a case where our text is
necessarily speculative. This gets into territory where it's unclear
that we even want the verification to work. If a callee in, say,
Austria receives a call from sip:611@foo.com (presumably they
wouldn't see a service number in the To), is it useful for the callee
to know that the call came from "611"? One can argue it isn't even
particularly useful for callees in America.


Does that mean we shouldn't allow service numbers in these fields? If
they are permitted in To and From in baseline SIP, we should at least
have a story about them. There is some use in signing the To field
for service numbers to prevent cut-and-paste attacks. On balance, I
don't see any decisive reason to forbid it. Again, the worst thing
that can happen is verification will fail, and if the number is
weird, or has leaked into a place where it shouldn't be, failure is probably the right thing.

Jon Peterson
Neustar, Inc.

On 12/15/15, 10:52 AM, "Paul Kyzivat" <pkyzivat@alum.mit.edu<mailto:pkyzivat@alum.mit.edu>> wrote:


On 12/15/15 1:30 PM, Peterson, Jon wrote:


The canonicalization rules are not designed with the assumption
that the  string inputted to the algorithm is an E.164 number. They
are designed to  be as flexible as possible given the presence of a
dial string -  remembering that we canonicalize To as well as From.
Ideally, everything  we deal with would follow the dictates of
RFC3966, sure. We just proceed  with an abundance of caution.

So, do you assume that a uri of sip:611@foo.com will be
canonicalized the same way by everybody?

I suppose everyone in the NANP might do so. But what about a
recipient in some other locale?

I guess the theory is that at the borders between domains numbers
will be rewritten to be understandable in the receiving domain. If
the number doesn't contain its country code then it presumably needs
to be added at a country boundary to be understood. That works for
numbers that correspond to E.164 numbers. But what about 611? There
is no standard way to put a country code on it.

                Thanks,
                Paul


I would be happy to add some text saying that escaped characters
should be  removed as part of the canonicalization process.

Jon Peterson
Neustar, Inc.

On 12/13/15, 9:34 AM, "stir on behalf of DRAGE, Keith (Keith)"
<stir-bounces@ietf.org<mailto:stir-bounces@ietf.org> on behalf of keith.drage@alcatel-lucent.com<mailto:keith.drage@alcatel-lucent.com>>
wrote:


The international E.164 number can only be decimal digits.

That therefore means that the country code, the national
destination code, and the subscriber number, all of which are
component parts of an international E.164 number, can only be decimal digits.

That would imply that the only part that could contain such a
character  is a prefix to an E.164 number, or if the number is not
an
E.164 number,  such as a private dial plan.

I'd note that RFC 3966 states: "All phone numbers MUST use the
global form unless they cannot be represented as such."

I suspect that "*", "#", etc have more usage in numbers that are
dialstrings rather than telephone numbers.

Regards

Keith

-----Original Message-----
From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Paul
Kyzivat
Sent: 11 December 2015 15:58
To: stir@ietf.org<mailto:stir@ietf.org>
Subject: Re: [stir] stir-06: Reality check on numbers (6.1.1)

On 12/10/15 9:15 PM, Eric Burger wrote:

Section 6.1.1 on Canonicalization states:
        Once an implementation has identified a telephone
number, it must
        construct a number string.  Implementations MUST drop
any leading
        +'s, any internal dashes, parentheses or other non-numeric
        characters, excepting only the leading "#" or "*" keys
used in
        some special service numbers (typically, these will
appear only  in
        the To header field value).  This MUST result in an
ASCII string
        limited to "#", "*" and digits without whitespace or visual
        separators.

Survey time: does pound or star  EVER appear in a From field?
E.164 does not allow it.

pound isn't allowed at all in a sip uri, except via escaping.

There is no mention of escaping (or unescaping) in the text. If
there is  the possibility of pound coming through then that is
needed.

Also, * and # (as well as A-D) are never valid in global numbers,
but are  valid within local numbers not just first, but anywhere
in the number.
So
why is there special treatment for a *leading* star or pound?

ISTM that canonicalization of dialstrings that represent local
rather than global numbers is fraught with difficulty.

                Thanks,
                Paul



_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir

_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir





_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir

_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir

_______________________________________________
stir mailing list
stir@ietf.org<mailto:stir@ietf.org>
https://www.ietf.org/mailman/listinfo/stir

v2.43.4 | Report a Bug | By Email | System Status