Re: [stir] Interop related topics for STIR

Alec Fenichel <alec.fenichel@transnexus.com> Tue, 13 July 2021 21:23 UTC

From: Alec Fenichel <alec.fenichel@transnexus.com>
To: Chris Wendt <chris-ietf@chriswendt.net>, Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>
CC: IETF STIR Mail List <stir@ietf.org>, "Peterson, Jon" <jon.peterson=40team.neustar@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, Roman Shpount <roman@telurix.com>
Date: Tue, 13 Jul 2021 21:23:05 +0000
Message-ID: <BN6PR11MB392185B2787AE9F7AC8336C299149@BN6PR11MB3921.namprd11.prod.outlook.com>
In-Reply-To: <DEA7B3ED-ABD9-4BE6-8CE7-207849B18D75@chriswendt.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/7C4HLWnm5VRClXegC3vJ1cyE0i8>

It would be beneficial to address number 3. It provides no value when full form PASSporTs are used. It makes the Identity header bigger. It also makes the generation of the Identity header more complicated when converting a call from TDM to SIP and using OOB or Extending SHAKEN over TDM (the two ATIS standards for TDM calls). I think all Identity header parameters should be optional if the PASSporT is in full form.

Sincerely,

Alec Fenichel

Senior Software Architect

alec.fenichel@transnexus.com

+1 (407) 760-0036

TransNexus

From: stir <stir-bounces@ietf.org> on behalf of Chris Wendt <chris-ietf@chriswendt.net>
Date: Tuesday, July 13, 2021 at 16:32
To: Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>
Cc: IETF STIR Mail List <stir@ietf.org>, Peterson, Jon <jon.peterson=40team.neustar@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, Roman Shpount <roman@telurix.com>
Subject: Re: [stir] Interop related topics for STIR

Agree with Jon and Christer's comments. 1 we all agree on, as discussed in the meeting, but 2-3 and 5 are news to me. 2 is an important part of replay attack; could it be done in other ways, perhaps, but I think it's a little late for that conversation at this point.  In the US at least, there is a highly significant percentage of calls being signed as we speak, particularly after the June 30 deadline, and these issues haven't surfaced in IPNNI discussions, interop forums and real-world usage to my knowledge, and I've been paying pretty close attention to this :)

-Chris



On Jul 13, 2021, at 4:03 PM, Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org> wrote:

Hi,

Regarding 4), I agree with Jon. As I’ve said before, a SIP message can exceed 1300 bytes even without STIR. If the usage of TCP for SIP needs to be better explained, that belongs to 3261 (or, perhaps a generic TCP-for-SIP draft).

Regards,

Christer

From: stir <stir-bounces@ietf.org> On Behalf Of Peterson, Jon
Sent: Tuesday, 13 July 2021 22:35
To: Russ Housley <housley@vigilsec.com>; Roman Shpount <roman@telurix.com>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] Interop related topics for STIR

I think 1 needs to be fixed as an errata; it’s an actual bug in the current spec.  From my perspective, 2 and 3 are more “it would be nice” sorts of issues that we’d explore if we had some more substantial motivations to do an rfc8224bis – I don’t think they are worth doing a bis for on their own merits, especially not given the current state of deployment. 4 is not really a STIR issue, just a 20-year-old SIP issue that STIR is the latest thing to exacerbate. And as for 5, I’m not sure what the issue is… elaborate?

Jon Peterson

Neustar, Inc.

From: stir <stir-bounces@ietf.org> on behalf of Russ Housley <housley@vigilsec.com>
Date: Tuesday, July 13, 2021 at 11:57 AM
To: Roman Shpount <roman@telurix.com>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] Interop related topics for STIR

Roman:

Assuming that others agree with the way forward, it seems that 1-3 are the start of 8224bis, and it seems that 4 might be a new Operational Considerations in 8224bis.

Again, assuming agreement on the way forward, 8226bis should reflect real implementation.  That said, 8226 also envisions finer granularity than we have seen so far.

I think a STIR Torture Test document would be very valuable.

Russ

On Jul 13, 2021, at 2:41 PM, Roman Shpount <roman@telurix.com> wrote:

I am moving this into a new thread.

So far the following RFC8224 issues were identified:

1. Errata regarding quotes in ppt value (Errata ID: 6519). Need to verify that both ppt values, with and without quotes, are supported when an Identity header is received.

2. Date header is required. It should probably be optional, since the information there is redundant when the Full-Form PASSporT is used. Several known implementations omit it.

3. Should it be possible to omit ident-info and ident-info-params when the Full-Form PASSporT is used? All implementations I have seen include it, but there are occasional mismatches.

4. When a SIP message is over 1300 bytes, the request MUST be sent using a congestion-controlled transport protocol such as TCP (https://datatracker.ietf.org/doc/html/rfc3261#section-18.1.1). Considering that the Identity header is typically around 1000 bytes, this requires all networks to start using reliable protocols, which is not currently the case. There is a way to work around this for the private links where MTU is under vendor control, but for links over the public internet, this needs to be clearly stated and tested.

5. I do not think RFC8226 reflects the actual practices for STIR certificates.

We should also consider an informational document with STIR Torture test messages as well as BCP.

_____________
Roman Shpount

On Tue, Jul 13, 2021 at 1:57 PM Russ Housley <housley@vigilsec.com> wrote:

I think that a SIPIT would be a very good thing, but that is not an IRTF activity.  That said, I would be very happy to use this list to know about a SIPIT once it is organized.

Are there other interoperability or ops-oriented topics about STIR that need to be discussed?  If so, please start a thread.
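As an added illustration of items 1, 3 and 4 from Roman's list (example code written for this page, not from any of the posters and not an RFC 8224 implementation): a small Python parser for the Identity header that accepts ppt with or without quotes, treats info/alg/ppt as optional when the PASSporT is in full form and only checks them for consistency with the JWS header, and the 1300-byte transport rule from RFC 3261. The PASSporT, its x5u URL and the origid are constructed placeholders, and the signature is never verified.

```python
import base64
import json
import re

# Constructed sample (not from the thread): a full-form PASSporT assembled inline so the
# example runs offline. The signature is 64 dummy zero bytes; nothing here verifies it.
def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

PPT_HEADER = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
              "x5u": "https://cert.example.net/shaken.pem"}          # placeholder URL
PPT_PAYLOAD = {"attest": "A", "dest": {"tn": ["12155551213"]}, "iat": 1626210000,
               "orig": {"tn": "12155551212"}, "origid": "constructed-origid"}
SAMPLE_PASSPORT = ".".join(_b64url(json.dumps(d, separators=(",", ":")).encode())
                           for d in (PPT_HEADER, PPT_PAYLOAD)) + "." + _b64url(bytes(64))
# One Identity parameter: name=value, where the value is "quoted", <angle-bracketed>
# (the info URI) or a bare token. Accepting the quoted form is what Errata 6519 needs.
_PARAM = re.compile(r'\s*([A-Za-z0-9\-]+)\s*=\s*(?:"([^"]*)"|<([^>]*)>|([^;\s"<]+))\s*')

def parse_identity(value: str) -> dict:
    """Split an Identity header value into PASSporT and parameters; report the
    parameter/PASSporT mismatches the thread raises as items 1 and 3."""
    digest, *raw_params = value.strip().split(";")  # assumes no ';' inside the info URI
    params = {}
    for raw in raw_params:
        m = _PARAM.fullmatch(raw)
        if not m:
            raise ValueError(f"malformed Identity parameter: {raw!r}")
        name, quoted, angled, bare = m.groups()
        params[name.lower()] = next(v for v in (quoted, angled, bare) if v is not None)
    parts = digest.strip().split(".")
    full_form = len(parts) == 3 and bool(parts[0]) and bool(parts[1])
    result = {"passport": digest.strip(), "full_form": full_form, "params": params, "issues": []}
    if full_form:
        hdr = json.loads(base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4)))
        result["passport_header"] = hdr
        # A full-form PASSporT already carries alg/ppt/x5u in its JWS header, so the
        # header parameters add nothing; the only useful check is that they agree.
        for param, claim in (("alg", "alg"), ("ppt", "ppt"), ("info", "x5u")):
            if param in params and params[param] != hdr.get(claim):
                result["issues"].append(f"{param}={params[param]!r} != {claim}={hdr.get(claim)!r}")
    elif "info" not in params:  # compact form: the URI is only available from the parameter
        result["issues"].append("compact-form PASSporT without info parameter")
    return result

def transport_for(sip_message: bytes, limit: int = 1300) -> str:
    """RFC 3261 section 18.1.1: with the path MTU unknown, a request over 1300 bytes
    MUST use a congestion-controlled transport such as TCP (thread item 4)."""
    return "TCP" if len(sip_message) > limit else "UDP"
```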
