Re: [stir] Interop related topics for STIR

Chris Wendt <chris-ietf@chriswendt.net> Tue, 13 July 2021 20:29 UTC

From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <DEA7B3ED-ABD9-4BE6-8CE7-207849B18D75@chriswendt.net>
Date: Tue, 13 Jul 2021 16:28:57 -0400
In-Reply-To: <HE1PR07MB444105CF3A1F1E8C22553AD093149@HE1PR07MB4441.eurprd07.prod.outlook.com>
Cc: "Peterson, Jon" <jon.peterson=40team.neustar@dmarc.ietf.org>, Russ Housley <housley@vigilsec.com>, Roman Shpount <roman@telurix.com>, IETF STIR Mail List <stir@ietf.org>
To: Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>
References: <2C876D56-5E92-462F-890D-383076B91233@vigilsec.com> <CAD5OKxtE=W=wg8FDOC=yOqB6cHEAf5hoLWArvs6ysoeaWsxZMQ@mail.gmail.com> <8C2E746A-2B02-44CD-99F0-CA55C4051818@vigilsec.com> <CAD5OKxsQ+WO6zPcF49_DZV+DdxuNZJbSVWJtaRCTUqHAf2t80g@mail.gmail.com> <62682C90-8635-42B4-8D04-A89243ED54FF@vigilsec.com> <20E31A90-44D4-4F55-B67E-6106DC9D9763@team.neustar> <HE1PR07MB444105CF3A1F1E8C22553AD093149@HE1PR07MB4441.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/CUj6I7w3mABUK9CeVfHwv1pdn10>

Agree with Jon and Christer's comments. 1 we all agree on, as discussed in the meeting, but 2-3 and 5 are news to me. 2 is an important part of replay-attack protection; could it be done in other ways? Perhaps, but I think it's a little late for that conversation at this point. In the US at least, there is a highly significant percentage of calls being signed as we speak, particularly after the June 30 deadline, and these issues haven't surfaced in IPNNI discussions, interop forums or real-world usage to my knowledge, and I've been paying pretty close attention to this :)

-Chris

> On Jul 13, 2021, at 4:03 PM, Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi,
>  
> Regarding 4), I agree with Jon. As I’ve said before, a SIP message can exceed 1300 bytes even without STIR. If the usage of TCP for SIP needs to be better explained, that belongs to 3261 (or, perhaps a generic TCP-for-SIP draft).
>  
> Regards,
>  
> Christer
>  
> From: stir <stir-bounces@ietf.org> On Behalf Of Peterson, Jon
> Sent: Tuesday, 13 July 2021 22:35
> To: Russ Housley <housley@vigilsec.com>; Roman Shpount <roman@telurix.com>
> Cc: IETF STIR Mail List <stir@ietf.org>
> Subject: Re: [stir] Interop related topics for STIR
>  
>  
> I think 1 needs to be fixed as an errata; it’s an actual bug in the current spec.  From my perspective, 2 and 3 are more “it would be nice” sorts of issues that we’d explore if we had some more substantial motivations to do an rfc8224bis – I don’t think they are worth doing a bis for on their own merits, especially not given the current state of deployment. 4 is not really a STIR issue, just a 20-year-old SIP issue that STIR is the latest thing to exacerbate. And as for 5, I’m not sure what the issue is… elaborate?
>  
> Jon Peterson
> Neustar, Inc.
>  
> From: stir <stir-bounces@ietf.org> on behalf of Russ Housley <housley@vigilsec.com>
> Date: Tuesday, July 13, 2021 at 11:57 AM
> To: Roman Shpount <roman@telurix.com>
> Cc: IETF STIR Mail List <stir@ietf.org>
> Subject: Re: [stir] Interop related topics for STIR
>  
> Roman:
>  
> Assuming that others agree with the way forward, it seems that 1-3 are the start of 8224bis, and it seems that 4 might be a new Operational Considerations in 8224bis.
>  
> Again, assuming agreement on the way forward, 8226bis should reflect real implementation.  That said, 8226 also envisions finer granularity than we have seen so far.
>  
> I think a STIR Torture Test document would be very valuable.
>  
> Russ
>  
>  
> 
> On Jul 13, 2021, at 2:41 PM, Roman Shpount <roman@telurix.com> wrote:
>  
> I am moving this into a new thread.
>  
> So far the following RFC8224 issues were identified:
>  
> 1. Errata regarding quotes in ppt value (Errata ID: 6519). Need to verify that both ppt values with and without quotes are supported when Identity header is received
>  
> 2. Date header is required. It should probably be optional, since the information there is redundant when the Full-Form PASSporT is used. Several known implementations omit it.
>  
> 3. Should it be possible to omit ident-info and ident-info-params when the Full-Form PASSporT is used? All implementations I have seen include it, but there are occasional mismatches.
>  
> 4. When a SIP message is over 1300 bytes, the request MUST be sent using a congestion-controlled transport protocol such as TCP (https://datatracker.ietf.org/doc/html/rfc3261#section-18.1.1). Considering that the Identity header is typically around 1000 bytes, this requires all networks to start using reliable protocols, which is not currently the case. There is a way to work around this for private links where the MTU is under vendor control, but for links over the public internet this needs to be clearly stated and tested.
>  
> 5. I do not think RFC8226 reflects the actual practices for STIR certificates.
>  
> We should also consider an informational document with STIR Torture test messages as well as BCP.
> _____________
> Roman Shpount
>  
>  
> On Tue, Jul 13, 2021 at 1:57 PM Russ Housley <housley@vigilsec.com> wrote:
> I think that a SIPIT would be a very good thing, but that is not an IRTF activity. That said, I would be very happy to use this list to know about a SIPIT once it is organized.
> Are there other interoperability or ops-oriented topics about STIR that need to be discussed? If so, please start a thread.
>  
>  
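The three interop points raised in the thread above (item 1: ppt with or without quotes; item 2: the Date header versus the iat claim of a Full-Form PASSporT; item 4: the 1300-byte transport threshold of RFC 3261) as one verifier-side example in Python. This is an added illustration, not code from RFC 8224, RFC 8225 or any participant in this thread. The certificate URL, telephone numbers, origid, signature bytes and the INVITE skeleton are constructed placeholders (the signature is never verified here), and the fallback from Date to iat is the relaxation Roman proposes in item 2, shown as an assumption rather than as what RFC 8224 currently requires.

```python
"""Added example (not from RFC 8224/8225 or the STIR list): parse an Identity
header with quoted or unquoted ppt, judge freshness from Date or the full-form
iat, and flag SIP requests above RFC 3261's 1300-byte UDP guidance."""
import base64
import json
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

FRESHNESS_WINDOW = timedelta(seconds=60)   # one-minute window of RFC 8224 section 6.2.1
UDP_SAFE_LIMIT = 1300                      # RFC 3261 section 18.1.1 threshold in bytes
PLACEHOLDER_CERT_URL = "https://cert.example.invalid/placeholder.pem"  # constructed, not a real STI-CR


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_identity_header(iat: int, quote_ppt: bool, full_form: bool = True) -> str:
    """Constructed Identity header value. The signature is a placeholder byte
    string, not an ES256 signature, so this exercises parsing only."""
    header = {"alg": "ES256", "ppt": "shaken", "typ": "passport", "x5u": PLACEHOLDER_CERT_URL}
    claims = {"attest": "A", "dest": {"tn": ["12155550123"]}, "iat": iat,
              "orig": {"tn": "12155550100"}, "origid": "constructed-origid"}
    header_b64 = _b64url(json.dumps(header, separators=(",", ":")).encode())
    claims_b64 = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig_b64 = _b64url(b"\x00" * 64)   # placeholder for a 64-byte raw ES256 signature
    # Compact form (RFC 8225 section 7) carries only the signature: "..<sig>"
    token = ".".join([header_b64, claims_b64, sig_b64] if full_form else ["", "", sig_b64])
    ppt = '"shaken"' if quote_ppt else "shaken"
    return f"{token};info=<{PLACEHOLDER_CERT_URL}>;alg=ES256;ppt={ppt}"


# name=value pairs; a value is <uri>, a quoted string, or a bare token up to ';'
_PARAM_RE = re.compile(r'([^=;\s]+)\s*=\s*(<[^>]*>|"[^"]*"|[^;]*)')


def parse_identity(value: str) -> dict:
    """Split an Identity header into digest, parameters and (full form) claims.
    ppt is accepted both quoted and unquoted, the point of Errata ID 6519."""
    digest, sep, rest = value.strip().partition(";")
    if not sep or not re.fullmatch(r"[A-Za-z0-9+/=_.-]+", digest):
        raise ValueError("malformed signed-identity-digest")
    params = {}
    for name, raw in _PARAM_RE.findall(rest):
        if (raw.startswith("<") and raw.endswith(">")) or (raw.startswith('"') and raw.endswith('"')):
            raw = raw[1:-1]
        params[name.lower()] = raw.strip()
    if "info" not in params:
        raise ValueError("ident-info (info=<uri>) is mandatory")
    pieces = digest.split(".")
    if len(pieces) != 3:
        raise ValueError("PASSporT must have three dot-separated parts")
    header_b64, claims_b64, _sig = pieces
    claims = json.loads(_b64url_decode(claims_b64)) if header_b64 and claims_b64 else None
    return {"digest": digest, "info": params["info"], "alg": params.get("alg"),
            "ppt": params.get("ppt"), "claims": claims}


def check_freshness(date_header, claims, now_epoch: int) -> str:
    """Replay guard. With a Date header, Date must agree with iat and be recent.
    Falling back to iat when Date is absent is the relaxation discussed in the
    thread (an assumption here), not current RFC 8224 behaviour."""
    now = datetime.fromtimestamp(now_epoch, tz=timezone.utc)
    date_value = parsedate_to_datetime(date_header) if date_header else None
    if date_value is not None and date_value.tzinfo is None:
        date_value = date_value.replace(tzinfo=timezone.utc)
    iat_value = None
    if claims and isinstance(claims.get("iat"), int):
        iat_value = datetime.fromtimestamp(claims["iat"], tz=timezone.utc)
    if date_value and iat_value and abs(date_value - iat_value) > FRESHNESS_WINDOW:
        return "date-iat-mismatch"
    reference = date_value or iat_value
    if reference is None:
        return "no-time-reference"   # compact form without Date: nothing to anchor freshness to
    return "fresh" if abs(now - reference) <= FRESHNESS_WINDOW else "stale"


def requires_congestion_controlled_transport(raw_request: bytes) -> bool:
    """RFC 3261 section 18.1.1: above 1300 bytes (path MTU unknown) use TCP/TLS/SCTP."""
    return len(raw_request) > UDP_SAFE_LIMIT


def build_invite(identity, date_header) -> bytes:
    """Constructed INVITE using RFC 5737 documentation addresses."""
    headers = ["INVITE sip:+12155550123@gw.example.invalid SIP/2.0",
               "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed",
               "From: <sip:+12155550100@carrier.example.invalid>;tag=c0nstructed",
               "To: <sip:+12155550123@gw.example.invalid>",
               "Call-ID: constructed-call-id@192.0.2.10", "CSeq: 1 INVITE", "Max-Forwards: 70"]
    if date_header:
        headers.append(f"Date: {date_header}")
    if identity:
        headers.append(f"Identity: {identity}")
    body = (b"v=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\nc=IN IP4 192.0.2.10\r\n"
            b"t=0 0\r\nm=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n")
    headers += ["Content-Type: application/sdp", f"Content-Length: {len(body)}"]
    return "\r\n".join(headers).encode() + b"\r\n\r\n" + body


if __name__ == "__main__":
    iat = 1626208139   # epoch of this thread's date, 13 Jul 2021 20:28:59 UTC
    for quoted in (False, True):
        parsed = parse_identity(build_identity_header(iat, quoted))
        print("ppt:", parsed["ppt"], "freshness:", check_freshness(None, parsed["claims"], iat + 5))
    req = build_invite(build_identity_header(iat, False), "Tue, 13 Jul 2021 20:28:57 GMT")
    print(len(req), "bytes, needs TCP:", requires_congestion_controlled_transport(req))
```

The parser deliberately normalises `ppt="shaken"` and `ppt=shaken` to the same value; a verifier that rejects one of the two forms will fail signed calls from otherwise conformant peers, which is the interop failure Errata 6519 describes. The size check is on the serialized request, so the SDP body and every other header count toward the 1300 bytes, not just the Identity header.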