IETF Logo Mail Archive

Re: [stir] Making STIR SIP messages smaller

Roman Shpount <roman@telurix.com> Tue, 13 April 2021 03:21 UTC

Return-Path: <roman@telurix.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 648123A10BA for <stir@ietfa.amsl.com>; Mon, 12 Apr 2021 20:21:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6DQ4smxDb88T for <stir@ietfa.amsl.com>; Mon, 12 Apr 2021 20:21:00 -0700 (PDT)
Received: from mail-oi1-x22d.google.com (mail-oi1-x22d.google.com [IPv6:2607:f8b0:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26B043A10B8 for <stir@ietf.org>; Mon, 12 Apr 2021 20:20:59 -0700 (PDT)
Received: by mail-oi1-x22d.google.com with SMTP id c16so15690502oib.3 for <stir@ietf.org>; Mon, 12 Apr 2021 20:20:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=dJRbQrRPdBuTUs2adCSQb5D0YN55K/EIYn1x112i9C4=; b=SSb4PxkGrEpprlN5TYAlhL59CTC9qJyWIIrltSC+UKxiNuEq0/fYpJC8nlaDqLbV6T Rp/FNhIWnWaT25O2t32pntaN43JDvTAtZIcn94eoJFza2mIrUODlb9YVLgOqBgOcz0YH atRciJsa4TL6hrps20nhbeDavUmOWROtvp8JKpHHmR7VO5TGLxfs/+A8v9l+NCz9cUvn kNCFDU0zEC0P/gwHwnFKJuxr/xPp4Y4gQpdoFX7pbGUsN6oyyQOtBCb4NUzixFwCSv5w vpJ0mub1sW39RxRDk+ypNqlcbM2cafxj903yVDJmYLuRk8mYgK6m50O8mzG+KbVH5yJ0 zW1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=dJRbQrRPdBuTUs2adCSQb5D0YN55K/EIYn1x112i9C4=; b=fZ3AnAoI26ZJHFZtv+t8vpMnWogx7gPfFBZ4AtOa3rwUPMG6aojiGkq1m4xvsiU47f IWhm1bhrWoZALT2OX/E9EWOdKrddScKnmGMXXI+hFoKcXxR8JKSae7J2aR1W3cBqwa+o w7/VzizVNPU3F2y7LMOtHEqH/s9j4tgf1mdHw5y0gi2sHScw0JQV4Zi52H6n+PMNUXGR il69BssLcejzwgIv8VNqTe3YOVJDW9Dm6YSL0n/H6/FMBshwDhAFVS9X0hP7xLfwYaNc vCFP3jzL25VsSEbXscwdSgFikq96Jyr6JEnidW54PYuckxwd/DlwirJYkqH3BfwcpsDJ e8vg==
X-Gm-Message-State: AOAM532X2vCBFAmLDlh/C3ONaEEMF4sUD2cVN1QLTSsY1YybR58a7WnV a9q3smJMIfAyLNfxbDPsHpg///MQdOGWBQ==
X-Google-Smtp-Source: ABdhPJyNtzRwEPkg08DeHtaXlKEzA3evdpbpaLCp6qJVVmXNtpvt4cL+HQmVhYrfpr+XRklviJYsLQ==
X-Received: by 2002:aca:d481:: with SMTP id l123mr1759537oig.25.1618284058111; Mon, 12 Apr 2021 20:20:58 -0700 (PDT)
Received: from mail-oi1-f170.google.com (mail-oi1-f170.google.com. [209.85.167.170]) by smtp.gmail.com with ESMTPSA id 24sm2586028oiq.11.2021.04.12.20.20.57 for <stir@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 12 Apr 2021 20:20:57 -0700 (PDT)
Received: by mail-oi1-f170.google.com with SMTP id e66so367409oif.11 for <stir@ietf.org>; Mon, 12 Apr 2021 20:20:57 -0700 (PDT)
X-Received: by 2002:a54:4f8f:: with SMTP id g15mr1728679oiy.12.1618284056932; Mon, 12 Apr 2021 20:20:56 -0700 (PDT)
MIME-Version: 1.0
References: <adc8bd10-a04d-aff5-e03f-183f0d59c22c@petit-huguenin.org> <CAD5OKxvqYSRjaA_eR=nX4sNgTbAtQ3dSqqgAe0-y9EzbA-dRug@mail.gmail.com> <AM0PR07MB386063A2162B5C07319225D393739@AM0PR07MB3860.eurprd07.prod.outlook.com> <CAD5OKxuyT4bmNBYgSMN-9M-c1Tr=gO1rQAg1D7xGSYx=bP9K3A@mail.gmail.com> <5308A309-85DC-4440-ABE9-6C1EEB4E0FEE@chriswendt.net> <CAD5OKxsRh5pgYbc6ULL2c7nCUuAfQiM=r78vxkd0WWg0veDkjA@mail.gmail.com> <E0562367-B7E8-4935-A71A-60D2C105F850@chriswendt.net> <BN6PR11MB39211A0A9BB35EB34E1789C599709@BN6PR11MB3921.namprd11.prod.outlook.com> <19194256-B61E-47D6-B1F6-5317F2F7BE90@chriswendt.net> <BN6PR11MB3921F5DBEA3719F5DB0C31BC99709@BN6PR11MB3921.namprd11.prod.outlook.com> <CAD5OKxsswce0vHSZdc1UYS6ie2D7ut6ZDmc8MUX7Jnzyim9utQ@mail.gmail.com> <BN6PR11MB3921D6F56388B75A47599A2299709@BN6PR11MB3921.namprd11.prod.outlook.com> <CAD5OKxuQ5iA7tW7kD-97KQVGhF_2uX5gQBP=0EEL4bK1+iX+FQ@mail.gmail.com> <BN6PR11MB392170A4D015C72F0E19C8BD994F9@BN6PR11MB3921.namprd11.prod.outlook.com>
In-Reply-To: <BN6PR11MB392170A4D015C72F0E19C8BD994F9@BN6PR11MB3921.namprd11.prod.outlook.com>
From: Roman Shpount <roman@telurix.com>
Date: Mon, 12 Apr 2021 23:20:45 -0400
X-Gmail-Original-Message-ID: <CAD5OKxt9SLPXoagnGYT7eX6mTcKn5i7q37mWZhWuz_Y3tsLunA@mail.gmail.com>
Message-ID: <CAD5OKxt9SLPXoagnGYT7eX6mTcKn5i7q37mWZhWuz_Y3tsLunA@mail.gmail.com>
To: Alec Fenichel <alec.fenichel@transnexus.com>
Cc: Chris Wendt <chris-ietf@chriswendt.net>, "stir@ietf.org Mail List" <stir@ietf.org>, Marc Petit-Huguenin <marc@petit-huguenin.org>, Christer Holmberg <christer.holmberg@ericsson.com>
Content-Type: multipart/alternative; boundary="0000000000005bf74205bfd21eb1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/Ea3ClRiQPjmU8inTxi5Uf7W6BUE>
Subject: Re: [stir] Making STIR SIP messages smaller
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2021 03:21:06 -0000

Alec,

You are correct about the "info" parameter. It is completely unnecessary if
a full Identity header is used.

You are also correct that we would probably be fine with complete Identity
instead of compact identity with extra headers. If we remove all redundant
and optional data, then generated INVITE would be 1.4K, or right on the
border of max allowed MTU size. Please note that if any codecs or "rcd"
would be added, the problem will reappear. The extra 180 bytes you are
mentioning would provide some safety buffer for extra codecs or headers.

As long as SIP INVITE is below the PDU, we should be fine, but with a
full-size Identity, it is always bigger than the 1300 bytes limit for UDP
set in RFC3261 (see https://tools.ietf.org/html/rfc3261#section-18.1.1). In
general, Identity makes the SIP INVITE message 50% bigger. I am surprised I
am the first person who raised this issue.

I can go into more details regarding the issues related to going over UDP
MTU size. The several main issues here:

1. If UDP and TCP are both enabled on a SIP trunk, a SIP message should be
sent over TCP if it is within the 200 bytes of the UDP MTU size or over
1300 bytes if MTU is unknown. If the SIP request fails over TCP, it should
then retried over UDP. This causes PDD. Please see
https://tools.ietf.org/html/rfc3261#section-18.1.1

2. A major US internet service provider is dropping all fragmented UDP
messages on a number of its routes. If the SIP message ends up going
through this provider when traversing the public Internet, calls start
failing. When fragmented UDP is sent over the private interconnects, it
usually works fine.

3. TCP is stateful. This causes redundancy and fail-over issues with a lot
of implementations. Also, TCP implementations are not thought through or
tested as well as UDP.

In any case, if we can avoid switching the transport protocol, the
implementation would be much more robust.
_____________
Roman Shpount


On Mon, Apr 12, 2021 at 10:31 PM Alec Fenichel <alec.fenichel@transnexus.com>
wrote:

> Roman,
>
>
>
> I’m not following how “info” would identify the header as containing a
> JWT. The “info” parameter contains a URL which could be used by a JWT or
> something else.
>
>
>
> I don’t disagree that some implementations have issues when MTU is
> exceeded because they either don’t support TCP or don’t handle
> fragmentation properly. That being said, I wouldn’t call it broken. In my
> experience, most implementations handle packet fragmentation as long as the
> packets arrive in order. If the packets arrive out of order, they are
> generally discarded but then they are retransmitted because a SIP ACK is
> never sent. Even over the internet, packets arrive in order the vast
> majority of the time, so retransmissions work well. At the end of the day,
> calls complete without issue.
>
>
>
> As far as TCP goes, I can only think of a one common network element that
> doesn’t support TCP (it actually does support TCP, but the TCP stack is
> broken, and the manufacturer doesn’t appear interested in fixing it).
> However, even that device doesn’t really count as it is a switch, so it was
> never intended to be used at the network edge. Fragmented UDP is used
> between the switch and the SBC (this isn’t a problem because packets almost
> always arrive in order over LAN connections and again, retransmission
> address anything that doesn’t). TCP can be used between the SBC and the SBC
> of the other network. Although again, I see fragmented UDP used more often
> than TCP.
>
>
>
> But not of that really matters, the point I am trying to make is that
> compact form PASSporTs don’t save that much space over full form PASSporTs.
> So given the increased brittleness, I don’t think compact form PASSporTs
> are worth it. Example:
>
>
>
> Full form (415 bytes):
>
>
>
> Identity:
> eyJhbGciOiJFUzI1NiIsInBwdCI6InNoYWtlbiIsInR5cCI6InBhc3Nwb3J0IiwieDV1IjoiaHR0cHM6Ly9jZXJ0aWZpY2F0ZXMuZXhhbXBsZS5jb20vZXhhbXBsZS5jcnQifQ.eyJhdHRlc3QiOiJBIiwiZGVzdCI6eyJ0biI6WyIxOTAzMjQ2OTEwMyJdfSwiaWF0IjoxNTg0OTgzNDAyLCJvcmlnIjp7InRuIjoiMTIwMTM3NzYwNTEifSwib3JpZ2lkIjoiNGFlYzk0ZTItNTA4Yy00YzFjLTkwN2ItMzczN2JhYzBhODBlIn0.EMfXHyowsI5s73KqoBzJ9pzrrwGFNKBRmHcx-YZ3DjPgBe4Mvqq9N-bThN1_HTWeSvbruAyet26fetRL1_bn1g
>
>
>
> Compact form (231 bytes, assuming \r\n newlines and “attest=A” is used to
> convey attestation)
>
>
>
> Session-ID: 4aec94e2-508c-4c1c-907b-3737bac0a80e
>
> Identity:
> ..EMfXHyowsI5s73KqoBzJ9pzrrwGFNKBRmHcx-YZ3DjPgBe4Mvqq9N-bThN1_HTWeSvbruAyet26fetRL1_bn1g;info=<
> https://certificates.example.com/example.crt
> >alg=ES256;ppt="shaken";attest=A
>
>
>
> So, for a SHAKEN PASSporT, it would save 184 bytes to use compact form.
> That isn’t nothing, but I don’t think it is worth it.
>
>
>
> Sincerely,
>
>
>
> Alec Fenichel
>
> Senior Software Architect
>
> alec.fenichel@transnexus.com
>
> +1 (407) 760-0036
>
> TransNexus
>
>
>
> *From: *Roman Shpount <roman@telurix.com>
> *Date: *Monday, April 12, 2021 at 21:17
> *To: *Alec Fenichel <alec.fenichel@transnexus.com>
> *Cc: *Chris Wendt <chris-ietf@chriswendt.net>, stir@ietf.org Mail List <
> stir@ietf.org>, Marc Petit-Huguenin <marc@petit-huguenin.org>, Christer
> Holmberg <christer.holmberg@ericsson.com>
> *Subject: *Re: Making STIR SIP messages smaller
>
> Alec,
>
>
>
> I think the "info" header was required to identify the type of Identity
> header so that, in the future, you can switch to something different from
> JWT.
>
>
>
> I understand the desire to pass a lot of information, including "nam" and
> "rcd," when setting up the call. The problem is SIP over UDP was not
> designed to pass the unlimited amount of information. A lot of current
> deployments in the field support UDP only. If the INVITE message becomes
> bigger than the UDP MTU, these deployments break. If you need to pass
> additional data with the SIP call where you do not control the entire
> network along the way, it should be passed out-of-band. In the perfect
> world, we would be using SIPS right now, but this is not the case.
>
>
>
> The other solution would be to switch everything to passing Identity OOB,
> similar to PSTN, and only use the Identity header within a controlled
> network where its delivery can be guaranteed despite the size.
>
>
>
> As this solution stands right now, it is simply broken.
>
> _____________
> Roman Shpount
>
>
>
>
>
> On Mon, Apr 12, 2021 at 7:53 PM Alec Fenichel <
> alec.fenichel@transnexus.com> wrote:
>
> Roman,
>
>
>
> One of my concerns with switching to compact form is that every SIP device
> in the call path needs to support passing every single header used to
> convey signed information. If just a single header conveying signed
> information is lost or changed, then the PASSporT verification will fail.
> And every time you add a new header, the PASSporTs are unusable until every
> transit provider in the call path supports passing the new header.
>
>
>
> Also, it doesn’t work for TDM calls. OOB can get the PASSporT across the
> TDM, but it isn’t intended to get all the SIP headers conveying signed
> information across TDM.
>
>
>
> Finally, right now, we often include “rcd” “nam” claims in “shaken”
> PASSporTs. I don’t think you can include “rcd” information in a “shaken”
> PASSporT using compact form. The TSP doesn’t know that the display name was
> part of the PASSporT and would generate the wrong PASSporT causing the
> verification to fail. And you would lose the ability to use longer than 15
> character “rcd” “nam” claims because putting more than 15 characters is the
> From/PAI display name often results in it getting truncated during transit.
> This would break verification as described above.
>
>
>
> I think the Date header should be optional. I agree that we should stop
> duplicating information. But I think we should do this by only transmitting
> information in the PASSporT as opposed to only in SIP headers. I know using
> SIP headers would ultimately be smaller than PASSporTs, but I think it is
> too brittle.
>
>
>
> Hence my comment, I think we should make “info”, “alg”, and “ppt” all
> optional and we should not use any of them in the examples to promote
> implementations not to use them. The exception being when the example shows
> compact form PASSporTs, obviously they need to be included.
>
>
>
> Sincerely,
>
>
>
> Alec Fenichel
>
> Senior Software Architect
>
> alec.fenichel@transnexus.com
>
> +1 (407) 760-0036
>
> TransNexus
>
>
>
> *From: *Roman Shpount <roman@telurix.com>
> *Date: *Monday, April 12, 2021 at 19:00
> *To: *Alec Fenichel <alec.fenichel@transnexus.com>
> *Cc: *Chris Wendt <chris-ietf@chriswendt.net>, stir@ietf.org Mail List <
> stir@ietf.org>, Marc Petit-Huguenin <marc@petit-huguenin.org>, Christer
> Holmberg <christer.holmberg@ericsson.com>
> *Subject: *Making STIR SIP messages smaller
>
> Alec,
>
>
>
> I agree that we need to figure out a way to make Identity headers smaller.
> As it stands right now, the Identity header with "shaken" PASSporT type
> adds around 600 bytes to an INVITE message. This makes typical SIP INVITE
> messages go from around 1K in size to 1.6K, which is bigger than the UDP
> MTU. Going over UDP MTU causes SIP trunks to either switch to TCP (in
> places where TCP was never used) or to experience sporadic call completion
> problems (when a call goes over an Internet service providers that does not
> deliver fragmented UDP messages). This is causing major breakage in SIP
> VoIP networks right now as STIR/SHAKEN is getting deployed. It is a big
> enough problem that we see a change in call completion statistics in the US.
>
>
>
> I would argue that instead of making info parameter optional, we need to
> make iat and attest claims SIP Identity header parameters and
> recommend switching to compact Identity header form. We can move origid
> into Session-ID header (RFC 7989). We should also make the Date header
> optional since it is redundant when iat is present. This should save around
> 300 bytes per message which should make INVITE messages less than the UDP
> MTU.
>
>
>
> I know this is very late in the process, but I simply do not see how the
> current implementation can be safely deployed in its current form.
>
>
>
> Best Regards,
>
> _____________
> Roman Shpount
>
>
>
>
>
> On Mon, Apr 12, 2021 at 5:39 PM Alec Fenichel <
> alec.fenichel@transnexus.com> wrote:
>
> I guess what I am trying to say is that I think we should remove ppt from
> the examples because as you say, people tend to code to examples and
> smaller Identity headers would be ideal.
>
>
>
> I don’t mean to hijack this thread, but I have been meaning to bring this
> up anyways and it is related. Is there a reason I’m just overlooking for
> requiring the “info” parameter when a full-form PASSporT is used? If not,
> can we make it optional? The reason I ask is that with OOB, the transit
> provider receives a PASSporT out-of-band and then needs to construct an
> Identity header. Because of the “info” parameter requirement, the transit
> provider must decode the PASSporT in order to determine the “info”
> parameter. This is the only reason that a transit provider needs to decode
> the PASSporT. This isn’t difficult so it doesn’t really matter, but I
> figured I’d ask about potentially making the “info” parameter optional.
> Also, it makes the Identity header smaller which is always a good thing.
>
>
>
> Sincerely,
>
>
>
> Alec Fenichel
>
> Senior Software Architect
>
> alec.fenichel@transnexus.com
>
> +1 (407) 760-0036
>
> TransNexus
>
>
>
>

v2.23.0 | Report a Bug | By Email