IETF Logo Mail Archive

Re: [stir] Making STIR SIP messages smaller

Roman Shpount <roman@telurix.com> Tue, 13 April 2021 01:17 UTC

Return-Path: <roman@telurix.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 389ED3A19FB for <stir@ietfa.amsl.com>; Mon, 12 Apr 2021 18:17:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=telurix-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XcAwjjtfExOS for <stir@ietfa.amsl.com>; Mon, 12 Apr 2021 18:17:17 -0700 (PDT)
Received: from mail-oi1-x233.google.com (mail-oi1-x233.google.com [IPv6:2607:f8b0:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB85A3A1A47 for <stir@ietf.org>; Mon, 12 Apr 2021 18:17:11 -0700 (PDT)
Received: by mail-oi1-x233.google.com with SMTP id c16so15448491oib.3 for <stir@ietf.org>; Mon, 12 Apr 2021 18:17:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/Ij0AgBqFtASY+/04p/SGYohuPGm6XQLV6fnP6ETruE=; b=CkfqB1eRy86iNjzEcZW5yWtympmCav0SUrOYauSBd0pOu18nbQt5Hpp9VqzZ0I5Pzp JhoNLpgiY6t3miky9mIkKH6g7PdDHM5jrUv50L42edYdCd2DyiqfwEeF6MYrlL+C+upe jrmsRGtrGd/69d51+6zBzsVtuypq/dLNTuUKD6Xhsm/+nrCWrUkXN6aN2fViebSYaCiz S0tSbr6d9D4lssllEiNB3yELcWOW4oYx65pV21FknwlF4W/84E9LesggrdZwIwS7zR/1 UBxYrFfRdVGeFjaVPRJgsUrjBAw9Mv2MW7OeUfDq5nYDj2SAiPSWI8/ShLe0Ft9leLBy BBQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/Ij0AgBqFtASY+/04p/SGYohuPGm6XQLV6fnP6ETruE=; b=FSxDBcLVwmaXJkcikVl3IfpYxNPYotlLg9Sio68HFuNyrsUlym8npGu0vmlUNRXfX6 rosjM5Rm9SCdhN1dUAoB+S2FwhsvvlJ8s+CD0iMTJ/iunBfcxfaGFGvUF488ubjEnx9h 4NzInOa/9qda3e8iYk9ZR9gpVu4Hbe6RE/h4TXsANfQPz7G4RSC7nTpm0Z+jUbiyYLMk kMBY66TSc7NPZIPzLF/SzU4i1W05k4Gv1Yel0qS+9stcilB5gkebpuXFSURMH9u2h++M nHHLCfqS/1rUfQ5JVdNfsnbH12m4jtNiaCoXFCM9/S9bRYdIOdVxsN1xgwnaE2ypK1pk wRGw==
X-Gm-Message-State: AOAM5302FxFQcXmpTKOx83EBODDLuGORXLTxBQPaWhYyW1tHJcvy7rKy BkByfYyLI24raHHQ5WUoyCEkth0HasLudQ==
X-Google-Smtp-Source: ABdhPJzzEo86tKAFYV8fHnXrHL806/hkUt+i8F5FoKy/h5wCgZm6vic4JFu1cuWJc4iF/E+na1Vukw==
X-Received: by 2002:aca:a842:: with SMTP id r63mr1487924oie.146.1618276627870; Mon, 12 Apr 2021 18:17:07 -0700 (PDT)
Received: from mail-ot1-f42.google.com (mail-ot1-f42.google.com. [209.85.210.42]) by smtp.gmail.com with ESMTPSA id w3sm1871887otg.78.2021.04.12.18.17.06 for <stir@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 12 Apr 2021 18:17:07 -0700 (PDT)
Received: by mail-ot1-f42.google.com with SMTP id f75-20020a9d03d10000b0290280def9ab76so9532752otf.12 for <stir@ietf.org>; Mon, 12 Apr 2021 18:17:06 -0700 (PDT)
X-Received: by 2002:a9d:6241:: with SMTP id i1mr19773211otk.13.1618276626383; Mon, 12 Apr 2021 18:17:06 -0700 (PDT)
MIME-Version: 1.0
References: <adc8bd10-a04d-aff5-e03f-183f0d59c22c@petit-huguenin.org> <CAD5OKxvqYSRjaA_eR=nX4sNgTbAtQ3dSqqgAe0-y9EzbA-dRug@mail.gmail.com> <AM0PR07MB386063A2162B5C07319225D393739@AM0PR07MB3860.eurprd07.prod.outlook.com> <CAD5OKxuyT4bmNBYgSMN-9M-c1Tr=gO1rQAg1D7xGSYx=bP9K3A@mail.gmail.com> <5308A309-85DC-4440-ABE9-6C1EEB4E0FEE@chriswendt.net> <CAD5OKxsRh5pgYbc6ULL2c7nCUuAfQiM=r78vxkd0WWg0veDkjA@mail.gmail.com> <E0562367-B7E8-4935-A71A-60D2C105F850@chriswendt.net> <BN6PR11MB39211A0A9BB35EB34E1789C599709@BN6PR11MB3921.namprd11.prod.outlook.com> <19194256-B61E-47D6-B1F6-5317F2F7BE90@chriswendt.net> <BN6PR11MB3921F5DBEA3719F5DB0C31BC99709@BN6PR11MB3921.namprd11.prod.outlook.com> <CAD5OKxsswce0vHSZdc1UYS6ie2D7ut6ZDmc8MUX7Jnzyim9utQ@mail.gmail.com> <BN6PR11MB3921D6F56388B75A47599A2299709@BN6PR11MB3921.namprd11.prod.outlook.com>
In-Reply-To: <BN6PR11MB3921D6F56388B75A47599A2299709@BN6PR11MB3921.namprd11.prod.outlook.com>
From: Roman Shpount <roman@telurix.com>
Date: Mon, 12 Apr 2021 21:16:55 -0400
X-Gmail-Original-Message-ID: <CAD5OKxuQ5iA7tW7kD-97KQVGhF_2uX5gQBP=0EEL4bK1+iX+FQ@mail.gmail.com>
Message-ID: <CAD5OKxuQ5iA7tW7kD-97KQVGhF_2uX5gQBP=0EEL4bK1+iX+FQ@mail.gmail.com>
To: Alec Fenichel <alec.fenichel@transnexus.com>
Cc: Chris Wendt <chris-ietf@chriswendt.net>, "stir@ietf.org Mail List" <stir@ietf.org>, Marc Petit-Huguenin <marc@petit-huguenin.org>, Christer Holmberg <christer.holmberg@ericsson.com>
Content-Type: multipart/alternative; boundary="00000000000076c5d105bfd0639b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/EvkgS8CdvTmdp7B9lZ03BTc7SiQ>
Subject: Re: [stir] Making STIR SIP messages smaller
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2021 01:17:23 -0000

Alec,

I think the "info" header was required to identify the type of Identity
header so that, in the future, you can switch to something different from
JWT.

I understand the desire to pass a lot of information, including "nam" and
"rcd," when setting up the call. The problem is SIP over UDP was not
designed to pass the unlimited amount of information. A lot of current
deployments in the field support UDP only. If the INVITE message becomes
bigger than the UDP MTU, these deployments break. If you need to pass
additional data with the SIP call where you do not control the entire
network along the way, it should be passed out-of-band. In the perfect
world, we would be using SIPS right now, but this is not the case.

The other solution would be to switch everything to passing Identity OOB,
similar to PSTN, and only use the Identity header within a controlled
network where its delivery can be guaranteed despite the size.

As this solution stands right now, it is simply broken.
_____________
Roman Shpount


On Mon, Apr 12, 2021 at 7:53 PM Alec Fenichel <alec.fenichel@transnexus.com>
wrote:

> Roman,
>
>
>
> One of my concerns with switching to compact form is that every SIP device
> in the call path needs to support passing every single header used to
> convey signed information. If just a single header conveying signed
> information is lost or changed, then the PASSporT verification will fail.
> And every time you add a new header, the PASSporTs are unusable until every
> transit provider in the call path supports passing the new header.
>
>
>
> Also, it doesn’t work for TDM calls. OOB can get the PASSporT across the
> TDM, but it isn’t intended to get all the SIP headers conveying signed
> information across TDM.
>
>
>
> Finally, right now, we often include “rcd” “nam” claims in “shaken”
> PASSporTs. I don’t think you can include “rcd” information in a “shaken”
> PASSporT using compact form. The TSP doesn’t know that the display name was
> part of the PASSporT and would generate the wrong PASSporT causing the
> verification to fail. And you would lose the ability to use longer than 15
> character “rcd” “nam” claims because putting more than 15 characters is the
> From/PAI display name often results in it getting truncated during transit.
> This would break verification as described above.
>
>
>
> I think the Date header should be optional. I agree that we should stop
> duplicating information. But I think we should do this by only transmitting
> information in the PASSporT as opposed to only in SIP headers. I know using
> SIP headers would ultimately be smaller than PASSporTs, but I think it is
> too brittle.
>
>
>
> Hence my comment, I think we should make “info”, “alg”, and “ppt” all
> optional and we should not use any of them in the examples to promote
> implementations not to use them. The exception being when the example shows
> compact form PASSporTs, obviously they need to be included.
>
>
>
> Sincerely,
>
>
>
> Alec Fenichel
>
> Senior Software Architect
>
> alec.fenichel@transnexus.com
>
> +1 (407) 760-0036
>
> TransNexus
>
>
>
> *From: *Roman Shpount <roman@telurix.com>
> *Date: *Monday, April 12, 2021 at 19:00
> *To: *Alec Fenichel <alec.fenichel@transnexus.com>
> *Cc: *Chris Wendt <chris-ietf@chriswendt.net>, stir@ietf.org Mail List <
> stir@ietf.org>, Marc Petit-Huguenin <marc@petit-huguenin.org>, Christer
> Holmberg <christer.holmberg@ericsson.com>
> *Subject: *Making STIR SIP messages smaller
>
> Alec,
>
>
>
> I agree that we need to figure out a way to make Identity headers smaller.
> As it stands right now, the Identity header with "shaken" PASSporT type
> adds around 600 bytes to an INVITE message. This makes typical SIP INVITE
> messages go from around 1K in size to 1.6K, which is bigger than the UDP
> MTU. Going over UDP MTU causes SIP trunks to either switch to TCP (in
> places where TCP was never used) or to experience sporadic call completion
> problems (when a call goes over an Internet service providers that does not
> deliver fragmented UDP messages). This is causing major breakage in SIP
> VoIP networks right now as STIR/SHAKEN is getting deployed. It is a big
> enough problem that we see a change in call completion statistics in the US.
>
>
>
> I would argue that instead of making info parameter optional, we need to
> make iat and attest claims SIP Identity header parameters and
> recommend switching to compact Identity header form. We can move origid
> into Session-ID header (RFC 7989). We should also make the Date header
> optional since it is redundant when iat is present. This should save around
> 300 bytes per message which should make INVITE messages less than the UDP
> MTU.
>
>
>
> I know this is very late in the process, but I simply do not see how the
> current implementation can be safely deployed in its current form.
>
>
>
> Best Regards,
>
> _____________
> Roman Shpount
>
>
>
>
>
> On Mon, Apr 12, 2021 at 5:39 PM Alec Fenichel <
> alec.fenichel@transnexus.com> wrote:
>
> I guess what I am trying to say is that I think we should remove ppt from
> the examples because as you say, people tend to code to examples and
> smaller Identity headers would be ideal.
>
>
>
> I don’t mean to hijack this thread, but I have been meaning to bring this
> up anyways and it is related. Is there a reason I’m just overlooking for
> requiring the “info” parameter when a full-form PASSporT is used? If not,
> can we make it optional? The reason I ask is that with OOB, the transit
> provider receives a PASSporT out-of-band and then needs to construct an
> Identity header. Because of the “info” parameter requirement, the transit
> provider must decode the PASSporT in order to determine the “info”
> parameter. This is the only reason that a transit provider needs to decode
> the PASSporT. This isn’t difficult so it doesn’t really matter, but I
> figured I’d ask about potentially making the “info” parameter optional.
> Also, it makes the Identity header smaller which is always a good thing.
>
>
>
> Sincerely,
>
>
>
> Alec Fenichel
>
> Senior Software Architect
>
> alec.fenichel@transnexus.com
>
> +1 (407) 760-0036
>
> TransNexus
>
>
>
>

v2.23.0 | Report a Bug | By Email