IETF Logo Mail Archive

Re: [stir] stir-06: Reality check on numbers (6.1.1)

"Peterson, Jon" <jon.peterson@neustar.biz> Tue, 15 December 2015 19:08 UTC

Return-Path: <jon.peterson@neustar.biz>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5F121AC41D for <stir@ietfa.amsl.com>; Tue, 15 Dec 2015 11:08:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.266
X-Spam-Level:
X-Spam-Status: No, score=-102.266 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 46MxTaD7e_Zo for <stir@ietfa.amsl.com>; Tue, 15 Dec 2015 11:08:52 -0800 (PST)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 416791AC417 for <stir@ietf.org>; Tue, 15 Dec 2015 11:08:52 -0800 (PST)
Received: from pps.filterd (m0078664.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.15.0.59/8.15.0.59) with SMTP id tBFJ8nfw032355; Tue, 15 Dec 2015 14:08:49 -0500
Received: from stntexhc11.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 1yrqn7pf31-7 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 15 Dec 2015 14:08:49 -0500
Received: from STNTEXMB10.cis.neustar.com ([169.254.5.186]) by stntexhc11.cis.neustar.com ([::1]) with mapi id 14.03.0158.001; Tue, 15 Dec 2015 14:08:44 -0500
From: "Peterson, Jon" <jon.peterson@neustar.biz>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>, "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: [stir] stir-06: Reality check on numbers (6.1.1)
Thread-Index: AQHRM+LG18nnTgIWl0uilUL6uehwmJ7GRYUAgAM/lACAAq48AIAAjBwA//9+gYA=
Date: Tue, 15 Dec 2015 19:08:44 +0000
Message-ID: <D295A284.1758E9%jon.peterson@neustar.biz>
References: <9C95CF4B-88BD-4EFF-9076-E59CF165E22D@standardstrack.com> <566AF294.6090001@alum.mit.edu> <949EF20990823C4C85C18D59AA11AD8BADE23BB6@FR712WXCHMBA11.zeu.alcatel-lucent.com> <D29595DF.17587A%jon.peterson@neustar.biz> <56706158.3080905@alum.mit.edu>
In-Reply-To: <56706158.3080905@alum.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.5.7.151005
x-originating-ip: [192.168.128.142]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <93F70B04F739684AA76AF4327C12D57A@neustar.biz>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2015-12-15_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 kscore.is_bulkscore=0 kscore.compositescore=1 compositescore=0.9 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 kscore.is_spamscore=0 rbsscore=0.9 spamscore=0 urlsuspectscore=0.9 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1507310007 definitions=main-1512150308
Archived-At: <http://mailarchive.ietf.org/arch/msg/stir/GzK1wOBok9AOb42hj12XJc6ayXY>
Subject: Re: [stir] stir-06: Reality check on numbers (6.1.1)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Dec 2015 19:08:55 -0000


The use of service numbers in the From is a case where our text is
necessarily speculative. This gets into territory where it's unclear that
we even want the verification to work. If a callee in, say, Austria
receives a call from sip:611@foo.com (presumably they wouldn't see a
service number in the To), is it useful for the callee to know that the
call came from "611"? One can argue it isn't even particularly useful for
callees in America.


Does that mean we shouldn't allow service numbers in these fields? If they
are permitted in To and From in baseline SIP, we should at least have a
story about them. There is some use in signing the To field for service
numbers to prevent cut-and-paste attacks. On balance, I don't see any
decisive reason to forbid it. Again, the worst thing that can happen is
verification will fail, and if the number is weird, or has leaked into a
place where it shouldn't be, failure is probably the right thing.

Jon Peterson
Neustar, Inc.

On 12/15/15, 10:52 AM, "Paul Kyzivat" <pkyzivat@alum.mit.edu> wrote:

>On 12/15/15 1:30 PM, Peterson, Jon wrote:
>>
>> The canonicalization rules are not designed with the assumption that the
>> string inputted to the algorithm is an E.164 number. They are designed
>>to
>> be as flexible as possible given the presence of a dial string -
>> remembering that we canonicalize To as well as From. Ideally, everything
>> we deal with would follow the dictates of RFC3966, sure. We just proceed
>> with an abundance of caution.
>
>So, do you assume that a uri of sip:611@foo.com will be canonicalized
>the same way by everybody?
>
>I suppose everyone in the NANP might do so. But what about a recipient
>in some other locale?
>
>I guess the theory is that at the borders between domains numbers will
>be rewritten to be understandable in the receiving domain. If the number
>doesn't contain its country code then it presumably needs to be added at
>a country boundary to be understood. That works for numbers that
>correspond to E.164 numbers. But what about 611? There is no standard
>way to put a country code on it.
>
>	Thanks,
>	Paul
>
>> I would be happy to add some text saying that escaped characters should
>>be
>> removed as part of the canonicalization process.
>>
>> Jon Peterson
>> Neustar, Inc.
>>
>> On 12/13/15, 9:34 AM, "stir on behalf of DRAGE, Keith (Keith)"
>> <stir-bounces@ietf.org on behalf of keith.drage@alcatel-lucent.com>
>>wrote:
>>
>>> The international E.164 number can only be decimal digits.
>>>
>>> That therefore means that the country code, the national destination
>>> code, and the subscriber number, all of which are component parts of an
>>> international E.164 number, can only be decimal digits.
>>>
>>> That would imply that the only part that could contain such a character
>>> is a prefix to an E.164 number, or if the number is not an E.164
>>>number,
>>> such as a private dial plan.
>>>
>>> I'd note that RFC 3966 states: "All phone numbers MUST use the global
>>> form unless they cannot be represented as such."
>>>
>>> I suspect that "*", "#", etc have more usage in numbers that are
>>> dialstrings rather than telephone numbers.
>>>
>>> Regards
>>>
>>> Keith
>>>
>>> -----Original Message-----
>>> From: stir [mailto:stir-bounces@ietf.org] On Behalf Of Paul Kyzivat
>>> Sent: 11 December 2015 15:58
>>> To: stir@ietf.org
>>> Subject: Re: [stir] stir-06: Reality check on numbers (6.1.1)
>>>
>>> On 12/10/15 9:15 PM, Eric Burger wrote:
>>>> Section 6.1.1 on Canonicalization states:
>>>>         Once an implementation has identified a telephone number, it
>>>>must
>>>>         construct a number string.  Implementations MUST drop any
>>>>leading
>>>>         +'s, any internal dashes, parentheses or other non-numeric
>>>>         characters, excepting only the leading "#" or "*" keys used in
>>>>         some special service numbers (typically, these will appear
>>>>only
>>>> in
>>>>         the To header field value).  This MUST result in an ASCII
>>>>string
>>>>         limited to "#", "*" and digits without whitespace or visual
>>>>         separators.
>>>>
>>>> Survey time: does pound or star  EVER appear in a From field? E.164
>>>> does not allow it.
>>>
>>> pound isn't allowed at all in a sip uri, except via escaping.
>>>
>>> There is no mention of escaping (or unescaping) in the text. If there
>>>is
>>> the possibility of pound coming through then that is needed.
>>>
>>> Also, * and # (as well as A-D) are never valid in global numbers, but
>>>are
>>> valid within local numbers not just first, but anywhere in the number.
>>>So
>>> why is there special treatment for a *leading* star or pound?
>>>
>>> ISTM that canonicalization of dialstrings that represent local rather
>>> than global numbers is fraught with difficulty.
>>>
>>> 	Thanks,
>>> 	Paul
>>>
>>>
>>>
>>> _______________________________________________
>>> stir mailing list
>>> stir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/stir
>>>
>>> _______________________________________________
>>> stir mailing list
>>> stir@ietf.org
>>> https://www.ietf.org/mailman/listinfo/stir
>>
>>
>

v2.29.0 | Report a Bug | By Email | System Status