Re: [stir] Comments/questions on draft-ietf-stir-identity-header-errors-handling-01

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 14 July 2022 15:04 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Chris Wendt <chris-ietf@chriswendt.net>
CC: IETF STIR Mail List <stir@ietf.org>
Date: Thu, 14 Jul 2022 15:04:31 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/svTAV-g8SIQEujvo3Y_R7yMTQ2I>

Hi,

I still think it would be good to have an explicit indicator in the request to indicate that the mechanism is supported by the sender of the Identity header field, and only then would the mechanism be used in responses.

Regards,

Christer

-----Original Message-----
From: Chris Wendt <chris-ietf@chriswendt.net> 
Sent: Monday, 11 July 2022 10:46
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: IETF STIR Mail List <stir@ietf.org>
Subject: Re: [stir] Comments/questions on draft-ietf-stir-identity-header-errors-handling-01

So, trying to parse the different threads on these topics, I have released a -02 version that:

- Adds IANA request for “ppl” parameter for PASSporT identifier
- Cleans up the text around “STIR” as a protocol allowing for multiple reason-headers with same protocol name
- Cleans up some of the compact form text and makes it the recommended form.

> On Apr 25, 2022, at 4:59 PM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> 
> Hi,
> 
>  
> I took a look at draft-ietf-stir-identity-header-errors-handling-01, and I have some questions and comments.
>  
> ---
>  
>>> Q1: The draft uses a ppt parameter to associate a Reason header field with an Identity header field. That sounds very “clumsy” in my opinion. Also, how exactly is the parameter value compared with the PASSporT? Byte by byte? How does that work if you use a compact form?
>> 
>> Comparing as a JWT Base64 encoded string value whether full or compact.  We just needed a unique value that the AS (or originating side) would know about, so either full PASSporT or just the signature is unique enough for the AS to reference on which identity header passed in the INVITE caused the error.
> 
> Why not define a dedicated "index" parameter? That would also act as an indicator that the AS supports the mechanism to begin with, which would also address the issue in Q5 (because the response with ppt would only be sent if the index is present in the request).
> 
> ---
>  
>>> Q2: Where is the ppt parameter defined? I see no Reason header field reason-extension defined for it, and no IANA registration.
>> 
>> This is the document that defines it, but yes, I did look now and I should request IANA registration as Header Field Parameters and Parameter Values.  I will add that request to the document.
> 
> Ok. But, you also need to include the syntax, as it is (I assume) a Reason header field reason-extension.
> 
> Another question is whether it should be called ppt. That already exists, and indicates a TYPE, which this parameter does not. Using a unique parameter name would cause less confusion.
> 
> Of course, if you used an index parameter in the request (see Q1) I guess you could use something similar in the response. "ppi" (PASSporT index), or something...
> 
> ---
>  
>>> Q3: The definition of the “STIR” protocol in Section 3 is very confusing.
>>>  
>>> For example, the text says:
>>>  
>>>   “This will differentiate current protocols, specifically
>>>    "SIP" which is currently in wide industry usage, from the [RFC8224]
>>>    defined error cause codes”
>>>  
>>> Differentiate SIP from what protocol? The error cause codes defined in 8224 are SIP cause codes, so what protocol does “STIR” refer to?
>>>  
>>> If the semantics of “STIR” is identical to “SIP”, with the only difference being that it allows you to use multiple Reason header fields with “STIR”, why not say so?
>> 
>> The intent is that STIR is another “protocol” just like Q.850 and SIP differentiate a class of reasons.  We are simply defining another type of reasons specific to STIR, so that existing implementations aren’t confused.  We discussed this pretty extensively in past meetings as likely best option.
> 
> Then I think you can make the text much simpler. All you need to do is to say that the error is caused based on the procedures in RFC XXXX, and that SIP response codes are still used.
> 
> ---
>  
>>> Q4: The text says:
>>>  
>>>   “The "ppt" parameter
>>>    for the Reason header field is optional, but RECOMMENDED, in
>>>    particular for cases that a SIP INVITE contains multiple Identity
>>>    header fields.” 
>>>  
>>> And if it is not included? How will things work then?
>>  
>> The intent is that if you only have one identity header/identity header error you don’t need to include ppt.  I could clarify that and make it mandatory if you have more than one identity header.
>> 
>>> Q5: Section 7 says that the Authentication Server MUST remove the Reason header field from the response. But, what if the Authentication Server is an 8224-only implementation? In that case it might pass on the Reason header field. Section 10 does say something about the Reason header field being passed beyond the Authentication Server, but I am not sure whether it talks about the same case.
>> 
>> That is always the case for any specification that comes in the future.  I think we are early enough that scenarios for multiple identity headers is only starting to appear and would like to adopt this in SHAKEN. This may be a good reason to adopt stronger language about using compact form/only signature as identifier.
> 
> As mentioned earlier, an index parameter could be used as an indicator that the AS supports the mechanism.
> 
> ---
> 
>>> Q6: The text talks about including the Reason header in a provisional response, in case local policy dictates that the session setup shall continue.
>>>  
>>> First, I am not sure whether that is how 3326 defines usage of Reason in provisional responses. It is used to help in forking scenarios, when final responses sent on different early dialogs are dropped by the forking proxy.
>>>  
>>> Second, there is no text on how this provisional response is created. Is the sender of the Reason header field going to generate a To tag? Does that mean the sender of the Reason header field is acting as a B2BUA?
>>  
>> First, this is the same scheme we already have defined in ATIS-1000074, but the provisional response is created just like any provisional response (so yeah, the UAS sending the provisional response would have to add a To tag to complete the early dialog). 
>> As the response travels toward the UAC, it's going to arrive at a proxy who knows if and why verification failed (e.g., the IBCF, or maybe the STI-VS itself in the case where the verification API is SIP), and that proxy will add the proper Reason header(s).
> 
> Ok, so the verification proxy would not create the provisional response - it will only piggyback the Reason header(s) in a provisional response sent by the UAS?
> 
> 
> Regards,
> 
> Christer
> 
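As an added illustration of the Q1, Q4 and Q5 exchange in the thread above (example code written for this page, not taken from the draft or from either author): a small correlator that maps STIR Reason header fields in a SIP response back to the Identity header fields of the INVITE that triggered them. It compares the Reason "ppt" value first against the whole PASSporT string (full or compact form) and, failing that, against the signature segment alone, which is the "unique enough" identifier the thread proposes; when "ppt" is absent it applies the single-Identity fallback described under Q4 and reports an ambiguous result otherwise. The header and parameter names follow -01 as discussed (including the "ppt" name clash raised in Q2); the exact Reason header ABNF for the parameter, the placeholder PASSporT strings and all sample header lines are constructed assumptions, not material from the draft.

```python
"""Correlate STIR Reason header fields with the Identity header fields
they refer to.  Constructed example for this thread; the parameter syntax
is an assumption based on the discussion, not the draft's ABNF."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample INVITE: two Identity header fields, one in full JWS
# form (header.payload.signature) and one in compact form ("..signature",
# RFC 8224).  The token contents are placeholders, not real signatures.
INVITE_HEADERS = [
    'Identity: eyJhbGciOiJFUzI1NiJ9.eyJkZXN0Ijp7fX0.SIG_ONE'
    ';info=<https://cert.example/a.pem>;alg=ES256;ppt=shaken',
    'Identity: ..SIG_TWO;info=<https://cert.example/b.pem>;alg=ES256;ppt=rph',
]

# Constructed sample response: one STIR Reason per failed Identity header
# (cause values reuse the RFC 8224 response codes), plus an unrelated
# Q.850 Reason that must be ignored.
RESPONSE_HEADERS = [
    'Reason: STIR;cause=438;text="Invalid Identity Header";ppt="SIG_ONE"',
    'Reason: STIR;cause=436;text="Bad Identity Info";ppt="..SIG_TWO"',
    'Reason: Q.850;cause=16;text="Terminated"',
]

# name[=value] pairs separated by ';', with quoted strings kept intact
_PARAM_RE = re.compile(r'\s*([^;=\s]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*(?:;|$)')


@dataclass
class IdentityHeader:
    passport: str                       # PASSporT exactly as carried
    params: dict = field(default_factory=dict)

    @property
    def compact(self) -> bool:
        return self.passport.startswith("..")

    @property
    def signature(self) -> str:
        # Last dot-separated segment, present in both full and compact form
        return self.passport.rsplit(".", 1)[-1]


@dataclass
class ReasonHeader:
    protocol: str
    params: dict = field(default_factory=dict)


def _split_params(value: str) -> dict:
    params = {}
    for m in _PARAM_RE.finditer(value):
        name, val = m.group(1), (m.group(2) or "").strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        params[name.lower()] = val
    return params


def parse_identity(header: str) -> IdentityHeader:
    value = header.split(":", 1)[1].strip()
    passport, _, rest = value.partition(";")
    return IdentityHeader(passport.strip(), _split_params(rest))


def parse_reason(header: str) -> ReasonHeader:
    value = header.split(":", 1)[1].strip()
    protocol, _, rest = value.partition(";")
    return ReasonHeader(protocol.strip(), _split_params(rest))


def match_passport(ppt: str, identities: list[IdentityHeader]) -> list[int]:
    """Indices of Identity headers the ppt value designates: exact string
    match first (full or compact form), then signature-only match."""
    exact = [i for i, ih in enumerate(identities) if ih.passport == ppt]
    if exact:
        return exact
    sig = ppt.rsplit(".", 1)[-1]
    return [i for i, ih in enumerate(identities) if ih.signature == sig]


def correlate(invite_headers, response_headers) -> list[tuple[str, list[int]]]:
    """(cause, matched Identity indices) for every STIR Reason in the response.
    An empty or multi-element index list means the Reason is ambiguous."""
    identities = [parse_identity(h) for h in invite_headers
                  if h.lower().startswith("identity:")]
    out = []
    for h in response_headers:
        if not h.lower().startswith("reason:"):
            continue
        reason = parse_reason(h)
        if reason.protocol.upper() != "STIR":
            continue                    # Q.850 / SIP reasons are not Identity errors
        ppt = reason.params.get("ppt")
        if ppt is None:
            # Q4: ppt may be omitted only when there is exactly one Identity header
            matched = [0] if len(identities) == 1 else []
        else:
            matched = match_passport(ppt, identities)
        out.append((reason.params.get("cause", ""), matched))
    return out


if __name__ == "__main__":
    for cause, idx in correlate(INVITE_HEADERS, RESPONSE_HEADERS):
        print(f"cause {cause} -> Identity header(s) {idx}")
```

Run stand-alone, the script reports cause 438 against the first Identity header (matched on signature alone) and cause 436 against the second (exact compact-form match); a STIR Reason without "ppt" on an INVITE with two Identity headers comes back with an empty index list, which is the ambiguity Q4 asks about.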