IETF Logo Mail Archive

Re: [stir] AD Review: draft-ietf-stir-oob

"Peterson, Jon" <jon.peterson@team.neustar> Mon, 04 November 2019 21:59 UTC

Return-Path: <prvs=02119b51df=jon.peterson@team.neustar>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AA361209F2; Mon, 4 Nov 2019 13:59:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=team.neustar
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I3lvjPoyKUPB; Mon, 4 Nov 2019 13:59:51 -0800 (PST)
Received: from mx0b-0018ba01.pphosted.com (mx0a-0018ba01.pphosted.com [67.231.149.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75D23120A7C; Mon, 4 Nov 2019 13:59:48 -0800 (PST)
Received: from pps.filterd (m0078666.ppops.net [127.0.0.1]) by mx0a-0018ba01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id xA4LrdBS026647; Mon, 4 Nov 2019 16:59:48 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=team.neustar; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=team-neustar; bh=UT+wAA7c1/y0fjJpQu8T1yUvQOBbjj7RfUU4Jllm0Vw=; b=afAPtQqGM06qSNxe+p6vMzwyJAjn24gEYCBYzDsIIOXQcN3Wn0sdYkjZ0kqyP6qXGH/E r/40k6/Rjc+Y2nlDKMUUeYy3LcRV9c/f9KiMzw+/NsH+iTn+xXuz+13huIwo0Uwu8x6S Yqf5rgNvTongql9NVGCva1Z8RokkIziO5LQ8rhHJBUjr9kchHLJ5PN7F4yP1pvAhSuNQ lM6u1/jp4LdgsdmeyY4klEfU+FDBui8NhWW5BpLCZLdJEXfvZV3inYLgcdt/xoR2U2M1 Ff8rTIgfh/yyg1oW0TalJV4gkD98qOus5skGAyUioswhAyoHjPPjSshxbaghkUp7e4Nd 1A==
Received: from stntexhc12.cis.neustar.com ([156.154.17.216]) by mx0a-0018ba01.pphosted.com with ESMTP id 2w15wyby90-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 04 Nov 2019 16:59:48 -0500
Received: from STNTEXMB101.cis.neustar.com ([fe80::a831:d3b4:fb4e:e45b]) by stntexhc12.cis.neustar.com ([::1]) with mapi id 14.03.0439.000; Mon, 4 Nov 2019 16:59:28 -0500
From: "Peterson, Jon" <jon.peterson@team.neustar>
To: Adam Roach <adam@nostrum.com>, "draft-ietf-stir-oob@ietf.org" <draft-ietf-stir-oob@ietf.org>, "stir@ietf.org" <stir@ietf.org>
Thread-Topic: AD Review: draft-ietf-stir-oob
Thread-Index: AQHVYhcNBkRDcL5QyEK8Xn0TyOOZ6qd74WSA
Date: Mon, 04 Nov 2019 21:59:27 +0000
Message-ID: <6E638C96-3818-4958-A4A5-5D687F343F6C@team.neustar>
References: <838e0acf-1d37-2986-15a2-a28aad674b1c@nostrum.com>
In-Reply-To: <838e0acf-1d37-2986-15a2-a28aad674b1c@nostrum.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.c.190715
x-originating-ip: [10.96.12.66]
Content-Type: text/plain; charset="utf-8"
Content-ID: <1B16B2648F157644B9704F0A817780B5@neustar.biz>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,1.0.8 definitions=2019-11-04_11:2019-11-04,2019-11-04 signatures=0
X-Proofpoint-Spam-Reason: safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/PAhThxUD7R-mQmB_63dEvmRzKdg>
Subject: Re: [stir] AD Review: draft-ietf-stir-oob
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Nov 2019 21:59:58 -0000

Hey Adam,

The new version of -oob hopefully contains all of the fixes you recommended below. Thanks for those!

It also incorporates a bit of new language in the section about substitution attacks, which has come under increasing scrutiny in the industry these past months. Largely, it just enumerates some potential countermeasures and gives more detail on the attack itself.

I also added a little to the section on CPS discovery in response to other comments I've received.

With that, I hope this is in pretty good shape.

Thanks again,

Jon Peterson
Neustar, Inc.

On 9/2/19, 10:18 PM, "Adam Roach" <adam@nostrum.com> wrote:

    This is my AD review for draft-ietf-stir-oob. I will be requesting
    that it be put in IETF last call shortly.
    
    Thanks to everyone involved for taking the work to work out and document the
    thinking so far on an out-of-band mechanism. I have no substantive comments,
    and only a small number of editorial suggestions, below. Please treat 
    these as
    any other IETF last call comments.
    
    /a
    
    
    ---------------------------------------------------------------------------
    
    §1:
    
     >  do use SIP do not always carry SIP signaling end-to-end. Xalls from
    
    Nit: "Calls"
    
    ---------------------------------------------------------------------------
    
    §1:
    
     >  This specification therefore builds on the PASSporT [RFC8225]
     >  mechanism and the work of [RFC8224] to define a way that a PASSporT
     >  object created in the originating network of a call can reach the
     >  terminating network even when it cannot be carried end-to-end in-band
     >  in the call signaling.  This relies on a new service defined in this
     >  document called a Call Placement Service (CPS) that permits the
     >  PASSporT object to be stored during call processing and retrieved for
     >  verification purposes.
    
    This is still phrased as if the remainder of this document is a complete
    specification of mechanism rather than the more limited scope described
    in the paragraph that follows it. Perhaps:
    
    s/This specification/The techniques described in this document/
    s/define a way/describe a way/
    
    ---------------------------------------------------------------------------
    
    §5.2:
    
     >  A call originates with an enterprise PBX that has both Internet
     >  access and a built-in gateway to the PSTN, which communicates through
     >  traditional telephone signaling protocols.  The PBX immediately drops
     >  the call to the PSTN
    
    The colloquial use of "drops" in this context can be confusing. (I had to
    re-read to ensure that it meant "routes" rather than "aborts"). Perhaps
    "...immediately routes the call..."
    
    The same comment applies to §5.3.
    
    ---------------------------------------------------------------------------
    
    §5.3:
    
     >  If
     >  so, it can retrieve the PASSporT and, when it creates a SIP INVITE
     >  for this call, add a corresponding Identity header per [RFC8224].
    
    Nit: "...Identity header field..."
    
    ---------------------------------------------------------------------------
    
    §5.5:
    
     >  the SIP call with an Identity header.  As a fallback in case the call
    
    Nit: "...Identity header field."
    
    ---------------------------------------------------------------------------
    
    §6.2:
    
     >  This requires the retargeting entity to generated
     >  encrypted PASSporTs that show a secure chain of diversion:
    
    Nit: "...to generate..."
    
    ---------------------------------------------------------------------------
    
    §8.1:
    
     >  or more credentials that can be used to sign for that identity, be it
     >  a domain or a telephone number or something other identifier.  For
    
    Nit: "...or some other identifier."
    
     >  Identity header field value of the SIP request - though SIP would
     >  carry cleartext version rather than an encrypted version sent to the
    
    Nit: "...carry a cleartext..."
    
    ---------------------------------------------------------------------------
    
    §8.3:
    
     >  could receive a call with an Identity header, extract a PASSporT from
     >  the Identity header, and store that PASSporT at a CPS.
    
    Nit: "...Identity header field..." (twice)
    
    ---------------------------------------------------------------------------
    
    §9:
    
     >  As an rough example, we show a Call Placement Service implementation
    
    Nit: "...a rough..."
    
    ---------------------------------------------------------------------------
    
    §10:
    
     >  This document does not prescribe any single way to do service
     >  discovery for a CPS; it is envisioned that initial deployments will
     >  provision the location of the CPS at the AS and VS.
    
    Nit: expand the acronyms "AS" and "VS".

v2.23.0 | Report a Bug | By Email