IETF Logo Mail Archive

Re: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt

Chris Wendt <chris-ietf@chriswendt.net> Fri, 02 September 2022 15:06 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1A01C14CE2E for <stir@ietfa.amsl.com>; Fri, 2 Sep 2022 08:06:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.303
X-Spam-Level:
X-Spam-Status: No, score=-1.303 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_NOVOWEL=0.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CjdicxoM2zJB for <stir@ietfa.amsl.com>; Fri, 2 Sep 2022 08:06:46 -0700 (PDT)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8DC97C14CE31 for <stir@ietf.org>; Fri, 2 Sep 2022 08:06:46 -0700 (PDT)
Received: by mail-qt1-x834.google.com with SMTP id x5so1647433qtv.9 for <stir@ietf.org>; Fri, 02 Sep 2022 08:06:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20210112.gappssmtp.com; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date; bh=F7YVllBRYHFzrqd1Bh8bSEIHHZtun/YIG/JiHnYTdAs=; b=cyS0UGdSkgobHe5/MsZIRRdxHIzHNsgOyEigvrvmXFHMISDtJFbXph14Xx+JjtkhSU e6eD6xRoIkF3OgyzSh7kH77BdatdE8Vj3HNy6RGhcTi770kObMJMryJ8UncHOhISYhXp t8LQV0TYD4PGlBaWq9P+VLKnz14ZB8ZkbUDdmGLVk9e/yTiUrI82iEQ6MpZ6lfvI+eQW 3Ev9/UfZ+gPYWVP0UkLSi2i/JDOr0sr+nxGNruiYGOoUY02cE9XmfVTzvJ+yhcGl7HtN rBhyY/tElRVoEyOMKTOT/ZtK8LS7Q0fl8Z3GVrogIic0qmGBbLq8Q/1bC17TUeDQVZg8 oDYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date; bh=F7YVllBRYHFzrqd1Bh8bSEIHHZtun/YIG/JiHnYTdAs=; b=JC+GHr6HHn9c+DzqeadHYe1xVqVbbzsb2nzeF5sQ2yRx680aaAWzy7nttYpkEoPir+ qcZfuGUkIeMqxbd3US8ZB3z7s8QkP5PvAxxMB6YABVVYmCTMsDFNRsJkQqcDes3WU43T Utot9gSKfBQ9y/NUeX0jqjocYjfzVZel8PxZUK2PORJbzil+cHkyMai8ZdEL24qEpsO9 ZOqbBLtt5DGr4Rf24Up8iGDTHeeGjV3qL3NNSP4c14gOvlRtb6amsQKqvQ/T6r2wcrbG SwsLcXVCeEGlLfRr/RH+jYwp+nxynRyCOdDTtR2aZm5bYIm8SAzJhtG92meAT+PxzYYq lzJw==
X-Gm-Message-State: ACgBeo3pUxXE8IpatNiTy1GenWRcvvSv1lbIlcEhmBLEuNiHbXZuXyND Dqp70fJV3gFfp2NHjUS/Kj5tr45z+vIPRDmO
X-Google-Smtp-Source: AA6agR5YfgGfv0eB7PDW4MFis4wNmvB24pL4vfRcbwmZDN5RrMOPMcz3pkk0G5GH5PxzJNs9gBxblw==
X-Received: by 2002:ac8:7f02:0:b0:343:6ca4:d895 with SMTP id f2-20020ac87f02000000b003436ca4d895mr27692615qtk.137.1662131204952; Fri, 02 Sep 2022 08:06:44 -0700 (PDT)
Received: from smtpclient.apple ([2601:41:c400:1ad:256f:6a8a:5eee:126d]) by smtp.gmail.com with ESMTPSA id r18-20020ac84252000000b0031ea864d3b2sm1125810qtm.30.2022.09.02.08.06.43 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Sep 2022 08:06:44 -0700 (PDT)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <5326BB95-B369-4657-828B-25B256663AA0@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_96C91E49-BF15-43C5-B6FB-25748D4878FC"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Date: Fri, 02 Sep 2022 11:06:46 -0400
In-Reply-To: <BN0PR02MB8080C893E7C4059C3E71EE38D97B9@BN0PR02MB8080.namprd02.prod.outlook.com>
Cc: "pierce@numeracle.com" <pierce@numeracle.com>, Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>, Robert Sparks <rjsparks@nostrum.com>, Ben Campbell <ben@nostrum.com>, IETF STIR Mail List <stir@ietf.org>, STIR Chairs <stir-chairs@ietf.org>
To: "DOLLY, MARTIN C" <md3135@att.com>
References: <166092541721.15611.12331275110612885444@ietfa.amsl.com> <73813D32-314D-4086-BEB9-F37D2887DB90@nostrum.com> <HE1PR07MB44416763F30C0ED896226CCD93729@HE1PR07MB4441.eurprd07.prod.outlook.com> <480cb290-d2a6-8652-5d91-452e3a182b20@nostrum.com> <HE1PR07MB444178AC33337F65512FD19B93729@HE1PR07MB4441.eurprd07.prod.outlook.com> <013c01d8b896$e818e360$b84aaa20$@numeracle.com> <E0631B6F-14FB-499D-BF68-2CE0BFC7237B@chriswendt.net> <BN0PR02MB8080C893E7C4059C3E71EE38D97B9@BN0PR02MB8080.namprd02.prod.outlook.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/RI7gWqwAfagQC853qKMD_guzsA4>
Subject: Re: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Sep 2022 15:06:51 -0000

The purpose of this document is two fold, to bring the mechanism we use in 1000074 of reason header with STIR Error code (recall we didn’t want to end/block calls because of STIR errors by sending 4xx errors, we only wanted to notify the authentication service that and error occurred in verification) We also wanted to extend that mechanism for the use-case of multiple identity header errors, which isn’t mentioned in SHAKEN documents, but we needed a fix to the core reason header mechanism to support multiple reason headers with same protocol value in same SIP message.
Whether we explicitly take this back to IPNNI, i’m not sure, we certainly can and probably should for multiple identity header use-cases, but this was meant to be something that addressed something needed from pure STIR perspective, and certainly wouldn’t be a bad thing to reference from SHAKEN specs especially in cases of multiple identity header errors.  It is a bit of a corner case that more than one error occur for same call, but also something that is not impossible, and so the thought was that it is best to have a document to address it.

-Chris

> On Sep 1, 2022, at 10:34 AM, DOLLY, MARTIN C <md3135@att.com> wrote:
> 
> Chris,
>  
> Why don’t you just use the language from ATIS-1000074?
>  
> If not, I see this as very difficult to bring into IPNNI.
>  
> I appreciate your consideration.
>  
> Martin
>  
> From: stir <stir-bounces@ietf.org> On Behalf Of Chris Wendt
> Sent: Friday, August 26, 2022 7:35 AM
> To: pierce@numeracle.com
> Cc: Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>; Robert Sparks <rjsparks@nostrum.com>; Ben Campbell <ben@nostrum.com>; IETF STIR Mail List <stir@ietf.org>; STIR Chairs <stir-chairs@ietf.org>
> Subject: Re: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt
>  
> Hi Pierce,
>  
> I think in the context of this specification, we really need to view authentication service as the RFC8224 defined authentication service.  Beyond that is industry and implementation specific.  Recall that ATIS-1000074 has same Reason header requirements, so I would claim that current implementations ignored this if they can’t support this functionality as a split SIP/HTTP based “authentication service” implementation as you are defining it.
>  
> -Chris
> 
> 
> On Aug 25, 2022, at 11:25 AM, pierce@numeracle.com <mailto:pierce@numeracle.com> wrote:
>  
> The text "in the next provisional or final responses sent to the authentication service" assumes the STI-AS will receive those responses and can do something with them. E.g., include them in a log.
>  
> This is not a good assumption.  Many (most?) AS/VS designs use an outboard server which is called using SIP INVITE or HTTPS and which responds using SIP 302 or HTTPS.  In both of those cases an AS may never see responses from verification services.
>  
> I recommend removing the language “sent to the authentication service” as being unnecessary and potentially misleading.
>  
> Pierce
>  
>  
> From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org>> On Behalf Of Christer Holmberg
> Sent: Thursday, August 25, 2022 9:41 AM
> To: Robert Sparks <rjsparks@nostrum.com <mailto:rjsparks@nostrum.com>>; Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>>; IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org>>
> Cc: Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net>>; STIR Chairs <stir-chairs@ietf.org <mailto:stir-chairs@ietf.org>>
> Subject: Re: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt
>  
> Hi,
>  
> Yes, I meant Reasonse+STIR. It also seems I forgot the background information for my question in my previous e-mail. Sorry for that.
>  
> RFC 3326 says:
>  
>    "Initially, the Reason header field defined here appears to be most
>    useful for BYE and CANCEL requests, but it can appear in any request
>    within a dialog, in any CANCEL request and in any response whose
>    status code explicitly allows the presence of this header field."
>  
> So, my reading it needs to be explicitly indicated for which SIP response status codes Reason can be included.
>  
> For example, RFC 6432, which defines the Reason Q.850 protocol says:
>  
> "This document allows SIP responses to carry Reason header fields as
>    follows:
>  
>       Any SIP Response message, with the exception of a 100 (Trying),
>       MAY contain a Reason header field with a Q.850 [Q.850] cause code."
>  
> Regards,
>  
> Christer
>  
>  
>  
>  
> -----Original Message-----
> From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org>> On Behalf Of Robert Sparks
> Sent: torstai 25. elokuuta 2022 17.21
> To: Christer Holmberg <christer.holmberg@ericsson.com <mailto:christer.holmberg@ericsson.com>>; Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com>>; IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org>>
> Cc: Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net>>; STIR Chairs <stir-chairs@ietf.org <mailto:stir-chairs@ietf.org>>
> Subject: Re: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt
>  
> (Assuming you meant Reason+STIR below, and wearing no hats):
>  
> It isn't clear to me that there's a need to say anything more here than what RFC3326 says. Perhaps the text can be clear that this uses the rules for where the header can occur as RFC3326. I don't think we want something _different_, and I don't want to try to restate those rules in this document.
>  
> RjS
>  
>  
> On 8/25/22 9:05 AM, Christer Holmberg wrote:
> > Hi,
> > 
> > When the STIR protocol is used, in which SIP response codes can the Reason header(s) be included?
> > 
> > I can only find the following statement: "in the next provisional or final responses sent to the authentication service.".
> > 
> > That is not every explicit. If we want to allow Reason+SIP with *any* SIP response code it would be good to say so.
> > 
> > Regards,
> > 
> > Christer
> > 
> > -----Original Message-----
> > From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org>> On Behalf Of Ben Campbell
> > Sent: maanantai 22. elokuuta 2022 2.50
> > To: IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org>>
> > Cc: Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net>>; STIR Chairs <stir-chairs@ietf.org <mailto:stir-chairs@ietf.org>>
> > Subject: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt
> > 
> > Hi,
> > 
> > This starts a STIR working group last call for draft-ietf-stir-identity-header-errors-handling-03. Please send feedback tot he authors and the STIR list by September 7. Note that we added a couple of days to the WGLC period due to the US Labor Day holiday.      
> > 
> > As always,any constructive feedback, including feedback to the effect of “I’ve read this and it is ready to go” is helpful.
> > 
> > Thanks!
> > 
> > Ben (For the STIR chairs)
> > 
> > 
> >> On Aug 19, 2022, at 11:10 AM, internet-drafts@ietf.org <mailto:internet-drafts@ietf.org> wrote:
> >> 
> >> 
> >> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >> This draft is a work item of the Secure Telephone Identity Revisited WG of the IETF.
> >> 
> >>         Title           : Identity Header Errors Handling
> >>         Author          : Chris Wendt
> >>   Filename        : draft-ietf-stir-identity-header-errors-handling-03.txt
> >>   Pages           : 7
> >>   Date            : 2022-08-19
> >> 
> >> Abstract:
> >>    This document extends STIR and the Authenticated Identity Management
> >>    in the Session Initiation Protocol (SIP) error handling procedures to
> >>    include the mapping of verification failure reasons to STIR defined
> >>    4xx codes so the failure reason of an Identity header field can be
> >>    conveyed to the upstream authentication service when local policy
> >>    dictates that the call should continue in the presence of a
> >>    verification failure.  This document also defines procedures that
> >>    enable enable a failure reason to be mapped to a specific Identity
> >>    header for scenarios that use multiple Identity header fields where
> >>    some may have errors and others may not and the handling of those
> >>    situations is defined.
> >> 
> >> 
> >> The IETF datatracker status page for this draft is:
> >> https://datatracker.ietf.org/doc/draft-ietf-stir-identity-header-errors-handling/ <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/draft-ietf-stir-identity-header-errors-handling/__;!!BhdT!j6ANu4WmhoYTjBJDWq-Ps2FI2j18o1npm8uLG-xb0-IjI8TdDuVvLCDoI25j3pfSz-jelNiAJKGvyQy4hCieo9Q$>
> >> 
> >> There is also an htmlized version available at:
> >> https://datatracker.ietf.org/doc/html/draft-ietf-stir-identity-header-errors-handling-03 <https://urldefense.com/v3/__https:/datatracker.ietf.org/doc/html/draft-ietf-stir-identity-header-errors-handling-03__;!!BhdT!j6ANu4WmhoYTjBJDWq-Ps2FI2j18o1npm8uLG-xb0-IjI8TdDuVvLCDoI25j3pfSz-jelNiAJKGvyQy4xuA3QC4$>
> >> 
> >> A diff from the previous version is available at:
> >> https://www.ietf.org/rfcdiff?url2=draft-ietf-stir-identity-header-errors-handling-03 <https://urldefense.com/v3/__https:/www.ietf.org/rfcdiff?url2=draft-ietf-stir-identity-header-errors-handling-03__;!!BhdT!j6ANu4WmhoYTjBJDWq-Ps2FI2j18o1npm8uLG-xb0-IjI8TdDuVvLCDoI25j3pfSz-jelNiAJKGvyQy4ABsgGbs$>
> >> 
> >> 
> >> Internet-Drafts are also available by rsync at rsync.ietf.org <https://urldefense.com/v3/__http:/rsync.ietf.org__;!!BhdT!j6ANu4WmhoYTjBJDWq-Ps2FI2j18o1npm8uLG-xb0-IjI8TdDuVvLCDoI25j3pfSz-jelNiAJKGvyQy4X7NdPdU$>::internet-drafts
> >> 
> >> 
> >> _______________________________________________
> >> stir mailing list
> >> stir@ietf.org <mailto:stir@ietf.org>
> >> https://www.ietf.org/mailman/listinfo/stir <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/stir__;!!BhdT!j6ANu4WmhoYTjBJDWq-Ps2FI2j18o1npm8uLG-xb0-IjI8TdDuVvLCDoI25j3pfSz-jelNiAJKGvyQy4VuX0JZI$>
> > _______________________________________________
> > stir mailing list
> > stir@ietf.org <mailto:stir@ietf.org>
> > https://www.ietf.org/mailman/listinfo/stir <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/stir__;!!BhdT!j6ANu4WmhoYTjBJDWq-Ps2FI2j18o1npm8uLG-xb0-IjI8TdDuVvLCDoI25j3pfSz-jelNiAJKGvyQy4VuX0JZI$>
>  
> _______________________________________________
> stir mailing list
> stir@ietf.org <mailto:stir@ietf.org>
> https://www.ietf.org/mailman/listinfo/stir <https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/stir__;!!BhdT!j6ANu4WmhoYTjBJDWq-Ps2FI2j18o1npm8uLG-xb0-IjI8TdDuVvLCDoI25j3pfSz-jelNiAJKGvyQy4VuX0JZI$>

v2.23.0 | Report a Bug | By Email