Re: [stir] draft-kaplan-stir-ikes-out
"Anton Tveretin" <fas_vm@surguttel.ru> Tue, 13 August 2013 16:05 UTC
Return-Path: <fas_vm@surguttel.ru>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 62D9821F9DC9 for <stir@ietfa.amsl.com>; Tue, 13 Aug 2013 09:05:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.472
X-Spam-Level: **
X-Spam-Status: No, score=2.472 tagged_above=-999 required=5 tests=[BAYES_50=0.001, HELO_EQ_RU=0.595, HOST_EQ_RU=0.875, J_BACKHAIR_31=1, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Yb0WOCyeWs1h for <stir@ietfa.amsl.com>; Tue, 13 Aug 2013 09:05:41 -0700 (PDT)
Received: from mail.s86.ru (mail.s86.ru [217.8.80.233]) by ietfa.amsl.com (Postfix) with ESMTP id 346D611E8184 for <stir@ietf.org>; Tue, 13 Aug 2013 09:05:35 -0700 (PDT)
Received: by mail.s86.ru (Postfix, from userid 1116) id E241B51385A; Tue, 13 Aug 2013 22:05:28 +0600 (YEKT)
Received: from Gateway (unknown [151.252.74.183]) by mail.s86.ru (Postfix) with ESMTPA id AB3C4513817; Tue, 13 Aug 2013 22:05:25 +0600 (YEKT)
Message-ID: <2DC8CB8897ED4834B6920647F24DC5B6@Gateway>
From: Anton Tveretin <fas_vm@surguttel.ru>
To: Hadriel Kaplan <hadriel.kaplan@oracle.com>
References: <7D8ECCC0A7324280A8C243CAAB895C93@Gateway> <A20E82B2-7E29-4FC5-AFFE-AF3E5A785DD0@oracle.com>
Date: Tue, 13 Aug 2013 22:02:39 +0600
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6157
X-Antivirus: avast! (VPS 130813-0, 13.08.2013), Outbound message
X-Antivirus-Status: Clean
Cc: stir@ietf.org
Subject: Re: [stir] draft-kaplan-stir-ikes-out
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/stir>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2013 16:05:47 -0000
I think we should discuss scenarios involving different networks first. Consider a SIP-> PSTN call. The gateway IMO should perform validation, and transcode IKES information. But caller might have only SIP AoR (e-mail-style) and no telephony-style number. So the caller becomes unknown. Also, it is unlikely that anyone will do validation on PSTN side. PSTN -> SIP. Probably IKES is not deployed on PSTN side. So the gateway should supply it. SIP -> PSTN -> SIP. The second gateway must recognize IKES even though it does no validation. Remember that caller might be unknown? I do not know whether SIP<->H.323 gateways exist. SIP->PSTN->H.323? IKES would be available to the callee, but not to gatekeepers, unless it is delivered with RAS. But it is GK that admits or not. So "do not admit unvalidated calls" policy implies that IKES is passed with RAS. Of course, scenarios as SIP->PSTN->H.323->PSTN->SIP->PSTN->H.323 are also possible, esp. if consider private networks. I think it is nothing wrong with covering other protocols. Or, should say RFC 2225 (IPOA) be approved by ITU? Everything in this message is under question (?). ----- Original Message ----- From: "Hadriel Kaplan" <hadriel.kaplan@oracle.com> To: "Anton Tveretin" <fas_vm@surguttel.ru> Cc: <stir@ietf.org> Sent: Monday, August 05, 2013 1:27 AM Subject: Re: [stir] draft-kaplan-stir-ikes-out On Aug 4, 2013, at 2:26 PM, "Anton Tveretin" <fas_vm@surguttel.ru> wrote: > Why should addresses be included into IKES? IMO that adds nothing but > extra work > for each validator. By "included" you mean included in the IKES-IF string encoded in the message itself, e.g. the LIKES-IF SIP header? It's only included that way in SIP and XMPP. It's included in them for two reasons: 1) To provide a quick match mechanism that can be performed before having to retrieve a cert/pub-key and performing public key crypto. If the canonical identities the verifier generates from the received To/From URIs don't match the ones in the LIKES-IF header, it knows it's a failure and not to bother checking the signature. If they match, then it goes and checks the signature. It's an optimization, but a useful optimization, especially for call-forwarding cases to figure out which destination identity to check the signature for. 2) To provide troubleshooting help. There's a concern that the "canonicalization" process performed by the signer and verifier domains might lead to different identities, resulting in a IKES verification failure when it should instead succeed. By having the signer insert its values into the new header, the admin of the receiving domain can figure out if his canonicalization policies are wrong or not. > Chapter 11 (error): in DSS1, call termination is done with 3 messages > (DISCONNECT/RELEASE/RELEASE COMPLETE). In H.225.0 call control, just one > (RELEASE COMPLETE). This error must be corrected. Yup, good catch - will do on next revision. > H.225.0 call control contains h323-uu-pdu, which coexists with > user-information, and thus it actually does not count to 131 bytes of ISDN > User-to-User IE. So I think it is possible to combine all ISDN (ISUP, > DSS1, H.225.0 CC). Yeah I knew H.225 could have its own - in fact one could just define new ASN definitions for real/defined fields for the IKES information. See below for more on that... > But, for H.323 it would be more critical to supply IKES in RAS (e.g. ARQ) > and H.501 messages IMO. Why is it critically important for RAS? > Yes, H.323 Forum might have a different opinion about H.323 dying. Anyway, > H.323 users deserve new features, practice shows that. Huh. I was under the impression is was on its last legs, even in video conferencing. (but then I don't personally focus on the video conferencing market, so I could be way off there) Regardless, I can certainly update the draft for H.323 usage, and I will remove the incorrect claim that its dead. Do you think it would be better to just remove H.323 from this draft completely, and let the relevant parts for H.323 be worked out in H-series docs by the ITU/whomever? That way we don't have to have any new ASN definitions for the IKES information in this IKES draft, for example. > And what about other networks, e.g. GSM? Right now the draft just says: "Other protocols wishing to support IKES need to define their own mapping to the values defined in this document." I didn't want to go and document one for every possible protocol in this one IKES document - I figure if IKES gets deployed and used then other protocol groups will do so in their own documentation, if they want to. Like for example BICC, IAX, etc. All I wanted to do was prove it could be done for other protocols, and in particular define how it could work for SIP and SS7/ISUP. Even the XMPP usage might be better off in a separate doc, in the IETF STOX working group or in an XSF XEP. -hadriel
- Re: [stir] draft-kaplan-stir-ikes-out Anton Tveretin
- Re: [stir] draft-kaplan-stir-ikes-out Hadriel Kaplan
- Re: [stir] draft-kaplan-stir-ikes-out Anton Tveretin
- Re: [stir] draft-kaplan-stir-ikes-out Hadriel Kaplan