IETF Logo Mail Archive

Re: [stir] Comments/questions on draft-ietf-stir-identity-header-errors-handling-01

Chris Wendt <chris-ietf@chriswendt.net> Sun, 24 April 2022 20:49 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F3A33A1244 for <stir@ietfa.amsl.com>; Sun, 24 Apr 2022 13:49:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VyWQZomFf5_O for <stir@ietfa.amsl.com>; Sun, 24 Apr 2022 13:49:24 -0700 (PDT)
Received: from mail-qv1-xf2b.google.com (mail-qv1-xf2b.google.com [IPv6:2607:f8b0:4864:20::f2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7111C3A123E for <stir@ietf.org>; Sun, 24 Apr 2022 13:49:24 -0700 (PDT)
Received: by mail-qv1-xf2b.google.com with SMTP id q13so1471534qvk.3 for <stir@ietf.org>; Sun, 24 Apr 2022 13:49:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20210112.gappssmtp.com; s=20210112; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=UqXn+NIgqKefV/Ud6YH/mGwuIvKCh+J7xLajSpIfxfM=; b=tMy5/fILGGzIcOUzu7rmwI/5V0XSxHw/nbR+MvAN/XbSfet/yHQqcWeXySSUHoVYOd eTyZEFBngsyNXjvwSX+hidt2o419Sr/NQFRpZElggRY5ZyHVO7sd1Kx2HizRwDpF9VN8 pij3rmyD7p/oxyzy8DAbGDEqVYugXt4ObSNJk5TXYe3+QgMyXUBQjGafRVLxl2OKqHn7 o3S6yHNYZ5kitKx9GZrkviBiNJJ4L8v4t03JAbTaaMwN+CvgMEBVCLNWJEZDzFjXpkKz cwvHYz82KL9Xxmk5QJr4Nf3zizK4mtBZEFnm6VeP7HPoGwvWnA5EzBioNVO32r2qmk8D Vpmg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=UqXn+NIgqKefV/Ud6YH/mGwuIvKCh+J7xLajSpIfxfM=; b=P53/HcjxwDhnqiMRaeT0vBTLVHd4u50mRFUqRLDUiV+ShtdFPlGjNWzcahmBJP0HP+ ATrieOAqNKj5DS9j4tZ0ovImP/5ow+c9dG5ZF5PU+1atDXOGZOpZuayzhMKZxBxstxOg 2pm2dgE0j/0/arOoO3rSQL0Cqldkg13rIz20BU7v7LMQ0j3kQdV/3F7tlMyNGvxicmUi 9bGkKCVuQ5opuTmV8K8RPg1kYkf62gF50rXBsG4wst+XezT0ywO3ftZ7wiW+VWEB/re+ H9NO76cwL2MMEF7KeSNoFxEe5c9dX2M98DfvZ5PcStUjcS9mM+3iYEeKackuwqgIQw/z HDNw==
X-Gm-Message-State: AOAM532akO7rz+OmYyL3cU332HuQcwXtQNxOtpwXsxQHqAlXYWDmE0Ks zzPslEcTpgavdTHljufKXBeTLw==
X-Google-Smtp-Source: ABdhPJy1zF3GSMu5ZuUHkmKweMvDWUr0Q5JLiUsjXlNgD8wODd5NpKwrqZSO+ZsNPrOr7O77MpRDKg==
X-Received: by 2002:a05:6214:5089:b0:446:3684:9666 with SMTP id kk9-20020a056214508900b0044636849666mr10565759qvb.39.1650833362914; Sun, 24 Apr 2022 13:49:22 -0700 (PDT)
Received: from smtpclient.apple (c-69-242-46-71.hsd1.pa.comcast.net. [69.242.46.71]) by smtp.gmail.com with ESMTPSA id 23-20020a370817000000b0069e71175d86sm3977999qki.109.2022.04.24.13.49.22 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 24 Apr 2022 13:49:22 -0700 (PDT)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <F1611AE5-5249-4A3E-AD5A-2C00D3B72CA2@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E8DDE044-C635-4BCA-8987-527541F15750"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
Date: Sun, 24 Apr 2022 16:49:21 -0400
In-Reply-To: <HE1PR07MB444170B0B7F15E9D10E5FC4893F79@HE1PR07MB4441.eurprd07.prod.outlook.com>
Cc: IETF STIR Mail List <stir@ietf.org>
To: Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>
References: <HE1PR07MB444170B0B7F15E9D10E5FC4893F79@HE1PR07MB4441.eurprd07.prod.outlook.com>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/iOsvJIWRaLWE_8u5yTZ3If8TO2M>
Subject: Re: [stir] Comments/questions on draft-ietf-stir-identity-header-errors-handling-01
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Apr 2022 20:49:29 -0000


> On Apr 22, 2022, at 4:49 PM, Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org> wrote:
> 
> Hi,
>  
> I took a look at draft-ietf-stir-identity-header-errors-handling-01, and I have some questions and comments.
>  
> ---
>  
> Q1: The draft uses a ppt parameter to associated a Reason header field with an Identity header field. That sounds very “clumsy” in my opinion. Also, how exactly is the parameter value compared with the PassPORT? Byte by byte? How does that work if you use a compact form?

Comparing as a JWT Base64 encoded string value whether full or compact.  We just needed a unique value that the AS (or originating side) would know about, so either full PASSporT or just the signature is unique enough for the AS to reference on which identity header passed in the INVITE caused the error.

>  
> ---
>  
> Q2: Where is the ppt parameter defined? I see no Reason header field reason-extension defined for it, and no IANA registration.

This is the document that defines it, but yes i did now look that i should request IANA registeration as Header Field Parameters and Parameter Values.  I will add that request to the document.

>  
> ---
>  
> Q3: The definition of the “STIR” protocol in Section 3 is very confusing.
>  
> For example, the text says:
>  
>    “This will differentiate current protocols, specifically
>    "SIP" which is currently in wide industry usage, from the [RFC8224]
>    defined error cause codes”
>  
> Differentiate SIP from what protocol? The error cause codes defined in 8224 are SIP cause codes, so what protocol does “STIR” refer to?
>  
> If the semantics of “STIR” is identical to “SIP”, with the only difference being that it allows you to use multiple Reason header fields with “STIR”, why not say so?

The intent is that STIR is another “protocol” just like Q.850 and SIP differentiate a class of reasons.  We are simply defining another type of reasons specific to STIR, so that existing implementations aren’t confused.  We discussed this pretty extensively in past meetings as likely best option.

>  
> ---
>  
> Q4: The text says:
>  
>    “The "ppt" parameter
>    for the Reason header field is optional, but RECOMMENDED, in
>    particular for cases that a SIP INVITE contains multiple Identity
>    header fields.” 
>  
> And if it is not included? How will things work then?
>  
> ---

The intent is that if you only have one identity header/identity header error you don’t need to include ppt.  I could clarify that and make it mandatory if you have more than one identity header.

>  
> Q5: Section 7 says that the Authentication Server MUST remove the Reason header field from the response. But, what if the Authentication Server is an 8224-only implementation? In that case it might pass on the Reason header field. Section 10 does say something about the Reason header field being passed beyond the Authentication Server, but I am not sure whether it talks about the same case.
>  
> ---

That is always the case for any specification that comes in the future.  I think we are early enough that scenarios for multiple identity headers is only starting to appear and would like to adopt this in SHAKEN. This may be a good reason to adopt stronger language about using compact form/only signature as identifier.

>  
> Q6: The text talks about including the Reason header in a provisional response, in case local policy dictates that the session setup shall continue.
>  
> First, I am not sure whether that is how 3326 defines usage of Reason in provisional responses. It is used to help in forking scenarios, when final responses sent on different early dialogs are dropped by the forking proxy.
>  
> Second, there is no text on how this provisional response is created. Is the sender of the Reason header field going to generate a To tag? Does that mean the sender of the Reason header field is acting as a B2BUA?
>  
> ---

First, this is the same scheme we already have defined in ATIS-1000074, but the provisional response is created just like any provisional response (so yeah, the UAS sending the provisional response would have add a To tag to complete the early dialog). As the response travels toward the UAC, it's going to arrive at a proxy who knows if and why verification failed (e.g., the IBCF, or maybe the STI-VS itself in the case where the verification API is SIP), and that proxy will add the proper Reason header(s).


>  
> I may have more comments/questions later, but I will start with these.
>  
> Regards,
>  
> Christer
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
> _______________________________________________
> stir mailing list
> stir@ietf.org <mailto:stir@ietf.org>
> https://www.ietf.org/mailman/listinfo/stir <https://www.ietf.org/mailman/listinfo/stir>

v2.23.0 | Report a Bug | By Email