IETF Logo Mail Archive

Re: [stir] Review of draft-ietf-stir-rph-emergency-services

Chris Wendt <chris-ietf@chriswendt.net> Fri, 09 October 2020 14:18 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48AEA3A0838 for <stir@ietfa.amsl.com>; Fri, 9 Oct 2020 07:18:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.795
X-Spam-Level:
X-Spam-Status: No, score=-1.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ju2H3Q7oKp4t for <stir@ietfa.amsl.com>; Fri, 9 Oct 2020 07:18:21 -0700 (PDT)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBA793A0820 for <stir@ietf.org>; Fri, 9 Oct 2020 07:18:20 -0700 (PDT)
Received: by mail-qk1-x735.google.com with SMTP id d20so10697946qka.5 for <stir@ietf.org>; Fri, 09 Oct 2020 07:18:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=WiiubHnViXFKz2hRzbG2nC5v327LJ2IxvMoDClc6PNc=; b=pJiol0QKWqQwkbCtw4IkzKd/gxDro7DLHG2cQwHU2C4hgx55QGxgnSa3KiIkSQsal6 hDel+UJtoOYNKw4CqJ90U4A9QlhnYwNLD7R2RZZ+9eNV3+jJ6TcV97k9WkW5hi/jm8eP Fhcjd7knkVp2n7yJ6AJvV/orYVCaB44yhT2EhhdMWm6zyIyo/Cc5X17y6oSn7dxZjei3 oQYzWUbOhi5CjCuc31IDYSfwwRJDio63zBAZfILqUYS2jRIS+fKq4tAYrH6orM4/6kIg vOWeqJEevfxC5J4GYeSEzg54EvYK9dQ6cPliFsm1nxXJiPrqqfxzXqDy5k9PS4iIz6z6 DY0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=WiiubHnViXFKz2hRzbG2nC5v327LJ2IxvMoDClc6PNc=; b=JdXFtsrOKP5bJWRssyXUecsnQq0WXIqgQd0ZLckD2v48IL8lukRIHE8vjxQf3qPLPM tFMkl+AkisHDQHMZ64L7uDlPzFEoYM3riQAG7ysudrzFENrl29yMDW6xZ77PpTQuIP+d djzTUO2XTKBlT7fv0a0Ls33Gnih/N7OPeluHZKd47EnWaTk9k2I9ielgNki2kyTb422a RwHn/arJZvJ+ylMttEloynr5oAvUX0cx9JiSyOPXcRhUiPfK0FwUXfYlBPxFoU0nneri 1rW3eqtvys/O9jgWgqcsHCMv6+PU3c6JIYJCkqzZ14ZtcGmXnV4PG5AnWAR/CbGyqFh8 coFQ==
X-Gm-Message-State: AOAM531rSTXvi5kqJ9lY1Jqqau+L90HPJYozJkzw6bMGEAAIN7/Q8jmg h4wzvFqoVn1rhp8+L45Fft4bRQ==
X-Google-Smtp-Source: ABdhPJxwMpK7gII69dPEY+W8YETSb9R4T5p/SghWGzCRNW2sRQPyDHnR8qksvHSK/XSgpdq/RImpKQ==
X-Received: by 2002:a37:448a:: with SMTP id r132mr12461173qka.261.1602253099778; Fri, 09 Oct 2020 07:18:19 -0700 (PDT)
Received: from [192.168.0.153] (c-69-242-45-210.hsd1.pa.comcast.net. [69.242.45.210]) by smtp.gmail.com with ESMTPSA id h18sm6227843qkl.12.2020.10.09.07.18.18 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 09 Oct 2020 07:18:19 -0700 (PDT)
From: Chris Wendt <chris-ietf@chriswendt.net>
Message-Id: <7E2BC364-2CCF-43EE-BFAF-9B9A29A2BE11@chriswendt.net>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5069A4E2-D974-452C-9392-AF84A76C8496"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
Date: Fri, 09 Oct 2020 10:18:18 -0400
In-Reply-To: <BYAPR02MB51892A7D03F185046E574BFFF32C0@BYAPR02MB5189.namprd02.prod.outlook.com>
Cc: Brian Rosen <br@brianrosen.net>, "draft-ietf-stir-rph-emergency-services@ietf.org" <draft-ietf-stir-rph-emergency-services@ietf.org>, "stir@ietf.org" <stir@ietf.org>
To: Jack Rickard <Jack.Rickard@metaswitch.com>
References: <BYAPR02MB51891E95480910389FE0FDC7F3400@BYAPR02MB5189.namprd02.prod.outlook.com> <AB059D94-9BCA-4794-BCD4-211D7E8E80F2@brianrosen.net> <BYAPR02MB5189BE4C40E7A72BCFC8BD03F35D0@BYAPR02MB5189.namprd02.prod.outlook.com> <959DCC43-1686-49D3-9195-719CF65C9EE9@brianrosen.net> <BYAPR02MB5189D7055FCD08B0F926B9ADF35A0@BYAPR02MB5189.namprd02.prod.outlook.com> <14ACD074-FD66-4161-AC7A-ADB07127BE2D@chriswendt.net> <BYAPR02MB51899B8CC1EE4AD094A7F40AF32F0@BYAPR02MB5189.namprd02.prod.outlook.com> <0D26A9F6-5559-4273-ACBA-9501E958DF22@chriswendt.net> <BYAPR02MB51892A7D03F185046E574BFFF32C0@BYAPR02MB5189.namprd02.prod.outlook.com>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/sDKe4F1NTzp_YuEq7G3ntNnANG8>
Subject: Re: [stir] Review of draft-ietf-stir-rph-emergency-services
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2020 14:18:24 -0000

So, we had discussions with the experts on ‘rph’ and emergency services and agreed to do a 03 rev of this draft that does indeed modify the procedures to remove the ESOrig/ESCallback and incorporate the esnet.x value into the “auth” object array.  Hopefully this addresses the concerns and makes things a bit simpler.  Thanks for the input.

Please, to everyone, review and provide comments.

Thanks.

-Chris

> On Sep 3, 2020, at 9:28 AM, Jack Rickard <Jack.Rickard@metaswitch.com> wrote:
> 
> I agree with what you have said there, however Section 4.2 of 8443 also states that you should strip from the INVITE any 'Resource-Priority' header that isn't validated by the passports, which in this case would be the "esnet.x" header. This doesn't seem like a good behaviour to me, which is why I think "esnet" should go in the "auth" claim (as an signing service that didn't implement this would do anyway), at which point I don't see what utility the "ES*" claims provide.
>  
> Thanks,
> Jack
>  
> From: Chris Wendt <chris-ietf@chriswendt.net> 
> Sent: 02 September 2020 21:00
> To: Jack Rickard <Jack.Rickard@metaswitch.com>
> Cc: Brian Rosen <br@brianrosen.net>; draft-ietf-stir-rph-emergency-services@ietf.org; stir@ietf.org
> Subject: Re: [stir] Review of draft-ietf-stir-rph-emergency-services
>  
> Not sure why they would break anything.  I think the idea is that if you are doing emergency services you should not include “auth” key and value.  If you implement only 8443 and you only know what to do with “auth” and “auth” is not included in the PASSporT you are verifying, you must ignore other key values you don’t understand. Therefore the validation will fail and you should not try to provide any type of priority service with that call.  This is approach for all PASSporTs with newly defined claims and key values in general.  
>  
> -Chris
> 
> 
> On Sep 2, 2020, at 5:33 AM, Jack Rickard <Jack.Rickard@metaswitch.com <mailto:Jack.Rickard@metaswitch.com>> wrote:
>  
> Hi Chris,
>  
> I'm still unconvinced about the ESorig and EScallback keys, I'm happy for them to be added as long as they don't break anything. The problem I see is with an intermediate that implements 8443 but not this spec: if "esnet.x" isn't in the auth claim the it should remove "esnet.x" from the 'Resource-Priority' header, which seems like a bad thing to me. Even with this spec it's not currently clear that you shouldn't do that as there's nothing overriding that text from 8443 currently.
>  
> As for compact form, I'm perfectly happy with it remaining unspecified, it just surprised me.
>  
> Thanks,
> Jack
>  
> From: Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net>> 
> Sent: 25 August 2020 16:15
> To: Jack Rickard <Jack.Rickard@metaswitch.com <mailto:Jack.Rickard@metaswitch.com>>
> Cc: Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>>; draft-ietf-stir-rph-emergency-services@ietf.org <mailto:draft-ietf-stir-rph-emergency-services@ietf.org>; stir@ietf.org <mailto:stir@ietf.org>
> Subject: Re: [stir] Review of draft-ietf-stir-rph-emergency-services
>  
> Hi Jack, 
>  
> I think we still want to keep “auth” and “ESorig/ESCallback” as separate and distinct key/value objects, i see your comments as maybe disagreement stylistically but didn’t see anything to suggest that it wouldn’t work.  The reasoning though is that “auth” is intended to be specific to priority services only, not extensible for other applications.  And the fact of the matter is key/values are cheap, no reason we can’t have new values and be explicit about the intent.  This document is specific to 911 and emergency services and to extend the key/values defined for ‘rph’ claim and ‘rph’ PASSporT extension.
>  
> I will make this clearer in the document and explicitly say that “auth” should not be used for emergency services purposes of using resource priority header.
>  
> I think it would also make sense to make it clear that that this document extends 8443 and linking the documents.
>  
> For compact form, we think it would confuse folks to add provisions for compact form or allow it for little gain, and therefore prefer to leave it undefined.
>  
> Thanks.
>  
> -Chris
> 
> 
> 
> On Aug 20, 2020, at 1:30 PM, Jack Rickard <Jack.Rickard@metaswitch.com <mailto:Jack.Rickard@metaswitch.com>> wrote:
>  
> It's not clear that this spec relies on that, and I'm not sure that it should? To me it seems like this could be more widely applicable.
>  
> Would you be able to address, from a verification service's point of view, what it should do? I think that will clear up why "Esorig" and "EScallback" are useful above plain "auth".
> I think the spec would benefit from that section as well Section 4 of RFC 8443 and section 11 of draft-ietf-stir-passport-rcd-06 are both incredibly useful.
>  
> Thanks,
> Jack
>  
> From: Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>> 
> Sent: 19 August 2020 14:40
> To: Jack Rickard <Jack.Rickard@metaswitch.com <mailto:Jack.Rickard@metaswitch.com>>
> Cc: draft-ietf-stir-rph-emergency-services@ietf.org <mailto:draft-ietf-stir-rph-emergency-services@ietf.org>; stir@ietf.org <mailto:stir@ietf.org>
> Subject: Re: [stir] Review of draft-ietf-stir-rph-emergency-services
>  
> About 20% of the US has now upgraded to NG9-1-1, although most service providers haven’t yet.  The wireless carriers are moving towards it; testing is underway.  
> I will have a companion document in sipcore that handles the signaling aspects of this mechanism.  For the older E911 system, none of stir really helps because the existing system is built on the older Class 4 switches (“Selective Routers”).  All of this mechanism is for NG9-1-1 and the equivalent services in the rest of the world, based on IETF standards (RFC6881, RFC5222, and several others).  
> 
> 
> 
> 
> On Aug 19, 2020, at 7:19 AM, Jack Rickard <Jack.Rickard@metaswitch.com <mailto:Jack.Rickard@metaswitch.com>> wrote:
>  
> Thanks, that's really useful, however, I'm not convinced.
>  
> For ESorig, as far as I know this isn't currently always the case, I am aware of situations where emergency calls just look like normal calls with a number of 911. I'm also still unclear about what affect this has, as you can currently already sign emergency calls using the standard mechanisms (barring the whole "urn:service:sos" tn which I don't believe is standardised for STIR yet?)  by putting "esnet.0" in the auth field of an rph passport.
>  
> For EScallback, if the sph and "rph.auth" claims cover theis entirely why is EScallback needed? I'm also still unclear what the verification service behaviour is here.
>  
> I'm still unclear as to how this spec helps with allowing and preventing malicious use of emergency calls. You can already put esnet resource priority pairs in the "rph.auth" claim and that seems to provide as much security as this does. I do agree the sph claim does provide value, however.
>  
> I did just realise that the esnet Resource Priority needs to be in the "rph.auth" claim or the logic from that rfc will kick in and remove it, as per:
> RFC 8443, section 4.2
>    In such scenarios, the SIP 'Resource-Priority' header field SHOULD be
>    stripped from the SIP request, and the network entities should treat
>    the call as an ordinary call.
>  
> I'll note that some of my questions and concerns haven't been addressed yet, I'm happy to resolve this first, just making a note so that they don't get lost/I don't forget about them.
> Jack
>  
> From: Brian Rosen <br@brianrosen.net <mailto:br@brianrosen.net>> 
> Sent: 18 August 2020 22:31
> To: Jack Rickard <Jack.Rickard@metaswitch.com <mailto:Jack.Rickard@metaswitch.com>>
> Cc: draft-ietf-stir-rph-emergency-services@ietf.org <mailto:draft-ietf-stir-rph-emergency-services@ietf.org>; stir@ietf.org <mailto:stir@ietf.org>
> Subject: Re: [stir] Review of draft-ietf-stir-rph-emergency-services
>  
> Let’s keep the two use cases separate: 
> ESorig is an emergency call (user to authority).
> EScallback is a call from authority to user.
>  
> For ESorg, the call is marked with a Request-URI of urn:service:sos.  The “To” field is ignored in routing and handling the call.  That’s how you know this is an emergency call.   For stir purposes, the From is an ordinary identifier, and gets treated in the normal way.  However, the rph value can only be used by a valid emergency call, and a valid emergency call is a Request URI of urn:service:sos, and a valid From.  So you don’t have any knowledge of emergency services identifiers, only the Request URI of urn:service:sos.   
>  
> For EScallback, the marking is a distinguished value in SIP Priority.  If a call has that value, it’s a call back.  The originating service provider knows who are the authorities who are allowed to place call backs, so the check is what is in SIP Priority, and one of the allowed authorities in From.  As a practical matter, in most cases, the call will be signed by the emergency authorities themselves, who will be able to get appropriate credentials for this purpose.  In most cases I’m aware of, the To in an emergency call won’t match the From in a Callback, but it’s possible for that to happen, and we want to allow it.
>  
> Esnet is a Resource Priority Header namespace, not a SIP Priority value.  We’re allowing emergency calls and call backs to use rph, and we’re protecting against malicious use of it.  So unless the call has urn:service:sos in Request URI, or the right SIP Priority in a call back (and from an authorized authority) they can’t use rph with the esnet namespace.  Generally, unless under attack, emergency calls go through even if there isn’t a passport.  Many networks won’t offer actual priority to emergency calls, but the emergency services networks (ESInets) will.  
>  
> If a call arrives anywhere with an rph using esnet, and isn’t an emergency call, with the appropriate passport,  any intermediary can refuse to give it any priority,  The emergency authorities may accept a call without a valid passport, but they might treat it with much more suspicion than they would any other call.
>  
> For call backs, the network may have special behavior.  For example, it may send the call to the device that placed the emergency call, rather than, for example, voice mail.  The network has to be able to trust that SIP Priority is set appropriately.  It will also have rph using esnet, and the network can grant it appropriate priority if it has that capability, and would not allow esnet otherwise.
>  
> The only value in covering other uses of SIP Priority is to protect against middle boxes modifying it.  We don’t really have use cases for that.  It probably wouldn’t hurt to allow it though.
>  
> Does that help?
>  
> Brian
>  
> 
> 
> 
> 
> 
> On Aug 14, 2020, at 1:21 PM, Jack Rickard <Jack.Rickard=40metaswitch.com@dmarc.ietf.org <mailto:Jack.Rickard=40metaswitch.com@dmarc.ietf.org>> wrote:
>  
> I have reviewed draft-ietf-stir-rph-emergency-services-02 and have some concerns and questions. I don't believe this spec is implementable in its current form.
>  
> Thanks,
> Jack
>  
> Why are "ESorig" and "EScallback" distinct?
> They seem to serve a very similar purpose with the only difference being whether orig or dest should be the emergency services. I don't believe there's any check that can be done to validate:
>    When using "ESorig" as the "rph" assertion value, the "orig" claim of
>    the PASSporT MUST represent the calling party number that initiates
>    the call to emergency services.
> This (and the equivalent statement for EScallback) don't seem possible to me to check (barring the standard orig/dest checking)..
> This would make the check "at least one of the parties should be the emergency services" enough to validate that this was a reasonable call.
>  
>  
> Why have them at all rather than just using auth?
> This is very possibly an issue with my understanding, but I'm not clear on why "ESorig" and "EScallback" even need to exist. "esnet.0" etc. are SIP Resource Priority headers, so should be included in the "auth" field anyway by the RPH spec. This spec appears to apply extra constraints (that a one of the callers must be the emergency services) for the "esnet" namespace but it's not clear why entirely separate claims are needed.
>  
> In a similar vein, what should a verifier do if it receives a call containing an invalid "ESorig" or "EScallback" value or the passport is invalid/untrusted, I'm assuming the behaviour is the same as for auth but this isn't clear. Although stripping the fact that this is an emergency call is potentially dangerous..
>  
>  
> Specify the type of the "ESorig" and "EScallback" claims.
> This specification currently doesn't specify the type of the new fields, there are only examples and this isn't enough. It looks like they both follow the same scheme as the rph "auth" claim, however "esnet,x" doesn't quite fit into that due to the comma and that x isn't a valid priority value.
>  
>  
> Why is sph limited to psap-callback? What should the verifier do if it isn't that? What should it do if it is?
> I'm not entirely clear on the purpose of the sph claim, however, it seems odd that it doesn't cover the full range of possible values for the SIP Priority Header. Is there a reason that it doesn't cover the "non-urgent", "normal", "urgent", or "emergency" values?
> There is also no verifier behaviour defined here, should the verifier remove the Priority header if it receives an invite with no passports signing for it? That seems dangerous to me but would be consistent with rph. Alternatively, what should the verifier do if it receives an invite with a valid passport claiming sph but with no Priority header should it add it in? I'm not sure the spec needs to be too prescriptive here, however some mention of verifier behaviour and the associated security considerations would be useful.
> 
> 
> Should the spec be stronger about the compact form?
> Section 3 currently states
>    The use of the compact form of PASSporT is not specified in this
>    document.
> However, a compact-form passport following this spec would be hard to verify as it introduces multiple possible rph variants, I think this spec could go further and say you shouldn't/mustn't.
> 
> 
> What is the requirement of these new parameters.
> As I understand it, the passport spec allows you to create a passport containing whatever JWT fields you want and verifiers should just ignore any fields they don't understand. Unless the "ppt" claim is set, which indicates that verifiers should discard it if they don't recognise that passport type. As this spec adds additional fields to an existing passport type it isn't immediately clear what the behaviour should be. Specifically, is an rph passport containing only "rph.ESorig" valid now (where it wouldn't be before because auth isn't present), is an rph passport containing no rph and only sph valid, and what does a non-rph passport with sph or ESorig set mean?
>  
> _______________________________________________
> stir mailing list
> stir@ietf.org <mailto:stir@ietf.org>
> https://www.ietf.org/mailman/listinfo/stir <https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fstir&data=02%7C01%7CJack.Rickard%40metaswitch.com%7Cfec57c0e64a34156473508d84f7aca06%7C9d9e56ebf6134ddbb27bbfcdf14b2cdb%7C1%7C0%7C637346736096811076&sdata=3BmcGhTMxrGQCmpjDQGV5sG0lCcYViU%2FxpjBJv3mlb0%3D&reserved=0>

v2.23.0 | Report a Bug | By Email