IETF Logo Mail Archive

Re: [stir] Comments/questions on draft-ietf-stir-identity-header-errors-handling-01

Chris Wendt <chris-ietf@chriswendt.net> Mon, 25 April 2022 16:51 UTC

Return-Path: <chris-ietf@chriswendt.net>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 27FF3C18513B for <stir@ietfa.amsl.com>; Mon, 25 Apr 2022 09:51:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.006
X-Spam-Level:
X-Spam-Status: No, score=0.006 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=chriswendt-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YTa2wgbFRyTT for <stir@ietfa.amsl.com>; Mon, 25 Apr 2022 09:51:26 -0700 (PDT)
Received: from mail-qk1-x734.google.com (mail-qk1-x734.google.com [IPv6:2607:f8b0:4864:20::734]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5861BC1850E8 for <stir@ietf.org>; Mon, 25 Apr 2022 09:51:26 -0700 (PDT)
Received: by mail-qk1-x734.google.com with SMTP id g19so3242qkm.12 for <stir@ietf.org>; Mon, 25 Apr 2022 09:51:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chriswendt-net.20210112.gappssmtp.com; s=20210112; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=vVjXRv7l8sPPSaHbL3MpZxCMlJ4Os9BBQd8np82YmUw=; b=Zk7yawIyO/Wav71eWJbgJSepyONg7aIc8olz0OcYeIGhqNoXcw6iWEPTQVtteCnbpL LxU1TA2q3e/aVv2zeFmt3Ms78eJjmh94nGTJ7KPdvE4/UFO9zK3ouPE+YDaPecqjheg+ 5R0i1imQFfkcHPsCGqc5OTZLxRAf805p7SsuuqGW/e7rkuBXW84HlGYBByzv75FhmFnX 3wy0fQnbgcd6z/vkBNq6JJyyUAH3uQMSTizDB1Y9ob01aOoequsM/TzNwiBkuhDsUHaC tbWohgIgJqUqOyNUXpRrB0R79xsZA5d2hbzOmrZBkvgDXnnxnwLC/e5P6M3myjsmplic RkdQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=vVjXRv7l8sPPSaHbL3MpZxCMlJ4Os9BBQd8np82YmUw=; b=60rxiLgWrW53EPXol5JpwXnBOdUSk6kN4knIPKLNwFAjejpJpEkU6r8ZZ59WxMgNeu qzwtOuFyKIwZmefNNqvFnRHljQCIWCB/kWNjGoBoNOWHOG1YNO4Hgy2uJ3kPT1jN7vQz Mv4puxx/v0ufIW4MXUgS7FJ2Qh26+WJaKg60ppqVsW/Tfs8GoBYHzJv7LOGL84F+ufMG lZy0GvWl69vGu8emGCMTjRHfjqXXE246CdbJZCUbZu7hZbjmj9hq+DQaTbwcBdm4Qt+H 9rMNhJRGWl451gRGC7zHG1KwIaQhTBXGWSetOAVP78fXJ8S9vnRPYn5IU72ZTU5TfP71 Yxfw==
X-Gm-Message-State: AOAM532C6uzDPlO4l7MBUwfEGPXojvHOhwjxidbHirpZ8d2gQY7WJaap txLtUbtb6NpbmOMLe8iTpjBwIjYrm8IRB+8o
X-Google-Smtp-Source: ABdhPJxMkGS3Z/EkoWBsZHIpr1dVtTaHdVzi0bw9H3dU4ozklhxbdacvtp+9B62JQkYGNXYPSQ8V+g==
X-Received: by 2002:a05:620a:85e:b0:69b:e5f5:df1c with SMTP id u30-20020a05620a085e00b0069be5f5df1cmr10649973qku.272.1650905485007; Mon, 25 Apr 2022 09:51:25 -0700 (PDT)
Received: from smtpclient.apple ([2601:41:c400:1ad:f5e6:5c90:c989:f447]) by smtp.gmail.com with ESMTPSA id y9-20020ac87c89000000b002f364b84040sm3009360qtv.34.2022.04.25.09.51.24 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Apr 2022 09:51:24 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\))
From: Chris Wendt <chris-ietf@chriswendt.net>
In-Reply-To: <HE1PR07MB4441E7A2F7AFA763EB84F7A793F89@HE1PR07MB4441.eurprd07.prod.outlook.com>
Date: Mon, 25 Apr 2022 12:51:23 -0400
Cc: IETF STIR Mail List <stir@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <00EA8CB8-2DB2-49CE-9D7E-B3AA4618912D@chriswendt.net>
References: <HE1PR07MB444170B0B7F15E9D10E5FC4893F79@HE1PR07MB4441.eurprd07.prod.outlook.com> <F1611AE5-5249-4A3E-AD5A-2C00D3B72CA2@chriswendt.net> <HE1PR07MB4441E7A2F7AFA763EB84F7A793F89@HE1PR07MB4441.eurprd07.prod.outlook.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.3696.80.82.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/sLAccD6ikJxQ2X3OvOQ03SQjSIw>
Subject: Re: [stir] Comments/questions on draft-ietf-stir-identity-header-errors-handling-01
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2022 16:51:28 -0000


> On Apr 25, 2022, at 11:59 AM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
> 
> Hi,
> 
>  
> I took a look at draft-ietf-stir-identity-header-errors-handling-01, and I have some questions and comments.
>  
> ---
>  
>>> Q1: The draft uses a ppt parameter to associated a Reason header field with an Identity header field. That sounds very “clumsy” in my opinion. Also, how exactly is the parameter value compared with the PassPORT? Byte by byte? How does that work if you use a compact form?
>> 
>> Comparing as a JWT Base64 encoded string value whether full or compact.  We just needed a unique value that the AS (or originating side) would know about, so either full PASSporT or just the signature is unique enough for the AS to reference on which identity header passed in the INVITE caused the error.
> 
> Why not defining a dedicated "index" parameter? That would also act as an indicator that the AS supports the mechanism to begin with, which would also address the issue in Q5 (because the response with ppt would only be sent if the index is present in the request).

We were trying to keep this simple, i guess i’d like to hear from others if we want to start from scratch on this.

> 
> ---
>  
>>> Q2: Where is the ppt parameter defined? I see no Reason header field reason-extension defined for it, and no IANA registration.
>> 
>> This is the document that defines it, but yes i did now look that i should request IANA registeration as Header Field Parameters and Parameter Values.  I will add that request to the document.
> 
> Ok. But, you also need to include the syntax, as it is (I assume) a Reason header field reason-extension.
> 
> Another question is whether it should be called ppt. That already exists, and indicates a TYPE, which this parameter does not. Using a unique parameter name would cause less confusion.
> 
> Of course, if you used an index parameter in the request (see Q1) I guess you could use something similar in the response. "ppi" (pass port index), or something...

Sure i can call it something else

> 
> ---
>  
>>> Q3: The definition of the “STIR” protocol in Section 3 is very confusing.
>>>  
>>> For example, the text says:
>>>  
>>>   “This will differentiate current protocols, specifically
>>>    "SIP" which is currently in wide industry usage, from the [RFC8224]
>>>    defined error cause codes”
>>>  
>>> Differentiate SIP from what protocol? The error cause codes defined in 8224 are SIP cause codes, so what protocol does “STIR” refer to?
>>>  
>>> If the semantics of “STIR” is identical to “SIP”, with the only difference being that it allows you to use multiple Reason header fields with “STIR”, why not say so?
>> 
>> The intent is that STIR is another “protocol” just like Q.850 and SIP differentiate a class of reasons.  We are simply defining another type of reasons specific to STIR, so that existing
>> implementations aren’t confused.  We discussed this pretty extensively in past meetings as likely best option.
> 
> Than I think you can make the text much more simple. All you need to do is to say that the error is caused based on the procedures in RFC XXXX, and that SIP response codes are still used.

ok

> 
> ---
>  
>>> Q4: The text says:
>>>  
>>>   “The "ppt" parameter
>>>    for the Reason header field is optional, but RECOMMENDED, in
>>>    particular for cases that a SIP INVITE contains multiple Identity
>>>    header fields.” 
>>>  
>>> And if it is not included? How will things work then?
>>  
>> The intent is that if you only have one identity header/identity header error you don’t need to include ppt.  I could clarify that and make it mandatory if you have more than one identity header.
>> 
>>> Q5: Section 7 says that the Authentication Server MUST remove the Reason header field from the response. But, what if the Authentication Server is an 8224-only implementation? In that case it might
>>> pass on the Reason header field. Section 10 does say something about the Reason header field being passed beyond the Authentication Server, but I am not sure whether it talks about the same case.
>> 
>> That is always the case for any specification that comes in the future.  I think we are early enough that scenarios for multiple identity headers is only starting to appear and would like to adopt
>> this in SHAKEN. This may be a good reason to adopt stronger language about using compact form/only signature as identifier.
> 
> As mentioned earlier, an index parameter could be used as an indicator that the AS supports the mechanism.

would rather recommend compact form, but curious what others think.

> 
> ---
> 
>>> Q6: The text talks about including the Reason header in a provisional response, in case local policy dictates that the session setup shall continue.
>>>  
>>> First, I am not sure whether that is how 3326 defines usage of Reason in provisional responses. It is used to help in forking scenarios, when final responses sent on different early dialogs are dropped by the forking proxy.
>>>  
>>> Second, there is no text on how this provisional response is created. Is the sender of the Reason header field going to generate a To tag? Does that mean the sender of the Reason header field is acting as a B2BUA?
>>  
>> First, this is the same scheme we already have defined in ATIS-1000074, but the provisional response is created just like any provisional response (so yeah, the UAS sending the provisional response would have add a To tag to complete the early dialog). 
>> As the response travels toward the UAC, it's going to arrive at a proxy who knows if and why verification failed (e.g., the IBCF, or maybe the STI-VS itself in the case where the verification API is SIP), and that proxy will add the proper Reason header(s).
> 
> Ok, so the verification proxy would not create the provisional response - it will only piggyback the Reason header(s) in a provisional response sent by the UAS?

I think either is possible depending on implementation

> 
> 
> Regards,
> 
> Christer
> 
> 
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
> _______________________________________________
> stir mailing list
> mailto:stir@ietf.org
> https://www.ietf.org/mailman/listinfo/stir
>

v2.23.0 | Report a Bug | By Email