IETF Logo Mail Archive

Re: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt

pierce@numeracle.com Fri, 26 August 2022 17:12 UTC

Return-Path: <pierce@numeracle.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD928C14CE3F for <stir@ietfa.amsl.com>; Fri, 26 Aug 2022 10:12:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=numeracle-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TgXMeGvFKcB7 for <stir@ietfa.amsl.com>; Fri, 26 Aug 2022 10:12:47 -0700 (PDT)
Received: from mail-oa1-x31.google.com (mail-oa1-x31.google.com [IPv6:2001:4860:4864:20::31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98268C1522AE for <stir@ietf.org>; Fri, 26 Aug 2022 10:12:47 -0700 (PDT)
Received: by mail-oa1-x31.google.com with SMTP id 586e51a60fabf-11dca1c9c01so2854695fac.2 for <stir@ietf.org>; Fri, 26 Aug 2022 10:12:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=numeracle-com.20210112.gappssmtp.com; s=20210112; h=thread-index:content-language:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:from:to:cc; bh=/fXmJkTHpZr+s2cPHDYeL1c6uai1+k53u8tMas724Sk=; b=Hj5v2mlg5rGFGPw3kBukXOgvYGrmoORToBbxFy+p0ME/C8Y8hM7kMOvlZM4K0xK9kM AXBAWbgzFDGy9SWmN9cEtp8uHm3IeeNi+318R/549ykEc1OsVg+VOEUSX8LffrsmUeld IRMGShT2kEr1o2mSyEhT1srm/NLHCMHpx3T52EpPR4lCYPj8W9p9dg7IPq3ZYy6T5dnb 6cyuvFTCm4XY4qFmBcIPh89S62Jd1X0lDCtAsZka0LPWz1fh6T7MvSEJvkxRlP4JlwR2 Z29bG1gneYQVOV9wlRfrmtLi91HS2UX/tZu51zLWwfu3sEW5yDi9ibpq+3pdFs7H/lMq CjjA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=thread-index:content-language:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:x-gm-message-state:from:to:cc; bh=/fXmJkTHpZr+s2cPHDYeL1c6uai1+k53u8tMas724Sk=; b=pZoBkpdERv4BRJ1+JDO9r0Zuj/xzzTPtlpIGd0WLYc1B+ZHAZXQGEsoN4wVzszgiFJ Ki0cQ9hA2mmnayZhkfDyIYo+6R0zqyQphwMkN/pyfdBH8PSO11faY+aq3+dmKaF71xKs G5Geek4fo01VaF/38hPtK1+Cu8TLUyp1ZC1eC6hMUe+fIOr0IL7btmEW6uLgmNNHRsx/ lu5z+J/wQNACURM0bVyNZhZzqbmT6HJoAcBNOfMGE+eaEFHjWnkDlqDHMuBc04CsaHwI BoH/krAeoE2RwOKBC2f0jKLujGuc7iW/6bOh1/J9tpV+Oen1tadxbV7w49il8zpdnwwO GBCA==
X-Gm-Message-State: ACgBeo1s/3VPRh/kBow36v4vNg3xWLAaCYMx6RT2zCPYpcGJ+5srSna2 hWFWppiYTHYvUT/tEW65MBUi7g==
X-Google-Smtp-Source: AA6agR56z8UxrJ3bDT/vL8NSq5C1Zq9ZGqV3kxuNeapfkIadI9JVH2B4cEiRH2eAke+gVkX8BANmew==
X-Received: by 2002:a05:6870:3409:b0:10d:758a:684b with SMTP id g9-20020a056870340900b0010d758a684bmr2412434oah.125.1661533966101; Fri, 26 Aug 2022 10:12:46 -0700 (PDT)
Received: from NumeracleLegion ([2605:a601:ae1c:4300:c87e:a3a4:cf9a:639d]) by smtp.gmail.com with ESMTPSA id v188-20020acadec5000000b00342eade43d4sm1323231oig.13.2022.08.26.10.12.45 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 26 Aug 2022 10:12:45 -0700 (PDT)
From: pierce@numeracle.com
To: 'Chris Wendt' <chris-ietf@chriswendt.net>
Cc: 'Christer Holmberg' <christer.holmberg=40ericsson.com@dmarc.ietf.org>, 'Robert Sparks' <rjsparks@nostrum.com>, 'Ben Campbell' <ben@nostrum.com>, 'IETF STIR Mail List' <stir@ietf.org>, 'STIR Chairs' <stir-chairs@ietf.org>
References: <166092541721.15611.12331275110612885444@ietfa.amsl.com> <73813D32-314D-4086-BEB9-F37D2887DB90@nostrum.com> <HE1PR07MB44416763F30C0ED896226CCD93729@HE1PR07MB4441.eurprd07.prod.outlook.com> <480cb290-d2a6-8652-5d91-452e3a182b20@nostrum.com> <HE1PR07MB444178AC33337F65512FD19B93729@HE1PR07MB4441.eurprd07.prod.outlook.com> <013c01d8b896$e818e360$b84aaa20$@numeracle.com> <E0631B6F-14FB-499D-BF68-2CE0BFC7237B@chriswendt.net>
In-Reply-To: <E0631B6F-14FB-499D-BF68-2CE0BFC7237B@chriswendt.net>
Date: Fri, 26 Aug 2022 12:12:45 -0500
Message-ID: <04b301d8b96f$0fc27420$2f475c60$@numeracle.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_04B4_01D8B945.26EC6C20"
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-us
Thread-Index: AQIL3xRkP4118VnhxbF4a2jbGtk3KwGLhVEuAafk4+4CvjRMSALb9+teApRNUf0Cv3C7gqzqAQ9w
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/yadEkUMM9E4Cuy4kk-oAkxEo8xI>
Subject: Re: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Aug 2022 17:12:51 -0000

Hi Chris,

 

My concern with the “sent to the authentication service” language is a nit.  Keeping or eliminating the language doesn’t change the protocol work in the draft.  That said, I’m going to reinforce what I’ve been saying on this assumption of an AS seeing VS errrors.

 

Couple of things on the RFC 8224 definition of authentication service.

 

   o  Authentication Service: A logical role played by a SIP entity that

      adds Identity headers to SIP requests.

 

I assume “SIP entity” implies a SIP UAC/UAS element.

 

Something worth noting here is an Authentication Service acts as a UAC.  In practice the UAS of most Authentication Service implementations will not see a REASON header coming back from the UAC of a Verification Service.

 

Section 6.1 says, “It is also possible that the authentication service role might be instantiated by an entity that acts as a redirect server, but that is left as a topic for future work.”
 
Everything before “, but that is left as a topic for future work“ is technically correct and worth noting because it casually notes what I assert is the dominant form of Authentication Service implementations.  This has material consequences.
 
Section 6.1.1 makes a mistake when it says:
 
6.1.1 <https://www.rfc-editor.org/rfc/rfc8224.html#section-6.1.1> .  Handling Repairable Errors
 
   Also, in some cases, a request signed by an authentication service
   will be rejected by the verification service on the receiving side,
   and the authentication service will receive a SIP 4xx status code in
   the backwards direction, such as a 438 ("Invalid Identity Header")
   response indicating a verification failure.
 
The part I highlighted in yellow is at least frequently incorrect.
 
Calls will routinely fail because of REASON headers with SIP 403, 436, 437, and 438 errors which the Authentication Service never receives, but which are received by UAs in the network which then kill otherwise valid calls because their SIP stacks have not been updated to recognize those codes but which do, however, recognize those are 4xx codes and therefore kill the calls because their SIP stacks do support RFC 3326 which suggests those calls can be killed because they have REASON to believe are unlikely to complete by reason of the 4xx category.
 
FCC mandates now require nearly all US voice service providers to authenticate calls by June 2023.  Given that the great majority of the 3,500 to 4,500 (or whatever the number is) US service providers will not directly implement authentication services on their network, the highlighted part is misleading and will (continue to) cause SIP call processing failures on calls that should otherwise complete regardless of the state of verification.
 
When “good” calls fail because of Verification Service 4xx errors in REASON headers, network operators are likely to do two things.
 
First, they will strip the offending REASON headers on inbound calls so that normal call processing can continue to complete as before.  The Sprint network did this.
 
Secondly, they will (if they’re diligent) investigate getting software updates on the vulnerable UAs so that the UAs know they should ignore those particular REASON headers (unless the UA is an Authentication Service).  Given those UAs can include originating mobile devices and IP PBXs, as well as VoIP-capable softswitches and CSCFs in the network, it is not a trivial second step.
 
The problem I’m complaining about (which is assuming an AS is receiving VS 4xx errors and acting on them) is serious enough I almost think it warrants its own discussion point in the I-D.
 
Service providers implementing STIR/SHAKEN need to be looking for those VS 4xx errors, but they most likely need to be looking for them on their Session Border Controller where they will most likely need to be stripping the ATIS-1000074 VS REASON headers unless they’ve update the SIP stacks on all of their, and their subscribers’, SIP “entities” to recognize those particular errors and handle them appropriately.
 
The main reason I am heartily in favor of this I-D is because adding “STIR” as a protocol in the REASON header should help all those existing UAs that currently support “SIP” and “Q.850” protocols to safely ignore Verification Service failure codes which are almost certainly meaningless to them.
 
Best regards,
 
Pierce

 

 

From: Chris Wendt <chris-ietf@chriswendt.net> 
Sent: Friday, August 26, 2022 6:35 AM
To: pierce@numeracle.com
Cc: Christer Holmberg <christer.holmberg=40ericsson.com@dmarc.ietf.org>; Robert Sparks <rjsparks@nostrum.com>; Ben Campbell <ben@nostrum.com>; IETF STIR Mail List <stir@ietf.org>; STIR Chairs <stir-chairs@ietf.org>
Subject: Re: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt

 

Hi Pierce,

 

I think in the context of this specification, we really need to view authentication service as the RFC8224 defined authentication service.  Beyond that is industry and implementation specific.  Recall that ATIS-1000074 has same Reason header requirements, so I would claim that current implementations ignored this if they can’t support this functionality as a split SIP/HTTP based “authentication service” implementation as you are defining it.

 

-Chris





On Aug 25, 2022, at 11:25 AM, pierce@numeracle.com <mailto:pierce@numeracle.com>  wrote:

 

The text "in the next provisional or final responses sent to the authentication service" assumes the STI-AS will receive those responses and can do something with them. E.g., include them in a log.

 

This is not a good assumption.  Many (most?) AS/VS designs use an outboard server which is called using SIP INVITE or HTTPS and which responds using SIP 302 or HTTPS.  In both of those cases an AS may never see responses from verification services.

 

I recommend removing the language “sent to the authentication service” as being unnecessary and potentially misleading.

 

Pierce

 

 

From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org> > On Behalf Of Christer Holmberg
Sent: Thursday, August 25, 2022 9:41 AM
To: Robert Sparks <rjsparks@nostrum.com <mailto:rjsparks@nostrum.com> >; Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com> >; IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org> >
Cc: Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net> >; STIR Chairs <stir-chairs@ietf.org <mailto:stir-chairs@ietf.org> >
Subject: Re: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt

 

Hi,

 

Yes, I meant Reasonse+STIR. It also seems I forgot the background information for my question in my previous e-mail. Sorry for that.

 

RFC 3326 says:

 

   "Initially, the Reason header field defined here appears to be most

   useful for BYE and CANCEL requests, but it can appear in any request

   within a dialog, in any CANCEL request and in any response whose

   status code explicitly allows the presence of this header field."

 

So, my reading it needs to be explicitly indicated for which SIP response status codes Reason can be included.

 

For example, RFC 6432, which defines the Reason Q.850 protocol says:

 

"This document allows SIP responses to carry Reason header fields as

   follows:

 

      Any SIP Response message, with the exception of a 100 (Trying),

      MAY contain a Reason header field with a Q.850 [Q.850] cause code."

 

Regards,

 

Christer

 

 

 

 

-----Original Message-----
From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org> > On Behalf Of Robert Sparks
Sent: torstai 25. elokuuta 2022 17.21
To: Christer Holmberg <christer.holmberg@ericsson.com <mailto:christer.holmberg@ericsson.com> >; Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com> >; IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org> >
Cc: Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net> >; STIR Chairs <stir-chairs@ietf.org <mailto:stir-chairs@ietf.org> >
Subject: Re: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt

 

(Assuming you meant Reason+STIR below, and wearing no hats):

 

It isn't clear to me that there's a need to say anything more here than what RFC3326 says. Perhaps the text can be clear that this uses the rules for where the header can occur as RFC3326. I don't think we want something _different_, and I don't want to try to restate those rules in this document.

 

RjS

 

 

On 8/25/22 9:05 AM, Christer Holmberg wrote:

> Hi,

> 

> When the STIR protocol is used, in which SIP response codes can the Reason header(s) be included?

> 

> I can only find the following statement: "in the next provisional or final responses sent to the authentication service.".

> 

> That is not every explicit. If we want to allow Reason+SIP with *any* SIP response code it would be good to say so.

> 

> Regards,

> 

> Christer

> 

> -----Original Message-----

> From: stir <stir-bounces@ietf.org <mailto:stir-bounces@ietf.org> > On Behalf Of Ben Campbell

> Sent: maanantai 22. elokuuta 2022 2.50

> To: IETF STIR Mail List <stir@ietf.org <mailto:stir@ietf.org> >

> Cc: Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net> >; STIR Chairs <stir-chairs@ietf.org <mailto:stir-chairs@ietf.org> >

> Subject: [stir] WGLC: draft-ietf-stir-identity-header-errors-handling-03.txt

> 

> Hi,

> 

> This starts a STIR working group last call for draft-ietf-stir-identity-header-errors-handling-03. Please send feedback tot he authors and the STIR list by September 7. Note that we added a couple of days to the WGLC period due to the US Labor Day holiday.      

> 

> As always,any constructive feedback, including feedback to the effect of “I’ve read this and it is ready to go” is helpful.

> 

> Thanks!

> 

> Ben (For the STIR chairs)

> 

> 

>> On Aug 19, 2022, at 11:10 AM, internet-drafts@ietf.org <mailto:internet-drafts@ietf.org>  wrote:

>> 

>> 

>> A New Internet-Draft is available from the on-line Internet-Drafts directories.

>> This draft is a work item of the Secure Telephone Identity Revisited WG of the IETF.

>> 

>>         Title           : Identity Header Errors Handling

>>         Author          : Chris Wendt

>>   Filename        : draft-ietf-stir-identity-header-errors-handling-03.txt

>>   Pages           : 7

>>   Date            : 2022-08-19

>> 

>> Abstract:

>>    This document extends STIR and the Authenticated Identity Management

>>    in the Session Initiation Protocol (SIP) error handling procedures to

>>    include the mapping of verification failure reasons to STIR defined

>>    4xx codes so the failure reason of an Identity header field can be

>>    conveyed to the upstream authentication service when local policy

>>    dictates that the call should continue in the presence of a

>>    verification failure.  This document also defines procedures that

>>    enable enable a failure reason to be mapped to a specific Identity

>>    header for scenarios that use multiple Identity header fields where

>>    some may have errors and others may not and the handling of those

>>    situations is defined.

>> 

>> 

>> The IETF datatracker status page for this draft is:

>> https://datatracker.ietf.org/doc/draft-ietf-stir-identity-header-errors-handling/

>> 

>> There is also an htmlized version available at:

>> https://datatracker.ietf.org/doc/html/draft-ietf-stir-identity-header-errors-handling-03

>> 

>> A diff from the previous version is available at:

>> https://www.ietf.org/rfcdiff?url2=draft-ietf-stir-identity-header-errors-handling-03

>> 

>> 

>> Internet-Drafts are also available by rsync at rsync.ietf.org <http://rsync.ietf.org> ::internet-drafts

>> 

>> 

>> _______________________________________________

>> stir mailing list

>> stir@ietf.org <mailto:stir@ietf.org> 

>> https://www.ietf.org/mailman/listinfo/stir

> _______________________________________________

> stir mailing list

> stir@ietf.org <mailto:stir@ietf.org> 

> https://www.ietf.org/mailman/listinfo/stir

 

_______________________________________________

stir mailing list

stir@ietf.org <mailto:stir@ietf.org> 

https://www.ietf.org/mailman/listinfo/stir

v2.23.0 | Report a Bug | By Email