Re: [Stox] SIPS URIs and SIP/XMPP gateways - WAS: review: stox-core-04

Robert Sparks <rjsparks@nostrum.com> Mon, 30 September 2013 13:37 UTC

Message-ID: <52497E86.5020302@nostrum.com>
Date: Mon, 30 Sep 2013 08:37:10 -0500
From: Robert Sparks <rjsparks@nostrum.com>
To: Peter Saint-Andre <stpeter@stpeter.im>
References: <E44893DD4E290745BB608EB23FDDB7620A0CE34A@008-AM1MPN1-042.mgdnok.nokia.com> <52458C47.1010702@nostrum.com> <5245AEE7.4010000@stpeter.im> <5248DA2D.7080809@stpeter.im>
In-Reply-To: <5248DA2D.7080809@stpeter.im>
Cc: salvatore.loreto@ericsson.com, fluffy@cisco.com, Markus.Isomaki@nokia.com, Jon Peterson <jon.peterson@neustar.biz>, stox@ietf.org
Subject: Re: [Stox] SIPS URIs and SIP/XMPP gateways - WAS: review: stox-core-04

On 9/29/13 8:55 PM, Peter Saint-Andre wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 9/27/13 10:14 AM, Peter Saint-Andre wrote:
>> On 9/27/13 7:46 AM, Robert Sparks wrote:
>>> (Adding Jon)
>>> Peter - is there nothing in XMPP that lets a client say "I want
>>> this to use secure transports only - have it fail rather than
>>> use an insecure transport anywhere along its delivery path?"
>> No. That doesn't mean we don't need it (although in general people
>> have thought we *wouldn't* need it if we could just define an
>> end-to-end encryption method that solves all the relevant use
>> cases).
>>
>>> That's the primary property you should discuss. Without putting
>>> a lot of thinking into it, I suspect that if you _don't_ have a
>>> way to express that available (which is what I'm taking away from
>>> your last sentence), the right guidance in the document is to
>>> refuse to gateway a SIP request that expresses that requirement.
>> Indeed, that seems correct.
>>
>> Thanks for the guidance.
> Here is proposed text:
>
>     As specified in Section 26.4.4 of [RFC3261], a To header or a
>     Request-URI containing a SIPS URI is used to indicate that all hops
>     in a communication path need to be protected using Transport Layer
>     Security [RFC5246].  Because XMPP lacks a way to signal that all hops
>     need to be encrypted, if the To header or Request-URI of a SIP
>     message is a SIPS URI then the SIP-to-XMPP gateway MUST NOT translate
>     the SIP message into an XMPP stanza and MUST NOT route it to the
>     destination XMPP server.
wfm. You might also talk about not using sips when going XMPP->SIP.
If you haven't found it already, see also RFC5630.

RjS
>
> Peter
>
> - -- 
> Peter Saint-Andre
> https://stpeter.im/
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBAgAGBQJSSNotAAoJEOoGpJErxa2pAbMQALNKvkSDQLr5yj/4GBaR0qep
> AMI3pFQ9DdjYPQHaNt/OZRJ22K0XfSbRTEHPRsuld1r2vmMLKRoCh6dxc35TGCYw
> 5DyolpraQfPE+3zBvlLONtisIbTxNeha20taL6Sbb67pnLJ8xPArn/yHY56Pwq30
> PRcffweaNEBlIB26nGiEKshTn/zdmhls59lW6tM+1NuO0DsYdydtO8Ikm4PjLFST
> GoEihN06Uttw3Jgt08kl1q6fsy3GAjsUaikItjijuKGhQG598YQTE7SbKqxo5mwX
> h5FT+mdTsGO9lPvPg/+MqMAcXFZOHFbixHMNK/kHmDnnDBbq3EOyDj7Jtn5RuSbw
> OSgz0vXtmJnCrWkMHMmZtJdS9ixYu3/FEbolagjGte2Ug+1atO8kJPn0zXgZsMk2
> qg3eK2SpRjWrT7aB8mC9Pquj0YSL6KXUDW4G7it16XGd0mome0FqdNjBWXmnBEfK
> 5C7vGTXbp9xswLPki/ga3i9dM1scSnKOsL16MaTOysAyNZAelcwB7Xgds5AJGN5g
> qJ/sLpzTagC1njDulceHHnTYqS9gnkeR1lBcnBsuS6baDtWBcHDfI8vdpu5qQm8k
> 1QTDnkFjTBeij3PF1SCcP8M2bIYJhwnaaC0Vp8SmygvgaWiD4ttJinC6PlBuY9MQ
> guqUK2QaJI+SvnADH69K
> =aHme
> -----END PGP SIGNATURE-----
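The gateway rule in Peter's proposed text (refuse to translate a SIP request whose Request-URI or To header carries a SIPS URI, because XMPP has no way to demand TLS on every hop) and Robert's follow-up point (never emit sips: when translating in the XMPP-to-SIP direction) can both be written out as a small decision routine. The code below is an added example for this thread; it is not from the stox drafts or from any participant. It assumes a minimal SIP request parser, a constructed sample MESSAGE request, and an illustrative JID-to-URI mapping that is a placeholder rather than the mapping the stox documents define.

```python
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SipRequest:
    method: str
    request_uri: str
    headers: Dict[str, str]  # header names lowercased, compact forms expanded
    body: str


@dataclass
class GatewayDecision:
    forward: bool  # True: translate to XMPP; False: refuse per the SIPS rule
    reason: str


# Compact header names from RFC 3261 that matter for this check.
COMPACT_FORMS = {"t": "to", "f": "from", "v": "via", "i": "call-id",
                 "m": "contact", "c": "content-type", "l": "content-length"}


def parse_sip_request(raw: str) -> SipRequest:
    """Parse a SIP request: request line, unfolded headers, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, request_uri, version = lines[0].split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError(f"unexpected SIP version: {version!r}")
    unfolded: List[str] = []
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and unfolded:  # folded continuation line
            unfolded[-1] += " " + line.strip()
        else:
            unfolded.append(line)
    headers: Dict[str, str] = {}
    for line in unfolded:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers[COMPACT_FORMS.get(name, name)] = value.strip()
    return SipRequest(method, request_uri, headers, body)


def extract_uri(header_value: str) -> str:
    """Pull the URI out of a To/From value, with or without <> and a display name."""
    match = re.search(r"<([^>]+)>", header_value)
    if match:
        return match.group(1).strip()
    return header_value.split(";", 1)[0].strip()


def uri_scheme(uri: str) -> str:
    """Lowercased scheme: 'sip', 'sips', ... (scheme names are case-insensitive)."""
    return uri.split(":", 1)[0].strip().lower()


def sip_to_xmpp_decision(raw_request: str) -> GatewayDecision:
    """Apply the proposed rule: a SIPS URI in the Request-URI or To header means
    the gateway MUST NOT translate the request into an XMPP stanza."""
    req = parse_sip_request(raw_request)
    if uri_scheme(req.request_uri) == "sips":
        return GatewayDecision(False, "Request-URI is a SIPS URI; XMPP cannot signal "
                                      "that every hop must be TLS-protected")
    to_value = req.headers.get("to")
    if to_value is not None and uri_scheme(extract_uri(to_value)) == "sips":
        return GatewayDecision(False, "To header is a SIPS URI; XMPP cannot signal "
                                      "that every hop must be TLS-protected")
    return GatewayDecision(True, "no SIPS URI in Request-URI or To header")


def jid_to_sip_uri(jid: str) -> str:
    """XMPP-to-SIP direction: always produce a sip: URI, never sips:, because the
    gateway cannot vouch that every XMPP hop behind it was TLS-protected.
    Illustrative placeholder mapping (assumption), not the stox-core mapping."""
    local, _, domain = jid.partition("@")
    if not local or not domain:
        raise ValueError(f"expected a bare JID local@domain, got {jid!r}")
    return f"sip:{local}@{domain}"


# Constructed sample request (not a captured message): a MESSAGE whose
# Request-URI and To header both use the SIPS scheme.
SAMPLE_SIPS_REQUEST = (
    "MESSAGE sips:juliet@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS client.example.net;branch=z9hG4bK776sgdkse\r\n"
    "To: \"Juliet\" <sips:juliet@example.com>\r\n"
    "From: <sip:romeo@example.net>;tag=49583\r\n"
    "Call-ID: a84b4c76e66710@client.example.net\r\n"
    "CSeq: 1 MESSAGE\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 5\r\n"
    "\r\n"
    "Hello"
)
# Same request with plain sip: URIs in both places.
SAMPLE_SIP_REQUEST = SAMPLE_SIPS_REQUEST.replace("sips:juliet", "sip:juliet")

if __name__ == "__main__":
    for raw in (SAMPLE_SIPS_REQUEST, SAMPLE_SIP_REQUEST):
        d = sip_to_xmpp_decision(raw)
        print("forward" if d.forward else "refuse", "-", d.reason)
    print(jid_to_sip_uri("juliet@example.com"))
```

The check looks at both places the proposed text names, and treats the scheme case-insensitively so `SIPS:` is not waved through. The quoted text does not say which SIP response a refusing gateway should send, so the example only returns the decision and leaves the response to the surrounding implementation.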