Re: [VIPR] An alternative to the VIPR ticket
Michael Procter <michael@voip.co.uk> Thu, 13 October 2011 07:29 UTC
Return-Path: <michael@voip.co.uk>
X-Original-To: vipr@ietfa.amsl.com
Delivered-To: vipr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id 04FF021F87C5 for <vipr@ietfa.amsl.com>;
Thu, 13 Oct 2011 00:29:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.977
X-Spam-Level:
X-Spam-Status: No, score=-5.977 tagged_above=-999 required=5
tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LQQCcNKSjSCX for
<vipr@ietfa.amsl.com>; Thu, 13 Oct 2011 00:29:48 -0700 (PDT)
Received: from na3sys009aog115.obsmtp.com (na3sys009aog115.obsmtp.com
[74.125.149.238]) by ietfa.amsl.com (Postfix) with SMTP id A8F8A21F8783 for
<vipr@ietf.org>; Thu, 13 Oct 2011 00:29:47 -0700 (PDT)
Received: from mail-vx0-f177.google.com ([209.85.220.177]) (using TLSv1) by
na3sys009aob115.postini.com ([74.125.148.12]) with SMTP;
Thu, 13 Oct 2011 00:29:47 PDT
Received: by mail-vx0-f177.google.com with SMTP id fl15so1098881vcb.36 for
<vipr@ietf.org>; Thu, 13 Oct 2011 00:29:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.220.176.139 with SMTP id be11mr174850vcb.181.1318490986732;
Thu, 13 Oct 2011 00:29:46 -0700 (PDT)
Received: by 10.220.1.132 with HTTP; Thu, 13 Oct 2011 00:29:46 -0700 (PDT)
In-Reply-To: <4E961A6B.2090603@acm.org>
References: <4E627AB4.7070806@acm.org> <4E961A6B.2090603@acm.org>
Date: Thu, 13 Oct 2011 08:29:46 +0100
Message-ID: <CAPms+wQL60xP3wNT71pNsyZtk5Or=qcjn=b0fgVcSgj5YjZ9bQ@mail.gmail.com>
From: Michael Procter <michael@voip.co.uk>
To: Marc Petit-Huguenin <petithug@acm.org>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "vipr@ietf.org" <vipr@ietf.org>
Subject: Re: [VIPR] An alternative to the VIPR ticket
X-BeenThere: vipr@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Verification Involving PSTN Reachability working group <vipr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vipr>,
<mailto:vipr-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/vipr>
List-Post: <mailto:vipr@ietf.org>
List-Help: <mailto:vipr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vipr>,
<mailto:vipr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2011 07:29:49 -0000
On 12 October 2011 23:53, Marc Petit-Huguenin <petithug@acm.org> wrote: > During the last conference call, this proposal was criticized as been a > significant change from the way SIP is processing TLS requests. My research > shows that it is not the case. [...] > So in conclusion, my proposal does not change what a normal SIP stack is doing, > because the specification does not say what a SIP stack should do with a client > certificate. What you describe is that the server side of the connection will need to validate a client certificate whatever happens, and changing the ticket to a certificate does not substantively change the validation process. It does force the ticket validation to the edge of your network though, which having the ticket in a header field doesn't. Since ticket validation is a new process introduced with ViPR, this may be a reasonable change. However, what is overlooked in this analysis is that the client side must present a different certificate on a per-call basis. Most implementations that I have seen tend to have a fairly statically configured certificate (or several, but not lots) that is valid for the duration of the process/between scheduled maintenance. Having the certificate change on a per-call basis is a change for these implementations. How significant a change depends on their architecture, but it is a change nonetheless. Why does this matter? With the ViPR ticket in a header field, I can route ViPR traffic out in much the same way as I route other SIP traffic. Granted it has an additional header, but that doesn't substantively change the job my egress points perform. With a ViPR certificate instead of a ticket, my egress points need to be sufficiently ViPR-aware to know to use a dynamically selected certificate, and how to get hold of that certificate. Not insurmountable problems, but ones that are introduced by changing to a certificate over a simple header field. There may be other problems (Jon seemed to jump on the change quite fast so he may have more reasons), but this is the one that struck me. I think this change warrants wider discussion before deciding whether to adopt or not. Regards, Michael
- [VIPR] An alternative to the VIPR ticket Marc Petit-Huguenin
- Re: [VIPR] An alternative to the VIPR ticket Marc Petit-Huguenin
- Re: [VIPR] An alternative to the VIPR ticket Michael Procter
- Re: [VIPR] An alternative to the VIPR ticket Marc Petit-Huguenin
- Re: [VIPR] An alternative to the VIPR ticket Peterson, Jon
- Re: [VIPR] An alternative to the VIPR ticket Marc Petit-Huguenin
- Re: [VIPR] An alternative to the VIPR ticket Peterson, Jon
- Re: [VIPR] An alternative to the VIPR ticket Dean Willis