[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Sip] Re: IESG Discuss Comments on Symmetric Response Routing
My apologies for the delay. I managed to get in a revision to the
draft before the deadline which addresses these comments. Until it
appears in the archives, you can find it at:
http://www.jdrosen.net/papers/draft-ietf-sip-symmetric-response-01.txt
I also converted to xml while I was at it, so the general formatting
should be better. Responses below.
Allison Mankin wrote:
The IESG reviewed draft-ietf-sip-symmetric-response-00.txt and there were
two sets of Discuss comments. They do not seem too hard to address. In
addition, the FQDNs in the draft need to be changed to example.com.
OK, fixed. I also changed public addresses to be within 192.0.2/24.
The private addresses remain with 10/8.
Below are the comments. They are also in the ID tracker.
Allison
Comments:
Ted Hardie:
First, let me say that a large number of the issues I had
with the document turned out to be very well documented
in the IAB considerations section of the draft. A few
other issues:
In Section 3:
When the client sends the request, if the request is sent using UDP,
the client MUST be prepared to receive the response on the same
socket the request was sent on. Specifically, it MUST be prepared to
receive the response on the same IP address and port present in the
source IP address and source port of the request. For backwards
compatibility, the client MUST still be prepared to receive a
response on the port indicated in the sent-by field of the topmost
Via header field value, as specified in Section 18.1.1 of SIP [1].
It seems pretty clear from the "on the same socket" that the following
sentence means the IP address and port present in the source IP
and port of the request _when it is sent_. I think it would be clearer,
though, to use phrasing like "it MUST be prepared to receive the
response on the same IP address and port it used to populate
the source IP address and source port of the request.".
OK, I changed the wording to the text you suggest. I made this change
everywhere the term "socket" was used, in order to be explicit about
what is meant.
Also in Section 3:
To keep the binding fresh, the client SHOULD retransmit its INVITE every 20
seconds or so. These retransmissions will need to take place even
after receiving a provisional response.
based on the idea the one minute seems to be a common UDP binding lifetime.
Section 9.3 notes, however, that there is no way to determine the UDP binding
lifetime. Is there anyway to introduce a growing/shrinking algorithm
to this for cases where the binding lifetime is much longer (to avoid the
aggressiveness of 20 seconds for an arbitrary period of time) or to handle
the cases where the binding lifetime is shorter than 20+transmission time to
the NAT (since this has to handle the NAT being at some arbitrary place in
the topology).
Yes. STUN describes a binary search algorithm for trying to detect the
lifetime. That is not without peril as well, and the issues there are
documented in STUN. I added the following text:
<t>
A UA MAY execute the binding lifetime discovery algorithm in Section
10.2 of <xref target="RFC 3489">RFC 3489</xref> to determine the
actual binding lifetime in the NAT. If it is longer than 1
minute, the client SHOULD increase the interval for request
retransmissions up to half of the discovered lifetime. If it is
shorter than one minute, it SHOULD decrease the interval for request
retransmissions to half of the discovered lifetime. Note that
discovery of binding lifetimes can be unreliable. See Section 14.3 of
<xref target="RFC3489">RFC 3489</xref>.
</t>
In the initial section of 9:
The client can then perform an additional registration,
using this address in a Contact header. This would allow a client to
receive incoming requests, such as INVITE, on the socket through
which the registration was sent.
As is noted below that point, there are cases in which the port binding
is only valid for the server to which the original registration was sent.
Will the Contact header "leak" that so that a direction connection between a
different sip agent (user or proxy) might attempt to use it? If so, a forward
pointer to the limitation might be useful here.
This is possible with the Path extension to SIP (RFC 3327). That spec
allows for servers between the client and the registrar to indicate
that they need to be on the path of requests from the registrar to the
client. Its a good idea to include a reference to that and a brief
discussion.
Here is what I added:
<t>
In many cases, the server to whom the registration is sent won't be
the registrar itself, but rather, a proxy which then sends the request
to the registrar. In such a case, any incoming requests for the client
must traverse the proxy to whom the registration was directly
sent. The <xref target="RFC3327">Path header extension to SIP</xref>
allows the proxy to indicate that it must be on the path of such
requests.
</t>
and this introduced some additional brittleness that I documented:
<t>If the registrar and the server to whom the client sent its
REGISTER request are not the same, the approach will only work if the
server uses the <xref target="RFC3327">Path header field</xref>. There
is not an easy and reliable way for the server to determine that the
Path header should be used for a registration. Using Path when the
address in the topmost Via header field is a private address will
usually work, but may result in usage of Path when it is not actually
needed.
</t>
I would personally consider the UNSAF document a normative reference,
but this is not a big deal.
RFC 3424 is informational. I dont think you can have a normative
reference to an informational document. As such, I have kept the UNSAF
reference as informational.
Erik Nordmark:
The security considerations section doesn't set a very good example.
It could easily be read as "we didn't look hard for security issues".
Thus I'd like it to provide the reasoning that lead to thinking
that there are no added security issues. Presumably a paragraph or two would
suffice.
OK. Here is the text I put in there:
<t>When a server uses this specification, responses that it sends will
now include the source port where the request came from. In some
instances, the source address and port of a request are sensitive
information. If they are sensitive, requests SHOULD be protected by
using SIP over TLS <xref target="RFC3261"/>. In such a case, this
specification does not provide any response routing functions (as
these only work with TCP); it merely provides the client with
information about the source port as seen by the server.
</t>
<t>
It is possible that an attacker might try to disrupt service to a
client by acting as a man-in-the-middle, modifying the rport parameter
in a Via header in a request sent by a client. Removal of this
parameter will prevent clients from behind NATs from receiving
service. Addition of the parameter will generally have no
impact. Of course, if an attacker is capable of launching a
man-in-the-middle attack, there are many other ways of denying
service, such as merely discarding the request. Therefore, this attack
does not seem significant.
</t>
Thanks,
Jonathan R.
--
Jonathan D. Rosenberg, Ph.D. 600 Lanidex Plaza
Chief Scientist Parsippany, NJ 07054-2711
dynamicsoft
jdrosen@dynamicsoft.com FAX: (973) 952-5050
http://www.jdrosen.net PHONE: (973) 952-5000
http://www.dynamicsoft.com
_______________________________________________
Sip mailing list https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip