Session Initiation Protocol (SIP) WG

Minutes edited by Keith Drage.

Based on notes by Bruce Lowekamp, Dale Worley, Ben Campbell, A.C. Mahendran  and Spencer Dawkins.

Meeting chaired by Dean Willis and Keith Drage.

Slides presented included in the proceedings.

SIP session 1

Agenda bash and current status

The note well statement was displayed

Slides: SIP-1.pdf

Note takers were identified. Thanks to Bruce Lowekamp, Dale Worley and Spencer Dawkins for taking notes for session 1.

It was identified that there was expected to be an ad-hoc SIP session on the security issues that were being found with RFC 3261, in regard toSIPS usage.

The agenda was agreed with the insertion of a quick slide from Gonzalo Camarillo on SIGCOMP activities.

The following SIP RFCs were identified to have been published since IETF#65:

The following SIP internet-draft was currently in AUTH48:

The following SIP internet-draft was currently in RFC editor's queue:

The following SIP internet-draft are currently with IESG

The following SIP internet-draft is ready for IESG

The following SIP internet-drafts are in working group last call

Existing milestones were identified, along with new dates for the existing milestones (with the new separation of WGLC start dates and IESG submission dates for each internet draft being progressed to RFC.

In response to a question from the floor, this leaves 9 charter items the SIPWG currently has in progress. This was targeted at identifying when the SIP WG would complete its current work.

At this point the WG chairs identified the new WG items that were identified by the WG at IETF#65 and subsequent email activity which identified dates through to the end of 2007. These were still subject toapproval by the IESG as the WG chairs had only got the list to the IESG secretary late the previous week.

In response to another question from the floor as to whether the dates could be earlier (specifically for location conveyance), the WG chairs agreed that dates could always be earlier, providing the WG was satisfied that the document was actually ready. However the WG chairs stated that this represented their best estimate of what was realistic.

The WG chairs then conducted some polls concerning support for some of the current work:

At this point the WG chair projected a picture of a strikingly flattened-looking squirrel on a flagstone patio. After the audience expressed some distress, he remarked that this is a natural phenomenon, the temperature at the time was 45 C and the squirrel is cooling its belly on the stones. Discussion of aboreal rodents ensues upon presentation of the agenda.

SIP and SigComp (draft-ietf-rohc-sigcomp-sip-02.txt)

Gonzalo Camarillo presenting.

Slides: sip-3.pdf

Presentation on problem with compression and record-route. When receiving a request, how to identify the previous SIP hop that sent the request (in order to manage the compression status)? Plea for support in resolving this issue.

Outbound (draft-ietf-sip-outbound)

Rohan Mahy presenting.

Slides: sip-5.pdf

Slide 2: Currently when STUN response indicates change in mapped address, UA assumes NAT rebooted and reregisters immediately. There is no authentication of these STUN keepalives. UDP problem. On unprotected 802.11 networks, an attacker who can see the STUN request, can easily send a response with a different mapped address and will usually beat the real response. This causes UA and registrar (and intervening proxies) to do work. Can melt the registrar. Proposal to add timer delaying re-registration if binding appears to change more than seems reasonable in some period.

Discussion from floor:

Conclusion: Do not add new timer.

Slide 3: Discoverting STUN support. Current text says that keepalive STUN support is "configured" (using a very broad definition of configure). Incompatible with current DHCP proxy discovery (but so is sigcomp) due to limitation of DHCP option. Do we need another way of discovering/probing for STUN support defined in this document? Options: provide DHCP capability, provide DNS based option, or provide some sort of probe mechanism within SIP.

Discussion from floor:

Consensus was considerable support for the rule that "configuration information is enough to send STUN" but most would like some direct validation mechanism created.

Slide 4: Validating STUN support. Currently presence of keepalive=stun used as indicator its OK to send STUN requests. Some expressed concern about misconfiguration causing proxies that don't do STUN to get confused. More of a problem for TCP. Options: treat this as a non-problem; revisit STUN keepalives over TCP problem; don't send STUN until UA validates its OK, by including a parameter in reflected Path, but Path not always present; have UA try the request with a Proxy-Require: sip-stun; probe with OPTIONS. only way to validate keepalive=stun

next issue: validating stun support.

Discussion from floor:

Question put to whether document should be changed in respect of this issue. No consensus.

Back to validation (slide 3). More discussion:

Put to meeting: is the existence of a keepalive=stun in UA configuration sufficient to allow transmission of stun without further validation and progress document with that assumption? No clear consesus with very few responses. Take to a later discussion, and possibly on list.

Discussion:

WG chairs declare there is not sufficient consensus on either of these two issues (slide 3 and slide 4).

Slide 5: STUN keepalive definition. Proposal that STUN keepalive description is pulled into a separate section that can be implemented independently. No objection from floor.

Slide 6: How many flows (minimum)?: Current draft says (from Section 4.2): For each outbound proxy URI in the set, the UA MUST send a REGISTER in the normal way using this URI as the default outbound proxy. Proposed to change to SHOULD.

Discussion:

Consensus: Agreed to change to SHOULD - but there should be strong warnings in the RFC of the dangers of not adhering to the requirement.

Slide 7: Additional discovery and semantics of outbound-proxy-set. Various proposals to discover or manufacture outbound-proxy-set or apply different semantics. We don't even have all the requirements written down for these proposals. Proposal: Can be addressed in future extensions without any changes to outbound. No dissent from floor.

Slide 8: Why does registrar send to edge proxy over same connection? Only needed if EP is in a foreign domain for authorization. Draft defines edge proxy obliquely as in a foreign domain, and other proxies as a disaggregation of a proxy/registrar. Incredibly confusing. Needs to be more explicit. Request made by presenter for assistance in providing text.

Slide 9: How to verify edge proxy support. Currently draft says that edge proxy adds a flow token to a Path header and forwards. No discussion about how the registrar decides that edge proxy actually did this. Proposal: edge proxy adds new parameter "ob" to Path URI to indicate it added flow token appropriately. Example: Path: <sip:token@ep.example.com;lr;ob>. If no token present, registrar ignores reg-id parameter, doesn't return Supported: outbound.

Discussion:

No time for further discussion in meeting so editor makes plea to discuss offline.

Slide 10: Presence of Supported: outbound. What does this mean? Today it means that the registrar supports outbound. Client can use this to understand that if it needs to cleanup old Contacts using RFC 3261 style matching. Proposals: clarify this in the text; only include Supported: outbound if any edge proxy supports outbound as well

re-registering vs replacing flows:

Discussion:

No objection from meeting.

Slide 11: Re-registering with same reg-id. Original intent of reg-id is so that UA can indicate if it wants to add a new flow or to replace an existing flow. Dave Oran asked for change to language (ex: SHOULD replace) to allow for a private use case. WG was later uncomfortable with idea of deleting/replacing flows. In Dallas seemed to have consensus to use most recent flow. Since then, many complaints on the mailing list about this, and no one motivating/defending previous choice. Problems with this: proxy can send traffic to the wrong place (for UDP flows); no way for registrar to delete state until registration expires; no way for UA to say it really wants to replace flow; harder to implement on registrar; not motivated by requirements. Options: leave draft as is; change back to SHOULD replace flows with same reg-id; say registrar MUST replace flows with same reg-id. Proposal: SHOULD replace flows.

Discussion:

SHOULD vs MUST:

SHOULD: some

MUST: more

OBJECT TO MUST: one

OBJECT TO SHOULD: more

WG chair: rough consensus on MUST.

Slide 12: Refresh registration on same flow. Erkki pointed out that registration refresh should happen over the same flow it refreshes. No issue.

Slide 13: Usage of 410 response Code. Adam Roach pointed out that semantics of 410 response code is inconsistent with our usage. Proposal: Use 480. No issue.

Outbound discovery (draft-koivusalo-sip-outbounddiscovery)

Slides: sip-7.pdf

Miguel Garcia presenting.

Problem definition, requirements, solutions, evaluation and specification - all in one small document.

Discussion:

Jonathan Rosenberg will write up description of alternative approach, after which the issue can be discussed.

Adopt as WG draft? No decision to be made at meeting. Will take this to the list to discuss.

Use Case for Mid Dialog Request Routing with Outbound (draft-johns-sip-outbound-middialog-draft)

Slides: sip-4.pdf

Sumanth Channabasappa presenting.

Explores enabling failover when middle boxes fail, and its interaction with the outbound flow mechanism. Presentation includes several use cases. Looking for feedback from the working group.

Discussion:

Question from WG chairs as to whether this should be placed in outbound. Pointed out that this was violently discussed in Vancouver and not agreed.

Consensus is that the I-D remains individual, because there is no consensus on the correct solution to this problem. Need to identify which problems need solving, and which ones should be left out.

Connection reuse (draft-ietf-sip-connect-reuse)

Slides: sip-8.pdf

Vijay Gurbani presenting.

WG chair identified that Vijay would present the current status of connection reuse, but then move on to an issues that he considered needing resolving in order to complete the work, which was where domain certificates came in.

A discussion ensued of Dean's facial hair and whether it has anything to do with the squirrel.

Presents current status of work. Draft is essentially complete, however need text on virtual hosting.

Discussion:

When returned to the issue: Theory is that research on domain certificates will help solve the problem of virtual servers. No consensus as to whether this work has a future or not.

Domain certificates (draft-gurbani-sip-domain-certs)

Slides: sip-9.pdf

Vijay Gurbani presenting.

There is a significant open issue regarding how SIP domains are to be specified in certificates used by proxies for SSL. This issue interacts with practical issues regarding how certificates are obtained, how SSL operates, and the intended security assertions of SIPS/TLS.

Discussion:

Back to presentation. How do servers authenticate clients? Which header does it use: From, Via, ... name in certificate.

Discussion:

Presenter – if we do this, then the proposal has to be to normatively update RFC 3261 in lots of places. Agreement from floor.

Document is currently an author draft, and will remain so.

SIP session 2

Agenda bash

Note takers were identified. Thanks to Be Campbell, A.C. Mahendran and Spencer Dawkins for taking notes for session 2.

Need to move a number of items which we failed to deal with on the previous session into this session, therefore we have shortened some of the original items in an attempt to catch up.

Location conveyance (draft-ietf-sip-location-conveyance)

Slides: sip-2.pdf

James Polk presenting.

Slide 2: Goal of the draft is to push UAC's location to another SIP element. PUBLISH is not pushing in this definition. Along the way, define SIP as a Geopriv ÒUsing ProtocolÓ, per RFC 3693. Incorporate the Geopriv defined PIDF-LO (RFC 4119) into SIP Messaging

Slide 3 & 4: Changes since last version.

Slide 5: Open issues requiring resolution.

Slide 6: Open issues not sure about.

Suggestion to list all SIP methods this extension applies/does-not-apply-to in the abstract.

Discussion:

Conclusion: Will take to list.

Suggestion has been made: For location by value, S/MIME message body always used initially, and to allow a back-off to less secure communication if there is an error.

Discussion:

Conclusion: Good technical reason not to do this.

Suggestion: expanding the location header to allow a base64, PIDF-LO equivalent header value i.e. allow the PIDF-LO object to be present in a SIP header (probably, encoded in base64). This goes against past guidance (from both chairs and ADs).

Discussion:

Conclusion: WG chairs asked for the discussions to be taken to the list (including discussions on motivations for carrying this information in a header as supposed to the body). Also needs to discuss whether it will work with UDP.

Issue: Should location be allowed in responses?

Issue: Add a new requirement that HTTP is required to be used by receipient

for de-referencing location.

Both issues to the list.

Presenter requested more reviewers for the draft.

WG chair: new version needs to be ready for WGLC. If you have objections or technical comments, now is the time to say so, on the mailing list.

SAML for SIP (draft-ietf-sip-saml)

Slides: sip-10.pdf

Jeff Hodges presenting.

Slide 2: Status. Moved to WG document, addressed list feedback from Vijay Gurbani. Enhanced assertion example section; added references; changed order of scope and intro sections; moved use cases in appendix.

Slide 3: Issues: Is this spec a soution for only meeting the trait based auth requirements? Discussion about enabling SIP proxies to add SAML assertions to the - If so, only need to meet stated requrements in trait-authz-02 would not need to met reqs of other saml based drafts may need their own saml profiles, doesn't need to meet reqs of various SAML-based I-Ds eg sippayment, SIP CPC, SPIT.

SIP header by value.

Slide 4: Issues. Discussion about enabling SIP Proxies to add SAML assertions to the SIP header by value.

WG chair: Postive responses on the mailing list and therefore accepted as WG draft.

Discussion:

Conclusion: All issues need to be taken to list.

Certificates (draft-ietf-sip-certs)

Slides: sip-6.pdf

Jason Fischl presenting

A good number (lots?) of people seem to have reviewed the draft. A fair number are implementing or intend to implement. Will be at the next SIPIT.

Will go to WGLC in a couple of weeks - if you're going to scream, do it really soon, onlist. If you have any comments that will cause a revision, get them on the list quickly.

Hop limit diagnostics (draft-ietf-sip-hop-limit-diagnostics)

Slides: sip-0.pdf

Scott Lawrence presenting.

Contrary to what the presenter initially said, this document is not in WGLC, as we are waiting for the charter approval. We have polled to see if it is ready, so we can put the question as soon as the charter comes through.

Issues raised during recent discussion:

Slide 2: whether "request message" should be returned in other un-recoverable errors (400, 403, 410, 414...). This is not the definitive proposal. The problem is this changes the focus of the draft. Text might say that if an error does not already specify a diagnostic or recovery mechanism, it could do this.

Discussion:

Conclusion: No objections in meeting to explanding the scope to include other errors.

Slide 3: Is it ok to use Warning header for problems other than SDP? Should we

use a specific warning code be defined? IANA registry says "used for SDP". But this isn't what the RFCs said, and. Would make more sense to reuse than pick something else for religious reasons.

Discussion:

WG chair asks the SIP WG to think generally about other uses of Warning if we are expanding it to do this, and make sure all intended usages are covered.

Conclusion: Ok to using Warning header (to describe issues with bodies generally, but will need to change IANA registry text as well.

Comment from floor outside scope of this slide on how some intervening entity can know whether to pass on the contents on this or not, and whether the server knows such an intervening entity exists. Such hiding functionality is outside scope of current SIP work. Assumption is that there is no value in interoperator diagnostics if some hiding function provided at an edge.

Document currently uses Warning header 399, which implies no automated action, but some comments have been made that automated responses may be interesting.

Slide 4: Should a limit be set on response size? Very large UDP responses may fragement so much that no response reaches the request originator? Should that limit apply to all responses? If yes, what size? There is no documented limit Scott can find on response sizes (request sizes, but not responses). Do we need a response to say my response is too big? Presenter would prefer to duck this issue in this specific draft.

WG chair indicated that until this problem is resolved in some manner, then this draft will not progress.

Discussion:

Conclusion: Document not ready for WGLC. Editor will introduce at least two threads on issues raised in meeting. No objection to use of Warning header. Message size must go to list.

Connected Identity (draft-ietf-sip-connected-identity, draft-elwell-sip-tispan-connected-identity)

Slides: sip-15.pdf

John Elwell presenting.

Slide 2: need for option-tag to indicate UAS support for the identity header field in mid-dialog requests? Saves UPDATE transaction after answer if the AoR is the same as To header. However yet another option tag. Will anyone support id-change without supporting connected-identity? Email suggestion to make it dependent on receipt of id header.

Proposal: Don't need new option tag

Conclusion: Proposal accepted – a new option tag will not be provided.

Slide 3: sip-identity is silent on how to behave if identity in "From" header field is not one that authenticated UAC is allowed to assert. Left to local policy, but this policy may be different for mid-dialog requests compared to initial requests. Just add a note saying this?

Proposal: Add a note to indicate that it is effectively left to local policy whether to reject or forward without identity header.

Discussion:

Conclusion: Proposal to add note accepted

Slide 4: Should we mandate UPDATE for sending connected-identity rather than reINVITE. Could make 3311 mandatory to support if you support id-change tag.

Discussion:

Proposal: If you support this extention, you must support UPDATE extension.

Conclusion: Accepted

Slide 5: Should we mandate inclusion of SDP offer in UPDATE request? Not strictly necessary. But would be signed, in same way that SDP offer in INVITE request is signed

Discussion:

Conclusion: Not required. It needs to be optional. Allow this if you wish, but do not require.

Slide 6: Should To header field URI in response be allowed to differ from the request? Body of opinion that says that this is an entirely different consideration from the one in Vancouver that led to decision to allow From header field URI to change in mid-dialog requests. No warning in RFC3261 that such a relaxation might occur in the future (unlike the From URI change). Body of opinion that says it would not be useful. Body of opinion that says it doesn't harm anything. TISPAN requirements.

Leads into requirements from slide 7, slide 8, slide 9, slide 10, slide 11, slide 12 (draft-elwell-sip-tispan-connectedidentity), e.g. TISPAN needs two identies each for caller and callee - one identity is used for billing, the other is used for call-backs. For caller's identities, the proposal is to use PAI (P-Asserted-Inentity) for billing-id, and "From" for call-back-id. For callee's identities, the proposal is to use PAI for one of ids, and there are a number of options for carrying the other identity - To header, "From" of a new UPDATE request from callee to caller, etc. Note written at same time as the identity coexistence draft was put out, so conflicts could not be dealt with.

Discussion:

TISPAN does not get to change what the

Proposal: Does the editor fall back and specify requirements around this in tispan-connected-identity? No. The proposed solution is separable and could therefore be covered in another draft and therefore it is separable from the connected identity issue.

Conclusion: Connected identity will proceed without this.

Further discussions on the mailing list on the TISPAN requirements.

Editorial question: Based on RFC 4485 requirement to show real identities, do we need correct values for identity header field, along with a real private key, etc. (as in identity).

Cullen Jennings: Please do this, hard to get this correctly and I'll do this for you because it's hard. Still getting this nailed with Jon in AUTH48 for draft-ietf-sip-identity, didn't have the same answer from two separate implementations.

Security Flows (draft-ietf-sip-sec-flows)

Slides: sip-12.pdf

Robert Sparks presenting.

Working on creating examples with automated tool. Otherwise getting them right is difficult.

Matching certificates rules aren't adequately captured; spread out and not completely clear. This document is not normative, so they will not be captured in this document.

WG chair asked if this fed into the security-guidelines draft to be discussed later in the session.

AD: Should refer to 2818 rules as often as we can, but RFC 2818 is informational, and this is already hitting drafts now. Will be better when IESG gets the downref rules completed.

Lots of implementations match wildcards in DNS names, this is an education issue.

On finishing generation of examples, he will shortly submit a draft for WGLC and publication.

Addressing the Forking Amplification Vulnerability (draft-ietf-sip-fork-loop-fix)

Slides: sip-11.pdf

Robert Sparks presenting

Slide 2: Latest version demonstrates the attack with one resource and one attacker, rather than multiple attackers. Reintroduces some of the motivational text in the security consideration section (based on conversations with Cullen). Updates the 3261 text on loop detection. Identifies open issues. Added notes to implementers pointing to common interop problems at earlier SIPits.

One Suggestion on mailing list not yet in draft: - Don't start loop detection until you've gone around at least once – wait until you see yourself earlier in the via stack. This is an optimisation based on normally not going to hit this. Requires extra logic which gives no major advantage.

Conclusion: WG agrees that this optimisation will not be included in the draft.

Slide 3: In the computed hash, why include all route values, callid, to-tag, from-tag, proxy-require, proxy-authorization headers? Call id, to tag, from tag don't need to be there as they are invariant. Proposal is to leave these out.

- why proxy require, proxy auith

Discussion:

Conclusion: Will leave items out of hash computation unless something comes up in lists. Send specific issue to list.

Feature Creeps - Advancing the SIP Standard - Documenting the feature sets

Slides: sip-13.pdf

Robert Sparks presenting.

Task of identifying the feature sets to advance the standard. Work is just getting started. Want to avoid exponential explosion of must/should/may features, so slide 2 contains an example.

There will brain-stroming on this topic in global.sipit.net. Wiki will be used so anybody can participate. The expectation is to have an initial draft by the San

Diego meeting.

WG chair: Please send out invitation to enable participation in this effort.

Discussion:

Hitchhiker's Guide (draft-ietf-sip-hitchhikers-guide)

Slides: sip-16.pdf

Jonathan Rosenberg presenting.

Adopted as WG item. Removed SIP family discussion of specifications text; this is out of focus for the SIP WG itself. Redefined what's in scope for the document (MIME usage specific to SIP only, SDP stuff), Redefined what's a core spec – something that will be used for every call. Added conferencing topic area, telephony specs, minor extensions. Reference [42] is Hitchiker's Guide book, there's a towel reference.

Issue: When is document done? Proposal A: - Split core into a separate document, issue immediately; rest of it goes much later. Proposal B: Keep as one document, pick a point at which we decide to issue, revise later on. Suggestion: Proposal B

Discussion:

Consensus on A or B will be determined on the list.

Request for comments from editor.

SIPS: Guidelines (draft-audet-sip-sips-guidelines)

Insufficient time for detailed discussion and will be discussed further in the ad-hoc session to follow this meeting.

However WG chairs wanted to gain a view on the need for an informative document to explain what we have and what we mean. Document will not contain any normative changes, which would progress separately.

Discussion:

WG chairs: Any objections to proceeding with an informative document? Will ask ADs to add this to the charter.

There was consensus to add this to the charter.

 

 

 

SIP Security Breakout

 

Issue Framing by Cullen Jennings

We have an interesting problem, based on list review, but there's a lot to look at. Need to pick specific problems.

 

 

Discussion commenced here.

 

Dean - current document problem - no way to know that all nodes complied to the spec in the middle.

 

Brian - we either transitively trusting or we aren't. We have to choose.

 

 

Jon - EKR suggested something like SIPS in the document (RFC 3261), and this was late in the process, threat model pretty much worked out but SIPS inserted quickly (too quickly? and carelessly). Probably a number of problems to address.

draft-audet-sip-sips-guidelines-02

 

 

Discussion of suggestions from list: deprecate SIPS altogether, deprecate last-hop exception (not sufficient alone), explain the exception and fix the bugs that result. Draft assumes third choice, but lots of people like deprecating last-hop exception. People liked deprecating SIPS, too... Noted that we need to accommodate 3GPP here.

 

Do people think we should deprecate SIPS? More chaos, people have implemented SIPS. Juha said "broken for now" note until we fix it - Francois' draft is that note :-)

 

 

Options - deprecate SIPS, explain what SIPS means, allow transport=tls.

 

We have consensus that we will not deprecate SIPS.

 

Transport=tls was formally deprecated, but no one believes this and many/most implementations still understand and will use this.

 

Allows for "best effort" hop-by-hop TLS usage. Endpoints that cannot have a DNS entry can't have own certificates anyway.

 

(Also need to add a transport=tls-sctp (like Via) - would be more consistent, too)

 

Jon is confused here. how to start supporting TLS for one hop? But this isn't about SIPS right now, right? We'll table this now.

 

Registration issue:

 

 

Proposal - write a standards-track document that fixes 3261 and requires outbound?

 

 

Next steps - to list.

 

Jon - need to know how this works with outbound in order to make recommendations.

draft-gurbani-sip-sipsec-00.txt

 

Do SIPS the way HTTPS works - end-to-end upgrade?

 

 

 

draft-srivastava-sip-e2e-ciphersuites-00

Led by Samir Srivastava

Slides presented.

 

Principle argument: Level of security is missing. SIPS is a mess. Should DTLS be considered as well?

 

Proposal: Extend Via to include Ciphersuites, define header for desired cipher-suites, secure protocol, etc.

 

 

Conclusion: Please respin, focusing on problem statement,  and we'll look at this again.