----------------------------------------------------------------------------
0900 Open Meeting -- Chairs
Agenda bash
9:30 topic changed to Body Additions - Rohan
Lot of stuff in RFC Editor Queue - Not much has come out since Ietf59
Last Call on 3312, ANAT, Content Indirection, etc.
WGLC - GRUU closed
Nothing currently in Last Call
Milestones - See slides
No hope of closing WG anytime soon (Dean)
Non-Invite ready for WGLC
Draft-sparks-sip-nit-problems-01.txt
Draft-sparks-sip-nit-actions-01.txt
No Comments
What is SIPPING 16? (Rohan)
Some mention of Sipping 16 at voicecon.
It does not exist.
Formal response needed - draft-ietf-sipping-16 :)
Adam - RFC?
See slides
http://www.softarmor.com/sipwg/meets/ietf60/slides/pres-sip-chairs-ietf60.ppt
------------------------------------------------------------
0915 Content Indirection -- Dean Willis
WGLC and Ietf LC. Came back with some issues, fixed in 04.
Hash added
Trust anchor problem
TLS HTTP has been upgraded to MUST
Open Issues:
Content expiration - Needed or not? If so how to get this without
updates to 2017
Cullen - Doesn't think this is important - Should be removed
Dan - Point was to give client an idea of how long the content would
be available
Rohan - Yes, needed
Eric - Is needed
Allison - Has been reviewed before. Dean - hash is new.
Refer to Mime mailing list ****
Hash is base64
Does Hash value need to be surrounded by double quotes
Yes - put it in quotes and name the hash. ****
Multipart
1. How to reject one media type
Eric - rfc3259 - Content can be rejected
See slides
http://www.softarmor.com/sipwg/meets/ietf60/slides/pres-willis-sip-indirectm
ech-ietf60.ppt
----------------------------------------------------------------------------
------------------------------------------------------------
0930 Body Additions - Rohan Mahy
Body Additions - Rohan Mahy
Slides not on the website yet
Do we relax a line in 3261?
Maybe minor adjustments needed for the applications
Typical Applications
Logging - Financial or Helathcare (regulation)
communications logged.
UAC offer copy of information directly to endpoint
and offer another copy to intermediary.
Possibly to encrypt body with multiple keys
Bandwidth/Media/Codec Policy - By intermediary
Problems with changes in policy - How to enforce?
UAC to Intermediary - Share info, UAS side unclear
When does info flow directly or when does it get
redirected?
Coop NAT and Firewall Traversal
Do we need to support this for SIP (Midcom)?
Require History
Crux of issue - Proxy wants to add info for benefit
of UAS
Body or set restrictions to Request History?
Location Conveyance
UA could have location info to provide to UAS
UAC might not know location, but proxy or service
might
-(Comment ??) How to tell UAC to include body?
Topologies
Explicit Policy Fetch
Alice - atlanta.com - biloxi.com - Bob
Full redirect Model
Alice would not go through her own domain
Doesn't work through all middleboxes
(Comment -Cullen) - Not always true. Works
through UPNP
(Comment - Rohan) - UPNP Lover
Doesn't work with the GRUU mechanism
(Comment - Jon) - Is it possible to redirect
to a GRUU
Triangle Redirect
Ideal if client can make outbound TCP connections
and has limited policy restrictions
Trapezoid Redirect Model
Lots of RTTs
Authorization and Consent unclear
(Comment - Rosenberg) - No relationship
between Alice and biloxi.
Biloxi needs to tell bob what to do,
not Alice.
(Comment - Rohan) - Logging example
(Comment - Camarillo) - Alice might not
understand policies. Biloxi and Bob need to handle this.
(Comment - Cullen) - Multiple hops
complicate things.
(Comment - Rosenberg) - Body additions not a
good idea. Lot of complications
Foreign Piggyback Model
Requires addition of bodies by biloxi.com.
S/Mime needs to be changed. Intergrity done on a
body by body basis.
Full Piggyback Model
Alice can't consent to modifications/insertions by
atlanta.
This model does not work.
(Comment - Peterson) - Lots of changes to security sections
(section 26)
Bodies does entail changes to section 26. Believes
this is a lot bigger than just adding bodies. Includes modification and
deleting.
Multiple bodies signed by different entities is
troublesome.
(Comment - Rosenberg) - why isn't the foreign model
symmetric? This is a session policy discussion.
(Comment - Cullen) - Issue with Body addition - Integrity of
bodies done individually. Complicates things.
(Comment - Camarillo)- We will discuss this tomorrow.
(Comment - Rohan) - We are not addressing the last two
issues.
(Comment - Rosenberg) - Auth broken. This means changing the
whole security model.
(Comment - Peterson) - Bodies addition worse. Any consensus
we can take? We need resolution. Possibly can't be resolved until after
policy issues are resolved.
(Comment - Rohan) - Willing to go along with not adding
bodies, but we have to address all the applications.
----------------------------------------------------------------------------
1000 Connection Reuse -- Rohan Mahy
draft-ietf-sip-connect-reuse-02.txt
Efficiency - Use existing connections
Works for this motivation
Connectivity - Firewall/NAT can only make outbound connnections
Need some way to force traffic to reuse existing
connections.
Problem with multiple proxy servers. Only first proxy server
can talk to registered client.
Big security hole.
(Comment - Rosenberg) - URI doesn't provide appropriate context.
(Comment - ??) - Header to get URI with correct context
How do we want to provide an address that is meaningful to proxy
server?
We know what we need to fix. If you have a concrete idea let Rohan
know.
(Comment - Rosenberg) - The reason most SIPS implementations work is
because clients are ignoring some contacts and other stuff to make it work.
----------------------------------------------------------------------------
1030 Authenticated Identities -- Jon Peterson
draft-ietf-sip-identity-02.txt
draft-ietf-sip-authid-body-03.txt
Authid-body status - DONE - In RFC-ED queue
Sip-identity- not revised since Boston
Open issues -
Retargeting accpetable?
Big part of proposal
Seperating local and non-local contacts ?
GRUU Interaction and connect-reuse
Rfc3323 and sip-identity
Possible change or addition of text
Canonicalization of header field values for
signature
Retargeting and Redirection
Retargeting to a non-local URI (like an AoR)
Critical
More than one way in SIP.
Serious for a Proxy to redirect rather than
retarget.
(Comment - Rohan) - email vs web analogy is a good
one. Email currently has lots of problems due to retargeting.
(Comment - Peterson) - No one using S/MIME.
Implications for 3g networks. More concerned about IETF threat model.
(Comment - Rosenberg) - Difficulty implementing
services. Need program reentry point. Pretty much every thing can be done
with redirection that can be done with retargeting
(Comment - Paul) - might want to do mulitple things
in parallel.
(Comment -??) - HTTP does use Retargeting
Benefits of Retargeting
Control
Privacy
Speed
Firewall/NAT traversal
(Comment - Peterson) - Believes in the last one, but
not so much with the first three
Drawbacks
Response identity
Request-history - The originator needs to know the
history
Eliminates caller consent
Blind call forwarding
Creates unnecessary transitive trust
Very little direct trust
Low-level protocol weirdness
We should give up non-local retargeting
Goal is to make it mandatory for proxies to implement
authentication service.
We need a long term goal of making identity mandatory.
(Comment - ??) - If we break non-local retargeting does this
break caller prefs?
(Comment - Rosenberg) - No
(Comment - Mary) - no problem with history-info and
request-history
(Comment -??) - Need to make requirements.
(Comment - Peterson) - Requirements are in 3261 Threat
model.
(Comment - Cullen) - almost all forwards are local forwards
(Comment - Paul) - Caller Prefs - Can still be used in
retargeting. Could minimize the value of caller prefs. Make sure it actually
works.
(Comment - Peterson) - Recursion text is somewhat incoherent
in 3261.
In the future should there be a restriction on recursion?
(Comment - Rosenberg) - Not clear that there is substantial
speed differences.
(Comment - Mary) - Feels that it is clear in 3261 what is
local and what is non-local.
(Comment - Rohan) - RTT over wireless. Shouldn't make
changes based on a layer two protocol.
Are people comfortable with the draft? Getting mature. We need to
take it out into the field.
(Comment - Cullen) - Thinks this has been studied to death.
(Comment - Chairs) - Should there be a design team? Does the
audience understand the problem?
(Comment -??) - Uncomfortable - Tradeoff between security and other
functions. Not the optimal solution for all problems.
(Comment - Peterson) - Nothing currently for internet.
Long term goal to provide interaction and interoperability
People want a chance to read the draft.
----------------------------------------------------------------------------
1100 GRUU -- Jonathan Rosenberg
draft-ietf-sip-gruu-02.txt
Issues
URN Equality - pretty much resolved
We don't mandate a URN scheme
Use lexical equality
Ramp-Up Problem (Avalanche restart)
Minimize messaging when recovering from catastrophic
client failures
Requires 4 message exchanges - 1/4 capacity cost.
Solutions
Override old registration with new
Keep Both
Does this violate GRUU property
(Comment - Rohan) - Contributes to avalanche restart
problem. More complicated
(Comment - Sparks) - Not a big step
(Comment - Paul) - prefers Overriding old
registration.
(Comment - Rosenberg) - Ok to have multiple
routes/connections
(Comment - Rohan) - Should be a flag to indicate
whether the Gruu register is overwritten or not.
(Comment - Paul) - Multiple contacts with the same
instance id complicates the way proxies handle certain errors. Complicates a
lot of things
(Comment -??) - What happens in a client failure
case?
(Comment - Sparks) - Sounds familiar with Etag and
XCAP.
Kris Pate
v753-2288
(972) 728-2288
kris.pate@mci.com
<><