Elwell, John wrote:
Jiri,
It is well-known that I am not comfortable that we have a **deployable**
solution for preventing From URI spoofing. The reason it is not
deployable is because of B2BUAs, and to some extent because of
E.164-based URIs and the way they are handled in practice. Furthermore
there are issues with PSTN interworking, but we can't do much about
that.
I have tried to articulate these issues by means of several I-Ds over
the last year or so, but capturing a "problem statement" acceptable to
all seems to be an elusive goal.
The reason seems to be that if I describe the problem in a certain way
(e.g., B2BUAs break the RFC 4474 signature), people say "but we can get
round this by doing A", so the problem statement has to be extended to
say why A doesn't work, and then people say "but you can get round it by
doing B", so the problem statement has to be further extended to say why
B will not work, and so on ad infinitum.
So I would welcome any other attempts to write the problem statement.
Hi John,
I think it is really worth to separate the application problem from B2BUA
problems.
I think the DERIVE "B2BUA traversal" is primarily a B2BUA problem. A
test for
what's the root is for me "is this guaranteed to work with an RFC3261 proxy
server as used in the field"? For DERIVE, the answer is yes. It is the
B2BUA unpredictability which makes UAs enter thin ice. That can be improved
using suggestions like Hadriel has extended.
The Identity problem is possibly on both sides. It is certainly Identity
problem,
since any field proxy will rewrite SDP for sake of NAT traversal and
Identity will
fail. (even if there was a CA in the field). If that was fixed, some extra
effort on the B2BUA would be probably needed as well.
I think we shall make progress on those sides. Certainly on DERIVE and I
belive
on B2BUA too. At least to the extent we understand their shortcoming,
and the way
one can address them.
-jiri
John
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Jiri Kuthan
Sent: 20 November 2008 23:53
To: [email protected]; Cullen Jennings
Subject: [Sip] scope of derive
I'm just wondering, if folks could help to explain me this:
apparently when I asked if people in the WG feel safe about
IETF's mechanisms deployable to prevent spoofed From, nobody
spoke up. At the same time, there were some who felt that
we don't have a problem statement. I would be thankful if
representatives of the latter group could share with me
what is the missing piece here to state a problem.
Thank you very much indeed,
-jiri
p.s. the other aspects such as B2BUA traversal is IMO very
orthogonal and is to be ellaborated on in a seprate document.
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
