Requirements for an End-to-End Session Identification in IP-Based Multimedia Communication Networks
draft-ietf-insipid-session-id-reqts-11

[Ballot comment]

Thanks for addressing my discuss points in -11. I didn't check
the comments below, so they may also have been handled.

---- OLD COMMENTS

3.1 - as-is, the term session is so ill-defined in this section
that it could be considered to be ok for a session to last a
year. It might be worth just saying here its meant for what a
user would consider a call in most common cases.

3.1 - you confused me:-) 3rd para says "three parties" but
earlier you said "exactly two." I think what you mean is that
the term party might have different meanings in different
protocols? (It becomes clear later though.)

4.3 - if a privacy enhancing B2BUA is present, then I don't
think I buy the proposition that it won't mess with the session
id.

4.4 - typo s/where/were/

4.6 - first use of "restrictive" seems wrong. I think you mean
lax or maybe expressive or permissive (as the secdir review
suggested).

5 - REQ9 could contradict what I'd like to see in REQ4. (Just
noting that.)

7 - saying you MUST NOT use MAC address etc is not right. You
could use those, so long as they cannot be derived from the
session ID, e.g. "AES(k,MAC||random)" could be used for a k
known only the the initiator perhaps. I'm not saying you
should do that, but that the MUST NOT seems OTT.

7 - I don't get how the integrity requirements stated can be
independent of the n/w infrastructure etc. To me, that reads
like text added to just sound good, so I must be missing
something about it - can you explain the last paragraph a bit
more?

[Ballot discuss]

(1) REQ4 is almost nice:-) However, I think you need to say
something about correlation over time. For example, I assume it
ought not be possible to know just from looking at session ids
(even if the operator knows how they're generated in intimate
detail) that they correspond to the same (sets of) user(s).
I note that the WG charter has some similar language about
correlation.

(2): I assume that the solution draft will contain more privacy
considerations related to the use and storage of these
identifiers, however, you say here that they are to be usable
days or weeks after a call, so don't you also need to say that
a solution needs to describe the security and privacy
issues related to storage of identifiers? (Since there is a real
possibility that e.g. leakage of logs would expose who has been
calling whom for how long.)

[Ballot discuss]
So, I really want a session ID (and I have since before I co-chaired SIPCLF, which needed such a thing), and I really want to ballot "yes", but I'm confused. Could you clue me in?

I'm looking at this text:

3.1. What does the Session Identifier Identify?

  How the endpoints determine which signaling messages share a given
  identifier (that is, what constitutes a single invocation of a
  communication application) is intentionally left loosely defined.

  The requirements in this document put some constraints on what an
  endpoint will consider the same, or a different, invocation of a
  communication session.  They also ensure that related sessions (as
  this document is using the term) can be correlated using only the
  session identifiers for each session.  Again, what constitutes a
  "related" session is intentionally left loosely defined.

as saying pretty much "a session is whatever I say it is", and I'm looking at this text:

3.2. Communication Session

  The following are examples of acceptable communication sessions as
  described in Section 3.1 and are by not exhaustive:

                                    ^^ typo? but that's not my point

    o A call directly between two user agents

    o A call between two user agents with one or more SIP middleboxes
      in the signaling path

    o A call between two user agents that was initiated using third-
      party call control (3PCC) [7]

    o A call between two user agents (e.g., between Alice and Carol)
      that results from a different communication session (e.g., Alice
      and Bob) wherein one of those user agents (Alice) is transferred
      to another user agent (Carol) using a REFER request or a re-
      INVITE request

  The following are not considered communication sessions:

    o A call between any two user agents wherein two or more user
      agents are engaged in a conference call via a conference focus:

        o each call between the user agent and the conference focus
          would be a communication session, and

        o each of these is a distinct communication session.

    o A call between three user agents (e.g., Alice, Bob, and Carol)
      wherein the first user agent (Alice) ad hoc conferences the
      other two user agents (Bob and Carol)

        o The call between Alice and Bob would be one communication
          session.

        o The call between Alice and Carol would be a different
          communication session.

which gives *examples* of what is, and is not, a session, but I'm not seeing a clear description that would let me figure out whether a call that doesn't fit one of these categories is a session, and the text says the examples aren't exhaustive.

Are these two lists of examples, taken together, just saying "any call with exactly two endpoints can be a session, and a call with any other number of endpoints can't be a session"? Is there any other requirement?

Am I missing something?

[Ballot comment]
In 3.3. End-to-End

  The term "end-to-end" in this document means the communication
  session from the point of origin, passing through any number of
  intermediaries, to the ultimate point of termination. It is
  recognized that legacy devices may not support the end-to-end session
  identifier, though an identifier might be created by an intermediary
  when it is absent from the session signaling.

is the last sentence talking about an intermediary that supports this specification creating an identifier if a legacy endpoint hasn't created one? I'm guessing so, based on   

REQ5: It must be possible to identity SIP traffic with an end-to-end
  session identifier from and to end devices that do not support this
  new identifier, such as by allowing an intermediary to inject an
  identifier into the session signaling.

but I'm guessing.

In 4.2. Protocol Interworking

  It is expected that the ITU-T will define protocol elements for H.323
  to make the end-to-end signaling possible.

I'm sensitive to Stewart's comment - perhaps it's more diplomatic to say something like "if ITU-T defines the corresponding protocol elements for H.323, end-to-end signaling will be possible in the presence of protocol interworking".

[Ballot discuss]

(1) REQ4 is almost nice:-) However, I think you need to say
something about correlation over time. For example, I assume it
ought not be possible to know just from looking at session ids
(even if the operator knows how they're generated in intimate
detail) that they correspond to the same (sets of) user(s).
I note that the WG charter has some similar language about
correlation.

(2): I assume that the solution draft will contain more privacy
considerations related to the use and storage of these
identifiers, however, you say here that they are to be usable
days or weeks after a call, so don't you also need to say that
a solution needs to describe the security and privacy
issues related to storage of identifiers? (Since there is a real
possibility that e.g. leakage of logs would expose who has been
calling whom for how long.)

(3) DISCUSS-DISCUSS, this is for the IESG, the authors
needn't worry about it.  IPR: There are 3 delcarations (two
really I guess) on this *requirements* document, which I don't
understand at all. But whatever, if the WG are ok with that,
then its ok I guess. However, the sponsoring AD is one of
the folks who declared IPR and is listed as an inventor on
the referenced patent application. Is that kosher process-wise?
I've not seen it before that I recall so just want to check.
I think it would be cleaner if that were not the case.

[Ballot comment]

3.1 - as-is, the term session is so ill-defined in this section
that it could be considered to be ok for a session to last a
year. It might be worth just saying here its meant for what a
user would consider a call in most common cases.

3.1 - you confused me:-) 3rd para says "three parties" but
earlier you said "exactly two." I think what you mean is that
the term party might have different meanings in different
protocols? (It becomes clear later though.)

4.3 - if a privacy enhancing B2BUA is present, then I don't
think I buy the proposition that it won't mess with the session
id.

4.4 - typo s/where/were/

4.6 - first use of "restrictive" seems wrong. I think you mean
lax or maybe expressive or permissive (as the secdir review
suggested).

5 - REQ9 could contradict what I'd like to see in REQ4. (Just
noting that.)

7 - saying you MUST NOT use MAC address etc is not right. You
could use those, so long as they cannot be derived from the
session ID, e.g. "AES(k,MAC||random)" could be used for a k
known only the the initiator perhaps. I'm not saying you
should do that, but that the MUST NOT seems OTT.

7 - I don't get how the integrity requirements stated can be
independent of the n/w infrastructure etc. To me, that reads
like text added to just sound good, so I must be missing
something about it - can you explain the last paragraph a bit
more?

[Ballot comment]
It is expected that the ITU-T will define protocol elements for H.323
to make the end-to-end signaling possible.

This looks like the IETF making a demand on the ITU.
Perhaps "It is anticipated..."?

Are there any privacy considerations associated with this identifier?

IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-insipid-session-id-reqts-08, which is currently in Last Call, and has the following comments:

We understand that, upon approval of this document, there are no IANA Actions that need completion. IANA requests that the IANA Considerations section of the document remain in place upon publication.

If this assessment is not accurate, please respond as soon as possible.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Requirements for an End-to-End Session Identification in IP-Based Multimedia Communication Networks) to Informational RFC


The IESG has received a request from the INtermediary-safe SIP session ID
WG (insipid) to consider the following document:
- 'Requirements for an End-to-End Session Identification in IP-Based
  Multimedia Communication Networks'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2013-09-24. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document specifies the requirements for an end-to-end session
  identifier in IP-based multimedia communication networks.  This
  identifier would enable endpoints, intermediate devices, and
  management and monitoring systems to identify a session end-to-end
  across multiple SIP devices, hops, and administrative domains.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-insipid-session-id-reqts/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-insipid-session-id-reqts/ballot/


The following IPR Declarations may be related to this I-D:

  http://datatracker.ietf.org/ipr/1882/
  http://datatracker.ietf.org/ipr/1883/
  http://datatracker.ietf.org/ipr/1925/

Document writeup for "Requirements for an End-to-End Session Identification in IP-Based Multimedia Communication Networks" draft-ietf-insipid-session-id-reqts-08

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header?

It is intended that the document be published as informational. It is not intended that this document should be applicable directly to an implementation, but rather identifies a set of requirements on which a future IETF solution will be built; the latter document will be standards track. In the cases where these requirements are a standalone document, they have traditionally been published as an informational RFC.
The document status is indicated in the document title page.

(2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections:

Technical Summary:

Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction.
This document specifies the requirements for an end-to-end session identifier in IP-based multimedia communication networks.  This identifier would enable endpoints, intermediate devices, and management and monitoring systems to identify a session end-to-end across multiple SIP devices, hops, and administrative domains.

Working Group Summary:

Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough?

The document has achieved working group consensus.

One particular issue was on how much terminology to define in this document, and section 3 has been substantially worked upon within the working group.

There also has been significant discussion on the scoping of the work, and its applicability to more complex scenarios. In accordance with the charter, the work has been kept to the simpler scenarios, and the applicability to the more complex scenarios will be limited to whatever works as a result.
Document Quality:

Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted?

There are no implementations as this is a requirements document. The working group is currently working on a solutions document in draft-ietf-insipid-session-id.

Personnel:

Who is the Document Shepherd? Who is the Responsible Area Director?

Keith Drage is the document shepherd. Gonzalo Camarillo is the responsible area director.

(3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.
Primarily a read through to ensure all the text is consistent with the remainder of the document, along with a check for editorial and idnit issues. The working group has gone several times through each requirement in the requirements clause in open discussion.

The document is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

The document shepherd has no concerns about the depth or breadth of the reviews that have been performed.

(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place.

This document does not need reviews from a particular or a from a broader perspective. The solution document might need such wider reviews, but this is not appropriate for a requirements document.

(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

The document shepherd has no concerns.

(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why?

Each author has confirmed that all appropriate IPR disclosures have been made.

Note that some authors have declared IPR on the related solutions document, but do not consider such a declaration impacts the requirements document.

(8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

IPR disclosures have been filed on this document. These have been identified in working group discussions, and further brought to the working group's attention during the working group last call. No concerns have been raised within the working group.

(9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

The contents of this document have been extensively discussed amongst many individuals in this working group.
A significant number of individuals have indicated they had read the document during working group last call and had no further comments.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.)

No such view has been expressed.

(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough.

No idnits have been found and the document passes the boilerplate checks.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

The document contains no material of a formal nature requiring such review.

(13) Have all references within this document been identified as either normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion?

All normative references are published RFCs.

(15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure.

There are no downward references.

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary.

This document is not of such a nature to change any other RFC.

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

The document has no IANA considerations, as it makes no changes to any IANA registry.

(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

The document has no IANA considerations, as it makes no changes to any IANA registry.

(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.

The document contains no material of a formal nature requiring such review.

Document writeup for "Requirements for an End-to-End Session Identification in IP-Based Multimedia Communication Networks" draft-ietf-insipid-session-id-reqts-08

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header?

It is intended that the document be published as informational. It is not intended that this document should be applicable directly to an implementation, but rather identifies a set of requirements on which a future IETF solution will be built; the latter document will be standards track. In the cases where these requirements are a standalone document, they have traditionally been published as an informational RFC.
The document status is indicated in the document title page.

(2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections:

Technical Summary:

Relevant content can frequently be found in the abstract and/or introduction of the document. If not, this may be an indication that there are deficiencies in the abstract or introduction.
This document specifies the requirements for an end-to-end session identifier in IP-based multimedia communication networks.  This identifier would enable endpoints, intermediate devices, and management and monitoring systems to identify a session end-to-end across multiple SIP devices, hops, and administrative domains.

Working Group Summary:

Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough?

The document has achieved working group consensus.

One particular issue was on how much terminology to define in this document, and section 3 has been substantially worked upon within the working group.

There also has been significant discussion on the scoping of the work, and its applicability to more complex scenarios. In accordance with the charter, the work has been kept to the simpler scenarios, and the applicability to the more complex scenarios will be limited to whatever works as a result.
Document Quality:

Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted?

There are no implementations as this is a requirements document. The working group is currently working on a solutions document in draft-ietf-insipid-session-id.

Personnel:

Who is the Document Shepherd? Who is the Responsible Area Director?

Keith Drage is the document shepherd. Gonzalo Camarillo is the responsible area director.

(3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG.
Primarily a read through to ensure all the text is consistent with the remainder of the document, along with a check for editorial and idnit issues. The working group has gone several times through each requirement in the requirements clause in open discussion.

The document is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed?

The document shepherd has no concerns about the depth or breadth of the reviews that have been performed.

(5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place.

This document does not need reviews from a particular or a from a broader perspective. The solution document might need such wider reviews, but this is not appropriate for a requirements document.

(6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here.

The document shepherd has no concerns.

(7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed. If not, explain why?

Each author has confirmed that all appropriate IPR disclosures have been made.

Note that some authors have declared IPR on the related solutions document, but do not consider such a declaration impacts the requirements document.

(8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures.

IPR disclosures have been filed on this document. These have been identified in working group discussions, and further brought to the working group's attention during the working group last call. No concerns have been raised within the working group.

(9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it?

The contents of this document have been extensively discussed amongst many individuals in this working group.
A significant number of individuals have indicated they had read the document during working group last call and had no further comments.

(10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarise the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.)

No such view has been expressed.

(11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough.

No idnits have been found and the document passes the boilerplate checks.

(12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews.

The document contains no material of a formal nature requiring such review.

(13) Have all references within this document been identified as either normative or informative?

Yes.

(14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion?

All normative references are published RFCs.

(15) Are there downward normative references references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure.

There are no downward references.

(16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary.

This document is not of such a nature to change any other RFC.

(17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocations procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226).

The document has no IANA considerations, as it makes no changes to any IANA registry.

(18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries.

The document has no IANA considerations, as it makes no changes to any IANA registry.

(19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc.

The document contains no material of a formal nature requiring such review.