Registration for Multiple Phone Numbers in the Session Initiation Protocol (SIP)
draft-ietf-martini-gin-13

[Ballot discuss]
Updated.

#1) withdrawn.  I misread the tetx.

#2) The scenarios in Section 8.1 and 8.2  do not show the authentication step called.  I think it should or the text should say we left them out but you still need to do them.

Can be resolved with the following change (as suggested by the author) in Section 8 something like:

"Note that the following examples elide any steps related to authentication. This is done for the sake of simplicity. Actual deployments will need to provide a level of authentication appropriate to their system."

#3) Agreed with author that specifying an HMAC alg is required.  Instead agreed to add text explaining HMAC-256-80 is HMAC-SHA-256 truncated to 80 bits like:

"In this document, HMAC-SHA256-80 is defined to mean the application of SHA256 [FIPS PUB 180-3], and truncating the results to 80 bits by  discarding the trailing (least significant) bits."

Also to add something like:

"Note that the mention of HMAC-SHA256-80 in Section 7.1.2 is intended solely as an example of a suitable HMAC algorithm. Since all HMACs are generated and consumed by the same entity, the choice of an HMAC is entirely up to an implementation, provided that the cryptographic properties are sufficient to prevent third parties from spoofing GRUU-related information."

[Ballot discuss]
#1) Section 7.1.2.2: The following threw me for a loop:

  A SIP-PBX that issues temporary GRUUs to its UAs MUST maintain an
  HMAC key, PK_a.  This value is used to validate that incoming GRUUs
  were generated by the SIP-PBX.

I'm probably reading more in to "PK_a" than I ought to but it isn't a Public Key (PK) - right!?  It would be bad to use a public key as the HMAC secret.  SK_a is terminology used in Section 7.1.2.1 - can we use the same term or SK_SSP and SK_SIP-PBX?

#2) The scenarios in Section 8.1 and 8.2  do not show the authentication step called.  I think it should or the text should say we left them out but you still need to do them.

#3) Alexey caught the bit about HMAC-256-80 needing a reference.  I think it's a bigger deal because I don't which which parts of the output get used: 1st 80bits, last 80bits, etc.?  It's hard to interoperate without knowing this.  But, if a reference exists it'll be easy to clear.

[Ballot comment]
The examples in section 8 have bugs that are important to fix before publication.
The Call-ID changes unintentionally in each example. The messages that have two Via header field values have the values in the wrong order.

[Ballot comment]
In Section 7.1.2:

  All base64 encoding discussed in the following sections MUST use the
  character set and encoding defined in RFC 2045 [1],

RFC 4648 is a better reference here.

  except that any
  trailing "=" characters are discarded on encoding, and added as
  necessary to decode.


In Section 7.1.2.1:

SHA256-80 needs a reference and an explanation (i.e. that the output of the hash function
is truncated to 80 bits).


The first reference to TLS needs an Informative reference.

[Ballot comment]
The OPS-DIR review by Warren Kumari signalled a number of nits which would be useful to fix:

Abstract:
In the abstract many acronyms are expanded (SIP, SIP-PBX, UA), but AOR is not. Having them all expanded (or none expanded) would be nice.

Section 4:
Globally Routable UA URI's (GRUU) are first mentioned, but the reference to the RFC is in section 7.1.


Section 5.1:
Acronym "UAC" not expanded / defined.


Section 6:
s/An SSP using this mechanism/A SSP using this mechanism/


Section 7.1.2.1 (indented):
s/The registrar maintains a counter, I. this counter is/The registrar maintains a counter, I. This counter is/ (Capitalization of 't').

[Ballot comment]
The OPS-DIR review by Warren Kumari signalled a numkber of nits which would be useful to fix:

Abstract:
In the abstract many acronyms are expanded (SIP, SIP-PBX, UA), but AOR is not. Having them all expanded (or none expanded) would be nice.

Section 4:
Globally Routable UA URI's (GRUU) are first mentioned, but the reference to the RFC is in section 7.1.


Section 5.1:
Acronym "UAC" not expanded / defined.


Section 6:
s/An SSP using this mechanism/A SSP using this mechanism/


Section 7.1.2.1 (indented):
s/The registrar maintains a counter, I. this counter is/The registrar maintains a counter, I. This counter is/ (Capitalization of 't').

First, in the Options Tags subregistry of the Session Initiation
Protocol (SIP) Parameters registry located at:

http://www.iana.org/assignments/sip-parameters

a new option tag will be registered as follows:

Name: gin
Description: This option tag is used to identify the extension that
provides Registration for Multiple Phone Numbers in SIP. When present in
a Require or Proxy-Require header field of a REGISTER request, it
indicates that support for this extension is required of registrars and
proxies, respectively, that are a party to the registration transaction.
Reference: RFC-to-be

Second, in the SIP/SIPS URI Parameters sub registry of the Session
Initiation Protocol (SIP) Parameters registry located at:

http://www.iana.org/assignments/sip-parameters

two new SIP URI parameters will be registered as follows:

Parameter Name: bnc
Predefined Values: No (no values are allowed)
Reference: RFC-to-be

and

Parameter Name: sg
Predefined Values: No
Reference: RFC-to-be

Third, in the Header Fields subregistry of the Session Initiation
Protocol (SIP) Parameters registry located at:

http://www.iana.org/assignments/sip-parameters

the following Header Field will be added:

Header field: Contact
Parameter name: temp-gruu-cookie
Predefined values: none
Reference: RFC-to-be

IANA understands that these three actions are the only ones that need
completion upon approval of this document.

(1.a) Who is the Document Shepherd for this document? Has the
Document Shepherd personally reviewed this version of the document
and, in particular, does he or she believe this version is ready
for forwarding to the IESG for publication?

Bernard Aboba is the document shepherd. I have personally reviewed
the document, and believe it is ready for publication as an Informational RFC.

(1.b) Has the document had adequate review both from key members of
the interested community and others? Does the Document Shepherd
have any concerns about the depth or breadth of the reviews that
have been performed?

The document has been extensively discussed on the MARTINI WG mailing list. The discussion has
included representatives from both the PBX and service-provider communities as well as
participants in SIP Forum. As a result, the reviews appear to have been
reasonably thorough and representative.

(1.c) Does the Document Shepherd have concerns that the document
needs more review from a particular or broader perspective, e.g.,
security, operational complexity, someone familiar with AAA,
internationalization or XML?

No concerns.

(1.d) Does the Document Shepherd have any specific concerns or
issues with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he or
she is uncomfortable with certain parts of the document, or has
concerns whether there really is a need for it. In any event, if
the interested community has discussed those issues and has
indicated that it still wishes to advance the document, detail
those concerns here.

No concerns.

(1.e) How solid is the consensus of the interested community behind
this document? Does it represent the strong concurrence of a few
individuals, with others being silent, or does the interested
community as a whole understand and agree with it?

There appears to be strong consensus behind the document, which
has been evaluated against the solution requirements (and appears
to meet all of them).


(1.f) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in
separate email messages to the Responsible Area Director. (It
should be in a separate email because this questionnaire is
entered into the ID Tracker.)

No.

(1.g) Has the Document Shepherd personally verified that the
document satisfies all ID nits? (See
http://www.ietf.org/ID-Checklist.html and
http://tools.ietf.org/tools/idnits/). Boilerplate checks are not
enough; this check needs to be thorough. Has the document met all
formal review criteria it needs to, such as the MIB Doctor, media
type and URI type reviews?

IDNits are clean:

idnits 2.12.05

tmp/draft-ietf-martini-gin-10.txt:

Checking boilerplate required by RFC 5378 and the IETF Trust (see
http://trustee.ietf.org/license-info):
----------------------------------------------------------------------------

No issues found here.

Checking nits according to http://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------

No issues found here.

Checking nits according to http://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------

No issues found here.

Miscellaneous warnings:
----------------------------------------------------------------------------

-- The document date (September 28, 2010) is 12 days in the past. Is this
intentional?


Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------

(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)

No issues found here.

Summary: 0 errors (**), 0 warnings (==), 1 comment (--).
--------------------------------------------------------------------------------

(1.h) Has the document split its references into normative and
informative? Are there normative references to documents that are
not ready for advancement or are otherwise in an unclear state?
If such normative references exist, what is the strategy for their
completion? Are there normative references that are downward
references, as described in [RFC3967]? If so, list these downward
references to support the Area Director in the Last Call procedure
for them [RFC3967].

The references in the document have been split into normative and informative.

Normative references are all stable documents published as RFCs.

(1.i) Has the Document Shepherd verified that the document IANA
consideration section exists and is consistent with the body of
the document? If the document specifies protocol extensions, are
reservations requested in appropriate IANA registries? Are the
IANA registries clearly identified? If the document creates a new
registry, does it define the proposed initial contents of the
registry and an allocation procedure for future registrations?
Does it suggested a reasonable name for the new registry? See
[I-D.narten-iana-considerations-rfc2434bis]. If the document
describes an Expert Review process has Shepherd conferred with the
Responsible Area Director so that the IESG can appoint the needed
Expert during the IESG Evaluation?

The IANA Considerations section exists (section 9). The document
does not create a new registry or describe an Expert Review process.

(1.j) Has the Document Shepherd verified that sections of the
document that are written in a formal language, such as XML code,
BNF rules, MIB definitions, etc., validate correctly in an
automated checker?

Not applicable.

(1.k) The IESG approval announcement includes a Document
Announcement Write-Up. Please provide such a Document
Announcement Writeup? Recent examples can be found in the
"Action" announcements for approved documents. The approval
announcement contains the following sections:

Technical Summary

This document defines a mechanism by which a SIP server acting as a
traditional Private Branch Exchange (SIP-PBX) can register with a SIP
Service Provider (SSP) to receive phone calls for UAs designated by
phone numbers. The mechanism requires that the multiple AoRs being
registered are each globally unique, which is the case for fully qualified
AoRs representing E.164 numbers.

Working Group Summary

Since this document relates to the registration of multiple AoRs in
a single exchange, much of the discussion centered around the
implications and limitations of the scheme. In particular, there
was extensive discussion on potential requirements for globally
reachable contact URIs, as well as the circumstances under
which the multiple AoRs being registered would each be globally
unique. Although the globally unique AoR requirement can be
met for email-style URIs as well as URIs representing E.164
numbers, this document chooses to focus on URIs representing
E.164 numbers only.

Document Quality

The document has been reviewed by participants within the IETF MARTINI WG, including SIP
service providers as well as representatives from the PBX vendor community. It has gone
through MARTINI WG last call.

Personnel

Bernard Aboba is the document shepherd for this document.
Gonzalo Camarillo is the responsible AD.