A Session Identifier for the Session Initiation Protocol (SIP)
draft-kaplan-insipid-session-id-04

[Ballot comment]
This is a non-blocking comment/suggestion:
The security considerations section should include a sentence about the requirement to avoid any values that may raise privacy concerns in the SIP header.  This is already listed earlier int he document, but may be helpful to repeat in this section.

[Ballot discuss]

Just one discuss point which is just to check if the WG did
or didn't consider a thing...

In the case of DomainKeys/DKIM, the WG felt it very
important that the legacy/non-standards-track RFC not be
produced before the standards track RFC. The goal was to not
have the non-standards track flavour become further
entrenched while the standards track work was being done and
also to disincent those with legacy implemenations from
gaming the work on the standards track RFC. Did the WG
consider such a tactic? If not, should they?

[Ballot comment]


- Were the IESG discusses/comments on the insipid WG
requirements document considered in this text? If not, why
not? I suspect (without having looked back) that some of
them might apply here and be ok to handle here as well. (I
had a discuss on that that I'd like you to look at.)

- Why are we only implicitly recommending implementations
follow the standards track approach and not this?

[Ballot comment]
It seems to me to be slightly simplistic to say that because the
Session ID has no sensitive information in it, it will not reveal any
information related to any SIP device or domain identity.  That is,
of course, examined in isolation it will not reveal anything, but it
becomes a piece of metadata that can be examined at several points in
the network to discover information about the session. Indeed, it
seems that the purpose of the Session ID is exactly to provide
correlation that would not otherwise be possible (or might only be
possible if the B2BUAs sisn't mess with the Call IDs).


This does not speak against the use of a Session ID, but does suggest
that its use might not be quite as harmless as this document suggests.

---

There is a wrinkle with 4.5.1...

Imagine there are two B2BUAs along the path both of which change the
Call-ID. Suppose also that the original request does not contain a
Session ID. The first B2BUA does not add a Session ID (it is a "MAY"
and anyway it is a legacy implementation). The second B2BUA adds a
Session ID using the received Call-ID, but this is not original one.

Question: why does the text require that the Session ID inserted by
a B2BUA be derived from the received Call-ID? It doesn't seem to make
any difference (it is, after all, using the B2BUA's secret) and the
received Call-ID is no different to the B2BUA's substituted Call-ID.

---

There is, of course, a very small chance that two Session IDs will be
identical. This could happen at one point of generation or across two
such points.

Should you include advice to a Session ID generator to catch such cases?
Should you give a warning to users of the Session ID that this might
happen?

Unlikely though it is, it will happen in the field the first time the
function is enabled :-)

IESG/Authors:

IANA has reviewed draft-kaplan-insipid-session-id-03.  Authors should review the comments and/or questions below.  Please report any inaccuracies and respond to any questions as soon as possible.

We received the following comments/questions from the IANA's reviewer:

Upon approval of this document, IANA understands that there is a single action which it is required to complete.

In the Header Fields subregistry of the Session Initiation Protocol (SIP) Parameters registry located at:

http://www.iana.org/assignments/sip-parameters/sip-parameters.xhtml

a single, new header field is to be registered as follows:

Header Name: session-id
Compact:
Reference: [ RFC-to-be ]

NOTE: Currently RFC5727 defines the Informational Headers through expert review.  This draft document is Informational according to the tracker. 
We will initiate a request and send this to the designated expert for
review.

IANA understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed
until the document has been approved for publication as an RFC.
This message is only to confirm what actions will be performed.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (A Session Identifier for the Session Initiation Protocol (SIP)) to Informational RFC


The IESG has received a request from an individual submitter to consider
the following document:
- 'A Session Identifier for the Session Initiation Protocol (SIP)'
  as Informational RFC

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2013-08-30. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Note that this IETF last call is not intended to form IETF consensus on
the content of this document. Consequently, the IESG is only looking for
comments on the value of publishing this document as-is, not for
comments on the content of the document.

Abstract


  This RFC, which contains the text of an individual Internet Draft
  that was submitted originally to the DISPATCH Working Group, is
  being published now as an Informational document to provide a
  reference for later RFCs.  The mechanism defined in this document
  has been widely deployed, and is being followed in a backward-
  compatible fashion for a new Standards Track RFC in the INSIPID
  Working Group.  The original Abstract follows.

  There is a need for having a globally unique session identifier for
  the same SIP session, which can be consistently maintained across
  Proxies, B2BUAs and other SIP middle-boxes, for the purpose of
  Troubleshooting.  This draft proposes a new SIP header to carry such
  a value: Session-ID.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-kaplan-insipid-session-id/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-kaplan-insipid-session-id/ballot/


No IPR declarations have been submitted directly on this I-D.

PROTO questionnaire for: draft-kaplan-insipid-session-id-03

To be Published as: Informational

Prepared by: Gonzalo Salgueiro (gsalguei@cisco.com) on 1 August 2013


  (1) What type of RFC is being requested (BCP, Proposed Standard,
      Internet Standard, Informational, Experimental, or Historic)? 
      Why is this the proper type of RFC?  Is this type of RFC indicated 
      in the title page header?

This document is requested to be published as Informational. This RFC
type is indicated on the title page.

The directive from the AD is to use Informational. The original intent
was to use Historic. The requirement is to convey that this is not the
solution going forward.

    (2) The IESG approval announcement includes a Document Announcement
        Write-Up. Please provide such a Document Announcement Write-Up.
        Recent examples can be found in the "Action" announcements for
        approved documents. The approval announcement contains the
        following sections:

        Technical Summary:

There is a need for having a globally unique session identifier for
the same SIP session, which can be consistently maintained across
Proxies, B2BUAs and other SIP middle-boxes, for the purpose of
Troubleshooting.  This draft originally proposed a new SIP header
(Session-ID) to carry such a value, which is now being defined by the
INSIPID WG.

        Working Group Summary:

        Was the document considered in any WG, and if so, why was
        it not adopted as a work item there? Was there controversy
        about particular points that caused the WG to not adopt the
        document?
       
This RFC, which contains the text of an individual Internet-Draft that
was submitted originally to the DISPATCH Working Group, is being
published now as an Informational document to provide a reference for
the work currently being defined in the INSIPID WG.  The INSIPID WG
Session-ID solution replaces the 'legacy' solution presented in
draft-ietf-insipid-session-id-03 and intends to ensure
interoperability and backwards compatibility with such legacy
Session-ID entities.

        Document Quality:
       
        Are there existing implementations of the protocol? Have a
        significant number of vendors indicated their plan to
        implement the specification? Are there any reviewers that
        merit special mention as having done a thorough review,
        e.g., one that resulted in important changes or a
        conclusion that the document had no substantive issues? If
        there was a MIB Doctor, Media Type or other expert review,
        what was its course (briefly)? In the case of a Media Type
        review, on what date was the request posted?

The legacy Session-ID solution described in this document is very
widely deployed, especially by Service Providers providing 3GPP IMS.
The ubiquity of this legacy solution and the requirement that the
current INSIPID WG work be backwards compatible with it is the primary
driver for its publications as an Informational RFC that can be
referenced by the current INSIPID WG documents. This document does not
meet the requirements defined in
https://datatracker.ietf.org/doc/draft-ietf-insipid-session-id-reqts/

        Personnel:
       
        Who is the Document Shepherd? Who is the Responsible Area
        Director?
       
Gonzalo Salgueiro (INSIPID WG co-chair) is the Document Shepherd.
Gonzalo Camarillo is the Responsible AD.


    (3) Briefly describe the review of this document that was
        performed by the Document Shepherd.  If this version of
        the document is not ready for publication, please explain
        why the document is being forwarded to the IESG.

No review was performed on this document by the document shepherd.
There is no desire to review the technical accuracy of the contents of
this document. The intent is to merely publish the legacy Session-ID
in its current form so that it can be referenced by the new INSIPID
Session-ID work that is replacing it, but needs to be backwards
compatible with it.
     
     
    (4) Does the document Shepherd have any concerns about the depth
        or breadth of the reviews that have been performed?

N/A (See previous question).


    (5) Do portions of the document need review from a particular
        or from broader perspective, e.g., security, operational
        complexity, AAA, DNS, DHCP, XML, or internationalization?
        If so, describe the review that took place.
No.


    (6) Describe any specific concerns or issues that the Document
        Shepherd has with this document that the Responsible Area Director
        and/or the IESG should be aware of? For example, perhaps he or
        she is uncomfortable with certain parts of the document,
        or has concerns whether there really is a need for it. In any
        event, if the interested community has discussed those issues
        and has indicated that it still wishes to advance the document,
        detail those concerns here.

There are no specific concerns or issues on the basis that this is
being published only to permanently document a legacy solution.


    (7) Has each author confirmed that any and all appropriate IPR
        disclosures required for full conformance with the provisions
        of BCP 78 and BCP 79 have already been filed. If not, explain why.

Yes.
 
 
    (8) Has an IPR disclosure been filed that references this document?
        If so, summarize any discussion and conclusion regarding the IPR
        disclosures.

No IPR disclosures are filed against this draft or on its predecessors
under different names. It is possible that disclosures filed against
https://datatracker.ietf.org/doc/draft-ietf-insipid-session-id-reqts/
or https://datatracker.ietf.org/doc/draft-kaplan-insipid-session-id/
could also apply to this document, but no declaration has been made to
that effect.


    (9) How solid is the consensus of the interested community behind this
        document? Does it represent the strong concurrence of a few
        individuals, with others being silent, or does the interested
        community as a whole understand and agree with it?

This document is not a milestone or a part of the INSIPID WG work
stream. Rather, it is being published with the sole intent of having a
permanent document that documents the widely deployed legacy
Session-ID solution that can be referenced by the current Session-ID
solution being developed in the INSIPID WG.  There is strong WG
consensus to publish this document in its current form so that it can
be referenced by current INSIPID WG documents.


    (10) Has anyone threatened an appeal or otherwise indicated extreme
        discontent? If so, please summarise the areas of conflict in
        separate email messages to the Responsible Area Director. (It 
        should be in a separate email because this questionnaire is
        publicly available.)

No.


    (11) Identify any ID nits the Document Shepherd has found in this
        document. (See http://www.ietf.org/tools/idnits/ and the
        Internet-Drafts Checklist). Boilerplate checks are not enough;
        this check needs to be thorough.

The document passes idnits 2.12.17. 

    (12) Describe how the document meets any required formal review
        criteria, such as the MIB Doctor, media type, and URI type
        reviews.

N/A


    (13) Have all references within this document been identified as
        either normative or informative?

Yes.

    (14) Are there normative references to documents that are not ready
        for advancement or are otherwise in an unclear state?
        If such normative references exist, what is the plan for their
        completion?

No.  All the normative references are for RFCs.  None are downward
references.


    (15) Are there downward normative references references (see RFC 3967)?
        If so, list these downward references to support the Area Director
        in the Last Call procedure.

No.


    (16) Will publication of this document change the status of any
        existing RFCs? Are those RFCs listed on the title page header,
        listed in the abstract, and discussed in the introduction?
        If the RFCs are not listed in the Abstract and Introduction,
        explain why, and point to the part of the document where the
        relationship of this document to the other RFCs is discussed.
        If this information is not in the document, explain why the
        interested community considers it unnecessary.

No RFC will be updated with the publication of this document.


    (17) Describe the Document Shepherd's review of the IANA considerations
        section, especially with regard to its consistency with the body
        of the document. Confirm that all protocol extensions that the
        document makes are associated with the appropriate reservations
        in IANA registries. Confirm that any referenced IANA registries
        have been clearly identified. Confirm that newly created IANA
        registries include a detailed specification of the initial
        contents for the registry, that allocations procedures for future
        registrations are defined, and a reasonable name for the new
        registry has been suggested (see RFC 5226).

The document registers a new header field name. The instructions for
performing this are clear. No other IANA registrations are required.

Note that the intent is that
https://datatracker.ietf.org/doc/draft-kaplan-insipid-session-id/ will
either modify or replace this registration when it is published, as
that document uses the same header field (in an appropriately extended
fashion).

    (18) List any new IANA registries that require Expert Review for
        future allocations. Provide any public guidance that the IESG
        would find useful in selecting the IANA Experts for these new
        registries.

N/A


    (19) Describe reviews and automated checks performed by to validate 
        sections of the document written in a formal language, such as
        XML code, BNF rules, MIB definitions, etc.

None.