Last Call Review of draft-ietf-insipid-session-id-24

Request Review of draft-ietf-insipid-session-id
Requested rev. no specific revision (document currently at 27)
Type Last Call Review
Team General Area Review Team (Gen-ART) (genart)
Deadline 2016-08-04
Requested 2016-07-14
Authors Paul Jones, Gonzalo Salgueiro, Chris Pearce, Paul Giralt
Draft last updated 2016-08-04
Completed reviews Genart Last Call review of -24 by Elwyn Davies (diff)
Genart Telechat review of -26 by Elwyn Davies (diff)
Assignment Reviewer Elwyn Davies 
State Completed
Review review-ietf-insipid-session-id-24-genart-lc-davies-2016-08-04
Reviewed rev. 24 (document currently at 27)
Review result Almost Ready
Review completed: 2016-08-04


    I am the assigned Gen-ART reviewer for this draft. The General Area

    Review Team (Gen-ART) reviews all IETF documents being processed

    by the IESG for the IETF Chair.  Please treat these comments just

    like any other last call comments.

    For more information, please see the FAQ at




    Elwyn Davies

    Review Date:

    IETF LC End Date:

    IESG Telechat date: (if known)

    Almost ready.  I think it would be worth emphasising the
    interoperability with H.323 more than is done at present.  I am also
    not sure if Version 4 UUIDs are actually allowed - there was a
    previous query on UUID types and I am not sure if the Version 4
    mention was intended to be removed.  Caveat: I haven't checked the
    fine details of the examples but have looked them over.  

    Major issues:


    Minor issues:

    Interoperability with H.323

    The requirements for the Session Identifier [RFC7206] Section 4.2
    stresses interoperability with H.323.  This is mentioned in passing
    in s1 and in a bit more detail in s3.  I think it would be worth
    mentioning this somewhat more prominently and  that the relevant
    interoperability will potentially be achieved since the format of
    the Session-ID in H.460.27 appears to match the one defined in this
    draft. To this end, I suggest:

    - Mentioning the interoperability in the abstract and stating the
    ITU rec number - this effectively indicates its 'use' in H.323 per
    the end of para 1 in the abstract.

    - Say a bit more about about interoperability in s1, mention
    H.460.27 and give it as a reference there also.

    GIven that H.323 now supports the use of Session Identifiers, it
    might be useful to indicate how Session-IDs need to be handled at
    SBCs [Caveat: I am not a SIP expert and this may be trivial, but I
    think something probably needs to be mentioned.]

    s4.1: Para 2 mentions the possible use of Version 4 or Version 5
    UUIDs.  The last para constrains stateless intermediaries to using
    Version 5 UUIDs 'to ensure consistent generation'.    I am confused
    about whether this consistency would be maintained if endpoints
    and/or stateful intermediaries generated Version 4 UUIDs, or whether
    in fact all UUIDs should be Version 5?

    s8, bullet 5, s6 , s7 and s9:  If an endpoint is involved in a
    multi-point conference has to send a CANCEL message, which remote
    UUID should it be using?  The one that came back with the original
    INVITE response or the one used to identify the conference that is
    sent in the re-INVITEs from the conference focus? (e.g., in s10.4,
    for Alice M1 or M'). [Note lack of SIP expertise:  I am not sure if
    there are circumstances in which this would arise.]

    Nits/editorial comments: 

    s1, paras 1 and 3; s2, last para : s/like/such as/ (total of 3

    s2:  There is no definition of the term 'communication session' in
    the draft.  A definition is given in s3.2 of RFC 7206 and H.460.27

3.2.1 communication session: A communication
      session, or simply ''session'', refers to a call or series of
      calls initiated or received by an endpoint for which the endpoint
      utilizes the same universally unique identifier (UUID) value in
      call signalling messages. From a calling user's perspective, this
      would be all call signalling messages from the time the user
      initiates a call until the time the call is terminated. From the
      called user's perspective, this would be all call signalling
      messages from first message received by the user's terminal until
      the call is terminated.

    In the light of the interoperability question, should the definition
    say something about SBCs? And how the session identifier is
    generated/interpreted in a 'session' that extends across an
    interconnected SIP/H.323 network?  Would SBC be an 'intermediary'
    within the meaning of the definition in s2?

    s2, last para:  The expansion of the B2BUA acronym occurs on the
    second instance rather than the first that is a couple of lines

    s4.2, end of para 2 and in many places thereafter:  The 'null UUID'
    is known as the 'nil UUID' in s4.1.7 of RFC 4122.  For consistency
    s/null/nil/g.  A reference to s4.1.7 of RFC 4122 should be added to
    the first instance in s4.2. 

    s5: Given that RFC 7329 will be obsoleted by this document, it would
    be desirable to copy the gist of the  statements in the first para
    of s7 of RFC 7329:

   This document adds the "Session-ID" token to the definition of the
   element "message-header" in the SIP message grammar.  The Session-ID
   header is a single-instance header.

    Something like an additional para at the beginning of s5:

       This document replaces the definition of the "Session-ID" token
    that was added to the definition of the

       element "message-header" in the SIP message grammar by
    [RFC7329].  The Session-ID

       header is a single-instance header.

    s5, para 3:


    The UUID values for each endpoint are inserted into the "Session-ID"

       header field of all transmitted SIP messages.

    This is potentially confusing when it comes to conference calls as
    there may be more than two endpoints involved in a communication
    session if it is a multi-point conference.  Maybe 


    Any SIP message associated with a communication session has the
    UUIDs for the session created by the message source and destination
    endpoints inserted into the "Session-ID header field of the
    transmitted SIP message.


    s5, last para:

   The Session-ID header field value is technically case-INSENSITIVE,
   but only lowercase characters are allowed in the sess-uuid
   components.  Receiving entities MUST treat sess-uuid components as
   case-insensitive and not produce an error if an uppercase hexadecimal
   character is received.

    I know this is partly carried over from RFC 7329, but, as currently
    drafted, it seems pointless.  Can we not just have:


sess-uuid = 32(DIGIT / %x41-46 / %x61-66) ;32 chars of

    If the reasoning is that sending upper case to 'old' implementations
    will break them, then it would be better to be explicit about it.
    Perhaps, replace the para with:


To allow interoperation with implementations conforming to

         pre-standard specification in [RFC7329], implementations SHOULD

         only lower case letters ("a" - "f") in the sess-uuid field.

    s6, para 2: There could be some minor confusion as to whether the
    'no change of UUID' rule is broken when a conference focus (per s9
    and the examples in s10) changes its UUID after processing the
    initial INVITE and issuing a re-INVITE with a different UUID
    associated with the conference.  Some words covering (I guess) the
    idea that the conference itself is a different communication session
    from the setup request(s) would be useful.  See also the comments on
    s10.4 in Minor Issues above.

    s6 and s7, next to last paras:  These are near duplicates.  They
    could be replaced by a single instance at the end of s5, but no big

    s7, para 12: Expand 3PCC on first use.

    s7, para 12: s/locally-frabricated/locally-fabricated/

    s8, bullet 5: s/487/Request Terminated (487 - see Section 15.1.2 of

    s10.1, start of expansion of SIP messages:

    I think there is a missing 'example.'...



sip:bob at




sip:bob at



    s11: Effectively there is another new/old requirement: the sess-uuid
    field has to use lower case letters (probably).

    s12, para 3:

    I think 'inherit' is not what you mean here...


    Because of the inherit property that Session Identifiers are



    Because of the inherent property that Session Identifiers are



    s13.2: As of this moment, no header parameters have been registered
    for the old RFC 7329 Session-ID header.  I don't know if any
    proprietary, non-documented parameters are around given the status
    of RFC 7329, but would it be worth explicitly banning the
    registration of any new parameters under the old scheme - and maybe
    explicitly not allowing any other parameters than 'remote'  for the
    new version, to avoid issues of privacy etc. If not it might be
    necessary to copy over some of the words about the nature of
    parameters in Session-ID headers and what B2BUAs might have to do
    from the security considerations of RFC 7329.