[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: connected-identity before 200 Ok

To: Dan Wing <dwing@xxxxxxxxx>, sip@xxxxxxxx
Subject: RE: connected-identity before 200 Ok
From: "Elwell, John" <john.elwell@xxxxxxxxxxx>
Date: Mon, 19 Feb 2007 09:23:54 +0000
Cc: ietf-rtpsec@xxxxxxx, Rob Raymond <rob@xxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx

Dan,

The important thing is that there be evidence that the 18x has reached the
calling UA before sending an UPDATE request to the calling UA. Otherwise the
UPDATE request might receive a 481 response. So I suppose the called UA
could send an UPDATE request and be prepared to repeat it (and the 18x
response) if a 481 response is received. This would be another example of
"poor man's PRACK". A problem could arise if the calling UA holds state to
say whether a 18x has been received reliably and rejects an UPDATE request
if not - I guess this depends on how it is implemented in practice. Also a
calling UA that does not implement PRACK might also be unable to accept
UPDATE before answer, but the option tag that indicates support for UPDATE
will not tell you this.

Another issue is whether the presence or absence of SDP offer in an UPDATE
request has impact on when it can/cannot be sent. If it contains an SDP
offer, obviously it has to obey the strict offer-answer rules, so clearly
has to be sent after any previous offer-answer sequence has completed.
Without waiting for the PRACK it could be dangerous. Consider the following
slightly revised sequence:

    Alice                      Bob
      |                         |
  1.  |--Invite with SDP offer->|
  1a  |<--18x without SDP answer|
  2.  |x--183 with SDP answer---|  (183 is unreliable)
  3.  |<--UPDATE with SDP-------|
  4.  |---Ack Update----------->|

The first 18x is send unreliably and established the early dialog. The
second 183 containing SDP answer is lost. The UPDATE request will not
receive a 481 response (because the early dialog is already established) but
the SDP offer will be illegal. It is unclear what response Alice would give.
So in this particular case it is a lot safer to wait for the PRACK.
Therefore I think the 

However, if the UPDATE request does NOT contain an SDP offer (which for
connected-identity purposes it doesn't need to), the following are
questionable:
- the need to wait for PRACK if the 18x is sent reliably;
- the need to send the 18x reliably
- the whether the UPDATE request can be sent even if the only 18x sent does
not contain SDP answer;
- whether an UPDATE request containing an offer for early session
disposition can be sent before the normal answer has been sent or before it
has been acknowledged through PRACK.

I don't think these points are covered by RFC3311.

John

> -----Original Message-----
> From: Dan Wing [mailto:dwing@xxxxxxxxx] 
> Sent: 17 February 2007 00:49
> To: sip@xxxxxxxx
> Cc: ietf-rtpsec@xxxxxxx; Elwell, John; Rob Raymond
> Subject: connected-identity before 200 Ok
> 
> This message is a result of some offline discussions with Rob 
> and ample
> caffeine consumption on my part.  The concern is if PRACK is 
> necessary in
> order to use connected-identity before the call is answered 
> in order to
> avoid some of the attacks Robin brought up on RTPSEC.
> 
> 
> Reading RFC3311 (SIP UPDATE), it says:
> 
>       o  If the UPDATE is being sent before completion of the initial
>          INVITE transaction, and the initial INVITE contained 
> an offer,
>          the UPDATE can contain an offer if the callee generated an
>          answer in a reliable provisional response, and the caller has
>          received answers to any other offers it sent in 
> either PRACK or
>          UPDATE, and has generated answers for any offers it 
> received in
>          an UPDATE from the callee.
> 
> draft-ietf-sip-connected-identity seems to say you need to 
> use PRACK if you
> want connected-identity before the 200 Ok:
> 
>    After an early dialog has been formed, if the "from-change" option
>    tag has been received in a Supported header field the UA 
> MAY issue an
>    UPDATE request (RFC 3311 [4]) on the same dialog, subject to having
>    sent a reliable provisional response to the INVITE request 
> and having
>    received and responded to a PRACK request. 
> 
> Which I interpret to mean that the following is illegal, even 
> if the SDP in
> message 2 and 3 are identical:  
> 
>     Alice                      Bob
>       |                         |
>   1.  |--Invite with SDP offer->|
>   2.  |<--183 with SDP answer---|  (183 is unreliable)
>   3.  |<--UPDATE with SDP-------|
>   4.  |---Ack Update----------->|
> 
> Please confirm that the above call flow is disallowed per the rules of
> RFC3311 and per the rules of draft-ietf-sip-connected-identity.
> 
> 
> Question:  would ICE's "poor-man's PRACK" (as I call it) be 
> sufficient to
> meet the needs of RFC3311 and -sip-connected-identity for a reliable
> provisional response?  ICE's "poor-man's PRACK" is described in
> <http://tools.ietf.org/html/draft-ietf-mmusic-ice-13#section-1
> 2.1>, around
> the middle of section 12.1.
> 
> -d
>

Follow-Ups:
- RE: [Sip] RE: connected-identity before 200 Ok
  - From: Dan Wing

Prev by Date: connected-identity before 200 Ok
Next by Date: RE: [Sip] RE: connected-identity before 200 Ok
Previous by thread: connected-identity before 200 Ok
Next by thread: RE: [Sip] RE: connected-identity before 200 Ok
Index(es):
- Date
- Thread