]> Somos

chris-ietf@chriswendt.net

ART STIR Working Group Identity This document extends STIR and the Authenticated Identity Management in the Session Initiation Protocol (SIP) error handling procedures to include the mapping of verification failure reasons to STIR defined 4xx codes so the failure reason of an Identity header field can be conveyed to the upstream authentication service when local policy dictates that the call should continue in the presence of a verification failure. This document also defines procedures that enable a failure reason to be mapped to a specific Identity header for scenarios that use multiple Identity header fields where some may have errors and others may not and the handling of those situations is defined.

Introduction in Section 6.2.2 discusses future specifications for enhancement of how errors are communicated and the handling of multiple Identity header fields. This specification provides some additional mechanisms for solutions to address these problems. In some deployments of STIR and specifically using SIP as defined by , one issue with the current error handling, specifically with the use of the defined 4xx error responses, is that when an error occurs with the verification of the Identity header field or the PASSporT contained in the Identity header field and a 4xx response is returned, the call is then terminated. It may be the case that the policy for handling errors dictates that calls should continue even if there is a verification error, in the case of, for example inadvertent errors, however the authentication service should still be notified of the error so that corrective action can be taken. This specification will discuss the use of the Reason header field in subsequent provisional (1xx) responses in order to accomplish this. For the handling of multiple Identity header fields and the potential situation that some of the Identity header fields in a call may pass verification but others may have errors, this document provides a mechanism to add an identifier so that the authentication service can identify which Identity header field is being referred to in the case of an error.

Terminology The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Reason header field protocol "STIR" This document defines a new Reason header field protocol "STIR" for STIR applications using SIP as defined in . The use of "STIR" as a reason header field protocol with the defined error cause codes allows the use of multiple Reason header fields defined in and updated in . Any SIP Response message, with the exception of a 100 (Trying), MAY contain one or more Reason header fields with a STIR related cause code defined in or future specifications. The use of multiple Reason header field is discussed in more detail later in the document.

Use of provisional error responses to signal errors without terminating the call In cases where local policy dictates that a call should continue regardless of any verification errors that may have occured, including 4XX errors described in Section 6.2.2, then the verification service SHOULD NOT send the 4XX as a response, but rather include the error response code and reason phrase in a Reason header field, defined in , in the next provisional or final responses sent to the authentication service. Example Reason header field:

Handling of a verification error when there are multiple Identity header fields In cases where a SIP message includes multiple Identity header fields and one of those Identity header fields has an error, the verification service SHOULD include the error response code and reason phrase associated with the error in a Reason header field, defined in , in the next provisional or final responses sent to the authentication service. The reason cause in the Reason header field SHOULD represent the error that occurred when verifying the contents of the Identity header field. The association of a Reason header field and error to a specific Identity header field is accomplished by adding a PASSporT identifier, "ppi", parameter containing the PASSporT string as an identifier for the identity header and corresponding PASSporT that generated the error to the Reason header field. The "ppi" parameter for the Reason header field is optional, but RECOMMENDED, in particular for cases that a SIP INVITE contains multiple Identity header fields. As implied and defined in , error codes associated with STIR targeted at authentication services that produced a specific identity header represent a single error occurring with the verification and processing of that identity header. Therefore the association of a "ppi" parameter with a Reason header using "STIR" protocol MUST only identify a single cause code in the context of a call dialog defined in or in future documents defining STIR related errors. The PASSporT can be included in full form or in compact form, where only the signature of the PASSporT is included with two periods as a prefix as defined in Section 7 to identify the reported Identity header field with an error. Compact form is the recommended form as full form may include information that could have privacy or security implications in some call scenarios as discussed in . Example Reason header field with full form PASSporT:

Example Reason header field with compact form PASSporT:

Handling multiple verification errors If there are multiple Identity header field verification errors being reported the verification service SHOULD include corresponding Reason header fields with "ppi" parameters including full or compact form of the PASSporT with cause and text parameters identifying each error. As mentioned previously, the potential use of multiple Reason header fields defined in is updated in allowing multiple Reason header fields with the same protocol value, for this specification being "STIR". Example Reason header fields for two identity info errors:

Removal of the Reason header field by Authentication Service When an Authentication Service receives the Reason header field with a PASSporT it generated as part of an Identity header field and the authentication of a call, it should first follow local policy to recognize and acknowledge the error (e.g. perform operational actions like logging or alarming), but then MUST remove the identified Reason header field to avoid the PASSporT information from going upstream to a UAC or UAS that may not be authorized to see claim information contained in the PASSporT for privacy or other reasons.

IANA Considerations This document requests the definition of a new protocol value (and associated protocol cause) to be registered by the IANA into the "Reason Protocols" sub-registry under http://www.iana.org/assignments/sip-parameters as follows:

This document also requests the definition of a new header field parameter name to be registered by IANA into the Header Field Parameters and Parameter Values sub-registry under https://www.iana.org/assignments/sip-parameters as follows:

Security Considerations This specification discusses the use of a PASSporT as an identifier for cases where there is multiple identity header errors occuring as part of the Reason header field response. For some call scenarios (e.g. diversion based call flows) the signer of the PASSporT(s) may not be the first hop initiator of the call. In those cases, there may be some security or privacy concerns associated with PASSporT information that is passed beyond the authentication service that originally signed the PASSporT(s) in the resulting error Reason header field. This specification states the authentication service MUST remove the Reason header field with the PASSporT to protect the security (e.g. use of potentially still fresh PASSporT for replay attacks) and privacy of any potential information that could be passed beyond the authentication service response back in the direction of the call initiator. While this specification allows for both full and compact form of the PASSporT to be used as the error identifier, use of the compact form can avoid many of the security and privacy concerns.

The SIP Reason Header Field as defined in RFC 3326 allows only one Reason value per protocol value. Experience with more recently defined protocols shows it is useful to allow multiple values with the same protocol value. This update to RFC 3326 allows multiple values for an indicated registered protocol when that protocol defines what the presence of multiple values means. This document describes Session Initiation Protocol (SIP), an application-layer control (signaling) protocol for creating, modifying, and terminating sessions with one or more participants. These sessions include Internet telephone calls, multimedia distribution, and multimedia conferences. [STANDARDS-TRACK] The REGISTER function is used in a Session Initiation Protocol (SIP) system primarily to associate a temporary contact address with an address-of-record. This contact is generally in the form of a Uniform Resource Identifier (URI), such as Contact: <sip:alice@pc33.atlanta.com> and is generally dynamic and associated with the IP address or hostname of the SIP User Agent (UA). The problem is that network topology may have one or more SIP proxies between the UA and the registrar, such that any request traveling from the user's home network to the registered UA must traverse these proxies. The REGISTER method does not give us a mechanism to discover and record this sequence of proxies in the registrar for future use. This document defines an extension header field, "Path" which provides such a mechanism. [STANDARDS-TRACK] The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating the identity and for conveying a reference to the credentials of the signer.This document obsoletes RFC 4474. This document defines a method for creating and validating a token that cryptographically verifies an originating identity or, more generally, a URI or telephone number representing the originator of personal communications. The Personal Assertion Token, PASSporT, is cryptographically signed to protect the integrity of the identity of the originator and to verify the assertion of the identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to the destination party over an insecure channel. PASSporT is particularly useful for many personal-communications applications over IP networks and other multi-hop interconnection scenarios where the originating and destination parties may not have a direct trusted relationship. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.

Acknowledgements Would like to thank David Hancock for help to identify these error scenarios and Jon Peterson, Roman Shpount, Robert Sparks and STIR working group for helpful feedback and discussion.