idnits 2.17.00 (12 Aug 2021) /tmp/idnits29422/draft-ietf-stir-identity-header-errors-handling-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (19 April 2022) is 25 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Normative reference to a draft: ref. 'I-D.sparks-sipcore-multiple-reasons' Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Wendt 3 Internet-Draft Somos Inc. 4 Intended status: Standards Track 19 April 2022 5 Expires: 21 October 2022 7 Identity Header Error Handling 8 draft-ietf-stir-identity-header-errors-handling-01 10 Abstract 12 This document extends STIR and the Authenticated Identity Management 13 in the Session Initiation Protocol (SIP) error handling procedures to 14 include the mapping of verification failure reasons to STIR defined 15 4xx codes so the failure reason of an Identity header field can be 16 conveyed to the upstream authentication service when local policy 17 dictates that the call should continue in the presence of a 18 verification failure. This document also defines procedures that 19 enable enable a failure reason to be mapped to a specific Identity 20 header for scenarios that use multiple Identity header fields where 21 some may have errors and others may not and the handling of those 22 situations is defined. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on 21 October 2022. 41 Copyright Notice 43 Copyright (c) 2022 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 48 license-info) in effect on the date of publication of this document. 49 Please review these documents carefully, as they describe your rights 50 and restrictions with respect to this document. Code Components 51 extracted from this document must include Revised BSD License text as 52 described in Section 4.e of the Trust Legal Provisions and are 53 provided without warranty as described in the Revised BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3. Reason header field protocol "STIR" . . . . . . . . . . . . . 3 60 4. Use of provisional error responses to signal errors without 61 terminating the call . . . . . . . . . . . . . . . . . . 3 62 5. Handling of a verification error when there are multiple 63 Identity header fields . . . . . . . . . . . . . . . . . 3 64 6. Handling multiple verification errors . . . . . . . . . . . . 4 65 7. Removal of the Reason header field by Authentication 66 Service . . . . . . . . . . . . . . . . . . . . . . . . . 5 67 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 68 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 69 10. Security Considerations . . . . . . . . . . . . . . . . . . . 6 70 11. Normative References . . . . . . . . . . . . . . . . . . . . 6 71 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 73 1. Introduction 75 [RFC8224] in Section 6.2.2 discusses future specifications for 76 enhancement of how errors are communicated and the handling of 77 multiple Identity header fields. This specification provides some 78 additional mechanisms for solutions to address these problems. 80 In some deployments of STIR and specifically using SIP [RFC3261] as 81 defined by [RFC8224], one issue with the current error handling, 82 specifically with the use of the defined 4xx error responses, is that 83 when an error occurs with the verification of the Identity header 84 field or the PASSporT contained in the Identity header field and a 85 4xx response is returned, the call is then terminated. It may be the 86 case that the policy for handling errors dictates that calls should 87 continue even if there is a verification error, in the case of, for 88 example inadvertent errors, however the authentication service should 89 still be notified of the error so that corrective action can be 90 taken. This specification will discuss the use of the Reason header 91 field in subsequent provisional (1xx) responses in order to 92 accomplish this. 94 For the handling of multiple Identity header fields and the potential 95 situation that some of the Identity header fields in a call may pass 96 verification but others may have errors, this document provides a 97 mechanism to add an identifier so that the authentication service can 98 identify which Identity header field is being referred to in the case 99 of an error. 101 2. Terminology 103 The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 104 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 105 "OPTIONAL" in this document are to be interpreted as described in BCP 106 14 [RFC2119] [RFC8174] when, and only when, they appear in all 107 capitals, as shown here. 109 3. Reason header field protocol "STIR" 111 This specification defines a new Reason header field [RFC3326] 112 protocol "STIR" for STIR applications using SIP as defined in 113 [RFC8224]. This will differentiate current protocols, specifically 114 "SIP" which is currently in wide industry usage, from the [RFC8224] 115 defined error cause codes and the potential use of multiple Reason 116 header fields defined in [RFC3326] and updated in [upcoming document 117 TBD] allowing multiple Reason header fields with the same "STIR" 118 protocol string. The use of multiple Reason header field is 119 discussed in more detail later in the document. 121 4. Use of provisional error responses to signal errors without 122 terminating the call 124 In cases where local policy dictates that a call should continue 125 regardless of any verification errors that may have occured, 126 including 4XX errors described in [RFC8224] Section 6.2.2, then the 127 verification service SHOULD NOT send the 4XX as a response, but 128 rather include the error response code and reason phrase in a Reason 129 header field, defined in [RFC3326], in the next provisional or final 130 responses sent to the authentication service. 132 Example Reason header field: 134 Reason: STIR ;cause=436 ;text="Bad Identity Info" 136 5. Handling of a verification error when there are multiple Identity 137 header fields 139 In cases where a SIP message includes multiple Identity header fields 140 and one of those Identity header fields has an error, the 141 verification service SHOULD include the error response code and 142 reason phrase associated with the error in a Reason header field, 143 defined in [RFC3326], in the next provisional or final responses sent 144 to the authentication service. The reason cause in the Reason header 145 field SHOULD represent the error that occurred when verifying the 146 contents of the Identity header field. The association of a Reason 147 header field and error to a specific Identity header field is 148 accomplished by adding a "ppt" parameter containing the PASSporT that 149 generated the error to the Reason header field. The "ppt" parameter 150 for the Reason header field is optional, but RECOMMENDED, in 151 particular for cases that a SIP INVITE contains multiple Identity 152 header fields. The PASSporT can be included in full form, or 153 optionally in compact form, where only the signature of the PASSporT 154 is used to identify the reported Identity header field with an error. 156 Example Reason header field with full form PASSporT: 158 Reason: STIR ;cause=436 ;text="Bad Identity Info" ;ppt= \ 159 "eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1I \ 160 joiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJ \ 161 kZXN0Ijp7InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdC \ 162 I6IjE0NDMyMDgzNDUiLCJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0.r \ 163 q3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYs \ 164 ojNCpTzO3QfPOlckGaS6hEck7w" 166 Example Reason header field with compact form PASSporT: ~~~~~~~~~~~ 167 Reason: STIR ;cause=436 ;text="Bad Identity Info" ;ppt= \ 168 "..rq3pjT1akEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYs \ 169 ojNCpTzO3QfPOlckGaS6hEck7w" ~~~~~~~~~~~ 171 6. Handling multiple verification errors 173 If there are multiple Identity header field verification errors being 174 reported the verification service SHOULD include corresponding Reason 175 header fields with "ppt" parameters including full or compact form of 176 the PASSporT with cause and text parameters identifying each error. 177 As mentioned previously, the potential use of multiple Reason header 178 fields defined in [RFC3326] is updated in 179 [I-D.sparks-sipcore-multiple-reasons] allowing multiple Reason header 180 fields with the same protocol value, for this specification being 181 "STIR". 183 Example Reason header fields for two identity info errors: 185 Reason: STIR ;cause=436 ;text="Bad Identity Info" ;ppt= \ 186 "eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1I \ 187 joiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJ \ 188 kZXN0Ijp7InVyaSI6WyJzaXA6YWxpY2VAZXhhbXBsZS5jb20iXX0sImlhdC \ 189 I6IjE0NDMyMDgzNDUiLCJvcmlnIjp7InRuIjoiMTIxNTU1NTEyMTIifX0.r \ 190 q3pjT1hoRwakEGjHCnWSwUnshd0-zJ6F1VOgFWSjHBr8Qjpjlk-cpFYpFYs \ 191 ojNCpTzO3QfPOlckGaS6hEck7w" 193 Reason: STIR ;cause=436 ; text="Bad Identity Info" ;ppt= \ 194 "eyJhbGciOiJFUzI1NiIsInR5cCI6InBhc3Nwb3J0IiwieDV1I \ 195 joiaHR0cHM6Ly9jZXJ0LmV4YW1wbGUub3JnL3Bhc3Nwb3J0LmNlciJ9.eyJ \ 196 xpY2VAZXhhbXBsZS5jb20iXX0sImlhdCkZXN0Ijp7InVyaSI6WyJzaXA6YW \ 197 p7InRuIjoiMTIxNTU1NTEyMTIifX0I6IjE0NDMyMDgzNDUiLCJvcmlnIj.r \ 198 J6F1VOgFWSjHBr8Qjpjlk-cpFYpFYsq3pjT1hoRwakEGjHCnWSwUnshd0-z \ 199 ckGaS6hEck7wojNCpTzO3QfPOl" 201 7. Removal of the Reason header field by Authentication Service 203 When an Authentication Service [RFC8224] receives the Reason header 204 field with a PASSporT it generated as part of an Identity header 205 field and the authentication of a call, it should first follow local 206 policy to recognize and acknowledge the error (e.g. perform 207 operational actions like logging or alarming), but then MUST remove 208 the identified Reason header field to avoid the PASSporT information 209 from going upstream to a UAC or UAS that may not be authorized to see 210 claim information contained in the PASSporT for privacy or other 211 reasons. 213 8. IANA Considerations 215 This document requests the definition of a new protocol value (and 216 associated protocol cause) to be registered by the IANA into the 217 "Reason Protocols" sub-registry under 218 http://www.iana.org/assignments/sip-parameter as follows: 220 Protocol Value Protocol Cause Reference 221 -------------- --------------- ----------- 222 STIR Status code RFC 8224 224 9. Acknowledgements 226 Would like to thank David Hancock for help to identify these error 227 scenarios and Jon Peterson, Roman Shpount, Robert Sparks and STIR 228 working group for helpful feedback and discussion. 230 10. Security Considerations 232 This specification discusses the use of a PASSporT as an identifier 233 for cases where there is multiple identity header errors occuring as 234 part of the Reason header field response. For some call scenarios 235 (e.g. diversion based call flows) the signer of the PASSporT(s) may 236 not be the first hop initiator of the call. In those cases, there 237 may be some security or privacy concerns associated with PASSporT 238 information that is passed beyond the authentication service that 239 originally signed the PASSporT(s) in the resulting error Reason 240 header field. This specification states the authentication service 241 MUST remove the Reason header field with the PASSporT to protect the 242 security (e.g. use of potentially still fresh PASSporT for replay 243 attacks) and privacy of any potential information that could be 244 passed beyond the authentication service response back in the 245 direction of the call initiator. This is just to reinforce this MUST 246 as a security consideration that should be followed. 248 11. Normative References 250 [I-D.sparks-sipcore-multiple-reasons] 251 Sparks, R., "Multiple SIP Reason Header Field Values", 252 Work in Progress, Internet-Draft, draft-sparks-sipcore- 253 multiple-reasons-00, 12 November 2021, 254 . 257 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 258 Requirement Levels", BCP 14, RFC 2119, 259 DOI 10.17487/RFC2119, March 1997, 260 . 262 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 263 A., Peterson, J., Sparks, R., Handley, M., and E. 264 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 265 DOI 10.17487/RFC3261, June 2002, 266 . 268 [RFC3326] Schulzrinne, H., Oran, D., and G. Camarillo, "The Reason 269 Header Field for the Session Initiation Protocol (SIP)", 270 RFC 3326, DOI 10.17487/RFC3326, December 2002, 271 . 273 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 274 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 275 May 2017, . 277 [RFC8224] Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, 278 "Authenticated Identity Management in the Session 279 Initiation Protocol (SIP)", RFC 8224, 280 DOI 10.17487/RFC8224, February 2018, 281 . 283 Author's Address 285 Chris Wendt 286 Somos Inc. 287 Email: chris-ietf@chriswendt.net