Thread: Re: WGLC: draft-ietf-sip-connect-reuse-08.txt




Re: WGLC: draft-ietf-sip-connect-reuse-08.txt
2007-11-23 10:20:39

Vijay K. Gurbani wrote:
> Paul Kyzivat wrote:
>> I think much less should be said.
>>
>> Don't say that A must reject requests sent to it over the connection.
>> But also don't specify, or even imply, a mechanism by which B might
>> decide it is ok to send requests on this connection.
>
> Any way you cut, slice, and dice this thing, TCP connection reuse
> in the backwards direction is bad.  Note that it does not work with
> virtual servers at all.
>
> Unfortunately, people are using it and as such something ought to
> be said about it in the draft.  I agree that as the less said, the
> better.  I also agree that putting the "alias" parameter in the
> Via request for TCP.

There seems to be something wrong with the last sentence. Did you forget
a word or two?

> Going back to our scenario of A opening a connection to B, it
> probably suffices to massage the text you proposed in an earlier
> email of this thread:
>
>    B MUST NOT reuse this connection for requests to the
>    supposed party at the other end UNLESS it has some way
>    of verifying the identity of that party to the same level
>    of assurance as it would have by doing the DNS lookup and
>    establishing its own connection. For instance, if a DNS
>    lookup resolved to the same address and port as the source
>    port of the inbound connection then that ought to be good
>    enough.

I was thinking about that too. That "for instance" *seems* reasonable to
me, but I would like to hear what others think.

> This still does not solve the problem of reusing TCP connections
> for virtual servers; i.e., B does not know that A's physical
> IP address is being used by multiple virtual domains.

I don't understand what point you are making here.

	Thanks,
	Paul

> Again, I
> can just point this out for the TCP and SCTP transport in
> the virtual server section more emphatically and leave it at that.
>
> - vijay


_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementorscs.columbia.edu for questions on current sip
Use sippingietf.org for new developments on the application of sip

Re: WGLC: draft-ietf-sip-connect-reuse-08.txt
United States
2007-11-23 14:09:47
Paul Kyzivat wrote:
>> Unfortunately, people are using it and as such something ought to
>> be said about it in the draft.  I agree that as the less said, the
>> better.  I also agree that putting the "alias" parameter in the
>> Via request for TCP.
>
> There seems to be something wrong with the last sentence. Did you forget
> a word or two?

Yes, sorry; I meant to say that "I also agree that putting the "alias"
parameter in the Via request for TCP is not a good idea."

>> This still does not solve the problem of reusing TCP connections
>> for virtual servers; i.e., B does not know that A's physical
>> IP address is being used by multiple virtual domains.
> 
> I don't understand what point you are making here.

Consider name-based virtual hosting in SIP, where the same IP
address supports multiple domains.  red.com and blue.com are hosted
on a physical server that uses one IP address.  Now, when red.com
makes a TCP connection to another domain -- example.com -- then
example.com may want to use this TCP connection to send requests
to blue.com (because blue.com's IP address matches red.com's).

Same problem we had in TLS, except the way we solved it in TLS
was to associate the identity picked up from the certificate with
the connection.

Thanks,

- vijay
-- 
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
Email: vkg{alcatel-lucent.com,bell-labs.com,acm.org}
WWW:   http://www.alcatel-lucent.com/bell-labs
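
The virtual-hosting case discussed in this thread, as an added Python example that is not part of the original messages or of the draft: it compares the address-and-port check from the proposed "for instance" text with reuse keyed on the identity taken from a TLS certificate. All names, addresses and the DNS table are constructed, and it assumes red.com connects from its advertised port so that the address check can match at all.

```python
from dataclasses import dataclass

# Constructed DNS view held by example.com (B). red.com and blue.com are
# name-based virtual hosts sharing one address and port.
DNS = {
    "red.com": {("192.0.2.10", 5060)},
    "blue.com": {("192.0.2.10", 5060)},
    "green.com": {("198.51.100.7", 5060)},
}

@dataclass
class InboundConn:
    peer: tuple          # (address, source port) as seen by B
    opened_by: str       # domain that really opened it; B cannot see this over plain TCP
    cert_identities: frozenset = frozenset()  # names from the TLS certificate, empty for TCP

def reuse_ok_by_address(conn, target, dns=DNS):
    """Address check: target resolves to the connection's source address and port."""
    return conn.peer in dns.get(target, set())

def reuse_ok_by_identity(conn, target):
    """TLS approach: reuse only for an identity bound to the connection by its certificate."""
    return target in conn.cert_identities

def misdirected_targets(conn, targets, dns=DNS):
    """Domains the address check admits although a different domain opened the connection."""
    return sorted(t for t in targets
                  if reuse_ok_by_address(conn, t, dns) and t != conn.opened_by)

# Constructed connections: the same peer, once over TCP and once over TLS.
tcp_from_red = InboundConn(("192.0.2.10", 5060), "red.com")
tls_from_red = InboundConn(("192.0.2.10", 5060), "red.com", frozenset({"red.com"}))

if __name__ == "__main__":
    for target in DNS:
        print(f"{target:10} address-check={reuse_ok_by_address(tcp_from_red, target)!s:5} "
              f"identity-check={reuse_ok_by_identity(tls_from_red, target)}")
    print("admitted by address only:", misdirected_targets(tcp_from_red, DNS))
```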

