<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
margin-bottom:.0001pt;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style>
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Just to wrap this up and to thank those who responded…<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">IQNT’s Sonus (Ribbon) do not support the DATE header. Ribbon plans to fix it soon. It is being stripped out.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Meta already loaded an efix for us. I think I typed out the issue wrong.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">On verification the IAT has the time. The INVITE did not have the DATE. Meta’s Perimeta JSON schema choked due to that.<o:p></o:p></p>
<p class="MsoNormal">They will now use the SBC’s date/time to do a comparison if the DATE is not there. Probably check to see if it is within a certain time frame. After all the DATE and iat may not match when the INVITE comes in when everything is there to
process.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">This should solve the problem and allow us to keep moving along with this.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Matt<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> VoiceOps &lt;voiceops-bounces@voiceops.org&gt; <b>On Behalf Of
</b>John S. Robinson<br>
<b>Sent:</b> Thursday, July 1, 2021 3:31 PM<br>
<b>To:</b> voiceops@voiceops.org<br>
<b>Subject:</b> Re: [VoiceOps] question about stir/shaken - iat and DATE header<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-family:&quot;Times New Roman&quot;,serif">Date header has been part of
</span><a href="https://datatracker.ietf.org/doc/html/rfc3261.html"><span style="font-family:&quot;Times New Roman&quot;,serif">RFC-3261 SIP</span></a><span style="font-family:&quot;Times New Roman&quot;,serif"> for 19 years now, but was not used all that much. IAT and Date
are both part of the specs and more recent RFCs that define stir-shaken. So the seldom-used but long time defined Date: header is now required. Furthermore, IAT is part of the formal JSON in the Identity header and must be present, or the claims are
not valid. <br>
<br>
Normally, IAT would restate the Date with Unix Epoch date. IAT is signed, but the Date header is not signed.
<br>
<br>
When a call is received and Verified, the plain-text signed JSON is validated. If verified IAT is stale, the call is rejected. True, someone could mess with Date header along the route or SIP From header or PAI. And for that matter, someone could
mess with the JSON attributes that are signed. But then the verification would fail, and the call should not be delivered. That's part of the beauty of the system.
<br>
<br>
Best regards,</span><o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="font-family:&quot;Times New Roman&quot;,serif">John</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On 7/1/2021 12:29, Joseph Jackson wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><span style="color:#44546A">I’ve heard that TNSi also counts on the date header being present.
</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#44546A"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#44546A">So far we don’t see a lot of people passing tokens with the date header.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#44546A"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#44546A"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="color:#44546A"> </span><o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,sans-serif">From:</span></b><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,sans-serif"> VoiceOps [</span><a href="mailto:voiceops-bounces@voiceops.org"><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,sans-serif">mailto:voiceops-bounces@voiceops.org</span></a><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,sans-serif">]
<b>On Behalf Of </b>Matthew Yaklin<br>
<b>Sent:</b> Thursday, July 01, 2021 12:25 PM<br>
<b>To:</b> </span><a href="mailto:voiceops@voiceops.org"><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,sans-serif">voiceops@voiceops.org</span></a><span style="font-size:10.0pt;font-family:&quot;Tahoma&quot;,sans-serif"><br>
<b>Subject:</b> [VoiceOps] question about stir/shaken - iat and DATE header</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">All,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Pretty simple question here. When you do a verify request are you filling in the iat with your SBC’s current date/time or using the DATE information from the INVITE?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">With Neustar the iat is currently optional. IQNT is basically removing the DATE header in a test we are doing by sending them a call and getting it back in a different region.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">It really does not make sense to me to use the DATE header because it could be messed with by anyone in the path. It is untrusted. The iat is trusted so when you verify it makes more sense to use the current date/time of your SBC because
the limitation is 60 seconds from AS to VS.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">I imagine Neustar made it optional because their own system has some intelligence when it comes to this expiration of the AS.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">On top of that Metaswitch is not prepared for this situation. They are basically counting on that DATE header to be there in their recommended Perimeta SBC config. They plan to fix it by using the current date/time.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Just looking for how others are handling this. Just leaving it blank for now?<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Matt<o:p></o:p></p>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>VoiceOps mailing list<o:p></o:p></pre>
<pre><a href="mailto:VoiceOps@voiceops.org">VoiceOps@voiceops.org</a><o:p></o:p></pre>
<pre><a href="https://puck.nether.net/mailman/listinfo/voiceops">https://puck.nether.net/mailman/listinfo/voiceops</a><o:p></o:p></pre>
</blockquote>
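<p class="MsoNormal">The freshness check discussed in this thread, as an added example that is not part of the original messages and is not any vendor's code: the signed iat is compared with the verifier's own clock, and the unsigned Date header is used only as a consistency check when it is present. The 60-second window is the figure quoted in the thread; the function names, the sample token, the telephone numbers and the certificate URL are constructed for illustration, and signature verification is assumed to happen separately.</p>
<pre>
```python
import base64
import json
from datetime import timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = 60  # seconds; the AS-to-VS limit quoted in the thread


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def passport_iat(identity):
    """Read iat from the PASSporT payload; only trust it after the signature verifies."""
    payload = identity.split(";", 1)[0].strip().split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return int(json.loads(base64.urlsafe_b64decode(payload))["iat"])


def check_freshness(headers, now):
    """headers: SIP header name -> value; now: epoch seconds on the verifier's clock."""
    iat = passport_iat(headers["Identity"])
    if abs(now - iat) > MAX_SKEW:
        return False, "stale iat"  # an edited Date header cannot refresh this
    date = headers.get("Date")
    if date is None:  # stripped in transit: fall back to the local clock alone
        return True, "Date missing, iat checked against local clock"
    parsed = parsedate_to_datetime(date)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    if abs(int(parsed.timestamp()) - iat) > MAX_SKEW:
        return False, "Date and iat disagree"
    return True, "iat fresh, Date consistent"


def sample_invite(iat, date=None):
    """Constructed sample headers: placeholder signature, made-up numbers and cert URL."""
    head = {"alg": "ES256", "ppt": "shaken", "typ": "passport",
            "x5u": "https://cert.example.org/sp.pem"}
    body = {"attest": "A", "dest": {"tn": ["12025550123"]}, "iat": iat,
            "orig": {"tn": "12025550100"}, "origid": "constructed-origid"}
    token = ".".join(b64url(json.dumps(p).encode()) for p in (head, body))
    headers = {"Identity": token + ".PLACEHOLDER-SIG;alg=ES256;ppt=shaken"}
    if date is not None:
        headers["Date"] = date
    return headers
```
</pre>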
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>