Direct Routing and ForwardPAI, why the 'privacy' header is sent in all cases.


Hi

Lately I was working with direct routing and I was a bit surprised to see that Teams is sending the 'privacy' header in all cases when ForwardPAI is marked as $true. Other guidelines say to remove that header on the SBC. There are also similar issues with the header: P-Asserted-Identity

What kind of standards is Teams following with these, and have you thought to offer us better control over the SIP messages? E.g. in our case those PAI headers were not accepted by the operator.

2 Replies

@Petri X 

Once the Tenant Administrator sets the value of "ForwardPAI" to true when configuring an SBC, for example

Set-CsOnlinePSTNGateway -Identity sbc1.contoso.com -ForwardPAI $true

Direct Routing will always add Privacy:ID with P-Asserted-Identity according to section 7 of RFC 3325, Private Extensions to the Session Initiation Protocol (SIP) for Asserted Identity within Trusted Networks.

Section 7 of RFC 3325:

Parties who wish to request the removal of P-Asserted-Identity header fields before they are transmitted to an element that is not trusted may add the "id" privacy token defined in this document to the Privacy header field. The Privacy header field is defined in [6]. If this token is present, proxies MUST remove all the P-Asserted-Identity header fields before forwarding messages to elements that are not trusted. If the Privacy header field value is set to "none" then the proxy MUST NOT remove the P-Asserted-Identity header fields.

When a proxy is forwarding the request to an element that is not trusted and there is no Privacy header field, the proxy MAY include the P-Asserted-Identity header field or it MAY remove it. This decision is a policy matter of the Trust Domain and MUST be specified in Spec(T). It is RECOMMENDED that the P-Asserted-Identity header fields SHOULD NOT be removed unless local privacy policies prevent it, because removal may cause services based on Asserted Identity to fail.

By always including Privacy:ID, Microsoft relies on the customers to judge if the P-Asserted-Identity must or must not be stripped. If Privacy:ID is not included, then the SBC MUST send it to the other network regardless of whether the network is trusted or not.

Therefore, Microsoft always includes the Privacy:ID and lets customers judge if they want or don't want to strip the P-Asserted-Identity when sending it to other networks.
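
The RFC 3325 section 7 rule quoted in the reply above, written out as the decision an SBC or proxy makes at the trust boundary. This is an added example, not part of the original thread and not Microsoft or SBC vendor code; the sample INVITE, the function names and the strip_by_policy flag (standing in for the Spec(T) policy) are constructed for illustration.

```python
# Added example: RFC 3325 section 7 decision at a trust-domain boundary.
# Header folding and comma-combined header values are not handled here.

# Constructed sample of an INVITE carrying Privacy: id together with PAI.
SAMPLE_INVITE = (
    "INVITE sip:+15550100@sbc1.contoso.com SIP/2.0\r\n"
    "From: <sip:anonymous@anonymous.invalid>;tag=abc\r\n"
    "To: <sip:+15550100@sbc1.contoso.com>\r\n"
    "P-Asserted-Identity: <sip:+15550123@example.com>\r\n"
    "P-Asserted-Identity: <tel:+15550123>\r\n"
    "Privacy: id\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

def parse_headers(raw):
    """Return (name, value) pairs from the header section of a SIP message."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        pairs.append((name.strip(), value.strip()))
    return pairs

def privacy_tokens(headers):
    """Lower-cased priv-values from every Privacy header (';'-separated)."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "privacy":
            tokens.update(t.strip().lower() for t in value.split(";") if t.strip())
    return tokens

def forward(headers, next_hop_trusted, strip_by_policy=False):
    """Headers to send on; strip_by_policy stands in for the Spec(T) choice."""
    tokens = privacy_tokens(headers)
    if next_hop_trusted:
        strip = False                # still inside the trust domain
    elif "id" in tokens:
        strip = True                 # MUST remove towards an untrusted element
    elif "none" in tokens:
        strip = False                # MUST NOT remove
    else:
        strip = strip_by_policy      # no id/none token: local policy decides
    if not strip:
        return list(headers)
    return [(n, v) for n, v in headers if n.lower() != "p-asserted-identity"]

def pai_values(headers):
    """All P-Asserted-Identity values present in a header list."""
    return [v for n, v in headers if n.lower() == "p-asserted-identity"]
```
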

@Nikolay Muravlyannikov 

Could you link out to official Microsoft documentation on where you are getting this info from? Not the RFC details, the before and after though. 

Best,