Re: [AVT] Last Call: <draft-ietf-avt-rapid-acquisition-for-rtp-15.txt> (Unicast-Based Rapid Acquisition of Multicast RTP Sessions) to Proposed Standard

[Magnus Westerlund <magnus.westerlund@ericsson.com>]

Ali C. Begen (abegen) skrev 2010-10-04 14:57:
> Hi Magnus,
> 
>>>> 1. Applicability statement: I think this document should have an
>>>> applicability statement making clear that this is only for engineered
>>>> environments due to the traffic bursts.
>>>
>>> We already put a lot of effort to explain the precautions for using this in BE networks. I don't think there is a strong
>> argument here that this will only work in engineered networks. So, personally I don't think we should put such a statement.
>>
>> I can agree that it works in certain type of best-effort networks.
>> However, I don't think at all it is suitable for any best-effort
>> network. However, as this is mostly bound by the requirement to also
>> support SSM in the same network the deployment cases are usually meeting
>> the assumptions about network capacity. However, if one runs an
>> multicast overlay and a client starts up with not congestion or network
> 
> That is a bit stretch :)
> 
>> capacity information and does a RAMS-R it can severely congest a network
>> for a few seconds.
> 
> Well we have rules how the server is supposed to send the burst (rate, timing, etc.) documented in the text. It explains what the server does.
>  
>> There are a number of assumptions in where this will work most of the
>> time and with very few exceptions have any large scale impact on the
>> network. I think these should be documented in an applicability statement.
> 
> At the end of intro, I think we can put a few sentences about this.

Ok, I guess I have to live with that.

>  
>>>> 2. Section 6.2, bullet 5: I don't think the document is clear on that
>>>> the BRS is expected to determine if a RAMS-R is a retransmission or an
>>>> update based on if any content of the message has been changed.
>>>
>>> The statement over there implies this. And naturally it is the server's job to figure that out. Based on this discussion, we
>> even wrote the new CNAME guidelines document so that the server's job would get easier.
>>
>> Exactly the document implies rather than being explicit. I am not
> 
> Actually, I re-read it and it is pretty explicit. The text says it checks client's CNAME (which must be unique). If the server is already processing a request from the same client for the same SSRC, then it is a update. Ow, it is a new request.
> 
> I can repeat the above in the text if you think it is necessary.
> 
>> certain that I have understood all the mechanism you expect me to use to
>> determine if a RAMS-R is a retransmission or a new request. Based on
>> that it is uncertain for a client to know what effect an RAMS-R message
>> will have. I also think it makes sense to mandate that servers do have
>> retransmission detection, otherwise you end up in a situation where a
>> client don't dare retransmit a request for the fear of getting two bursts.
> 
> OK what if the text said:
>  
>         Updated Request:  The RTP_Rx MAY send an updated RAMS-R message
>         (as unicast feedback in the primary multicast RTP session) with
>         a different value for one or more fields of an earlier RAMS-R
>         message. The RS MUST be able to detect whether a burst is already planned for or being transmitted to this particular RTP_Rx for this particular media source SSRC. If there is an existing burst planned for or being transmitted, the newly arriving RAMS-R is an updated request; otherwise it is a new request...
>      

Better.

>>>> 3. I worried that what is intended to be an RAMS-R update from the
>>>> client will be interpreted as new RAMS-R request. The reason is the only
>>>> that separates these two cases are timing, does it arrive before the
>>>> burst ends or not. Relying on this heuristics is quite weak and error
>>>> prone. I still wished that an sequence number had been added to RAMS-R.
>>>
>>> I gave enough arguments why we should not use a seqnum for the RAMS-R messages earlier. It is not justified IMO. Based
>> on the SSRC of the primary and the requesting client's CNAME, things are pretty straightforward.
>>
>> Yes, I know I am in the rough here. From my perspective, it makes the
>> use of update RAMS-R uncertain to use. Maybe not a big issue if most
>> doesn't implement updates. But if one finds need for it then there will
>> be issues. Consider the AD and IESG notified about the potential issue.
> 
> Is the updated text above good for you?

Not, really, because it has only clarified the issue. The issue is
really the uncertainty for the client how its request will be
interpreted, either as updated request or a new request, all depending
on timing. The biggest issue is the updated request which might be
interpreted as new request, when the client is likely satisfied and
might even have gone one to join the multicast group when the
RAMS-R(update) is processed as a new RAMS-R. Then causing congestion and
unwanted traffic. The client that detects this can surely terminate the
burst, but that will be after some delay, and traffic has arrived.

>  
>>>
>>>> 4. Section 6.2, bullet 5: " Thus, the RTP_Rx MUST choose a globally
>>>>         unique CNAME identifier."
>>>>
>>>> I don't think this is a statement that can either be fulfilled nor
>>>> tested. You can mandate a method for selecting CNAMEs that has low risk
>>>> of producing CNAME collisions, but nothing can guarantee it unless a
>>>> entity is coordinating the CNAME space for all clients. Can you mandate
>>>> the method instead?
>>>
>>> The new CNAME draft has ways to ensure they are unique. If the client uses one of them, we are all set.
>>
>> Yes, but in that case mandate the implementation and usage of one of
>> these instead of statement that can't be ensured.
> 
> Personally, this is one what I did initially but then we agreed that one could come up with an alternative method that would produce unique CNAMEs. In other words, methods for producing unique CNAMEs are not unique. So, we rather put the "MUST" in the sentence above not for the specific implementation.

Okay, I might be nit picking then to request that the text is changed to
"Thus, the RTP_Rx MUST use a method that ensure it uses an unique CNAME
identifier." I don't think globally is the correct scope, it is
unnecessary big, when only needs to be unique within this particular
instance of a system.

> 
>>>> If I understand the impact of a CNAME collision is that the collision
>>>> clients request will be mixed up, for example terminating each others
>>>> request, or update the values in the RAMS-R.
>>>
>>> When they are unique, this won't happen.
>>
>> Just checking, but if that is the case then I am missing a discussion of
>> hijacking attacks in the security consideration section by guessing your
>> targets CNAME.
> 
> We should probably mention this but I am not sure how the server can deal with this. Hijacking is not easy since the attack must take place at the same instant (more or less) with the request from the authentic client. One of your family members can probably do this :)

The real solution is where you have an more permanent id system in place
that you can connect through source authentication of the requests.

In an SSM session that uses simple feedback model the RTP_Rx cname may
leak as they are redistributed.

Based on that you could bombard a BRS with RAMS-T for example for all
known CNAMES and do that in a round-robin fashion across channels and
time. Depending on source address spoofing you will more or less easy to
find. But I do agree that it becomes a little bit more a brute force
attack, but an attacker could gain knowledge about an important piece of
information to mount the attack at all.

>  
>>>> 5. Section 6.4 and others: The draft has a tendency of formulating
>>>> itself as everything is guaranteed to work as long as one keep within
>>>> given limits for bandwidth etc. An example from Section 7.2 Max Receive
>>>> Bitrate TLV:
>>>
>>> We don't assume things will sure work or guarantee that they will work if everything is satisfied. These are simple rules
>> that both sides must comply with.
>>
>> No, but a certain view point is clear in the text. Lets call it
>> optimistic that it will work, while I would write from a more
>> pessimistic view.
> 
> Things may go wrong anytime, and we do ack that in the paper and have solutions. But if one does not comply with the rules, more things will likely go wrong.
>  

It is a writing style thing and I think we can stop the discussion.

>>>> 6. Section 7:
>>>>
>>>> Each feedback message has a fixed-length field for version, padding,
>>>>    feedback message type (FMT), payload type (PT), length, SSRC of
>>>>    packet sender, SSRC of media sender as well as a variable-length
>>>>    field for feedback control information (FCI).
>>>>
>>>>
>>>> What is called "Payload type" is actually "Packet Type" in RTCP packet
>>>> headers.
>>>
>>> We followed the definition from 4585 but "packet type" makes more sense to me as well.
>>
>> Well, section 6.1 of RFC 4585 is wrong.
> 
> OK, "packet type" it is then.
>  

Great.

>>>
>>>> 7. Section 7.3:
>>>> "The MSN value SHALL
>>>>       be set to zero only when a new RAMS request is received."
>>>>
>>>> How is that actually known? And why reset it at all? Why not increase if
>>>> for each new RAMS-I message with new content, independently if it is an
>>>> update or a new request.
>>>
>>> If this is relating to a new burst request, then it is reset. Ow, what is the point of having a seqnum? If something has
>> changed compared to the previous RAMS-I, then MSN is incremented. If it is just a re-xmit, MSN stays the same.
>>
>> I fully agree with the need for separating retransmissions from updates.
>> However, I wonder over the reset of the field for each new RAMS-R. It
>> appears to me to be more robust to simply increment it rather than
>> reset. Otherwise you can send RAMS-R(1) resulting in RAMS-I MSN = 0.
> 
> I think we discussed this before. The RAMS-R numbers are no way correlated with the RAMS-I numbers. You are still trying to correlate them.

Nope, the number here are still only to indicate that they are different
to get the sequence right. My point is that the client can determine
based on MSN if it is an repeat or a new RAMS-I based on a new request.

> 
>> Then a RAMS-R(2) that is intended to be an update but becomes an new
>> request results in an RAMS-I with MSN = 0. The client will not know if
>> this is an retransmission of RAMS-R(1) info. The updated should result
>> in MSN=1. So without comparing the RAMS-I you can't determine if there
> 
> The client checks the RAMS-I seqnum to see whether it is a repeat or new info. If RAMS-I MSN is zero, that is the first RAMS-I anyway so it must be fully parsed. Does not matter which RAMS-R actually generated it since that is the info from the server until an updated RAMS-I is received. This is how the protocol works.

As I try to explain there is a case where you can get two RAMS-I with
MSN=0 in a row with different information. Thus not providing any
relieve for the client in the need to compare the whole request with the
previous one.

> 
>> is new information. Going my way (no reset) does not allow a client to
>> determine if an RAMS-R was treated as update or new request, but it will
>> correctly know that it is new RAMS-I information.
> 
> The server cannot keep state information (i.e. tracking RAMS-R numbers) across different sessions. Furthermore, requests for different streams can go to different servers.
>  

No, I am not talking about RAMS-R number here. I am talking about RAMS-I
MSN numbers, that they shouldn't be kept. But I see your point in that
you don't want to keep CNAME,SSRC => MSN counter mappings.

But in that case, I think we should make it clear that a client that has
sent a RAMS-R (update) must check if the RAMS-I information is same or
different to determine if the server interpreted the update as a new
request.

>>>> 14. Section 10:
>>>>
>>>> Shouldn't the security consideration make it clear that RAMS-R are
>>>> especially suspectible to Replay attacks as there is no information in
>>>> the packet that one can use to detect that it is out of sequence.
>>>
>>> There is a wording about this in that section (which simply refers the reader to 5760). Are you considering a RAMS-specific
>> replay attack here?
>>
>>
>> Yes, I am considering that it is easy to target RAMS-R specifically for
>> an replay attack. Especially when sent in a reduced size RTCP packet
>> only containing RAMS-R and SDES CNAME. That has no time specific
>> information and all replay detection must happen in the security protocol.
> 
> The Token stuff (or the cookie stuff) will avoid request messages from being sent by others (it will do at least a reverse path check). Beyond that is not SRTCP a good solution to avoid this?

SRTCP is if keyed correctly a good solution yes.

 My point is that one normally document the vulnerability and then
ensure that one has a remedy for it. When it comes to the token stuff I
am not certain that it helps against a replay attack. Unless the token
has expired on the server you still will get traffic to the target. That
is why I think a reverse path check when you start delivering should
happen. Because first in that case if there is no listener at the
indicated address and port will you find out that you are attempting a
delivery not intended.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------