[AVTCORE] comments on draft-ietf-avtcore-rtp-security-options-04

Dan Wing <dwing@cisco.com> Fri, 16 August 2013 02:18 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 25EEC11E8235 for <avt@ietfa.amsl.com>; Thu, 15 Aug 2013 19:18:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.49
X-Spam-Status: No, score=-109.49 tagged_above=-999 required=5 tests=[AWL=1.109, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 3uf6ur0JhaE2 for <avt@ietfa.amsl.com>; Thu, 15 Aug 2013 19:18:32 -0700 (PDT)
Received: from mtv-iport-1.cisco.com (mtv-iport-1.cisco.com []) by ietfa.amsl.com (Postfix) with ESMTP id C7BC511E81AA for <avt@ietf.org>; Thu, 15 Aug 2013 19:18:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8868; q=dns/txt; s=iport; t=1376619511; x=1377829111; h=from:content-transfer-encoding:subject:date:message-id: cc:to:mime-version; bh=wHMAtl+HHUORKsaEGmP+Xgj9F5Sfx1KH3/wV3uKAM8U=; b=NYRG3jdgRJkhmu2X/L83RNbv385sPFqX2w1uxoz1twugnlkmzzYBnE7z 0GZMSqnXZAHNv3A9+PBuV9jBL2JLLsXJ/34KOSFFHzA4PgEFncn5EbJDK EWZ9uVRCjjF6WNYcg61JSv6fsPxaL+sPJ4Kt6+WDpri8thUPCeZbLDyBy 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvQGAIKKDVKrRDoG/2dsb2JhbABSCYMGwBqBJhZtB4JlP4E+Lod0uh+PCoFGgyJ3A4ktjjeRUoM7HA
X-IronPort-AV: E=Sophos;i="4.89,890,1367971200"; d="scan'208";a="85996477"
Received: from mtv-core-1.cisco.com ([]) by mtv-iport-1.cisco.com with ESMTP; 16 Aug 2013 02:18:30 +0000
Received: from sjc-vpn5-1481.cisco.com (sjc-vpn5-1481.cisco.com []) by mtv-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id r7G2IShZ021417; Fri, 16 Aug 2013 02:18:28 GMT
From: Dan Wing <dwing@cisco.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Thu, 15 Aug 2013 19:18:28 -0700
Message-Id: <F4327517-C01E-4146-9430-E34C2DF48DDF@cisco.com>
To: "avt@ietf.org" <avt@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
X-Mailer: Apple Mail (2.1508)
Cc: draft-ietf-avtcore-rtp-security-options@tools.ietf.org
Subject: [AVTCORE] comments on draft-ietf-avtcore-rtp-security-options-04
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2013 02:18:42 -0000

Overall a strong document, and I know it was difficult to write.

My comments:

In the Introduction, the end of
   Because of the heterogeneity of
   RTP applications and use cases, however, a single security solution
   cannot be mandated. 
feels like it could include a citation back to draft-ietf-avt-srtp-not-mandatory.

In section 3.1, Depending on when AES-GCM is published compared to when draft-ietf-avtcore-rtp-security-options is published, updating the following paragraph might be prudent (so it no longer says "ongoing work", as it will be published work at that point),
   AES-GCM:  There is also ongoing work to define AES-GCM (Galois
      Counter Mode) and AES-CCM (Counter with CBC) authentication for
      AES-128 and AES-256.  This authentication is included in the
      cipher text which becomes expanded with the length of the
      authentication tag instead of using the SRTP authentication tag.
      This is defined in [I-D.ietf-avtcore-srtp-aes-gcm].

In section 3.1.1, 
s/cipher suits/cipher suites/

Section 3.1.4, suggest changing
   This can enable interworking between DTLS-SRTP and for
   example security descriptions or other keying systems where either
   part can set the key.
   This can enable interworking between DTLS-SRTP and 
   other keying systems where either party can set the key (e.g., 
   interworking with security descriptions).
(original says "either part", should say "either party").

Section 3.4 for consistency with the section title and the rest of the section's text, I suggest:
   There does not appear to be significant usage of RTP over DTLS.
   There does not appear to be significant usage of DTLS for RTP.

Section 3.6 says:
   Mechanisms have been defined that encrypt only the payload of the RTP
   packets, and leave the RTP headers and RTCP in the clear.  
which immediately made me think, "ah, like SRTP."  But then the rest of the section goes on to describe non-SRTP object encryption (DRM).  Can that first sentence somehow be made clearer that this section is not describing SRTP encryption, but object encryption?  Afterall, SRTP also leaves RTP headers in the clear.  Also, the title of the section is "Payload-Only Security Mechanisms", but the second paragraph discusses the need for transport security (which is not 'payload security').  Perhaps the section could be renamed to "Object Security" or "Digital Rights Management" or some other term, so that the payload security and transport security can both be discussed without exceeding the scope of the section title.

Section 4.1.1,
s/might provided/might provide/

Section 4.1.3, Changing from "I", "you", and "your" to "host" and "peer" would keep this section more consistent with the rest of the document.

Section 4.1.3, I had some technical heartburn over these two paragraphs, which together make it seem like DTLS-SRTP is weaker than Security Descriptions, and the text claims this weakness is because DTLS-SRTP sends the certificate hash over signaling whereas Security Descriptions sends the session key over signaling:
      For example, consider a point-to-point communication system that
      uses DTLS-SRTP using self-signed certificates for key management,
      and SIP for signalling.  In such a system the end-points for the
      DTLS-SRTP handshake have securely-established keys that are not
      visible to the signalling nodes.  However, as the certificates
      used by DTLS are not bound to any PKI they can't be verified.
      Instead, hashes of the certificate are sent over the signalling
      path.  If the signalling can be trusted not to collaborate on
      performing a man-in-the-middle attack by modifying the hashes,
      then the end-points can verify that they have established keys
      with the peer they are doing signalling with.

      Systems where the key-exchange is done using the signalling
      systems, such as Security Descriptions [RFC4568] or MIKEY embedded
      in SDP [RFC4567], enable a direct binding between signalling and
      key-exchange.  Independent of DTLS-SRTP or MIKEY in SDP the actual
      security depends on the trust one can place in the signalling
      system to correctly associate the peer's identity with the key-

Of course, DTLS-SRTP does not need to rely solely on trust for identity, which is described elsewhere in this same document.  RFC4474 or a later section of this same document should be cited in that first paragraph (or in the Using Identities section, whichever the authors prefer), as RFC4474 provides a way to ensure the DTLS-SRTP certificates are bound to the identity provider's public key.  Yes, RFC4474 has some deficincies and perhaps those should be mentioned briefly (doesn't survive going through an SBC, for example).  I would add a citation and description of RFC4474 to that first paragraph discussing DTLS-SRTP.

The second paragraph I quoted of Section 4.1.3, I am confused that its first sentence discusses Security Descriptions and MIKEY, but the paragraphs second sentence starts with "Independent of DTLS-SRTP or MIKEY in SDP" -- is this an editing mistake and that second sentence supposed to read "Independent of **security descriptions** or MIKEY" ??  If it is not an editing mistake, I admit I cannot parse that second paragraph and it would benefit from a rewrite to make its point more clear.

Section 4.1.5 on privacy mentions relays.  It might be useful to add a citation to TURN as an example of a relay.

Section 5.1:
   At the basic level DTLS has a number of good security properties.
   For example, to enable a man in the middle someone in the signalling
   path needs to perform an active action and modify the signalling
   At the basic level DTLS has a number of good security properties.
   For example, to enable a man in the middle someone in the signalling
   path needs to perform an active action and modify both the signalling
   message and the DTLS handshake.

Also, what is meant by "At the basic level"?  That wording implies there an identified problem/weakness at some other level (advanced level).

Section 5.2, 
   Unless one uses a Identity provider and the proposed identity
   solution [I-D.ietf-rtcweb-security-arch], the web application still
   has the possibility to insert a MITM. 

There are other ways to detect and prevent insertion of a MitM other than an Identity provider -- such as verifying the certificate hash out of band (verifying it matches what is printed on a business card, or verifying the hash is the same as the previously-used hash with that same user as described by ZRTP, as two examples).  Could that be re-worded so that Identity provider is just one way to avoid insertion of MITM?

Section 5.2,
      Prevent tracking between sessions:  RTP CNAMEs and DTLS-SRTP
      certificates provide information that could possibly be re-used
      between session instances.  Thus to prevent tracking, the same
      information can't be re-used between different communication
Yes, but another solution (allowing the re-use of DTLS-SRTP certificates, thus saving CPU resources to create new public/private key pairs) is to have better TLS handshake, such as is being pursued for TLS 1.2 so the certificates are exchanged later in the TLS exchange (after the session is encrypted).  I would suggest:
      Prevent tracking between sessions:  RTP CNAMEs and DTLS-SRTP
      certificates provide information that could possibly be re-used
      between session instances.  Thus to prevent tracking, the same
      information can't be re-used between different communication
      Prevent tracking between sessions:  static RTP CNAMEs and DTLS-SRTP
      certificates provide information that is re-used
      between session instances.  Thus to prevent tracking, the information
      is not re-used between sessions or the information is not sent in the
      clear between sessions.

Section 5.3, I suggest:
   If these goals are to be meet with the specified
   solution there needs to exist trust in that neither the
   implementation of the client nor the platform the application runs
   can be accessed or modified by the attacker.
   To meet these goals with the specified solution the client 
   implementation and the application platform are trusted to 
   protect against access and modification by an attacker.