Re: [AVTCORE] [Cryptex] PR for recommending Cryptex over RFC 6904

Bernard Aboba <bernard.aboba@gmail.com> Wed, 03 August 2022 13:34 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7267C159490 for <avt@ietfa.amsl.com>; Wed, 3 Aug 2022 06:34:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.103
X-Spam-Level:
X-Spam-Status: No, score=-7.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e94a-4Ns4qKr for <avt@ietfa.amsl.com>; Wed, 3 Aug 2022 06:33:58 -0700 (PDT)
Received: from mail-pg1-x536.google.com (mail-pg1-x536.google.com [IPv6:2607:f8b0:4864:20::536]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 15B16C15948F for <avt@ietf.org>; Wed, 3 Aug 2022 06:33:58 -0700 (PDT)
Received: by mail-pg1-x536.google.com with SMTP id d7so12080933pgc.13 for <avt@ietf.org>; Wed, 03 Aug 2022 06:33:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc; bh=7MK2ZdrrsWzVP6kCnoLvxoWQbdCw4dU/YQO5XvB2Xlw=; b=D5f29Zd2r2IrAgRdx4kEnmWjLCzyN8eqNwECFZp5rLfQsbcAFCrO45+UJLH9xXzGfo STn500rzU/qkEt8DWsQzqxDJc48VYs2gQjceKaMRz17VHORlhbGj8ACvWpXdoQSXF/Uo em6kVEnMUW/U4XP6T1yXuGbpcoxdolZWOfLTgE17WDwZ5f7V9qRvijEvAyf1J40lsLUu 4RudFUikC6xKfVhFqQUYixvJvGeAxIM7MFXcKgTUQdRusV3GrBxY5hoJD/Qao6QftEWr YW0tMVel9bAnVn6z1vKpzcusch3o6vnhwqwl2vud4Z8ereTQ2GE3FxDfz2LPKFwxF1NG fUlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc; bh=7MK2ZdrrsWzVP6kCnoLvxoWQbdCw4dU/YQO5XvB2Xlw=; b=sY+NJ2GTMiATvSNcEmttmWrNHVAAWdk4dRxWw6Ng1jnvyr2VqIIRy0p2t2Dr0lLuZp R9fgOmfkRSZDwTEYXowRLZacAOtD2QcVqSDq/A2lFmkevWGvpGtUnc9QKa0Vk5Hy5hQF IsjFKxXpSLZ/eL2/TQkMI3miLbDcfwnEIUePTjI2KtGeu2ptirW09HWYoOBtIIExzB+V fnh2pcbccnSphgDYwA094QfBBCawKhlUMCs6A0gJjjAeaRhOeFR30LMKaLzQnkLsEdAU PZ54Vhxrb88f39otzQnDnLsqiAU0wWBuZm+4vR+k88fF9H3kxXU72HrzM2kQFga3iTcA NZbw==
X-Gm-Message-State: ACgBeo21pcfVUIviCfpg0QvxxMj11Uy61IW0zYanHoB6+bMmOaDAdA40 YtsmEExzyP//M9bqTL96HoggxEcAXGY=
X-Google-Smtp-Source: AA6agR4i2MgnTKHv1XCHguwZq5huc9D5hg4tMIpAHm9NskqZyJ+DAIgdsyJodtPEAAOzEVZYVyVwTg==
X-Received: by 2002:a05:6a00:a15:b0:52e:8aa:5a77 with SMTP id p21-20020a056a000a1500b0052e08aa5a77mr5127224pfh.25.1659533637047; Wed, 03 Aug 2022 06:33:57 -0700 (PDT)
Received: from smtpclient.apple (c-24-16-156-188.hsd1.wa.comcast.net. [24.16.156.188]) by smtp.gmail.com with ESMTPSA id y18-20020a17090322d200b0016f02fceff4sm1969309plg.57.2022.08.03.06.33.56 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 03 Aug 2022 06:33:56 -0700 (PDT)
From: Bernard Aboba <bernard.aboba@gmail.com>
X-Google-Original-From: Bernard Aboba <Bernard.Aboba@gmail.com>
Content-Type: multipart/alternative; boundary=Apple-Mail-AFEECAF8-B925-4CD6-AF8A-3E8CDB32E701
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Wed, 3 Aug 2022 06:33:55 -0700
Message-Id: <A344C43C-380B-46FE-B52E-F97E01B7BA51@gmail.com>
References: <CA+ag07a-W+=9pYazTyS73SD3NMWqG5w23PP2Ky1uNg9RB00LSg@mail.gmail.com>
Cc: IETF AVTCore WG <avt@ietf.org>
In-Reply-To: <CA+ag07a-W+=9pYazTyS73SD3NMWqG5w23PP2Ky1uNg9RB00LSg@mail.gmail.com>
To: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
X-Mailer: iPhone Mail (19G71)
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/2ytNvNgJDBGInHlTzU6Udgwo3y0>
Subject: Re: [AVTCORE] [Cryptex] PR for recommending Cryptex over RFC 6904
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2022 13:34:01 -0000

Looks good to me.

> On Aug 2, 2022, at 23:29, Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> wrote:
> 
> 
> How about this:
> 
> If one of the peers has advertised both the ability to receive cryptex and the ability to receive header extensions encrypted as per {{RFC6904}} in the SDP exchange, it is RECOMMENDED for the other peer to use Cryptex over {{RFC6904}} when sending RTP packets so all the header extensions and CSRCS are encrypted unless there is a compelling reason to use {{RFC6904}} (e.g. need for some header extensions to be sent in the clear so that so they are processable by RTP middleboxes) in which case, it SHOULD use {{RFC6904}} instead.
> 
> I don't think we should add the note about checking that the header extensions can be actually sent in clear, as we have put that reason as an example.
> 
> What do you think?
> Sergio
> 
>> On Tue, Aug 2, 2022 at 6:30 PM Bernard Aboba <bernard.aboba@gmail.com> wrote:
>> The wording is a bit confusing, because both the Offerer and Answerer can be "sender and receiver" in this context. 
>> 
>> You are trying to give guidance on what a peer should send where the other peer has advertised both the ability to receive cryptex and the ability to receive header extensions encrypted as per RFC 6904. 
>> 
>> The guidance is to send cryptex unless there is a compelling reason to send RFC 6904 (e.g. need for some header extensions in the clear).  However, this only makes sense if the header extensions to be sent in the clear can actually be sent (e.g. if they are sendonly or sendrecv on the sending peer and recvonly or sendrecv on the receiving peer). 
>> 
>>> On Tue, Aug 2, 2022 at 2:44 AM Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> wrote:
>>> Hi all,
>>> 
>>> As discussed during the last AVTCORE meeting, I have prepared a PR for adding the recommendation of using Cryptex over RFC6904 adding an exception in the case of some of the header extensions should be sent in clear for RTP middleboxes processing:
>>> 
>>> If both Cryptex and the Encryption of Header Extensions mechanism defined in {{RFC6904}} are supported by both the sender and receiver, it is RECOMMENDED to use Cryptex over {{RFC6904}} so all the header extensions and CSRCS are encrypted, except when some of the header extensions should be sent in clear so they are processable by RTP middleboxes, in which case, it SHOULD use {{RFC6904}} instead.
>>> 
>>> https://github.com/juberti/cryptex/pull/111
>>> 
>>> Would be great if someone could review the wording as I think it could be simplified.
>>> 
>>> I will be on vacation from next week, so I will merge the PR and submit a final draft by the end of this week if I don't receive any further feedback on the draft.
>>> 
>>> Best regards
>>> Sergio
>>> _______________________________________________
>>> Audio/Video Transport Core Maintenance
>>> avt@ietf.org
>>> https://www.ietf.org/mailman/listinfo/avt