Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rtp-04: Review Comments
"DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com> Wed, 01 December 2010 14:49 UTC
Return-Path: <keith.drage@alcatel-lucent.com>
X-Original-To: avt@core3.amsl.com
Delivered-To: avt@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CE37528C117 for <avt@core3.amsl.com>; Wed, 1 Dec 2010 06:49:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.283
X-Spam-Level:
X-Spam-Status: No, score=-103.283 tagged_above=-999 required=5 tests=[AWL=-1.634, BAYES_00=-2.599, HELO_EQ_FR=0.35, J_CHICKENPOX_14=0.6, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BFOOfjOuTmhE for <avt@core3.amsl.com>; Wed, 1 Dec 2010 06:49:09 -0800 (PST)
Received: from smail6.alcatel.fr (smail6.alcatel.fr [64.208.49.42]) by core3.amsl.com (Postfix) with ESMTP id A008028C115 for <avt@ietf.org>; Wed, 1 Dec 2010 06:49:08 -0800 (PST)
Received: from FRMRSSXCHHUB03.dc-m.alcatel-lucent.com (FRMRSSXCHHUB03.dc-m.alcatel-lucent.com [135.120.45.63]) by smail6.alcatel.fr (8.14.3/8.14.3/ICT) with ESMTP id oB1EoBL5002247 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Wed, 1 Dec 2010 15:50:18 +0100
Received: from FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com ([135.120.45.46]) by FRMRSSXCHHUB03.dc-m.alcatel-lucent.com ([135.120.45.63]) with mapi; Wed, 1 Dec 2010 15:50:13 +0100
From: "DRAGE, Keith (Keith)" <keith.drage@alcatel-lucent.com>
To: "Ali C. Begen (abegen)" <abegen@cisco.com>, Magnus Westerlund <magnus.westerlund@ericsson.com>
Date: Wed, 01 Dec 2010 15:46:23 +0100
Thread-Topic: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rtp-04: Review Comments
Thread-Index: AcuP0wsN1xeVlWjrTySem2E+yJ/N8AAANZqAAGSOo4A=
Message-ID: <EDC0A1AE77C57744B664A310A0B23AE21E36365E@FRMRSSXCHMBSC3.dc-m.alcatel-lucent.com>
References: <4CF3BAB3.2000501@ericsson.com> <04CAD96D4C5A3D48B1919248A8FE0D540DC93041@xmb-sjc-215.amer.cisco.com>
In-Reply-To: <04CAD96D4C5A3D48B1919248A8FE0D540DC93041@xmb-sjc-215.amer.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.64 on 155.132.188.84
Cc: 'IETF AVT WG' <avt@ietf.org>
Subject: Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rtp-04: Review Comments
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Audio/Video Transport Working Group <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Dec 2010 14:49:10 -0000
(As WG chair) Magnus can you indicate which of these issues you now believe are closed, and which therefore are still open and needing discussion. Ali: When you see a response from Magnus, can you open separate threads on these and get them closed to the satisfaction of the WG. Members of the WG, please chime in - we'd like to get these closed and issue a new version of the draft by the 10th. regards Keith > -----Original Message----- > From: avt-bounces@ietf.org [mailto:avt-bounces@ietf.org] On > Behalf Of Ali C. Begen (abegen) > Sent: Monday, November 29, 2010 3:37 PM > To: Magnus Westerlund; > draft-ietf-avt-ports-for-ucast-mcast-rtp@tools.ietf.org; IETF AVT WG > Subject: Re: [AVT] > draft-ietf-avt-ports-for-ucast-mcast-rtp-04: Review Comments > > Hi Magnus, > > > -----Original Message----- > > From: avt-bounces@ietf.org [mailto:avt-bounces@ietf.org] On > Behalf Of > > Magnus Westerlund > > Sent: Monday, November 29, 2010 9:38 AM > > To: > draft-ietf-avt-ports-for-ucast-mcast-rtp@tools.ietf.org; IETF AVT > > WG > > Subject: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rtp-04: Review > > Comments > > > > Hi, > > > > I have done a review of the document and have a number of comments. > > The upper part will contain technical or larger editorial comments, > > while the lower parts will be minor editorial comments. > > > > T1. Section 1. I am missing a discussion of the signalling > aspects for > > the applications using these tools. Declarative service signalling > > seems to be one of the reasons for doing dynamic session creation. > > Yes, that is the primary use case. But, I am not sure whether > I understand what you mean by "discussion of the signaling aspects". > > > T2. Section 3. I am missing an explicit list of the assumptions on > > what is in place around the service when describing the > port mapping. > > I am also not sure what you mean here. > > > T3. Section 3.2, page 9, bullet 3: > > 3. If the client does not have a valid Token: > > Actually, that line should say "if the client does not have a Token". > > > How does a client determine if it has a valid token or not. To my > > understanding the following things needs to be done. > > > > First, it needs to check if it has a token for the server + port > > specified by the session description. May be from a > previous session. > > Secondly, it checks if it hasn't expired due to age. > > The client can only do one reliable check based on the > relative exp time. The client's public IP may have changed > and it cannot necessarily know this. > > So, naturally, the client knows from which server/port it > received the token and should have started a timer upon > receiving it. Then, it can compare it with the relative exp time. > > > T4. Section 4. IP address for token request. > > > > It is not clear on how the IP address for the Token Request is > > determined. Is this the C=? I think there is a good point > in allowing > > optional specification of the address information in this SDP > > attribute, similar to the a=rtcp attribute. > > The address is the feedback target address in the primary > session, which equals to the address given in the C line for > the unicast session (as you indicated). > > Does it make any sense to have the token request message to > be sent to a different address than the unicast source (which > also means the token response could be sent by another > entity)? This may break the Token actually since client's IP > address might be different for different destinations, right? > > > T5. Section 4. Offer/Answer behavior for the "a=portmapping-req" > > attribute. Having learned my lessong with other attributes. Lets > > define the SDP offer/answer behavior for this attribute already now. > > I understand your concern about somebody else trying to use > this attribute in an O/A setting in the future. But, if that > were possible, we would not be needing this Token mechanism > in the first place. > > Instead, I suggest we make it clear in the document saying > the O/A behavior MUST NOT be defined or used for this attribute. > > > > > T6. Section 4. Where should the signalling aspects of the > port-mapping > > be normatively discussed. It might be that Section 4, should be > > expanded to cover the signalling requirements and their > implementation > > using SDP both declarative and offer/answer. > > Relating to the previous comment, lets just define the > declarative requirements and forbid the o/a. > > > T7. Section 5.1: Random Nonce. It is not clear when a client should > > generate a new nonce. My guess would be for each new Token > request, i.e. > > every time a new Token needs to be acquired, but that isn't stated. > > Yes, correct, we should add this. > > > T8. Section 5.2 etc: Fixed length token. > > > > I think this solution should abandon a fixed length token, > and instead > > use a variable length token. I think there are a number of > reasons for that: > > > > 1. Crypto-agility: If we specify that the crypto hash > length is to be > > 128 bits, then that doesn't prevent using another hashing > mechanism, > > but it prevents going for a stronger protection by > increasing the hash > > output length. As it is likely that a key will be in long > term usage > > there is potential for needing quite strong keys. This as this > > solution is possible to do off-line attacks. Do a token request, > > capture the material going into the hash, then go find the key. > > > > 2. Freedom of implementing the token according to the needs of the > > implementation. As there only need to be agreement between all the > > servers using the same token. But an example implementation is good. > > > > 3. There is no space for indication of which key has been > used, which > > makes key-roll over slightly more difficult. Using only the > expiration > > time for which key should be used, is possible but puts > requirements > > on implementation to do things in the right order. > > > > 4. Possibility to include additional information in the token, > > including the address for better error detection. > > > > Thus I would recommend that we allow for a variable token, > and with a > > recommended way of generating the token. We do need to be > clear on the > > security requirements on the token. > > OK, I am neutral on this and we can certainly allow for > variable-length Tokens but for that, we will need a length > field (like a TLV element) to carry the Token back and forth. > > Are you suggesting to keep section 6 as an example but not > mandatory to follow? > > > T9. NTP values: I think some mentioning of the epochs for the NTP > > clock is needed. 2032 isn't that far off, and the roll over > needs to be handled. > > Seriously, you think we will be using tokens at that time :) > if so, I guess somebody will fix it for NTP and then we can > rev the token draft at that time. > > > T10. Section 5.4: > > Why no error code in the Token Failure message. To me it seems > > possible that a server can separate a couple of different > failures and > > report back on them: > > > > - Expired token > > - Missmatch of address (Either by keeping state or include > the address > > in the token) > > - Missmatch in Nonce. > > - Adminstratively expired token. > > I don't think the server can determine which component was > the reason for verification failure. I.e., the server > generates a new token based on the new input and it can only > decide whether it is a match or not. If it is not, it cannot > determine whether the nonce or the IP was to blame. > > As for the expiration time, the client should not send such > tokens anyway. If it does and it receives a failure message, > the reason would be obvious. > > Overall, I don't think we can (or need anyway to) specify the > reason for failure. > > > T11. Section 5.4: Why isn't the "associated Nonce" included in the > > error response? Either that or the token needs to be > included so that > > the client knows which token that didn't work. This as a client may > > have multiple outstanding requests and not necessarily with > the same token. > > Normally a client would not need to send multiple different > requests to the same FTAp to get a token. If the client puts > a different nonce in each request, yes, the tokens will be > different but what is the point in doing that? One token is > enough for the client. > > So, I don't really see a need for this. Did I miss something > you had in mind? > > Adding the nonce or the token is not a big deal anyway, so > lets add the Token to the failure message. > > > T12. Section 6. More comments on token generation: > > a. Missing recommended expiration time, or at least what is a > > reasonable token life time. > > Is not this really application specific? If you were asked to > recommend one, what would you say? > > > b. Make it clear that the key do need to be well generated, and not > > use Null keying of the HMAC. > > Ok. > > > c. Why not recommend SHA-256? Even if HMAC-SHA1 isn't > broken yet, it > > starting to be an aging crypto mechanism. > > I don't have much to favor one over another. But, it is not > like we are protecting your financial data. > > I would imagine you could spend less effort to hack into such > a network to divert the traffic compared to hacking into > somebody else's token. Remember that just stealing somebody > else's token does not get you much. > > > T13. Section 10. > > I am lacking a discussion of the security issues around the token > > itself. As I see it factors as how long the server uses a key, > > key-roll over requirements, off-line attack possibility and crypto > > agility all needs discussion. > > I will let Dan respond to this. > > > Then I am missing the signalling aspect vulnerabilities on this > > solution and the requirement that puts on the signalling > infrastructure. > > You mean if somebody messes with the portmapping-req > attribute in the SDP? > > > E1: Abstract: "This document presents a port mapping solution that > > allows RTP > > receivers to choose their own ports for an auxiliary > unicast session > > in RTP applications using both unicast and multicast services > > (almost) without the need for retrieving pre-authorization." > > > > "I would reformulate the last part of the sentence, i.e. from > > "(almost)". There is no meaning in differentiating between the > > solution when this is the one we are doing. > > > > In addition maybe try to make the abstract a bit more > complete in what > > it the document covers. > > > > E2. Section 1, second paragraph: I would include NATs as being > > actively considered and a reason why dynamic mappings are > to be preferred. > > > > E3. Section 1, fourth paragraph: > > An example scenario is where the RTP packets are > distributed through > > source-specific multicast (SSM) and a receiver sends unicast RTCP > > feedback to a local repair server (also functioning as a feedback > > target) [RFC5760] asking for a retransmission of the > packets it is > > missing, and the local repair server sends the > retransmission packets > > over a unicast RTP session [RFC4588]. > > > > I would do the following changes to the above: > > > > An example scenario is where the RTP packets are > distributed through > > source-specific multicast (SSM) and a receiver sends unicast RTCP > > NACK feedback to a local repair server (also functioning as a > > ^^^^ > > > > unicast RTCP feedback > > ^^^^^^^^^^^^ > > target) [RFC5760] asking for a retransmission of the > packets it is > > missing, and the local repair server sends the > retransmission packets > > over a unicast RTP session [RFC4588]. > > > > E4. Section 3.2: Instead of jumping straight into the > example I would > > spend at least one paragraph on a high level description of what is > > assumed to be happening in generic wording. Maybe something like: > > > > When an RTP receiver transmits an RTCP feedback message where it > > expects the server to send unicast RTP traffic to the receiver, it > > needs to include the acquired token from step one in a RTCP Token > > verification request message. The server receives the RTCP compound > > message and verifies the token. The server can then assume that the > > RTCP message requesting a particular service, such as > retransmission > > or Rapid Acquisition of a Multicast session, is legit. An > existing or > > new unicast RTP session is used to fulfill the request. > > > > E5. Page 8, bullet "1": > > If c0=c1, the occasional (periodic) RTCP receiver > > reports sent from port c0 (for the multicast session) will > > ensure the NAT does not time out the public port > associated > > with the incoming unicast traffic to port c1. > > > > I would suggest the following edit: > > > > If c0=c1, the occasional (periodic) RTCP receiver > > reports sent from port c0 (for the multicast session's > > RTCP port P3) will > > ^^^^^^^^^^^^ > > ensure the NAT does not time out the public port > associated > > with the incoming unicast traffic to port c1. > > > > E6. Page 9, > > 2. The client determines its port numbers (*c0, *c1 and *c2). > > > > I would change it to: > > 2. The client selects its local port numbers (*c0, *c1 and *c2). > > > > E7. section 3.2: > > 2The server generates an opaque encapsulation (i.e., the > > Token) that conveys client's IP address > information using a > > reversible transform only known to the server. > For details, > > see Section 6." > > > > There seems to be a mismatch between this text and Section > 6. Also see > > tech discussion about the token. > > > > E8. Section 3.2, page 10, bullet 5: > > "Note that in the > > unicast session the RTP and RTCP packets MUST be > multiplexed on > > the (same) port c1." > > > > I would try to improve the clarify on the directionality in the > > traffic in this paragraph, especially the above sentence: > > > > Note that in the > > unicast session traffic from the server to the > receiver the RTP > > and RTCP packets MUST be multiplexed, i.e. both RTP and > RTCP sent from > > P3 with the destination port c1'. > > > > E9. Section 8. I think this section makes sense to include as a > > sub-section under a signalling discussion section where high level > > requirements, SDP extensions, SDP usages including O/A and then > > examples are included. > > We will get these fixed in the revision. > > Cheers, acbegen. > > > > Cheers > > > > Magnus Westerlund > > > > > ---------------------------------------------------------------------- > > Multimedia Technologies, Ericsson Research EAB/TVM > > > ---------------------------------------------------------------------- > > Ericsson AB | Phone +46 10 7148287 > > Färögatan 6 | Mobile +46 73 0949079 > > SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com > > > ---------------------------------------------------------------------- > > _______________________________________________ > > Audio/Video Transport Working Group > > avt@ietf.org > > https://www.ietf.org/mailman/listinfo/avt > _______________________________________________ > Audio/Video Transport Working Group > avt@ietf.org > https://www.ietf.org/mailman/listinfo/avt >
- [AVT] draft-ietf-avt-ports-for-ucast-mcast-rtp-04… Magnus Westerlund
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Ali C. Begen (abegen)
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… DRAGE, Keith (Keith)
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Colin Perkins
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Ali C. Begen (abegen)
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Magnus Westerlund
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Magnus Westerlund
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Ali C. Begen (abegen)
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Van Caenegem, Tom (Tom)
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Ali C. Begen (abegen)
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Magnus Westerlund
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Magnus Westerlund
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Ali C. Begen (abegen)
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Colin Perkins
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Colin Perkins
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Ali C. Begen (abegen)
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Magnus Westerlund
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Ali C. Begen (abegen)
- Re: [AVT] draft-ietf-avt-ports-for-ucast-mcast-rt… Magnus Westerlund