[AVTCORE] Design choice comments on draft-jones-avtcore-private-media-framework-00

Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 19 February 2015 15:03 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73D1D1A906E for <avt@ietfa.amsl.com>; Thu, 19 Feb 2015 07:03:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G8x0xZI6ceYA for <avt@ietfa.amsl.com>; Thu, 19 Feb 2015 07:03:45 -0800 (PST)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E7311A8901 for <avt@ietf.org>; Thu, 19 Feb 2015 07:02:43 -0800 (PST)
X-AuditID: c1b4fb25-f791c6d00000617b-ec-54e5fb100def
Received: from ESESSHC015.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id D0.8A.24955.01BF5E45; Thu, 19 Feb 2015 16:02:41 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.65) with Microsoft SMTP Server id 14.3.210.2; Thu, 19 Feb 2015 16:02:40 +0100
Message-ID: <54E5FB10.2030209@ericsson.com>
Date: Thu, 19 Feb 2015 16:02:40 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: IETF AVTCore WG <avt@ietf.org>, "Paul E. Jones" <paulej@packetizer.com>, nermeen@cisco.com, "David Benham (dbenham)" <dbenham@cisco.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprALMWRmVeSWpSXmKPExsUyM+Jvja7g76chBofWcVi87FnJbnHm1zwm i1Un/rFanL+wgcmBxWPK742sHkuW/GTyaNh3lD2AOYrLJiU1J7MstUjfLoErY++et+wFzUoV cy+0sTUwXpTuYuTkkBAwkfjRupUdwhaTuHBvPVsXIxeHkMARRol3s7axQjjLGSX+/n3NBFLF K6AtsWv+E1YQm0VAVWJdzxEWEJtNwELi5o9GNhBbVCBYYvHzp6wQ9YISJ2c+YQEZJCIwgVHi dednsISwQKDEm5XbgFZzcDALaEqs36UPEmYWkJdo3jqbGcQWAtrV0NTBOoGRbxaSUbMQOmYh 6VjAyLyKUbQ4tTgpN93IWC+1KDO5uDg/Ty8vtWQTIzAID275rbqD8fIbx0OMAhyMSjy8Hzqf hgixJpYVV+YeYpTmYFES57UzPhQiJJCeWJKanZpakFoUX1Sak1p8iJGJg1OqgXHqnCW/OTzf JflN6Apz8w9wmeXHxHzpXHUET+/tjykPZzdfFz9Usm/zZ6bilAsTVNdsOaH4SPHA+R1niqUO 67YbqzCfUK+O8skKXP+q6cYySS6r67klkvUH/wSvqj7PvGLx0+9RPkkXnMJz4vxyRCx4HV7N e10Sd6P5tg3TpZOs3x4um/AnI16JpTgj0VCLuag4EQBakZyEIwIAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/7oQ9GEHV1caij0ri85iLWqyHq14>
Subject: [AVTCORE] Design choice comments on draft-jones-avtcore-private-media-framework-00
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Feb 2015 15:03:51 -0000

Hi,
(As individual)

I have just reviewed the draft and are supportive of work in this field.
However, I have some really high level comments in regards to the design
choices.

1. Supported RTP topologies

I think you will need to discuss a bit more which RTP topologies that
the framework should support. The current draft supports only basic
transport translators (Relay) to my understanding, because of it
preventing rewriting of RTP sequence number as well as the SSRC. Thus,
all RTP streams sent to the server must be forwarded to all other
participants.

I believe the intention of the document is to support at least Selective
Forwarding Middlebox (SFM). However, to support such a topology and be
able to suspend delivery of some media streams, then RTP sequence number
rewriting becomes a requirement to keep the media streams compliant with
current RTP specification.

Also people who have been building conferencing middleboxes also uses
other topologies, for example the RTP mixer in also used to build
switching mixers. Where an SSRC can represent a role rather than a
original sender.

I think there is need to have some discussion of which RTP topologies
this type of solution intends to support so that one can determine which
RTP field behaviours that is to be expected and need to be dealt with.

I would appreciate your view of what you see as needed to be supported.

2. Additional privacy concerns in RTP/RTCP.

The proposed framework protects the RTP payloads and their media content
from the middle. However, the document fails to discuss if privacy
protection is needed either for the RTP header extensions themselves or
if any RTCP packets or their content is privacy sensitive.

The RTP header extensions that are defined in IETF, as well as the two
3GPP has registered appears to be privacy sensitive in any way. However,
the big picture issue is that RTP header extensions do not require to be
standardized. The registration requires only an Expert Review, and they
are trivial to use for proprietary extension. So we have no idea what
might be showing up here. I could easily believe that someone would for
example include a geolocation attached to a video stream to capture
where for example a airborne drone where when capturing the video.
Suddenly you have data that is privacy sensitive and may require end to
end protection.

In RTCP you already today have some parts that are privacy sensitive.
For example all the SDES items with the exception of CNAME (if generated
correctly) can contain privacy sensitive data. Also the APP RTCP packet
type might contain data that needs to be protected end to end.

Thus I think you need to consider if there are need for additional
protection mechanisms to realize the goals of this framework. To me it
appears that this are reasonably straightforward SRTP extensions that
could solve these issues if they are considered necessary to resolve.
Even if the initial solution doesn't provide a fully specified solution,
I think it is important to ensure that the framework do support a
solution to specified at a later stage.

3. What must be in the trusted zone?

Looking at the description it looks like the solution is missing one
important part in the trusted zone. That is the list of identities or
secret that enables an invited / allowed participant to participate in a
particular conference. That functionality is key component of the
security solution. How else is the KMF going to be able to determine
which asserted identities that are allowed to get the EKT, thus being
able to get access to the media.

I understand the need for having solution agility when it comes to
identity solutions, however the functionality and the requirement on it
I think needs to be described in this type of framework.


Cheers

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------