Re: [AVTCORE] draft-ietf-avtcore-rtp-security-options-06 review

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 07 October 2013 08:58 UTC

Message-ID: <525277F6.2020104@ericsson.com>
Date: Mon, 7 Oct 2013 10:59:34 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "Peck, Michael A" <mpeck@mitre.org>
References: <CE71A95A.68A1%mpeck@mitre.org>
In-Reply-To: <CE71A95A.68A1%mpeck@mitre.org>
Cc: "avt@ietf.org" <avt@ietf.org>
Subject: Re: [AVTCORE] draft-ietf-avtcore-rtp-security-options-06 review

Hi Michael,

Thanks for the review.

On 2013-10-02 17:22, Peck, Michael A wrote:
> Hi,
> 
> I reviewed draft-ietf-avtcore-rtp-security-options-06.  It looks good, I
> have a few minor comments.
> 
> Section 3.1: 
> I suggest removing the phrase "…and NSA Suite B included cryptographic
> transforms." from the "AES-192 and AES-256:" paragraph.
> The RFC6188 crypto suites are technically not Suite B compliant because
> they use HMAC-SHA1 for authentication, and SHA-1 is not part of Suite B.

Ok, done.

> 
> Section 3.3:
> Another downside of IPsec perhaps worth pointing out is that if it's
> relied upon instead of a higher layer mechanism, information about the
> authenticated identities of the endpoints, or an indication of whether
> encryption is even in place at all, are generally not available at the
> application layer to present through the user interface.

I have added a sentence to the end of this paragraph:

The main concern with using IPsec to protect RTP traffic is that in most
cases using a VPN approach that terminates the security association at
some node prior to the RTP end-point leaves the traffic vulnerable to
attack between the VPN termination node and the end-point. Thus usage of
IPsec requires careful thought and design of its usage so that it meets
the security goals. An important question is how one ensures the IPsec
terminating peer and the ultimate destination are the same. Applications
can have issues using existing APIs with determining if IPsec is being
used or not, and when used who the authenticated peer entity is.


Below has been edited in.
> 
> Editorial comments:
> 
> Introduction:
> "so it worth" -> "so it is worth"
> 
> 3.6:
> "such the fact" -> "such as the fact"
> 

Cheers


Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------