Re: [AVT] FW: New Version Notification for draft-begen-avt-rtp-cnames-01
"Ali C. Begen (abegen)" <abegen@cisco.com> Wed, 19 May 2010 04:32 UTC
Return-Path: <abegen@cisco.com>
X-Original-To: avt@core3.amsl.com
Delivered-To: avt@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 65C2D3A6984 for <avt@core3.amsl.com>; Tue, 18 May 2010 21:32:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.056
X-Spam-Level:
X-Spam-Status: No, score=-10.056 tagged_above=-999 required=5 tests=[AWL=0.228, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, SARE_MILLIONSOF=0.315]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g+rg66x5cIzP for <avt@core3.amsl.com>; Tue, 18 May 2010 21:32:42 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 5FAC93A690E for <avt@ietf.org>; Tue, 18 May 2010 21:32:42 -0700 (PDT)
Authentication-Results: sj-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEABcH80urR7Hu/2dsb2JhbACeCHGjcZlghRAEg0A
X-IronPort-AV: E=Sophos;i="4.53,260,1272844800"; d="scan'208";a="327265853"
Received: from sj-core-5.cisco.com ([171.71.177.238]) by sj-iport-1.cisco.com with ESMTP; 19 May 2010 04:32:35 +0000
Received: from xbh-sjc-221.amer.cisco.com (xbh-sjc-221.cisco.com [128.107.191.63]) by sj-core-5.cisco.com (8.13.8/8.14.3) with ESMTP id o4J4WZHP010562; Wed, 19 May 2010 04:32:35 GMT
Received: from xmb-sjc-215.amer.cisco.com ([171.70.151.169]) by xbh-sjc-221.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 18 May 2010 21:32:35 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 18 May 2010 21:32:24 -0700
Message-ID: <04CAD96D4C5A3D48B1919248A8FE0D540C262209@xmb-sjc-215.amer.cisco.com>
In-Reply-To: <04c801caf708$b42a71c0$c4f0200a@cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [AVT] FW: New Version Notification for draft-begen-avt-rtp-cnames-01
Thread-Index: AcrsX4HHCnbPB7dpQ0+55RZub3M3ZgAAGcuQAqCX8hAAB3g1cAABtY7gAAEM+0A=
References: <04CAD96D4C5A3D48B1919248A8FE0D540C044FF3@xmb-sjc-215.amer.cisco.com> <046601caf6e7$633c3990$c4f0200a@cisco.com> <04CAD96D4C5A3D48B1919248A8FE0D540C2621EB@xmb-sjc-215.amer.cisco.com> <04c801caf708$b42a71c0$c4f0200a@cisco.com>
From: "Ali C. Begen (abegen)" <abegen@cisco.com>
To: "Dan Wing (dwing)" <dwing@cisco.com>, avt@ietf.org
X-OriginalArrivalTime: 19 May 2010 04:32:35.0280 (UTC) FILETIME=[4DF12D00:01CAF70C]
Cc: draft-begen-avt-rtp-cnames@tools.ietf.org
Subject: Re: [AVT] FW: New Version Notification for draft-begen-avt-rtp-cnames-01
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Audio/Video Transport Working Group <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2010 04:32:44 -0000
> > > My two large-ish issues with the draft: > > > > > > 1. FQDNs are not necessarily unique, but the draft assumes > > > they are. For example, 'home.comcast.net' is probably > > > a very common FQDN for Comcast customers. > > > > #2 is not suggesting to use 'home.comcast.net', is it? It is > > suggesting to use the mac address for the host part. > > The text in RFC3550, a full standard, says 'a host can use > its FQDN'. Your document (which I expect will only be a > Proposed Standard) does not explicitly discourage using FQDN. OK, we will make it more explicit. > > > 2. The three current recommendations (IPv6 address, FQDN, > > > UUID) all expose information about the RTP host, which > > > provides additional information for traffic analysis. > > > > These are unique identifiers, and they are supposed to be. > > But, how would you know who has a given specific UIUD for example? > > I don't know who has the red Ferrari in my neighborhood, but > I notice when he comes and goes. And I notice when he has > a passenger. > > In telephony, if an endpoint is using UUID in its RTCP messages, > I can learn its UUID by just calling it and having someone > answer. Or waiting for it to call me (by phishing the human > with an email message, for example). Now, if I manage to > trace any traffic (even if it is encrypted with SRTP) I can > determine who that person is calling (by doing a simlar attack > on the destination). > > It is valuable to know, for example, that the CEO and CFO of > Company "A" are talking a lot to the CEO and CFO of Company > "B". Millions of dollars can be made (or lost). :) we will be happy to add the text you suggest for this. > > > We might consider suggesting something more robust against > > > traffic analysis, which changes for every RTP session, and > > > which does not use an identifier (e.g., IPv6 address) that > > > can be correlated with the endpoint. > > > > Do you think this is a real concern? And even if yes, the > > IPv6 address of an endpoint can always be recorded next to > > the RTCP reports it sends (even if we use something else for > > the CNAME) so the risk is still there, no? > > That's what IPv6 Privacy Addresses (RFC4941) are intended to > thwart. (We can get into a long discussion about their viability, > how difficult they are to trigger from an application, how > application programmers who have never needed to consider > such things don't know when/how/why to bother getting a new > IPv6 address.) > > But the CNAMEs being encouraged in this draft do expose hosts > to expose host-specific identifiers that have not been encouraged > to be disclosed previously. That's why it seems prudent to discuss > in the Security Considerations section. Fair enough. > Which brings up another minor thing: the draft should mention > that a host with any sort of IPv6 address can use that address as > its CNAME. That is, the RTP session does not to be with an > IPv4 address on the host. Right. > > > Detail: > > > > > > > > > * Abstract should remove citations to RFC3550, because for style > > > reasons the RFC Editor will remove that prior to publication. > > > > We can deal with that at that time. > > > > > > > > * Section 1, > > > > > > Change reference from [I-D.miles-behave-l2nat] to RFC3022. > > > > OK. > > > > > > > > * Section 1 reads: > > > > > > [RFC3550] suggests that > > > such applications provide a configuration option to > > allow the user to > > > choose a unique CNAME, and puts the burden on the translator to > > > translate CNAMEs from private addresses to public addresses if > > > necessary to keep private addresses from being exposed. > > Experience > > > has shown that this does not work well in practice. > > > > > > it is true that RFC3550 mentions CNAME "addresses" should > > > be "translated". But CNAMEs might, or might not, contain an > > > address. If RFC3550 had recommended any sort of CNAME translation, > > > it should not have used the word 'address'; rather, it should have > > > just said 'translate'. > > > > > > As an example, and something else that should also be discussed > > > in the Introduction, is that hosts are often given simple names > > > ("host" or "home" or "home-pc") and can use the default domain > > > name assigned by their ISP (a real example is comcast.net; an > > > example for the I-D would of course be example.net). Thus, > > > ignoring NAT and RFC1918 addresses and everything for just a > > > moment, and thinking about some IPv6 nirvana, a RTP endpoint > > > that uses a FQDN such as "home-pc.comcast.net" is *also* > > > not going to have a unique CNAME. > > > > > > So, please add FQDN collisions as another example in the > > > Introduction. > > > > Good suggestion. > > > > > > > > * Section 3, "Choice of RTCP CNAME in Private Networks" > > > > > > I don't like the title. The introduction already dissuaded > > readers from > > > thinking this was a problem solely with RFC1918 addresses. > > > > Is "Choice of RTCP CNAME" good? > > Yep. Or "Choosing RTCP CNAME" > > > > * Section 3, > > > > > > It is a difficult task for a host to determine whether it resides > > > behind a NAT without the help of an external mechanism > > such as STUN > > > [RFC5389]. > > > > > > Actually, it can be impossible, because "I am behind a NAT" is not > > > a binary answer. Rather, it depends on the path to the RTP peer > > > if I am "behind a NAT". For example, when communicating between > > > two hosts in my house. > > > > > > I would rather that sentence above be rewritten to say: > > > > > > It is difficult, and in some cases impossible, for a host to > > > determine if there is a NAT between itself and its RTP peer. > > > > > > and don't mention STUN at all. > > > > Good catch. > > > > > > > > * Section 3 recommends against IP address. It should say > > > "IPv4" (rather than "IP"). > > > > Agreed. > > > > > * Section 3, which IPv6 address should be used? Maybe > > > recommend using the > > > IPv6 privacy address [RFC4941], if present? > > > > Sure, but is there a problem with others? > > No problem with the others. > > > > * Section 3, I found the word "order" in the following > > > paragraph confusing: > > > > > > This memo does not mandate a specific order in which > > > these methods > > > should be practiced. A specific order would be only > > > needed if an RTP > > > endpoint was expected to be comprised of multiple programs that > > > independently needed to choose the same CNAME. Since > > > this is not a > > > common implementation technique, a specific order is not needed. > > > > > > How about saying, instead, "Each of the techniques is > > > equally effective, > > > and an implementation can choose which to use." > > > > Sounds good to me. > > > > > As for the need to pick a single CNAME if there are > > > disconnected bits and > > > pieces of RTP; do we need to mention that? Seems like an > > > implementation > > > detail. If you want to mention it, I suggest doing so in a > > > separate paragraph and/or section. > > > > We thought of this and I don't think we need to mention this. > > > > > > > > * Section 4, Security Considerations: > > > > > > The security considerations of [RFC3550] apply to this > > document as > > > well. > > > > > > and RFC3550's Security Considerations says only this about CNAMEs: > > > > > > Within RTCP, the > > > CNAME and NAME information may be used to impersonate another > > > participant. > > > > > > The recommendations in draft-begen-avt-rtp-cnames create > > some additional > > > security exposure, specifically the ability for an on-path > > sniffer to examine > > > RTCP messages and get the unique identifier of the RTP > > endpoint (IPv6 address, > > > MAC address, or UUID) and correlate RTP traffic to/from > > different endpoints. > > > As SRTP (RFC3711) recommends that SRTCP be only > > authenticated (not encrypted), > > > the normal SRTP operation will continue to expose that same > > information. > > > > Correct. > > > > > Here is a suggestion to get that started: > > > > > > Following the recommendations of this memo provides > > > additional information in RTCP which is useful for > > > traffic analysis. The recommended default encryption > > > mode for SRTCP [RFC3711] uses authentication (without > > > encryption), so if traffic analysis is a concern the > > > SRTCP payloads should be encrypted. > > > > We should add this. > > > > > > > > * Question: Are there any ideas on the table for generating a unique > > > identifier that wouldn't be useful for traffic analysis? > > That is, a unique > > > identifier that is generated on each call? For example, a > > BASE64-encoded > > > SHA1-HMAC of one of the three pieces of information > > currently suggested in the > > > memo (IPv6 address, unique FQDN, UUID), where the 'secret' > > is changed for > > > every new RTP session? This seems it could eliminate > > traffic analysis > > > concerns. > > > > Personally, I did not consider the need for this one but > > looks like you want to have this option. And I don't see why > > we should not have it. > > Depends on the application, I suppose. Telephony is different > from streaming IPTV of today's news. But, I suppose there > are some interesting/controversial news programs. I can throw > some text your way when you need it. Yes, we should get this into the next revision, which we should do in the next few days. Thanks, acbegen. > -d
- [AVT] FW: New Version Notification for draft-bege… Ali C. Begen (abegen)
- Re: [AVT] FW: New Version Notification for draft-… Dan Wing
- Re: [AVT] FW: New Version Notification for draft-… Ali C. Begen (abegen)
- Re: [AVT] FW: New Version Notification for draft-… Dan Wing
- Re: [AVT] FW: New Version Notification for draft-… Ali C. Begen (abegen)
- Re: [AVT] FW: New Version Notification for draft-… Roni Even
- Re: [AVT] FW: New Version Notification fordraft-b… Ali C. Begen (abegen)
- Re: [AVT] FW: New Version Notification fordraft-b… Colin Perkins
- Re: [AVT] FW: New Version Notificationfor draft-b… Dan Wing
- Re: [AVT] FW: New Version Notificationfor draft-b… Ali C. Begen (abegen)
- Re: [AVT] FW: New Version Notification for draft-… Peter Musgrave
- Re: [AVT] FW: New Version Notification for draft-… Ali C. Begen (abegen)
- Re: [AVT] FW: New Version Notification for draft-… Peter Musgrave
- Re: [AVT] FW: New Version Notification for draft-… Ali C. Begen (abegen)