Re: [AVTCORE] Design choice comments on draft-jones-avtcore-private-media-framework-00
"Paul E. Jones" <paulej@packetizer.com> Tue, 17 March 2015 02:28 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFC3C1ACC87 for <avt@ietfa.amsl.com>; Mon, 16 Mar 2015 19:28:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.012
X-Spam-Level:
X-Spam-Status: No, score=-2.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m--z6ELoiv0n for <avt@ietfa.amsl.com>; Mon, 16 Mar 2015 19:28:33 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7526D1A1EF9 for <avt@ietf.org>; Mon, 16 Mar 2015 19:28:33 -0700 (PDT)
Received: from [192.168.1.20] (cpe-098-027-048-015.nc.res.rr.com [98.27.48.15]) (authenticated bits=0) by dublin.packetizer.com (8.14.9/8.14.9) with ESMTP id t2H2SDc9006791 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Mar 2015 22:28:14 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=packetizer.com; s=dublin; t=1426559294; bh=d5v0ET2uqM3Ap9MMoU4yyYMLQ0CphDX/W+wGl+E9c8U=; h=From:To:Subject:Date:In-Reply-To:Reply-To; b=kbxKh30USQ42OGC0bpqLxouFyqsWUHy+Hf3mBqQ6V9Hw0dxUVMwGtgssubZ/oXTTH n7hNSz4/pbxCeC7u08oqn0zu5pqe7XqXMKt2XwZMeHO+u5e/ioaid9sBencSzE4wSW b/0PI63sr+K8l57/978tpoGyt2riimN4/2faeBxw=
From: "Paul E. Jones" <paulej@packetizer.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, IETF AVTCore WG <avt@ietf.org>, nermeen@cisco.com, "David Benham (dbenham)" <dbenham@cisco.com>
Date: Tue, 17 Mar 2015 02:29:18 +0000
Message-Id: <em6c3a269c-c47f-4897-8660-b0612936b763@sydney>
In-Reply-To: <5500473F.1060205@ericsson.com>
User-Agent: eM_Client/6.0.21372.0
Mime-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/JMiDHz7lousv5l66BkBjRjFUSV8>
Subject: Re: [AVTCORE] Design choice comments on draft-jones-avtcore-private-media-framework-00
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: "Paul E. Jones" <paulej@packetizer.com>
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Mar 2015 02:28:46 -0000
Magnus, >> The requirements are in the separate requirements document. This >> document was intended to present one possible direction, but I >> appreciate there are different views. > >Yes, but the document is called a framework. I did notice that you >updated the requirements document to create an explicit requirement on >keeping the SSRC. I fail to see why that occurred, it didn't appear to >be motivated at all. I assume you might be referring to PM-06. That has been there for a while, existing as PM-10 in the -00 draft. The reason is just that we need an end-to-end cryptographic context. Appreciating that this could be made to be less SRTP-centric (e.g., something we could implement with something like Aero), perhaps this might be a better PM-06? PM-06: A cryptographic context suitable for enabling end-to-end authenticated encryption MUST be defined. Note that in SRTP, the cryptographic context includes the SSRC, sequence number and rollover counter (ROC). >>>> The intention was the RTP header extensions and RTCP could >>>> optionally be >>>> encrypted using the SRTP keys exchanged as they are today. This >>>>would >>>> be done hop-by-hop. This does not provide for end-to-end privacy, >>>>of >>>> course. That fits with the goals we've stated in the requirements >>>> document. We're not trying to hide the fact that two people >>>> communicated, for example, but we do not want to disclose what is >>>>being >>>> communicated. >>>> >>>> If there is truly a need to encrypt end-to-end such that middle >>>>boxes >>>> cannot gain access to some RTP header extensions or some RTCP data >>>> fields, I would assert we need to define a way to allow some >>>>header >>>> extensions and some RTCP header fields to be visible hop-by-hop. >>>>We do >>>> want to enable middleboxes to be able to collect and use RTCP >>>> statistics, for example. We also want to allow them to have access >>>>to >>>> any header extension that help facilitate packet forwarding and >>>> processing. >>> >>> I fully agree that there MUST be possibility to have both RTP header >>> extensions as well as many type of RTCP packets to be only protected >>>hop >>> by hop. The core of my comment is rather that the solution appear to >>> need to take into account the likely need for end-to-end protection >>>of >>> other RTP/RTCP fields and actively discuss in its security >>> considerations the privacy risk from some existing RTP/RTCP protocol >>> elements, specifically the RTCP SDES items. >> >> You're right that we did not consider a need for end-to-end security >>of >> RTCP or header extensions. Our objective was to ensure that media was >> secured. The need to secure RTCP end-to-end would present certain >> challenges for aggregating RTCP information. If we support encryption >> end-to-end of portions, that might be OK, but we didn't have a need >>for >> that. You mentioned having location information in RTP or RTCP. Are >> there truly requirements for that? Is that for the benefit of >>emergency >> services to get location of a caller while moving? > >I want people to think about this issues, an not immediately dismiss >the >idea just because it might look hard and they can't think of an >immediate need for it. We did not dismiss it for reasons of difficulty. Rather, we were only focused on ensuring end-to-end media privacy (i.e., voice and video content) and did not have a a requirement for ensuring that control information be encrypted end-to-end. That said, it is more challenging when there is a need for intermediary to act on some parts of the control information and not other parts. >>> I fully understand that there is need to enable multiple technical >>> solutions for verifying that identity, however if the intention is >>>to >>> provide a framework for solving this issue, the requirement on parts >>> that are outside of this WGs main expertise, namely RTP must still >>>be >>> discussed. >> >> Agreed, but should it be discussed in the framework or in a separate >> draft? I expect before this work is done that there would be one or >> more drafts covering the signaling, identity, etc. issues. > >I think there need to be something high level that discuss the trust >model and what entities that involved and what requirements exists on >the different entities and their interactions. Then one point to >specific pieces for how to fulfil these requirements. > >This is touching on an issue that I think we need to discuss. Is really >AVTCORE the right WG for this? I have been away so I missed the earlier >steps, but from my personal perspective we have a lot of data that >AVTCORE has big issues gathering critical mass on security related >topics. All good points. I think it's worth the group's time to discuss the problem we're trying to solve at a high level and fight the right home for it if avtcore is not the most appropriate place. Finding security experts on any vertical topic is always a challenge and not unique to avtcore. In an ideal world, there would be folks who are "dedicated" to security matters in all areas, but that's difficult to do since people have other work and already don't have enough time in the day. Still, I agree we need an appropriate review of the work. >Okay, I hope that the AVTCORE agenda discussion that you have requested >will focus on the most important high level bits. I think you need to >consider to actually send the questions you intended to discuss to the >WG mailing list ahead of time so people can prepare. I'll try to do that, but the way things have been going in my work day-to-day, it might be quite late this week or early next week (e.g., Sunday night). Paul
- Re: [AVTCORE] Design choice comments on draft-jon… Paul E. Jones
- Re: [AVTCORE] Design choice comments on draft-jon… Magnus Westerlund
- [AVTCORE] Design choice comments on draft-jones-a… Magnus Westerlund
- Re: [AVTCORE] Design choice comments on draft-jon… Paul E. Jones
- Re: [AVTCORE] Design choice comments on draft-jon… Magnus Westerlund
- Re: [AVTCORE] Design choice comments on draft-jon… Bernard Aboba
- Re: [AVTCORE] Design choice comments on draft-jon… Paul E. Jones
- Re: [AVTCORE] Design choice comments on draft-jon… Magnus Westerlund
- Re: [AVTCORE] Design choice comments on draft-jon… Bernard Aboba