Re: [AVTCORE] Benjamin Kaduk's Discuss on draft-ietf-avtcore-multi-party-rtt-mix-18: Answer 2 on 3.19 security
Gunnar Hellström <gunnar.hellstrom@ghaccess.se> Mon, 24 May 2021 14:33 UTC
Return-Path: <gunnar.hellstrom@ghaccess.se>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ABF73A2AD2; Mon, 24 May 2021 07:33:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=egensajt.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F7KqDPMdeJM3; Mon, 24 May 2021 07:33:29 -0700 (PDT)
Received: from smtp.egensajt.se (smtp.egensajt.se [193.42.159.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 319763A2AAC; Mon, 24 May 2021 07:33:28 -0700 (PDT)
Received: from [192.168.2.137] (h77-53-37-81.cust.a3fiber.se [77.53.37.81]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: gunnar.hellstrom@ghaccess.se) by smtp.egensajt.se (Postfix) with ESMTPSA id 3F15D2004C; Mon, 24 May 2021 16:33:25 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=egensajt.se; s=dkim; t=1621866805; bh=uiy5phX1K8yoBjcJFJHxPh0F4Jm3+Pk2+E/CCyvbsOU=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=PrI9dXz4xUko12t7cOM0wVsI2zGuHHQrvl11QgKtJDgVsrWL8uePCQajPvG2mz4cm aFOHAVByqQkystis9hs6EH1Ghq98RB3a4YEGjTiiJp3aLc2e4UZppLken1MQdyZAXs qmlSWOwu4Wd4KxzFNMZmidl51Qz30u899UXk6sjo=
To: Benjamin Kaduk <kaduk@mit.edu>, The IESG <iesg@ietf.org>
Cc: draft-ietf-avtcore-multi-party-rtt-mix@ietf.org, avtcore-chairs@ietf.org, avt@ietf.org, bernard.aboba@gmail.com
References: <162139279927.706.12647899386073526674@ietfa.amsl.com>
From: Gunnar Hellström <gunnar.hellstrom@ghaccess.se>
Message-ID: <c80019e4-a37a-0e5f-8433-b688fcf2705d@ghaccess.se>
Date: Mon, 24 May 2021 16:33:23 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.2
MIME-Version: 1.0
In-Reply-To: <162139279927.706.12647899386073526674@ietfa.amsl.com>
Content-Type: multipart/alternative; boundary="------------BCCC6E69C69AD0C803FA198E"
Content-Language: sv
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/ZvC2MYLmoYEq9Zif5VCyRA8MTd4>
Subject: Re: [AVTCORE] Benjamin Kaduk's Discuss on draft-ietf-avtcore-multi-party-rtt-mix-18: Answer 2 on 3.19 security
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 May 2021 14:33:35 -0000
Benjamin, I hope I resolved the issues with 3.9 in the previous answer. Therefore I continue here with 3.19 that you partly included in the DISCUSS. You say: "I also left a note in the comment that there's a remark about "lower security level" in Section 3.19 that's not really accurate; we should resolve that in some manner before the document proceeds." Section 3.19 Security SHOULD be applied when possible regarding the capabilities of the participating devices by use of SIP over TLS by default "Security" is not some all-encompassing attribute that can be generically applied; there are specific security properties that may or may not be achieved by any given mechanism, and it's generally worth being precise about what properties are (or are not) achieved. So here we might say "security mechanisms to provide confidentiality and integrity protection and peer authentication SHOULD be applied". [GH] Accepted and included. We cannot in general achieve source authenticity with just SRTP when a mixer is involved, though RFC 8723 does specify a double-encryption mechanism that applies in some cases when there is a central media distributor. In applications where legacy endpoints without security may exist, a negotiation SHOULD be performed to decide if encryption on the media level will be applied. [...] How would endpoints know if legacy endpoints might exist? [GH] It may be a decision by the service provider. It is of course not desirable to mix secure and unsecured endpoints, but that is what is specified in the next generation emergency service RFC:s RFC 6443 and RFC 6881. These RFCs have reasoning about that choise. I suggest to replace "may exist" with "are allowed". How would this negotiation be performed? [GH]The draft only supplies a suitable example in next sentence by recommending RFC 8643 OSRTP when nothing else is specified in the application. RFC 6443 and RFC 6881 also specifies mechanisms to be used for negotiating security. I suggest that that is sufficient. security levels. The mixing for conference-unaware endpoints has lower security level than the mixing method for conference-aware endpoints, because there may be an opportunity for a malicious mixer or a middleman to masquerade the source labels accompanying the text streams in text format. This is especially true if support of un- encrypted SIP and media is supported because of lack of such support in the target endpoints. However, the mixing for conference-aware endpoints as specified here also requires that the mixer can be trusted. [...] As the last sentence indicates, the provided reasoning in the first sentence is not really accurate, since the mixer could just as easily adjust the CSRC value in the header as change the label in the in-band text stream. This does not inherently invalidate the claim that there are different security levels, though, as the correct behavior of the mixer seems easier to independently validate in the conference-aware endpoint case (with the well-formed RTP payloads providing information that can be validated out-of-band with other participants). But I don't think this description should be left in the document as-is; it doesn't seem accurate. In the case of unencrypted media, it does seem technically true that it is easier for a non-mixer middleman to masquerade the source labels, since in that case it only adjusts the payload directly without needing to keep state on the RTP sender information and produce well-formed RTP headers after its adjustment. But this is only a modest level of additional difficulty and does not reflect any kind of effective security control, so it may not be worth mentioning at all. [GH]I suggest to delete the paragraph, except the last sentence referring to "Further security considerations..." End-to-end encryption would require further work and could be based on WebRTC as specified in Section 1.2. Is RFC 8723 not applicable to these scenarios at all? I do not think it is WebRTC-specific. [GH] Yes, it looks good, but requires quite another approach to how to detect and indicate text loss, because RFC 2198 that is used, has a header in the RTP payload, containing Payload type and timestamp offsets. RFC 8723 has a special chapter on how to handle cases when RFC 2198 is used, and it requires the detection of loss and recovery to be handled between the source and the destination rather than by the mixer. I suggest to add reference to RFC 8723 in the sentence about further work to read: "End-to-end encryption would require further work and could be based on WebRTC as specified in section 1.2 or on double encryption as specified in [RFC8723]." ---- Continuation will follow with the COMMENT points. Thanks, Gunnar Den 2021-05-19 kl. 04:53, skrev Benjamin Kaduk via Datatracker: > Benjamin Kaduk has entered the following ballot position for > draft-ietf-avtcore-multi-party-rtt-mix-18: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-avtcore-multi-party-rtt-mix/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I'm not sure I understand how the examples are consistent with the main > specification, so let's please discuss it to either un-confuse me or fix > the document. > > Section 3.9 seems to say that the oldest (source or redundant) text at > the mixer takes priority when there is text from more than one source > waiting to be sent, but the examples in Section 3.21 seem to show (e.g.) > text received from A at time 20400 that is to be sent as redundancy, > being sent after text from B received at time 20500 (sent as primary). > Is the intent that if there is any primary text, the oldest primary text > is sent first, and only if there is no outstanding primary text do we > consider the redundant text? > > In a related vein, Section 3.10 says that a packet is sent when (among > other things) "330 ms has passed since already transmitted text was > queued for transmission as redundant text". But that doesn't say > anything about the timer being reset by subsequent transmission or > queuing of redundant text, so I'm not sure how in the Section 3.21 > example, we say that transmitting B1 and B2 as redundancy was planned as > 330 ms after packet 105 -- the original B2 was sent in packet 104, so > shouldn't the 330ms start from packet 104's transmission? (The stated > time for this seems to match 330ms after 104, so maybe the "105" is just > a typo?) > > > I also left a note in the comment that there's a remark about "lower > security level" in Section 3.19 that's not really accurate; we should > resolve that in some manner before the document proceeds. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > -- Gunnar Hellström GHAccess gunnar.hellstrom@ghaccess.se
- [AVTCORE] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk via Datatracker
- Re: [AVTCORE] Benjamin Kaduk's Discuss on draft-i… Gunnar Hellström
- Re: [AVTCORE] Benjamin Kaduk's Discuss on draft-i… Gunnar Hellström
- Re: [AVTCORE] Benjamin Kaduk's Discuss on draft-i… Gunnar Hellström
- Re: [AVTCORE] Benjamin Kaduk's Discuss on draft-i… Gunnar Hellström
- Re: [AVTCORE] Benjamin Kaduk's Discuss on draft-i… Gunnar Hellström
- Re: [AVTCORE] Benjamin Kaduk's Discuss on draft-i… Gunnar Hellström
- Re: [AVTCORE] Benjamin Kaduk's Discuss on draft-i… Benjamin Kaduk
- Re: [AVTCORE] Benjamin Kaduk's Discuss on draft-i… Gunnar Hellström