Re: [AVTCORE] Secdir last call review of draft-ietf-avtcore-rtp-evc-05

Stephan Wenger <stewe@stewe.org> Thu, 12 October 2023 01:08 UTC

From: Stephan Wenger <stewe@stewe.org>
To: Sean Turner <sean@sn3rd.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "avt@ietf.org" <avt@ietf.org>, "draft-ietf-avtcore-rtp-evc.all@ietf.org" <draft-ietf-avtcore-rtp-evc.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Date: Thu, 12 Oct 2023 01:08:04 +0000
Message-ID: <PH0PR17MB4908F0DED8383221A2D555D0AED3A@PH0PR17MB4908.namprd17.prod.outlook.com>
References: <169703598045.28899.18058923487691438647@ietfa.amsl.com>
In-Reply-To: <169703598045.28899.18058923487691438647@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/bhSvPjC5cm1MnTznXilN15mVIeg>

Hi Sean,
Thanks for this review.

Short answer:
Regarding the “NOT REQUIRED” issue: it was also spotted during Murray’s AD review and addressed by removing the NOT REQUIRED language.  See the attached email, towards the bottom.  We have addressed this issue in our working copy.
We will also address the nits.

Long answer:
We started this EVC draft from the VVC payload, RFC 9328, because VVC and EVC are closer than HEVC and EVC, and because 9328 has undergone its reviews not a year ago.  We thought that doing so ought to make the review process easier, especially with non-core parts of the document.
We frequently refer to the HEVC payload, RFC 7798, because that format is, by now, deployed, and reasonably widely known in the implementer community.  For the implementer community, it seems to be better to refer to known, deployed technologies, than a brand-new RFC supporting a codec which many implementers are not yet familiar with.
Therefore, editorially and technically, the EVC payload draft is based on 9328 and not on 7798, even if it frequently cites 7798, for the reason mentioned.
RFC 9328 includes the offending “NOT REQUIRED” language.
RFC 9328 itself is based on 7798.  We payload people generally do not invent around the security considerations section but copy stuff that worked in the past; hence the 9328 security section started with the one of 7798.  I did not dig deeply into the archives, but the tinkering we saw between the 7798 and 9328 language was, IIRC, the result of SEC AD DISCUSSes.  They may not have made much sense to me, but then, who am I, talking about security?  When it comes to security, we trust the experts.
Clearly, the capitalization of “NOT” is not supported by RFC 2119, and I agree with Murray’s comment in the attached email that even a “not RECOMMENDED” language, while consistent with RFC 2119, is redundant.  Hence, we will remove that language, which I think you are aiming towards as well.
I hope that addresses your concern; please let us know if not.
Thanks,
Stephan

From: Sean Turner via Datatracker <noreply@ietf.org>
Date: Wednesday, October 11, 2023 at 16:53
To: secdir@ietf.org <secdir@ietf.org>
Cc: avt@ietf.org <avt@ietf.org>, draft-ietf-avtcore-rtp-evc.all@ietf.org <draft-ietf-avtcore-rtp-evc.all@ietf.org>, last-call@ietf.org <last-call@ietf.org>
Subject: Secdir last call review of draft-ietf-avtcore-rtp-evc-05
Reviewer: Sean Turner
Review result: Has Issues

tl;dr: Just one issue that I'll get to after rambling for a bit.

This is your typical I-D for an RTP Payload Format for foo. It contains the
usual disclaimers in the Security Considerations section that are found in RTP
Payload Format RFCs:

* It's just about the payload format
* Read RTP & Options for Securing RTP
* There's no MTI security solution (see RFC 7202)
* Apps SHOULD provide a strong security mechanism

This I-D, like RFC 7798, also includes considerations for:
* DoS concerns during compression
* SEI
* End-to-End Security

Issue: If this I-D is like RFC 7798, why does RFC 7798 say this:

 Therefore, the usage of data origin authentication and data integrity
 protection of at least the RTP packet is RECOMMENDED, for example,
 with SRTP [RFC3711].

And this I-D says this:

 Therefore, the usage of data origin authentication and data integrity
 protection of at least the RTP packet is RECOMMENDED but NOT REQUIRED
 based on the thoughts of [RFC7202].

It seems like this I-D says it's similar to HEVC, but then adds this little bit
extra.  Also, "NOT REQUIRED" isn't BCP 14 language so it's probably got to be
changed by either rewording or making it lower case.

Editorial:
* s9 (missing period): s/avoid those/avoid those.
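As an added example, not part of the draft, the review, or anything the AVTCORE working group ships: a small Python check for the point Sean raises, that "NOT REQUIRED" is not BCP 14 language. It scans a draft for runs of capitalized keyword-like words and flags any run that is not one of the exact phrases defined by RFC 2119 as clarified by RFC 8174, so "NOT RECOMMENDED" and "MUST NOT" pass while "NOT REQUIRED" is reported with its line number. The two sample excerpts are the security-considerations sentences quoted in the review, embedded here as constructed input; the function and variable names are this example's own.

```python
import re

# The complete BCP 14 keyword set (RFC 2119 as clarified by RFC 8174). Only
# these exact capitalized phrases carry normative meaning in an RFC or I-D;
# any other capitalized combination ("NOT REQUIRED") is undefined.
BCP14_KEYWORDS = frozenset({
    "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
    "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", "OPTIONAL",
})

# Words that occur inside BCP 14 phrases. A run of these in capitals is
# treated as one candidate phrase and checked against the set above, so the
# valid two-word phrases are accepted as a unit and invalid ones are caught.
_WORD = r"(?:MUST|NOT|SHALL|SHOULD|RECOMMENDED|REQUIRED|MAY|OPTIONAL)"
_RUN = re.compile(r"\b" + _WORD + r"(?:\s+" + _WORD + r")*\b")


def find_bcp14_issues(text):
    """Return [(line_number, phrase)] for every capitalized keyword-like run
    in `text` that is not a valid BCP 14 phrase. Runs broken across a line
    break (e.g. "NOT\\nREQUIRED") are joined before checking and reported at
    the line where they start. Lower-case uses are ignored, as RFC 8174 says
    only the capitalized forms are normative."""
    issues = []
    for m in _RUN.finditer(text):
        phrase = " ".join(m.group(0).split())  # collapse spaces/newlines
        if phrase not in BCP14_KEYWORDS:
            line_no = text.count("\n", 0, m.start()) + 1
            issues.append((line_no, phrase))
    return issues


# Constructed sample input: the two sentences quoted in the secdir review.
RFC7798_TEXT = """\
Therefore, the usage of data origin authentication and data integrity
protection of at least the RTP packet is RECOMMENDED, for example,
with SRTP [RFC3711].
"""

DRAFT05_TEXT = """\
Therefore, the usage of data origin authentication and data integrity
protection of at least the RTP packet is RECOMMENDED but NOT REQUIRED
based on the thoughts of [RFC7202].
"""


def check_draft(name, text):
    """Print a lint report for one text and return the list of issues."""
    issues = find_bcp14_issues(text)
    if not issues:
        print(f"{name}: no non-BCP-14 capitalized phrases")
    for line_no, phrase in issues:
        print(f"{name}:{line_no}: '{phrase}' is not a BCP 14 keyword")
    return issues


if __name__ == "__main__":
    check_draft("RFC 7798 excerpt", RFC7798_TEXT)
    check_draft("draft-ietf-avtcore-rtp-evc-05 excerpt", DRAFT05_TEXT)
```

Run against a whole draft, the same function works on the text produced by `xml2rfc --text` or on the plain-text I-D itself; the only thing it will not catch is a keyword the author meant normatively but wrote in lower case, which is a question of intent rather than syntax.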