Re: [AVTCORE] I-D Action: draft-ietf-avt-srtp-not-mandatory-11.txt

Harald Alvestrand <harald@alvestrand.no> Sat, 24 November 2012 23:46 UTC

Message-ID: <50B15C45.8050600@alvestrand.no>
Date: Sun, 25 Nov 2012 00:46:13 +0100
From: Harald Alvestrand <harald@alvestrand.no>
To: avt@ietf.org
References: <20121119225137.6740.64413.idtracker@ietfa.amsl.com> <5119018B-F424-4F1A-AE37-8840169E499C@csperkins.org>
In-Reply-To: <5119018B-F424-4F1A-AE37-8840169E499C@csperkins.org>

On 11/19/2012 11:59 PM, Colin Perkins wrote:
> This version of the draft updates the recommendations in Section 6 based on discussion with the Security Area Directors. There are no changes in the rest of the draft.

Mostly looks OK to me.

One thing I did not understand about the new section 6...
It describes RTP/AVPF as a profile that is an example of where a single 
security mechanism is not reasonable to mandate, because it's used in 
many other contexts.
I think that's OK - but isn't it true that RTP/AVPF *disallows* the use 
of SRTP, since it would then be RTP/SAVPF?

This can be confusing to the reader - it may be clearer if one mentions 
explicitly that the RTP/AVPF, which is a set of building blocks that 
don't need a security mandate, is used to build RTP/SAVPF, which *is* a 
security mandate.

Or am I the one confused?

                 Harald

>
> Colin
>
>
> On 19 Nov 2012, at 22:51, Internet-Drafts@ietf.org wrote:
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Audio/Video Transport Core Maintenance Working Group of the IETF.
>>
>> 	Title           : Securing the RTP Protocol Framework: Why RTP Does Not Mandate a Single Media Security Solution
>> 	Author(s)       : Colin Perkins
>>                           Magnus Westerlund
>> 	Filename        : draft-ietf-avt-srtp-not-mandatory-11.txt
>> 	Pages           : 10
>> 	Date            : 2012-11-19
>>
>> Abstract:
>>    This memo discusses the problem of securing real-time multimedia
>>    sessions, and explains why the Real-time Transport Protocol (RTP),
>>    and the associated RTP control protocol (RTCP), do not mandate a
>>    single media security mechanism.  Guidelines for designers and
>>    reviewers of future RTP extensions are provided, to ensure that
>>    appropriate security mechanisms are mandated, and that any such
>>    mechanisms are specified in a manner that conforms with the RTP
>>    architecture.
>>
>>
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-avt-srtp-not-mandatory
>>
>> There's also a htmlized version available at:
>> http://tools.ietf.org/html/draft-ietf-avt-srtp-not-mandatory-11
>>
>> A diff from the previous version is available at:
>> http://www.ietf.org/rfcdiff?url2=draft-ietf-avt-srtp-not-mandatory-11
>
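The profile naming Harald asks about (RTP/AVPF is the feedback profile without any mandated media security; RTP/SAVPF is that same set of building blocks with SRTP mandated) is something a signalling endpoint can check mechanically. The following is an added example, written for this discussion and not code from the draft, the thread or any IETF project. It assumes the SDP "m=" line syntax of RFC 4566, the four profile tokens RTP/AVP, RTP/AVPF, RTP/SAVP and RTP/SAVPF, the DTLS-SRTP variants UDP/TLS/RTP/SAVP and UDP/TLS/RTP/SAVPF from RFC 5764, and the keying attributes a=crypto (RFC 4568) and a=fingerprint. The sample offer, including its key, is constructed for illustration. It flags the two inconsistencies a reviewer would care about: a secure (S) profile offered with no keying material, and keying material offered on a profile that does not protect the media.

```python
"""Cross-check the RTP profile named in an SDP offer against its security attributes.

Added example; not from the draft or the mailing-list thread. Assumes the
profile tokens listed in the lead-in. The sample SDP below is constructed.
"""
from dataclasses import dataclass, field

# Profile suffix -> (AVPF feedback extension in use, SRTP mandated by the profile).
# RTP/SAVPF = RTP/AVPF building blocks + mandated media security.
PROFILE_SUFFIXES = {
    "AVP":   (False, False),
    "AVPF":  (True,  False),
    "SAVP":  (False, True),
    "SAVPF": (True,  True),
}


@dataclass
class MediaCheck:
    media: str
    proto: str
    feedback: bool
    secure: bool
    problems: list = field(default_factory=list)


def classify_proto(proto: str):
    """Return (feedback, secure) for an SDP <proto> token, or None if it is not an RTP profile.

    Accepts both "RTP/<profile>" and "UDP/TLS/RTP/<profile>" (RFC 5764) spellings.
    """
    parts = proto.split("/")
    if len(parts) >= 2 and parts[-2] == "RTP" and parts[-1] in PROFILE_SUFFIXES:
        return PROFILE_SUFFIXES[parts[-1]]
    return None


def _evaluate(check: MediaCheck, keying: set, rtcp_fb: bool) -> MediaCheck:
    """Record inconsistencies between the profile and the attributes seen in its section."""
    if check.secure and not keying:
        check.problems.append("secure profile (S) but no keying attribute (a=crypto / a=fingerprint)")
    if not check.secure and "crypto" in keying:
        check.problems.append("a=crypto present but profile does not mandate SRTP")
    if rtcp_fb and not check.feedback:
        check.problems.append("a=rtcp-fb present but profile lacks the AVPF feedback extension")
    return check


def check_sdp(sdp: str) -> list:
    """Walk each m= section of an SDP body and return one MediaCheck per section."""
    results = []
    session_keying = set()            # session-level a=fingerprint applies to every m= section
    current, keying, rtcp_fb = None, set(), False
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            if current is not None:
                results.append(_evaluate(current, keying | session_keying, rtcp_fb))
            fields = line[2:].split()  # <media> <port> <proto> <fmt> ...
            media, proto = fields[0], fields[2]
            kind = classify_proto(proto)
            current = MediaCheck(media, proto, *(kind or (False, False)))
            if kind is None:
                current.problems.append(f"unknown proto token {proto!r}")
            keying, rtcp_fb = set(), False
        elif line.startswith("a=crypto:"):
            (keying if current is not None else session_keying).add("crypto")
        elif line.startswith("a=fingerprint:"):
            (keying if current is not None else session_keying).add("fingerprint")
        elif line.startswith("a=rtcp-fb:"):
            rtcp_fb = True
    if current is not None:
        results.append(_evaluate(current, keying | session_keying, rtcp_fb))
    return results


# Constructed sample offer: one consistent AVPF section, one consistent SAVPF
# section, one SAVPF section with no keys, and one AVP section carrying a key.
# The inline key is a placeholder, not real keying material.
SAMPLE_SDP = """\
v=0
o=- 1 1 IN IP4 192.0.2.10
s=constructed example
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVPF 96
a=rtpmap:96 opus/48000/2
a=rtcp-fb:96 nack
m=video 51372 RTP/SAVPF 97
a=rtpmap:97 VP8/90000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
a=rtcp-fb:97 nack pli
m=video 51374 RTP/SAVPF 98
a=rtpmap:98 VP8/90000
m=audio 49172 RTP/AVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    for c in check_sdp(SAMPLE_SDP):
        status = "ok" if not c.problems else "; ".join(c.problems)
        print(f"{c.media:5} {c.proto:10} feedback={c.feedback} secure={c.secure}: {status}")
```

Run as a script, the two consistent sections report "ok", the keyless RTP/SAVPF section and the RTP/AVP section carrying a=crypto each report one problem. The check is deliberately on the profile token alone: it treats the "S" in the profile name as the only thing that mandates SRTP, which is exactly the distinction between RTP/AVPF and RTP/SAVPF that the message above asks the draft to spell out.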