Re: [AVTCORE] Design choice comments on draft-jones-avtcore-private-media-framework-00
Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 18 March 2015 14:49 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BC1391A09C9 for <avt@ietfa.amsl.com>; Wed, 18 Mar 2015 07:49:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 530WRhxRyoGw for <avt@ietfa.amsl.com>; Wed, 18 Mar 2015 07:49:43 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6023A1A09CF for <avt@ietf.org>; Wed, 18 Mar 2015 07:49:39 -0700 (PDT)
X-AuditID: c1b4fb30-f79996d000006ebb-53-5509908163a2
Received: from ESESSHC010.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 06.D5.28347.18099055; Wed, 18 Mar 2015 15:49:37 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.50) with Microsoft SMTP Server id 14.3.210.2; Wed, 18 Mar 2015 15:49:36 +0100
Message-ID: <5509907F.3020102@ericsson.com>
Date: Wed, 18 Mar 2015 15:49:35 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: "Paul E. Jones" <paulej@packetizer.com>, IETF AVTCore WG <avt@ietf.org>, nermeen@cisco.com, "David Benham (dbenham)" <dbenham@cisco.com>
References: <em6c3a269c-c47f-4897-8660-b0612936b763@sydney>
In-Reply-To: <em6c3a269c-c47f-4897-8660-b0612936b763@sydney>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrOLMWRmVeSWpSXmKPExsUyM+JvjW7jBM5Qg8U7dSxe9qxktzjzax6T xaoT/1gtzl/YwOTA4jHl90ZWjyVLfjJ5NOw7yh7AHMVlk5Kak1mWWqRvl8CVcWWmUcFsq4oV N7azNTAu1uti5OSQEDCRWH+4gQ3CFpO4cG89kM3FISRwhFHi8oKVTBDOckaJSY/XsIBU8Qpo SyxePJ0VxGYRUJX48/AVWDebgIXEzR+NYLaoQLDEz/bdTBD1ghInZz5hARkkIjCBUeLrqimM IAlhgVCJxqU7wYqEBKwlpr7eAmZzCthIzD99AmgQBwezgKbE+l36IGFmAXmJ5q2zmSHKtSUa mjpYJzAKzEKyYhZCxywkHQsYmVcxihanFiflphsZ6aUWZSYXF+fn6eWllmxiBIbswS2/DXYw vnzueIhRgINRiYfX4BVHqBBrYllxZe4hRmkOFiVxXjvjQyFCAumJJanZqakFqUXxRaU5qcWH GJk4OKUaGDe/fsNUkfPcf83FN2uX3P5xdZ73MQGHmA/bohZUtk3mvfX8S7pJtHL3XynD7OtP b2yPavtsErmmPvZx0sJQznei+U7FCWWvmnYa1G5OsY4+O0nNZluO8pErsVeWdqe0z73yTmDH s0mvpM6YRjj1Ld3/+srm522m35NTK+YeOrfxSOTyG/b8/TOVWIozEg21mIuKEwHzSLUXOgIA AA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/avt/kfc2RY-vnDfxPayUSyEz8uOLqT8>
Subject: Re: [AVTCORE] Design choice comments on draft-jones-avtcore-private-media-framework-00
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2015 14:49:45 -0000
On 2015-03-17 03:29, Paul E. Jones wrote: > Magnus, > >>> The requirements are in the separate requirements document. This >>> document was intended to present one possible direction, but I >>> appreciate there are different views. >> >> Yes, but the document is called a framework. I did notice that you >> updated the requirements document to create an explicit requirement on >> keeping the SSRC. I fail to see why that occurred, it didn't appear to >> be motivated at all. > > I assume you might be referring to PM-06. That has been there for a > while, existing as PM-10 in the -00 draft. The reason is just that we > need an end-to-end cryptographic context. Appreciating that this could > be made to be less SRTP-centric (e.g., something we could implement with > something like Aero), perhaps this might be a better PM-06? > > PM-06: A cryptographic context suitable for enabling end-to-end > authenticated encryption MUST be defined. Note that in SRTP, the > cryptographic context includes the SSRC, sequence number and rollover > counter (ROC). Yes, I reacted to the change of the requirement appearing to mandate the SSRC was inmutable in the middlebox. An endpoints crypto context can be SSRC driven, as long as all components does not require that the value stay the same from sender to receiver. For example, if one would key with EKT, then as long as the EKT messages are kept with the RTP payloads, even if the RTP headers are changed and the SSRC different the EKT could provide the key for this specific stream, and it makes sense for the receiving endpoint to look up the context based on the local SSRC. > >>>>> The intention was the RTP header extensions and RTCP could >>>>> optionally be >>>>> encrypted using the SRTP keys exchanged as they are today. This >>>>> would >>>>> be done hop-by-hop. This does not provide for end-to-end privacy, of >>>>> course. That fits with the goals we've stated in the requirements >>>>> document. We're not trying to hide the fact that two people >>>>> communicated, for example, but we do not want to disclose what is >>>>> being >>>>> communicated. >>>>> >>>>> If there is truly a need to encrypt end-to-end such that middle >>>>> boxes >>>>> cannot gain access to some RTP header extensions or some RTCP data >>>>> fields, I would assert we need to define a way to allow some header >>>>> extensions and some RTCP header fields to be visible hop-by-hop. >>>>> We do >>>>> want to enable middleboxes to be able to collect and use RTCP >>>>> statistics, for example. We also want to allow them to have >>>>> access to >>>>> any header extension that help facilitate packet forwarding and >>>>> processing. >>>> >>>> I fully agree that there MUST be possibility to have both RTP header >>>> extensions as well as many type of RTCP packets to be only >>>> protected hop >>>> by hop. The core of my comment is rather that the solution appear to >>>> need to take into account the likely need for end-to-end protection of >>>> other RTP/RTCP fields and actively discuss in its security >>>> considerations the privacy risk from some existing RTP/RTCP protocol >>>> elements, specifically the RTCP SDES items. >>> >>> You're right that we did not consider a need for end-to-end security of >>> RTCP or header extensions. Our objective was to ensure that media was >>> secured. The need to secure RTCP end-to-end would present certain >>> challenges for aggregating RTCP information. If we support encryption >>> end-to-end of portions, that might be OK, but we didn't have a need for >>> that. You mentioned having location information in RTP or RTCP. Are >>> there truly requirements for that? Is that for the benefit of emergency >>> services to get location of a caller while moving? >> >> I want people to think about this issues, an not immediately dismiss the >> idea just because it might look hard and they can't think of an >> immediate need for it. > > We did not dismiss it for reasons of difficulty. Rather, we were only > focused on ensuring end-to-end media privacy (i.e., voice and video > content) and did not have a a requirement for ensuring that control > information be encrypted end-to-end. That said, it is more challenging > when there is a need for intermediary to act on some parts of the > control information and not other parts. Sure, lets just continue to discuss both the actual needs for this as well as the potential to solve it. > > >>>> I fully understand that there is need to enable multiple technical >>>> solutions for verifying that identity, however if the intention is to >>>> provide a framework for solving this issue, the requirement on parts >>>> that are outside of this WGs main expertise, namely RTP must still be >>>> discussed. >>> >>> Agreed, but should it be discussed in the framework or in a separate >>> draft? I expect before this work is done that there would be one or >>> more drafts covering the signaling, identity, etc. issues. >> >> I think there need to be something high level that discuss the trust >> model and what entities that involved and what requirements exists on >> the different entities and their interactions. Then one point to >> specific pieces for how to fulfil these requirements. >> >> This is touching on an issue that I think we need to discuss. Is really >> AVTCORE the right WG for this? I have been away so I missed the earlier >> steps, but from my personal perspective we have a lot of data that >> AVTCORE has big issues gathering critical mass on security related >> topics. > > All good points. I think it's worth the group's time to discuss the > problem we're trying to solve at a high level and fight the right home > for it if avtcore is not the most appropriate place. Agreed, for the moment this is in AVTCORE and there is definitely need for RTP expertise in this work. > > Finding security experts on any vertical topic is always a challenge and > not unique to avtcore. In an ideal world, there would be folks who are > "dedicated" to security matters in all areas, but that's difficult to do > since people have other work and already don't have enough time in the > day. Still, I agree we need an appropriate review of the work. Yes, lets consider how we best can achieve getting the needed people engaged in this matter. > > >> Okay, I hope that the AVTCORE agenda discussion that you have requested >> will focus on the most important high level bits. I think you need to >> consider to actually send the questions you intended to discuss to the >> WG mailing list ahead of time so people can prepare. > > I'll try to do that, but the way things have been going in my work > day-to-day, it might be quite late this week or early next week (e.g., > Sunday night). > Thanks Magnus Westerlund ---------------------------------------------------------------------- Services, Media and Network features, Ericsson Research EAB/TXM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- Re: [AVTCORE] Design choice comments on draft-jon… Paul E. Jones
- Re: [AVTCORE] Design choice comments on draft-jon… Magnus Westerlund
- [AVTCORE] Design choice comments on draft-jones-a… Magnus Westerlund
- Re: [AVTCORE] Design choice comments on draft-jon… Paul E. Jones
- Re: [AVTCORE] Design choice comments on draft-jon… Magnus Westerlund
- Re: [AVTCORE] Design choice comments on draft-jon… Bernard Aboba
- Re: [AVTCORE] Design choice comments on draft-jon… Paul E. Jones
- Re: [AVTCORE] Design choice comments on draft-jon… Magnus Westerlund
- Re: [AVTCORE] Design choice comments on draft-jon… Bernard Aboba