Re: [AVTCORE] Paul Wouters' Discuss on draft-ietf-avtcore-rtp-vvc-16: (with DISCUSS and COMMENT)
Paul Wouters <paul.wouters@aiven.io> Fri, 08 July 2022 13:52 UTC
Return-Path: <paul.wouters@aiven.io>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F304CC157B4C for <avt@ietfa.amsl.com>; Fri, 8 Jul 2022 06:52:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=aiven.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sU2e1EA5d-qW for <avt@ietfa.amsl.com>; Fri, 8 Jul 2022 06:52:03 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16380C159486 for <avt@ietf.org>; Fri, 8 Jul 2022 06:52:02 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id o7so7326182lfq.9 for <avt@ietf.org>; Fri, 08 Jul 2022 06:52:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=aiven.io; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=esGykW+xe2pgdcCQ6Iug9wUXpxJhbylEEvei433coHI=; b=cvLIqaJKbtRoQjRWAg+CM0mmg1qyw85XqoPc2fT7Bx26/3PDYveb2LjJ4RfUAsHP8h LAPfDTVSeA/6WQI2zwINGgNodFhvoI3f4QwTGCKHhJihdZ1sAlg2DJT2SCQy+ayhmaSR 7IpM5JgjPR3TCgKT1mkDeZEuLQrLRj6PbkhH0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=esGykW+xe2pgdcCQ6Iug9wUXpxJhbylEEvei433coHI=; b=bdUWHA9TfFTrpJwsP3h7EmDgwVJSYhIB0SiwumDyy+vfvdOwEvX9djQrnXFVLZSNZ3 XYwbg1Dte/a0LGypxLVfyf10RJJjUkPQJLq52xz0//0RiXYHvNgr6tS01b9FY0KhTSrd NXFjXyARbYwkIoLPKpVvM6owzRSzOQrS+iev2x2o2bHnmJWLhE8leaOX5RMWz7zcADlR E16If4DpttPQJLSt1rkhS8OIjunvfVkde3ZScZ5OGMfOMdftlyhnOanc27KA0IbYp/l4 Cr1E829wh/NGdV/a8SKuURi32emv92b/YpvCc5aCmSNqnp++2oecXb1bNPPHP8FpX3px QONw==
X-Gm-Message-State: AJIora+oDqvOwywEBD5T3xnneEuLr+vSCrJpNtEMUlQeSYT9ab1x3sXY MZlFnsRT3TglQYWbTZGRz2O9rTXjOj0984x4K4i4OQ==
X-Google-Smtp-Source: AGRyM1tUHDhC1gQ2LXE6XwBq/NO6b1aW03DTONtzquAA2AfFKoYJqfHZGPuBBRc2Jia3+jhbhcPGwnkCYaTUgfR+mxw=
X-Received: by 2002:a05:6512:2eb:b0:480:ff64:4e80 with SMTP id m11-20020a05651202eb00b00480ff644e80mr2692631lfq.155.1657288319834; Fri, 08 Jul 2022 06:51:59 -0700 (PDT)
MIME-Version: 1.0
References: <AQHYgL58UNv5geVOF0uZay3gErlS1q1QZAiA> <165530085733.40665.12087635017629140595@ietfa.amsl.com> <2906BA65-EB55-49D2-B767-947519AA605C@stewe.org>
In-Reply-To: <2906BA65-EB55-49D2-B767-947519AA605C@stewe.org>
From: Paul Wouters <paul.wouters@aiven.io>
Date: Fri, 08 Jul 2022 09:51:49 -0400
Message-ID: <CAGL5yWa2Zg7xPbkMqcZjDzC8-jULg0xhbGdVQv6T2nt80yfVLg@mail.gmail.com>
To: Stephan Wenger <stewe@stewe.org>
Cc: The IESG <iesg@ietf.org>, "avtcore-chairs@ietf.org" <avtcore-chairs@ietf.org>, "draft-ietf-avtcore-rtp-vvc@ietf.org" <draft-ietf-avtcore-rtp-vvc@ietf.org>, "avt@ietf.org" <avt@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009847bd05e34b8195"
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/lmuacyj8HDcsWCxXoLQzeTxRFK8>
X-Mailman-Approved-At: Fri, 08 Jul 2022 07:44:43 -0700
Subject: Re: [AVTCORE] Paul Wouters' Discuss on draft-ietf-avtcore-rtp-vvc-16: (with DISCUSS and COMMENT)
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2022 13:52:07 -0000
On Wed, Jun 15, 2022 at 7:18 PM Stephan Wenger <stewe@stewe.org> wrote: > Hi Paul, > > Thanks for your review. Comments below in blue. > Thanks for the extensive feedback. I have updated my ballot to No Objection. Note, there is still one "This memo" left at the start of the Introduction that I would change to "This document", but that's something the RFC editor would probably be able to do as well without a new draft version. Paul > To summarize: > > Stephan > > > > > > On 6/15/22, 06:47, "avt on behalf of Paul Wouters via Datatracker" < > avt-bounces@ietf.org on behalf of noreply@ietf.org> wrote: > > > > […] > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-avtcore-rtp-vvc/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > lease be aware that this document is far outside my area of expertise, > > and my comments might make no sense. Please do not be nervous to tell > > me I am wrong - likely I am.... > > > > #1 > > > > [VVC] is particularly vulnerable to such > > attacks, as it is extremely simple to generate datagrams containing > > NAL units that affect the decoding process of many future NAL units. > > Therefore, the usage of data origin authentication and data > integrity > > protection of at least the RTP packet is RECOMMENDED, for example, > > with SRTP [RFC3711]. > > > > Is something is "particularly vulnerable", why is its security counter > > measures only RECOMMENDED instead of REQUIRED ? Is there a real world > > use case where this vulnerable protocol should continue despite the > > threat without these counter measures? > > > > Please see RFC 7202 entitled “Securing the RTP Framework: Why RTP Does Not > Mandate a Single Media Security Solution” for some of the rationale. > Unsecured RTP is widely deployed in enterprises. SRTP (or other hop-to-hop > security) between endpoints and MANEs is currently the only game in town, > commercially. If you wish, we could add a reference to RFC 7202 to this > paragraph. For completeness, let me add that possible inclusion of a > pathologic SEI message is a feature that VVC offers, and was included for > reasons that JVET found compelling with the understanding that it could be > a Bad Thing under certain circumstances. I don’t believe the IETF should > specifically try to forbid the use of mechanisms that VVC offers. After > all, there’s no standards police that would prohibit an implementer to > ignore that part of the spec. :-). > > > > #2 > > > > Media-Aware Network Element (MANE) are briefly mentioned in the > Security > > Considerations, but it is unclear to me how a user can optiin or > opt-out > > of using these or how it could even evaluate a MANE for > trustworthiness. > > Does a user even know if there is a MANE ? > > > > MANEs are everywhere. All the commercial video conferencing tools in > common use today, be it zoom, Webex, teams, whatnot, use them to some > extent. It is in practice close to impossible today to conduct a > multipoint video conference without trusting the service provider. > > Obviously, I don’t know what the typical “user” knows or cares about. > However, if the question is whether an endpoint could provide a user with > technology that indicates whether or not a MANE is in use, then I believe > the answer is “yes”, at least in most cases. Heuristics may come to play. > The question rarely, if ever rises, as no current systems use end-to-end > security, and most commercial systems use MANEs even for point-to-point > communication. (There are good and valid technical and business reasons > why they do so.) > > (FWIW, the IETF RTP community has long recognized this shortcoming, and > many proposals have been made, and continue to be made, to address it. One > of them, cryptex, is currently considered by the IESG. Personally, I > believe none of those candidate solutions address the problems you mention > in a way sufficiently generic and sufficiently unintrusive to technologies > used in MANEs to allow for a commercially viable deployment. Others differ > here, obviously.) > > > > And especially combining the two issues, if a MANE can rewrite the SEI, > > would it not mean that it could attack a user with malicious data that > > appear trusted? > > > > For the reason above the data would not appear to be trusted. If one of > the commercial service providers deploying MANEs would go into such > shenanigans, they would probably be called out quickly and go down not much > later. But technically, your concern is not addressed by this draft, and I > don’t see a way how to address it beyond requiring end-to-end security, > which is not what the world is doing this field. It’s IMO also not the job > of a payload format to educate the world about security risks of a protocol > stack that was developed before security became the thing. > > > > #3 > > > > In the IANA Considerations, it points to another section. It is > customary > > to just make this section stand on its own with clear and explicit > instructions > > for IANA so they do not need to read or understand large parts of the > document. > > > > I don’t think that’s what we usually do in RTP payload formats. In fact, > I believe all recent payload formats with a complex registration, and > certainly all I co-authored, followed the structure we have here. Suggest > no action. > > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > forbidden_zero_bit. Required to be zero in VVC. Note that the > > inclusion of this bit in the NAL unit header was to enable > > transport of VVC video over MPEG-2 transport systems (avoidance of > > start code emulations) [MPEG2S]. In the context of this memo the > > value 1 may be used > > > > So it MUST be zero but MAY be 1? A bit odd for a "forbidden_zero_bit". > > Also, what is "this memo"? Does it mean this document or does it mean > [MPEG2S] ? > > > > “This memo” is a leftover from the days when RFCs customarily used that > language to refer to itself. We can change this to “this payload format” > if you consider it worth the (minor) hassle. > > There is some logic behind the “required to be zero” *in VVC,* and may be > one *here and in other system layer specs*. A forbidden_zero_bit equal > to one, according to VVC, means the bitstream (or better, the part of the > bitstream that’s carried in this NAL unit) is non-compliant. The dumbest > possible decoder would just throw it away. However, historically, there > have been smarter decoders that are capable gracefully handling a bitstream > with a few bit errors, as were (and are) not uncommon in some (mostly > wireless) environments. In such a scenario, if the transport stack knew > that there may be errors, one implementation (but not standardized) > strategy was to set the forbidden bit but leave the bitstream otherwise > unchanged. A dumb decoder would drop the NAL unit as non-compliant. A > smarter decoder, may take the forbidden-zero-bit equal to one as a sign > that there are gremlins here, and perhaps trigger some form of error > concealment, defensive decoding, or whatever, to make at least partial use > of the corrupted NAL unit. > > Following the general style of the VVC and other video coding specs, that > do not include much (barely any) non-normative explanatory language, this > explanation is not included here. However, implementers of the payload > spec will need to have a good understanding of VVC and if those guys > operate in an environment that allows for bit errors, they know the above. > If they don’t, I do not believe that this document is the right place to > educate them. > > Hence, I suggest no change, except perhaps fixing “this memo” to “this > payload format” to remove the ambiguity. > > > > PayloadHdr appears without value in Figure 3 and with "(Type=28)" in > Figure 4. > > Does the first occurance without value also use type=28 ? If so, can > this be > > added? If not, can the non-28 value be added? > > > > You are now the third AD who complaints about this, which suggests > something needs to be done here. Fig. 3 is the single NAL unit mode where > the NAL unit header as defined in the VVC spec co-serves as the payload > header. The type field values allowed are those allowed in VVC, which are > 0 through 27. If you need a more detailed explanation, please refer to my > reply to Roman, which contains a detailed explanation of this issue > (attached). > > We will add an informative note explaining this. > > > > What does the ":" character denote in Figure 5 ,6 and 8? > > > > The begin and end of the aggregation unit, non 32-bit aligned. Others > complained about this as well. We will add a note. > > > > Fragments of the same NAL unit MUST be sent in consecutive > > order with ascending RTP sequence numbers (with no other RTP packets > > within the same RTP stream being sent between the first and last > > fragment). > > > > Why is this? I would say the RTP seq numbers would allow the target to > > order the packets, which it has to do anyway if the network causes > re-ordering. > > > > Error detection/concealment. Without adding further bits, the sequence > number relative to the first Fragmented NAL unit packet, plus the start and > end bits, are required in combination to identify whether a full NAL unit > can be reconstructed out of the fragments. > > > > Why then, can the host not do this? Eg if it has two crypto modules to > > indepdently encrypt these packets without needing to sync sending them > to > > ensure this requirement? > > > > Sorry, I’m not a security expert, and do not understand this scenario. > > > > Security considerations: > > See Section 9 of RFC XXXX. > > > > Does XXXX refer to this document? eg [RFC TBD1]? Or is this a > placeholder > > for another RFC that was forgotten and needs fixing? I think it is > > for this document since it has Security Considerations in Section 9. > > > > Correct. > > > > In Section 7.3.2 starts with "This section describes the negotiation of > > unicast messages" but really also describes using Multicast so it is a > > but contradicting. > > > > Looking at this, I fear we have a section labelling issue. I don’t think > O/A is defined for multicast environments, hence the intro language is > correct. However, Section 7.3.2.4 should really be 7.3.3, and the > following layer 3 sections should move down by one. > > > > Congestion control for RTP SHALL be used > > > > I always find MUST clearer than SHALL? Might be a non-native english > speaker > > issue contaminated by Gandalf's speech. The same paragraph uses "MUST > monitor" > > and not "SHALL monitor", so better at least use either MUST or SHALL > for both > > of these? > > > > SHALL and MUST are used interchangeably, as per RFC2119 and as spelled out > in the intro. My guess is that the MUSTs come more from folks in the > author’s group who are IETFers, whereas the SHALLs come more from the ITU > and ISO groups. Please note that this document recycles a lot of older > language, going back to RFC3984. This is one of those leftovers. > > I suggest not to address this point. > > > > > > > > _______________________________________________ > > Audio/Video Transport Core Maintenance > > avt@ietf.org > > https://www.ietf.org/mailman/listinfo/avt >
- [AVTCORE] Paul Wouters' Discuss on draft-ietf-avt… Paul Wouters via Datatracker
- Re: [AVTCORE] Paul Wouters' Discuss on draft-ietf… Stephan Wenger
- Re: [AVTCORE] Paul Wouters' Discuss on draft-ietf… Paul Wouters