Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rtp-07: Minor issues
Mark Baugher <mbaugher@cisco.com> Sun, 07 March 2010 23:25 UTC
Return-Path: <mbaugher@cisco.com>
X-Original-To: avt@core3.amsl.com
Delivered-To: avt@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E39AF3A67A1 for <avt@core3.amsl.com>; Sun, 7 Mar 2010 15:25:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.546
X-Spam-Level:
X-Spam-Status: No, score=-9.546 tagged_above=-999 required=5 tests=[AWL=1.052, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iPrBKEE0naWk for <avt@core3.amsl.com>; Sun, 7 Mar 2010 15:25:38 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id B6EB33A6358 for <avt@ietf.org>; Sun, 7 Mar 2010 15:25:38 -0800 (PST)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-AV: E=Sophos; i="4.49,599,1262563200"; d="scan'208,217"; a="493028506"
Received: from sj-core-3.cisco.com ([171.68.223.137]) by sj-iport-6.cisco.com with ESMTP; 07 Mar 2010 23:25:42 +0000
Received: from sjc-mbaugher-8711.cisco.com (sjc-mbaugher-8711.cisco.com [10.19.93.34]) by sj-core-3.cisco.com (8.13.8/8.14.3) with ESMTP id o27NPf3k013449; Sun, 7 Mar 2010 23:25:42 GMT
References: <4B8E7CB9.2040701@ericsson.com> <04CAD96D4C5A3D48B1919248A8FE0D540B6F3421@xmb-sjc-215.amer.cisco.com>
In-Reply-To: <04CAD96D4C5A3D48B1919248A8FE0D540B6F3421@xmb-sjc-215.amer.cisco.com>
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: multipart/alternative; boundary="Apple-Mail-15--213151315"
Message-Id: <5DB80491-286F-401D-816E-A2C82611DF0A@cisco.com>
From: Mark Baugher <mbaugher@cisco.com>
Date: Sun, 07 Mar 2010 15:25:41 -0800
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
X-Mailer: Apple Mail (2.1077)
Cc: draft-ietf-avt-rapid-acquisition-for-rtp@tools.ietf.org, IETF AVT WG <avt@ietf.org>
Subject: Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rtp-07: Minor issues
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Audio/Video Transport Working Group <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Mar 2010 23:25:40 -0000
On 3/03/2010, at 1:20 PM, Ali C. Begen (abegen) wrote: >> >> 31. Section 10. >> The security mitigation for the authentication of the RTCP messages >> between the RTP_RX and the RS is SRTP. However, the document fails to >> indicate anything on how you would successfully configure the SRTP with >> keying information. Can you provide some insight into how this would >> work in RAMS scenario? I am more interested if you think there exist a >> keying method that fits the trust model and scenarios? And if it does > > I need some help on this. I am not really an SRTP guy. There are a variety of ways this can be done including through a conditional access system, but this could be considered out of scope for this document. If it is in scope, I would start with a standard multicast key management system like GSAKMP or GDOI and define the signaling for it. Since it's not clear that these systems will even be used, however, this is probably a waste of the authors' time. > >> that it might be worth indicating that in the draft as a recommended >> method. I know there will some that has different trust that can do it >> differently. But some baseline is likely worth to lay down here. > > Could be true or not. I can't really comment. In the IPTV realm, there are a number of competing conditional access systems that might be used for proprietary establishment of an SRTP master key and master salt. These are the most likely methods by which a key might be installed. And there are a number of standard techniques mentioned above. > >> 32. Section 10, page 43: >> In addition to the denial-of-service attacks, man-in-the-middle and >> replay attacks can also be harmful. However, RAMS itself does not >> bring any new risks or threats other than the ones discussed in >> [I-D.ietf-avt-rtcpssm]. >> >> I think the document fails to describe the increased risk for other >> attacks that isn't focused on blasting a lot of packets on to some >> target. For example an on-path attacker can beyond preventing the RTP_RX >> to get service, it may discretely change parameters to make the service >> work less well. Are you saying that there is no way to secure against this? Mark >> Due to that the RAMS extensions are more a control >> protocol than a feedback protocol a different level of security threats >> exist than what is primarily discussed in the RTCP SSM RFC. > > A single RTCP packet carrying multiple NACK messages each reporting multiple missing packets will generate a lot more packets than a single RTCP packet carrying RAMS-R. No?
- [AVT] draft-ietf-avt-rapid-acquisition-for-rtp-07… Magnus Westerlund
- Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rt… Bill Ver Steeg (versteb)
- Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rt… Ali C. Begen (abegen)
- Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rt… Mark Baugher
- Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rt… Ali C. Begen (abegen)
- Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rt… Roni Even
- Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rt… Roni Even
- Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rt… Magnus Westerlund
- Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rt… Magnus Westerlund
- Re: [AVT] draft-ietf-avt-rapid-acquisition-for-rt… Ali C. Begen (abegen)