Re: [bfcpbis] Benjamin Kaduk's No Objection on draft-ietf-bfcpbis-rfc4583bis-26: (with COMMENT)
Christer Holmberg <christer.holmberg@ericsson.com> Mon, 03 December 2018 12:17 UTC
Hi,
...
>>> Section 7
>>>
>>> Note: When using Interactive Connectivity Establishment (ICE)
>>> [RFC8445], TCP/DTLS/BFCP, and UDP/TLS/BFCP, the straight-forward
>>> procedures for connection management as UDP/BFCP described above
>>> apply. [...]
>>>
>>> nit: this sentence as written applies only when all three of ICE,
>>> TCP/DTLS/BFCP, and UDP/TLS/BFCP apply (which is nonsensical). I assume the
>>> intended grouping is: (1) ICE is used, and (2) either TCP/DTLS/BFCP or
>>> UDP/TLS/BFCP is used.
>>
>> Correct. I will replace "and" with "or".
>
>I'm not sure that just replacing the one word is enough of a fix, but I
>trust you will do the right thing.
I took a second look, and "or" is good :)
---
>>> Section 12
>>>
>>> It's probably worth noting explicitly that the non-(D)TLS proto values
>>> offer neither integrity protection nor confidentiality protection to the
>>> BFCP stream.
>>
>> I think the protection of the BFCP streams belongs to 4582bis.
>
> This is a non-blocking comment, but I think it's appropriate to mention
> here.
What about:
"The usage of certain proto values in the SDP offer/answer negotiation will result in a BFCP stream that is not protected by TLS or DTLS. Operators will need to provide integrity protection and confidentiality protection of the BFCP stream using other means."
>>> An attacker able to view the SDP exchanges can determine which media flows
>>> contain which content, which could exacerbate existing metadata leakage
>>> channels in some circumstances.
>>
>> I am not sure how that is related to the BFCP SDP negotiation?
>
> The premise here (perhaps farfetched) is that the attacker can view the SDP
> exchange but the actual media flows are secured with (D)TLS and not visible
> to the attacker. The (D)TLS flows will leak some information via packet
> size/timing, perhaps allowing for traffic analysis to determine what sorts
> of media flows are going where. The new attributes in the BFCP SDP
> negotiation can make this sort of traffic analysis more effective. I would
> be fairly receptive if you wanted to say that this is not more noteworthy
> than for normal SDP security considerations, though.
In general I agree with you that non-protected SDP attributes can help in traffic analysis, but the BFCP attributes only provide information about the BFCP stream itself - they don't even indicate which media streams will be controlled by BFCP to begin with (that is negotiated on BFCP level).
But, I could add something like:
"The SDP attributes defined in this specification do not add additional security considerations to the generic security considerations for protecting SDP attributes [RFC3264]. The attributes do not reveal information about the content of individual BFCP controlled media streams, nor do they reveal which media streams will be BFCP controlled."
Regards,
Christer
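An added check, not part of this thread or of the draft, that illustrates the two points discussed above: it walks the m= sections of an SDP body, flags BFCP streams whose proto value carries no TLS/DTLS protection (the Section 12 concern), and records whether the Section 7 case applies with the grouping Kaduk suggested, i.e. ICE is used together with either TCP/DTLS/BFCP or UDP/TLS/BFCP. The sample offer and its ICE credentials are constructed for the example.

```python
# Added example: audit BFCP m= sections in SDP for (D)TLS protection and ICE use.
# Not code from the draft or the list thread; proto values are those the draft defines.
PROTECTED_PROTOS = {"TCP/DTLS/BFCP", "UDP/TLS/BFCP"}  # BFCP stream protected by (D)TLS
UNPROTECTED_PROTOS = {"TCP/BFCP", "UDP/BFCP"}         # no integrity/confidentiality

# Constructed sample offer (not from the draft): one unprotected BFCP stream
# and one ICE + TLS-protected BFCP stream.
SAMPLE_OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 198.51.100.1
s=-
t=0 0
m=application 50000 UDP/BFCP *
a=setup:actpass
a=connection:new
a=floorctrl:c-s
m=application 50002 UDP/TLS/BFCP *
a=setup:actpass
a=connection:new
a=ice-ufrag:8hhY
a=ice-pwd:asd88fgpdd777uzjYhagZg
a=floorctrl:c-s
"""

def parse_media_sections(sdp):
    """Split an SDP body into m= sections: media, port, proto, attribute list."""
    sections, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]  # m=<media> <port> <proto> <fmt>...
            current = {"media": media, "port": int(port), "proto": proto, "attrs": []}
            sections.append(current)
        elif line.startswith("a=") and current is not None:
            current["attrs"].append(line[2:])
    return sections

def audit_bfcp(sdp):
    """One finding per accepted BFCP m= section (port 0 means rejected, so skipped)."""
    findings = []
    for sec in parse_media_sections(sdp):
        if sec["port"] == 0 or not sec["proto"].endswith("/BFCP"):
            continue
        uses_ice = any(a.startswith(("ice-ufrag:", "candidate:")) for a in sec["attrs"])
        protected = sec["proto"] in PROTECTED_PROTOS
        findings.append({"proto": sec["proto"], "protected": protected, "ice": uses_ice,
                         "known_proto": sec["proto"] in PROTECTED_PROTOS | UNPROTECTED_PROTOS,
                         # Section 7 note read as: ICE is used AND (DTLS or TLS is used)
                         "ice_secure_case": uses_ice and protected})
    return findings
```

A stream reported with `protected` false is exactly the case the proposed Section 12 text describes: integrity and confidentiality must then come from other means.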