Re: [bfcpbis] Spencer Dawkins' Discuss on draft-ietf-bfcpbis-rfc4582bis-15: (with DISCUSS and COMMENT)
Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 05 November 2015 22:23 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3FD11B3C6B; Thu, 5 Nov 2015 14:23:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 81GZSUuhv8qk; Thu, 5 Nov 2015 14:23:17 -0800 (PST)
Received: from mail-yk0-x22b.google.com (mail-yk0-x22b.google.com [IPv6:2607:f8b0:4002:c07::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B84D81B3C69; Thu, 5 Nov 2015 14:23:17 -0800 (PST)
Received: by ykek133 with SMTP id k133so158292868yke.2; Thu, 05 Nov 2015 14:23:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=cmRrHlMFoMfJbA5PCZWJKmCy8qU/QJQTusxze6oOBUo=; b=MfonzU97TLsZCa/xR71y/27BZCdEiN2Pouc5tub5DjPbXz1sxgJF+c/rIfFfJ/w5kE eL9/1rIsDI/fXRMDvFs+9XJ8+jcsLYQtbFcmIZpj8NnFvv7xoWXzGr3HiU++/CchBjZT ZjqqFoEVmGYRo4Wm2DpwaxOwcIUEq57MfGiA56OxjBrD3l/qU7O7XK1L0IrPCRPBBIqY 7zxZFc/cHQhvAAvEl+7C9NCSvVPNwUKvtgXOxHQYlMDbU0OBU+iy5F/9s1z13uUjWDkb dziBOuavtGmVLNDMsFk2iWN9oyHre6+/85p0gth6QOLVZ6g+qWYDXsI/ugwu+s11ki0Y 13Ig==
MIME-Version: 1.0
X-Received: by 10.31.49.22 with SMTP id x22mr9263475vkx.60.1446762196982; Thu, 05 Nov 2015 14:23:16 -0800 (PST)
Received: by 10.31.149.79 with HTTP; Thu, 5 Nov 2015 14:23:16 -0800 (PST)
Received: by 10.31.149.79 with HTTP; Thu, 5 Nov 2015 14:23:16 -0800 (PST)
In-Reply-To: <5D0066E2-6BD9-4ED8-A37D-CE83118E099E@cooperw.in>
References: <20151105023108.17210.54132.idtracker@ietfa.amsl.com> <19C90DA9-652D-499F-8462-7EC7878307CB@packetizer.com> <CAKKJt-ci2kndZsxmkUKchWCcEPApvoFT9QMsw6MeC7hfKso3tQ@mail.gmail.com> <D261445D.5E397%eckelcu@cisco.com> <CAKKJt-euqJ6skSf_0ivT04Yi5NpGPBSeWTOOiJRqq5QOrS61xA@mail.gmail.com> <5D0066E2-6BD9-4ED8-A37D-CE83118E099E@cooperw.in>
Date: Fri, 06 Nov 2015 07:23:16 +0900
Message-ID: <CAKKJt-fivGMaovuPuPsr1MnAuPW+qRc=g3=yHVX=71iE4LqKTg@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
To: Alissa Cooper <alissa@cooperw.in>
Content-Type: multipart/alternative; boundary="001a11440790d360ff0523d292a7"
Archived-At: <http://mailarchive.ietf.org/arch/msg/bfcpbis/47zNEeZBhWM1ppaHR6FunkZABbs>
Cc: "gorry@erg.abdn.ac.uk" <gorry@erg.abdn.ac.uk>, bfcpbis-chairs@ietf.org, "bfcpbis@ietf.org" <bfcpbis@ietf.org>, "Charles Eckel (eckelcu)" <eckelcu@cisco.com>, "draft-ietf-bfcpbis-rfc4582bis@ietf.org" <draft-ietf-bfcpbis-rfc4582bis@ietf.org>, "Paul E. Jones" <paulej@packetizer.com>, iesg@ietf.org, Mary Barnes <mary.ietf.barnes@gmail.com>
Subject: Re: [bfcpbis] Spencer Dawkins' Discuss on draft-ietf-bfcpbis-rfc4582bis-15: (with DISCUSS and COMMENT)
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bfcpbis/>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2015 22:23:20 -0000
Hi, Alissa, On Nov 6, 2015 7:06 AM, "Alissa Cooper" <alissa@cooperw.in> wrote: > > Hi Spencer, > > > > On Nov 5, 2015, at 11:20 PM, Spencer Dawkins at IETF < spencerdawkins.ietf@gmail.com> wrote: > >> Hi, Charles, >> >> On Thu, Nov 5, 2015 at 5:43 PM, Charles Eckel (eckelcu) < eckelcu@cisco.com> wrote: >>> >>> For TCP, the use of TLS was not required by RFC 4582. For 4582bis, we do not require TLS in order to maintain backward compatibility with RFC 4582. >> >> >> Got it. I'm holding my nose on this one, based on backward compatibility, and given the degree of difficulty in splicing attack packets into the TCP sequence numbering space if you're off-path. I'm not thrilled, but someone else needs to decide when threats reach the level where making that incompatible change is necessary - and that might not be the right thing to do today. >> >>> >>> For UDP, the reason for not mandating DTLS is backward compatibility with existing solutions. The IMTC Role Based Video Best Practice established a set of recommendations for getting BFCP to work within enterprise video conference deployments. As that time,draft-sandbakken-xcon-bfcp-udp defined BFCP over UDP only. DTLS was left for future study. Today we have many implementations of BFCP over UDP, but few if any using DTLS. We need the ultimate RFC that standardizes BFCP over UDP (and over DTLS) to allow interworking with these existing deployments. >> >> >> OK, I'm not the Protocol Security Police, so, fine, but it seems like the draft could be clearer about this, and what you said in your answer would be really helpful in the document. >> >> If the text said something like "DTLS is REQUIRED unless you are interworking with a pre-standardization deployment that is already insecure, > > > "REQUIRED unless" strikes me as a faulty construction. That case is what RECOMMENDED is for, when there is a known exception to the requirement. That usage is certainly more common in some parts of the IETF than others, but it does get used. But ignoring that. Do you think "RECOMMENDED unless you are interworking with a pre-standardization deployment that is already insecure" is tight enough? The reason I'm asking, is that offpath attacks on UDP-based protocols are a lot easier than TCP-based protocols, and if the IETF is going to publish a proposed standard with a known deficiency to accommodate pre-standardization deployments, I'd prefer that the guidance about using that accommodation be as clear as possible. Thanks, Spencer > Alissa > >> in which case you're not making things worse by running without transport-level security", that would capture my concern and reflect what you're saying, unless I'm missing something. >> >> Thanks to you and Paul for the speedy response on the evening of Bits and Bites! >> >> Spencer >> >> _______________________________________________ >> >> bfcpbis mailing list >> bfcpbis@ietf.org >> https://www.ietf.org/mailman/listinfo/bfcpbis
- [bfcpbis] Spencer Dawkins' Discuss on draft-ietf-… Spencer Dawkins
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Paul E. Jones
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Spencer Dawkins at IETF
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Paul E. Jones
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Alissa Cooper
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Charles Eckel (eckelcu)
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Spencer Dawkins at IETF
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Alissa Cooper
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Spencer Dawkins at IETF
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Paul Kyzivat
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Alissa Cooper
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Charles Eckel (eckelcu)
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Alissa Cooper
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Spencer Dawkins at IETF
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Charles Eckel (eckelcu)
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Spencer Dawkins at IETF
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Charles Eckel (eckelcu)
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Spencer Dawkins at IETF
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Charles Eckel (eckelcu)
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Paul E. Jones
- Re: [bfcpbis] Spencer Dawkins' Discuss on draft-i… Spencer Dawkins at IETF