Re: [bfcpbis] Benjamin Kaduk's No Objection on draft-ietf-bfcpbis-rfc4583bis-26: (with COMMENT)
"Charles Eckel (eckelcu)" <eckelcu@cisco.com> Fri, 07 December 2018 07:28 UTC
Return-Path: <eckelcu@cisco.com>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96EEC127133; Thu, 6 Dec 2018 23:28:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.96
X-Spam-Level:
X-Spam-Status: No, score=-15.96 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SAJIjNuvRXo0; Thu, 6 Dec 2018 23:28:49 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F3DB126DBF; Thu, 6 Dec 2018 23:28:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7862; q=dns/txt; s=iport; t=1544167729; x=1545377329; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=Wshy6ZNUgTApAZ5VTfqW1A3xe0O0xJt8wogIsNpNNXk=; b=jikZRECLHHVg6GawQhO+40I1sCBglTegBp6TyswXvP8UcpNWTEkxYxHT D87DaR6l/jjXRrwpyxhfSTkULYp3erU4j4UpbR3pNj1M9RANtDhFp6mgW qA5V0sYnksjBQvL28J/Co0BCXQcaDhN7P9B5kZreta2R1KwnIwXuRsKXG Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAAAqIApc/51dJa1hAg4LAQEBAQEBAQEBAQEBBwEBAQEBAYFRBAEBAQEBCwGCA2aBAicKg3CIGY14JYkSjj2BegsBARgLhANGAheDACI0CQ0BAwEBAgEBAm0cDIU8AQEBBAEBIRE6CwwEAgEIEQMBAgMCEhQCAgIfBgsVCAgCBAENBYMhAYFpAxUPpUOBL4gHDYIXBYELixQXgX+BEScME4JMgldHAQGBeDEMgjAxgiYClW6KHycuCQKOGoMuGJE2iQ+Ff4llAhEUgScfOIFVcBU7KgGCQYJQiEyFBDtBMQGJB4EfgR8BAQ
X-IronPort-AV: E=Sophos;i="5.56,324,1539648000"; d="scan'208";a="209856755"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Dec 2018 07:28:47 +0000
Received: from XCH-ALN-018.cisco.com (xch-aln-018.cisco.com [173.36.7.28]) by rcdn-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id wB77Slkp006511 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 7 Dec 2018 07:28:47 GMT
Received: from xch-aln-018.cisco.com (173.36.7.28) by XCH-ALN-018.cisco.com (173.36.7.28) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Fri, 7 Dec 2018 01:28:47 -0600
Received: from xch-aln-018.cisco.com ([173.36.7.28]) by XCH-ALN-018.cisco.com ([173.36.7.28]) with mapi id 15.00.1395.000; Fri, 7 Dec 2018 01:28:47 -0600
From: "Charles Eckel (eckelcu)" <eckelcu@cisco.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "mary.ietf.barnes@gmail.com" <mary.ietf.barnes@gmail.com>, "bfcpbis@ietf.org" <bfcpbis@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-bfcpbis-rfc4583bis@ietf.org" <draft-ietf-bfcpbis-rfc4583bis@ietf.org>
Thread-Topic: [bfcpbis] Benjamin Kaduk's No Objection on draft-ietf-bfcpbis-rfc4583bis-26: (with COMMENT)
Thread-Index: AQHUjDeNJYj0YvLoRkeeWdulSFyGfaVwFdUAgAGmQwCAAUUUAIAA3tQA
Date: Fri, 07 Dec 2018 07:28:47 +0000
Message-ID: <8B0A6F27-B9A0-4F86-9375-9594EFFE18EA@cisco.com>
References: <4809F8B5-F43F-49B0-A638-68935FC5BC5B@cisco.com> <CF3B0A92-4497-41F1-8E8F-66C6327BA46E@ericsson.com> <4E5CA82F-AB2F-4DE0-BADF-FB48B911FF79@cisco.com> <0DC599D8-9582-4830-9887-0D2760E81A7D@ericsson.com>
In-Reply-To: <0DC599D8-9582-4830-9887-0D2760E81A7D@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.13.0.181109
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.70.231.143]
Content-Type: text/plain; charset="utf-8"
Content-ID: <A17642E9D6B9C940A1308A8C9D5DCB42@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.36.7.28, xch-aln-018.cisco.com
X-Outbound-Node: rcdn-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/bfcpbis/TLybpiiVZWsdDGD3hUnhK_Jwo74>
Subject: Re: [bfcpbis] Benjamin Kaduk's No Objection on draft-ietf-bfcpbis-rfc4583bis-26: (with COMMENT)
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bfcpbis/>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Dec 2018 07:28:51 -0000
Looks good to me, thanks! Charles -----Original Message----- From: Christer Holmberg <christer.holmberg@ericsson.com> Date: Friday, December 7, 2018 at 4:12 PM To: Charles Eckel <eckelcu@cisco.com>, Benjamin Kaduk <kaduk@mit.edu> Cc: Mary Barnes <mary.ietf.barnes@gmail.com>, "bfcpbis@ietf.org" <bfcpbis@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-bfcpbis-rfc4583bis@ietf.org" <draft-ietf-bfcpbis-rfc4583bis@ietf.org> Subject: Re: [bfcpbis] Benjamin Kaduk's No Objection on draft-ietf-bfcpbis-rfc4583bis-26: (with COMMENT) The pull request has been updated. Regards, Christer On 06/12/2018, 0.47, "Charles Eckel (eckelcu)" <eckelcu@cisco.com> wrote: -----Original Message----- From: bfcpbis <bfcpbis-bounces@ietf.org> on behalf of Christer Holmberg <christer.holmberg@ericsson.com> Date: Wednesday, December 5, 2018 at 7:37 PM To: Charles Eckel <eckelcu@cisco.com>, Benjamin Kaduk <kaduk@mit.edu> Cc: Mary Barnes <mary.ietf.barnes@gmail.com>, "bfcpbis@ietf.org" <bfcpbis@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-bfcpbis-rfc4583bis@ietf.org" <draft-ietf-bfcpbis-rfc4583bis@ietf.org> Subject: Re: [bfcpbis] Benjamin Kaduk's No Objection on draft-ietf-bfcpbis-rfc4583bis-26: (with COMMENT) Hi, .... >>>>> An attacker able to view the SDP exchanges can determine which media flows >>>>> contain which content, which could exacerbate existing metadata leakage >>>>> channels in some circumstances. >>>>> >>>>> I am not sure how that is related to the BFCP SDP negotiation? >>>> >>>> exchange but the actual media flows are secured with (D)TLS and not visible >>>> to the attacker. The (D)TLS flows will leak some information via packet >>>> size/timing, perhaps allowing for traffic analysis to determine what sorts >>>> of media flows are going where. The new attributes in the BFCP SDP >>>> negotiation can make this sort of traffic analysis more effective. I would >>>> be fairly receptive if you wanted to say that this is not more noteworthy >>>> than for normal SDP security considerations, though. >>> >>> In general I agree with you that non-protected SDP attributes can help in traffic analysis, but >>> the BFCP attributes only provide information about the BFCP stream itself - they don't even indicate which >>> media streams will be controlled by BFCP to begin with (that is negotiated on BFCP level). >> >> But, I could add something like: >> >> "The SDP attributes defined in this specification do not add additional security considerations to the generic >> security considerations for protecting SDP attributes [RFC3264]. The attributes do not reveal information >> about the content of individual BFCP controlled media streams, nor do they reveal which media streams >> will be BFCP controlled." > >[cue] I don't think I agree with this last part. The info in SDP does indicate which media streams will be >controlled using BFCP. For example, > > m=application 50000 TCP/TLS/BFCP * > a=setup:actpass > a=connection:new > a=fingerprint:sha-256 \ > 19:E2:1C:3B:4B:9F:81:E6:B8:5C:F4:A5:A8:D8:73:04: \ > BB:05:2F:70:9F:04:A9:0E:05:E9:26:33:E8:70:88:A2 > a=floorctrl:c-only s-only > a=confid:4321 > a=userid:1234 > a=floorid:1 mstrm:10 > a=floorid:2 mstrm:11 > a=bfcpver:1 2 > m=audio 50002 RTP/AVP 0 > a=label:10 > m=video 50004 RTP/AVP 31 > a=label:11 > > The combination of floorid/mstrm and label attributes indicate that the corresponding audio and > video m-lines are to be controlled via BFCP. You are right. So, something like: "The generic security considerations associated with SDP attributes are defined in [RFC3264]. While the defined in this specification do not reveal information about the content of individual BFCP controlled media streams, they do reveal which media streams will be BFCP controlled." Yes, except s/While the defined/While those defined Cheers, Charles Regards, Christer _______________________________________________ bfcpbis mailing list bfcpbis@ietf.org https://www.ietf.org/mailman/listinfo/bfcpbis
- [bfcpbis] Benjamin Kaduk's No Objection on draft-… Benjamin Kaduk
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Christer Holmberg
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Benjamin Kaduk
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Christer Holmberg
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Benjamin Kaduk
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Christer Holmberg
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Charles Eckel (eckelcu)
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Christer Holmberg
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Charles Eckel (eckelcu)
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Christer Holmberg
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Charles Eckel (eckelcu)
- Re: [bfcpbis] Benjamin Kaduk's No Objection on dr… Christer Holmberg