IETF Logo Mail Archive

Re: [bfcpbis] Spencer Dawkins' Discuss on draft-ietf-bfcpbis-rfc4582bis-15: (with DISCUSS and COMMENT)

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 05 November 2015 14:20 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CEB81B2D7C; Thu, 5 Nov 2015 06:20:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SO73DmZJujFb; Thu, 5 Nov 2015 06:20:44 -0800 (PST)
Received: from mail-yk0-x233.google.com (mail-yk0-x233.google.com [IPv6:2607:f8b0:4002:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 730351B2D53; Thu, 5 Nov 2015 06:20:42 -0800 (PST)
Received: by ykdr3 with SMTP id r3so132564529ykd.1; Thu, 05 Nov 2015 06:20:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=3L6ai6Vz1XCJ+opoJBIUPfsPu9d8UWufbIbRvgm6E80=; b=DZeGZLfop47A2XRfpygOPXKItz501nJm5q+XTpms0LctCXoc1Vq7lSum+zUnzdyRV5 XsJj83birLVchYgpjg2ifmBt44nva8Vwph3SHq7ZO8CusAPWTgMIlEZcZ2rIpPD6xhHK GE0AzN893+z5sjn/epJ9Rj43Vso1w+FCh/7aWoNfpLCKhC2AAcmvuTC5uW75em0BCLxl lgtQz8DCEQD9geiwy6/Dduv+M0VOC6owpxOWKv4N/pfZkAw1z8InBfpH2GedXQWNsjEK rIHZKX2C58f5DkyFcDVThYirekgMNhl4hdPBQSdnSIAWajmHt6j/NZXL/rplX9zjID+M GU+A==
MIME-Version: 1.0
X-Received: by 10.31.8.69 with SMTP id 66mr7223072vki.82.1446733241432; Thu, 05 Nov 2015 06:20:41 -0800 (PST)
Received: by 10.31.149.79 with HTTP; Thu, 5 Nov 2015 06:20:41 -0800 (PST)
In-Reply-To: <D261445D.5E397%eckelcu@cisco.com>
References: <20151105023108.17210.54132.idtracker@ietfa.amsl.com> <19C90DA9-652D-499F-8462-7EC7878307CB@packetizer.com> <CAKKJt-ci2kndZsxmkUKchWCcEPApvoFT9QMsw6MeC7hfKso3tQ@mail.gmail.com> <D261445D.5E397%eckelcu@cisco.com>
Date: Thu, 05 Nov 2015 23:20:41 +0900
Message-ID: <CAKKJt-euqJ6skSf_0ivT04Yi5NpGPBSeWTOOiJRqq5QOrS61xA@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
To: "Charles Eckel (eckelcu)" <eckelcu@cisco.com>
Content-Type: multipart/alternative; boundary="001a11440bccf0c10f0523cbd4c5"
Archived-At: <http://mailarchive.ietf.org/arch/msg/bfcpbis/UQsHqCr578KpT3xefrIK2TvvKMs>
Cc: "gorry@erg.abdn.ac.uk" <gorry@erg.abdn.ac.uk>, "bfcpbis-chairs@ietf.org" <bfcpbis-chairs@ietf.org>, "bfcpbis@ietf.org" <bfcpbis@ietf.org>, "draft-ietf-bfcpbis-rfc4582bis@ietf.org" <draft-ietf-bfcpbis-rfc4582bis@ietf.org>, "Paul E. Jones" <paulej@packetizer.com>, The IESG <iesg@ietf.org>, Mary Barnes <mary.ietf.barnes@gmail.com>
Subject: Re: [bfcpbis] Spencer Dawkins' Discuss on draft-ietf-bfcpbis-rfc4582bis-15: (with DISCUSS and COMMENT)
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bfcpbis/>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Nov 2015 14:20:46 -0000

Hi, Charles,

On Thu, Nov 5, 2015 at 5:43 PM, Charles Eckel (eckelcu) <eckelcu@cisco.com>
wrote:

> For TCP, the use of TLS was not required by RFC 4582. For 4582bis, we do
> not require TLS in order to maintain backward compatibility with RFC 4582.
>

Got it. I'm holding my nose on this one, based on backward compatibility,
and given the degree of difficulty in splicing attack packets into the TCP
sequence numbering space if you're off-path. I'm not thrilled, but someone
else needs to decide when threats reach the level where making that
incompatible change is necessary - and that might not be the right thing to
do today.


> For UDP, the reason for not mandating DTLS is backward compatibility with
> existing solutions. The IMTC Role Based Video Best Practice established a
> set of recommendations for getting BFCP to work  within enterprise video
> conference deployments. As that time,draft-sandbakken-xcon-bfcp-udp defined
> BFCP over UDP only. DTLS was left for future study. Today we have many
> implementations of BFCP over UDP, but few if any using DTLS. We need the
> ultimate RFC that standardizes BFCP over UDP (and over DTLS) to allow
> interworking with these existing deployments.
>

OK, I'm not the Protocol Security Police, so, fine, but it seems like the
draft could be clearer about this, and what you said in your answer would
be really helpful in the document.

If the text said something like "DTLS is REQUIRED unless you are
interworking with a pre-standardization deployment that is already
insecure, in which case you're not making things worse by running without
transport-level security", that would capture my concern and reflect what
you're saying, unless I'm missing something.

Thanks to you and Paul for the speedy response on the evening of Bits and
Bites!

Spencer

v2.23.0 | Report a Bug | By Email