IETF Logo Mail Archive

Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-rfc4582bis-12

Alissa Cooper <alissa@cooperw.in> Mon, 09 February 2015 23:59 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD5F01A8AAD for <bfcpbis@ietfa.amsl.com>; Mon, 9 Feb 2015 15:59:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.8
X-Spam-Level:
X-Spam-Status: No, score=-0.8 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qYoLgyx2LIoA for <bfcpbis@ietfa.amsl.com>; Mon, 9 Feb 2015 15:58:56 -0800 (PST)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50B6D1A6EE8 for <bfcpbis@ietf.org>; Mon, 9 Feb 2015 15:58:56 -0800 (PST)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 797D620DAC for <bfcpbis@ietf.org>; Mon, 9 Feb 2015 18:58:55 -0500 (EST)
Received: from frontend2 ([10.202.2.161]) by compute5.internal (MEProxy); Mon, 09 Feb 2015 18:58:55 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h= x-sasl-enc:content-type:mime-version:subject:from:in-reply-to :date:cc:message-id:references:to; s=mesmtp; bh=uYMzt7iwJuEZWO7A GFJfAWr+Lc0=; b=ZIHTG03q+aGcyNuhsDprHouMBIv9Kz6jPix8ngaSvGxVZ4+9 1FKU9DpwN0gYklNkiCCEK8E5MsaO9dpeesE2SWzDwqRU6DTWiwcJxPHoJAKLvoom Yv5TPPq5jH3lrFqFCpduNid9jmHmfl58ERZfn4H9jHrz4SW8H6JI3D0Pci8=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=x-sasl-enc:content-type:mime-version :subject:from:in-reply-to:date:cc:message-id:references:to; s= smtpout; bh=uYMzt7iwJuEZWO7AGFJfAWr+Lc0=; b=ldo01GK5RHAYFrkh82eR H0I7kTk9n74AiQ0IkPyXQIsbHborUFlTjCTGBMSt7rsUu6QGYaIreFqSAc6AyygS 98LN/UT481bK39Ans6lcVCMyyJrZe6fAYdc54OGDJ1meAe06ldTzbs4Dp1+RdPPh QcKnbHTvA56IxcUfcqG2XhY=
X-Sasl-enc: 7T5Httgsqfbdbmx8Rvd0FxMBnmoV5tP49Pej0EsIk5dH 1423526334
Received: from sjc-alcoop-8817.cisco.com (unknown [128.107.239.233]) by mail.messagingengine.com (Postfix) with ESMTPA id D56026800DB; Mon, 9 Feb 2015 18:58:53 -0500 (EST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_10252BE8-4DCC-44B6-AE9B-AB185B336BD6"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <D0F684B3.3C625%eckelcu@cisco.com>
Date: Mon, 09 Feb 2015 15:58:52 -0800
Message-Id: <CC0C9FBD-75D7-4767-9873-CFF6212B9B2D@cooperw.in>
References: <DB7476B4-3F88-4A8F-804D-130A9907C6D8@cooperw.in> <D0F684B3.3C625%eckelcu@cisco.com>
To: "Charles Eckel (eckelcu)" <eckelcu@cisco.com>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/bfcpbis/grt_rW9F5s_nG6ZIu5pMoB75iOc>
Cc: "bfcpbis@ietf.org" <bfcpbis@ietf.org>
Subject: Re: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-rfc4582bis-12
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/bfcpbis/>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Feb 2015 23:59:05 -0000

Hi Charles,

Thanks, some responses inline.

On Feb 4, 2015, at 10:40 AM, Charles Eckel (eckelcu) <eckelcu@cisco.com> wrote:

> HI Alissa,
> 
> Thank you for the review. Please see my thoughts on your comments and questions inline.
> 
> From: Alissa Cooper <alissa@cooperw.in>
> Date: Thursday, January 29, 2015 at 10:19 PM
> To: "bfcpbis@ietf.org" <bfcpbis@ietf.org>
> Subject: [bfcpbis] AD evaluation: draft-ietf-bfcpbis-rfc4582bis-12
> 
>> I have reviewed this draft in preparation for IETF LC. Overall the document appears in good shape. I have a few questions and comments I’d like to discuss before issuing the IETF last call. I’ve also included some editorial nits that should be addressed together with any last call comments.
>> 
>> Comments and questions:
>> 
>> = Section 5.1 =
>> "If an endpoint receives a message with an
>>      unsupported version field value, the receiving server MUST send an
>>      Error message with parameter value 12 (Unsupported Version) to
>>      indicate this.”
>> 
>> This seems a little misleading since RFC 4582 didn’t specify what to do upon receipt of a message with a version other than 1. Implementations that do not get upgraded to be compliant with 4582bis (which could certainly account for some of those that will not support version 2) will therefore never send the error specified here. This seems like it should at least be noted given the MUST-level requirement. The same applies in Section 13.7.
> 
> 
> Good point. I believe we made this a MUST because we were thinking in terms of implementations compliant with this bis version. Adding your suggested note about rfc 4582 implementations here and in section 13.7 seems useful to me.

Ok

>  
>> 
>> 
>> = Section 7 =
>> "BFCP entities MUST support, at a minimum, the
>>    TLS_RSA_WITH_AES_128_CBC_SHA ciphersuite [6].”
>> 
>> I realize this requirement comes from RFC 4582, but I’d like to understand why it has not been updated to be consistent with more current guidance on cipher suite selection (e.g., https://tools.ietf.org/html/draft-ietf-uta-tls-bcp-08#section-4).
> 
> 
> How about we keep this minimum requirement, and add a reference to draft-ietf-uta-tls-bcp along with a recommendation to adhere to the best practices it outlines in section 4?

I think MUST support TLS_RSA_WITH_AES_128_CBC_SHA for backwards compatibility and SHOULD support the ones listed in the UTA drafts would be ok.

> 
>> 
>> 
>> = Sections 8, 8.1, 8.2 =
>> It seems like the transaction ID requirements regarding non-reuse/monotonically increasing IDs are re-stated multiple times across these three sections, in slightly different ways, to the point where it’s not clear exactly what they are. It seems like they are:
>> 
>> (1) Reliable transport, server-initiated transaction: ID is 0
>> (2) Unreliable transport, server-initiated transaction: ID MUST be monotonically increasing (except for wrap-around)
>> (3) Reliable transport, client-initiated transaction: ID MUST NOT be 0 and MUST NOT be reused in another message from the client until a response from the server is received for the transaction, but need not be monotonically increasing (e.g., a lower, recently used ID could be re-used once a response is received)
>> (4) Unreliable transport, client-initiated transaction: ID MUST be monotonically increasing (except for wrap-around)
>> 
>> Is (3) the correct interpretation of the text in 8.1? If so, why not just require IDs in all client-initiated transactions to be monotonically increasing?
> 
> 
> Agree we can and should simplify this. Sections 8.1 and 8.2 cover the client behavior and server behavior in detail. As such, the transaction ID related information at the start of Section 8 is superfluous. I recommend reducing the text in Section 8 to the follow:
> 
> 8. Protocol Transactions
> 
>    In BFCP, there are two types of transactions: client-initiated
>    transactions and server-initiated transactions.
> 
>    Client-initiated transactions consist of a request from a client to a
>    floor control server and a response from the floor control server to
>    the client.
> 
>    Server-initiated transactions have different behavior depending on 
>    underlying transport:
> 
>       When using a reliable transport, server-initiated transactions
>       consist of a single message from a floor control server to a
>       client (notifications).  They do not trigger any response.
> 
>       When using an unreliable transport, server-initiated transactions
>       consist of a request from a floor control server to a client and a
>       response from the client to the floor control server.
> 
>    When using BFCP over an unreliable transport, retransmission timer T1
>    (see Section 8.3) MUST be used for all requests until the transaction
>    is completed.
> 
> Then in section 8.1, we add the important details removed from section 8.
> 
> 8.1.1 Client Behavior
> 
>    A client starting a client-initiated transaction MUST set the
>    Conference ID in the common header of the message to the Conference
>    ID for the conference that the client obtained previously. 
> 
>    The client MUST set the Transaction ID value in the common header to
>    a number that is different from 0 and that MUST NOT be reused in
>    another message from the client until a response from the server is
>    received for the transaction.  The client uses the Transaction ID
>    value to match this message with the response from the floor control
>    server. When using BFCP over an unreliable transport, it is important to
>    choose a Transaction ID value that lets the receiver distinguish the reception 
>    of the next message in a sequence of BFCP messages from a retransmission 
>    of a previous message.  Therefore, BFCP entities using an unreliable transport MUST
>    use monotonically increasing Transaction ID values (except for wrap-around).
> 
>    A client receiving a server-initiated transaction over an unreliable transport
>    MUST copy the Transaction ID from the request received from the server into the
>    response. 
>    [Question: is there a need to copy the Conference ID and User ID, if present?]
> 
> 8.2. Server Behavior
> 
>    A floor control server sending a response within a client-initiated
>    transaction MUST copy the Conference ID, the Transaction ID, and the
>    User ID from the request received from the client into the response.
> 
>    Server-initiated transactions MUST contain a Transaction ID equal to
>    0 when BFCP is used over a reliable transport.  Over an unreliable
>    transport, the Transaction ID shall have the same properties as for
>    client-initiated transactions. The server uses the Transaction ID value to
>    match this message with the response from the floor participant or
>    floor chair.
> 

Thanks, this is better.

>> 
>> 
>> = Section 9 (impacts Section 14 as well) =
>> "BFCP clients SHOULD authenticate the floor control server before
>>    sending any BFCP message to it or accepting any BFCP message from it.
>>    Similarly, floor control servers SHOULD authenticate a client before
>>    accepting any BFCP message from it or sending any BFCP message to it.
>> 
>>    BFCP supports TLS/DTLS mutual authentication between clients and
>>    floor control servers, as specified in Section 9.1.  This is the
>>    RECOMMENDED authentication mechanism in BFCP.”
>> 
>> What are the cases where clients and servers do not need to be authenticating each other? I know this requirement and the other SHOULD-level requirements around use of TLS/DTLS are carried over from RFC 4582, but I’m concerned that they aren’t as strong as they should be. For a conference where the signaling traffic is authenticated and confidentiality and integrity protected, why is it ok for the floor control traffic not to be? Could these requirements be adjusted to require use of TLS/DTLS at least in cases where the signaling is also protected?
> 
> 
> Yes, but again, this would be at the expense of adding a non backward compatible change from rfc 4582. How about saying TLS/DTLS MUST be used for BFCP in such cases, while pointing out the rfc 4582 based implementations may not comply (similar to what we did with the version field).

Works for me.

Feel free to make all of these changes and submit a rev and I’ll issue the IETF LC.

Thanks,
Alissa

>> 
>> 
>> = Section 14 =
>> See the point above about ciphersuites. “Non-null encryption” is not a sufficient minimum baseline, and if the requirements change in Section 7 they should be reflected here as well.
> 
> 
> Yep.
> 
>> 
>> 
>> Editorial nits to be resolved with LC comments:
>> 
>> = Section 5.1 =
>> “The version field MUST be set to 1 when using BFCP over a reliable
>>    transport, i.e. as in [2].”
>> 
>> I find it a little odd to reference the spec you’re obsoleting in this sentence, especially since BFCP over a reliable transport is completely specified in this bis document. I would suggest dropping the i.e. clause.
> 
> 
> Good catch. This is a carry over from before this draft was adopted as a bis version of rfc4582.
> 
>> 
>> "The version field MUST be set to 2 when
>>    using BFCP over an unreliable transport with the extensions specified
>>    in this document.”
>> 
>> The bit about “with the extensions specified in this document” is extraneous and should be removed.
>> 
>> "If an endpoint receives a message with an
>>     unsupported version field value, the receiving server MUST send an
>>     Error message with parameter value 12 (Unsupported Version) to
>>     indicate this.”
>> 
>> Use of the word “server” here makes it sound as if only servers could receive headers with unsupported versions. Should this be “the receiving endpoint”?
>> 
>> = Section 6.2.4 =
>> "[23], Section 6.7 provides useful recommendations …”
>> 
>> The links in the references are not quite right.
>> 
>> = Section 8.3.2 =
>> s/when fires/when fired/
>> 
>> = Section 14 =
>> s/high-jack/hijack/
>> 
>> = Section B.1 =
>> "situation where multiple different and non-interoperable would co-
>>    exist in the market.”
>> 
>> There is a word missing after “non-interoperable."
> 
> 
> This should read “non-interoperable implementations”. Earlier in that same sentence, “BFCP over UDP were already used” should read “BFCP over UDP is already being used”.
> 
> Cheers,
> Charles

v2.23.0 | Report a Bug | By Email