Re: [bfcpbis] Benjamin Kaduk's No Objection on draft-ietf-bfcpbis-rfc4583bis-26: (with COMMENT)

Christer Holmberg <christer.holmberg@ericsson.com> Fri, 07 December 2018 07:12 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: "Charles Eckel (eckelcu)" <eckelcu@cisco.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: "mary.ietf.barnes@gmail.com" <mary.ietf.barnes@gmail.com>, "bfcpbis@ietf.org" <bfcpbis@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-bfcpbis-rfc4583bis@ietf.org" <draft-ietf-bfcpbis-rfc4583bis@ietf.org>
Date: Fri, 07 Dec 2018 07:11:14 +0000
Message-ID: <0DC599D8-9582-4830-9887-0D2760E81A7D@ericsson.com>
References: <4809F8B5-F43F-49B0-A638-68935FC5BC5B@cisco.com> <CF3B0A92-4497-41F1-8E8F-66C6327BA46E@ericsson.com> <4E5CA82F-AB2F-4DE0-BADF-FB48B911FF79@cisco.com>
In-Reply-To: <4E5CA82F-AB2F-4DE0-BADF-FB48B911FF79@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bfcpbis/i7L9c_kjkTjUg1HBw3fFNQuJplY>
Subject: Re: [bfcpbis] Benjamin Kaduk's No Objection on draft-ietf-bfcpbis-rfc4583bis-26: (with COMMENT)

The pull request has been updated.

Regards,

Christer


On 06/12/2018, 0.47, "Charles Eckel (eckelcu)" <eckelcu@cisco.com> wrote:

    -----Original Message-----
    From: bfcpbis <bfcpbis-bounces@ietf.org> on behalf of Christer Holmberg <christer.holmberg@ericsson.com>
    Date: Wednesday, December 5, 2018 at 7:37 PM
    To: Charles Eckel <eckelcu@cisco.com>, Benjamin Kaduk <kaduk@mit.edu>
    Cc: Mary Barnes <mary.ietf.barnes@gmail.com>, "bfcpbis@ietf.org" <bfcpbis@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-bfcpbis-rfc4583bis@ietf.org" <draft-ietf-bfcpbis-rfc4583bis@ietf.org>
    Subject: Re: [bfcpbis] Benjamin Kaduk's No Objection on draft-ietf-bfcpbis-rfc4583bis-26: (with COMMENT)
    
        Hi,
                
                ....
                
                    >>>>> An attacker able to view the SDP exchanges can determine which media flows
                    >>>>> contain which content, which could exacerbate existing metadata leakage
                    >>>>> channels in some circumstances.
                    >>>>>
                    >>>>> I am not sure how that is related to the BFCP SDP negotiation?
                    >>>>
                    >>>> exchange but the actual media flows are secured with (D)TLS and not visible
                    >>>> to the attacker.  The (D)TLS flows will leak some information via packet
                    >>>> size/timing, perhaps allowing for traffic analysis to determine what sorts
                    >>>> of media flows are going where.  The new attributes in the BFCP SDP
                    >>>> negotiation can make this sort of traffic analysis more effective.  I would
                    >>>> be fairly receptive if you wanted to say that this is not more noteworthy
                    >>>> than for normal SDP security considerations, though.
                    >>>
                    >>> In general I agree with you that non-protected SDP attributes can help in traffic analysis, but 
                    >>> the BFCP attributes only provide information about the BFCP stream itself - they don't even indicate which 
                    >>> media streams will be controlled by BFCP to begin with (that is negotiated on BFCP level).
                    >>
                    >> But, I could add something like:
                    >>
                    >> "The SDP attributes defined in this specification do not add additional security considerations to the generic 
                    >> security considerations for protecting SDP attributes [RFC3264]. The attributes do not reveal information 
                    >> about the content of individual BFCP controlled media streams, nor do they reveal which media streams 
                    >> will be BFCP controlled." 
                    >
                    >[cue] I don't think I agree with this last part. The info in SDP does indicate which media streams will be 
                    >controlled using BFCP. For example,
                    >
                    > m=application 50000 TCP/TLS/BFCP *
                    > a=setup:actpass
                    > a=connection:new
                    > a=fingerprint:sha-256 \
                    > 19:E2:1C:3B:4B:9F:81:E6:B8:5C:F4:A5:A8:D8:73:04: \
                    > BB:05:2F:70:9F:04:A9:0E:05:E9:26:33:E8:70:88:A2
                    > a=floorctrl:c-only s-only
                    > a=confid:4321
                    > a=userid:1234
                    > a=floorid:1 mstrm:10
                    > a=floorid:2 mstrm:11
                    > a=bfcpver:1 2
                    > m=audio 50002 RTP/AVP 0
                    > a=label:10
                    > m=video 50004 RTP/AVP 31
                    > a=label:11
                    >
                    > The combination of floorid/mstrm and label attributes indicate that the corresponding audio and
                    > video m-lines are to be controlled via BFCP.
        
        You are right.
        
        So, something like:
        
                "The generic security considerations associated with SDP attributes are defined in [RFC3264]. While the 
                  defined in this specification do not reveal information about the content of individual BFCP controlled 
                  media streams, they do reveal which media streams will be BFCP controlled."
    
    Yes, except s/While the defined/While those defined
    
    Cheers,
    Charles
                
                Regards,
                
                Christer
        
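An added example (not from the draft or from any post in this thread) that makes Charles's point concrete: given the SDP fragment quoted above, the floorid/mstrm and label attributes alone tell anyone who can read the unprotected SDP which m-lines will be BFCP controlled, which is exactly what the revised security-considerations text now states. It assumes the attribute syntax of RFC 4583bis (a=floorid:<id> mstrm:<label>...) and RFC 4574 (a=label:<label>), and resolves one or more mstrm labels per floor.

```python
import re
from typing import Dict, List

# Attribute syntax assumed from RFC 4583bis (floorid/mstrm) and RFC 4574 (label).
FLOORID_RE = re.compile(r"^a=floorid:(\S+)(?:\s+mstrm:(.+))?$")
LABEL_RE = re.compile(r"^a=label:(\S+)$")

# Constructed input: the SDP fragment quoted in the thread, fingerprint replaced by a placeholder.
SAMPLE_SDP = """\
m=application 50000 TCP/TLS/BFCP *
a=setup:actpass
a=connection:new
a=fingerprint:sha-256 <fingerprint-omitted>
a=floorctrl:c-only s-only
a=confid:4321
a=userid:1234
a=floorid:1 mstrm:10
a=floorid:2 mstrm:11
a=bfcpver:1 2
m=audio 50002 RTP/AVP 0
a=label:10
m=video 50004 RTP/AVP 31
a=label:11
"""

def media_sections(sdp: str) -> List[List[str]]:
    """Split an SDP body into media sections (each list starts with its m= line)."""
    sections: List[List[str]] = []
    for line in (l.strip() for l in sdp.splitlines() if l.strip()):
        if line.startswith("m="):
            sections.append([line])
        elif sections:  # session-level lines before the first m= are not needed here
            sections[-1].append(line)
    return sections

def bfcp_controlled_streams(sdp: str) -> Dict[str, List[str]]:
    """Return {floor id: ["<media>:<port>", ...]}: the streams each BFCP floor controls,
    resolved from the mstrm labels in the BFCP m-line to a=label on the other m-lines."""
    by_label: Dict[str, str] = {}
    floors: Dict[str, List[str]] = {}
    for section in media_sections(sdp):
        media, port, proto = section[0][2:].split()[:3]
        for line in section[1:]:
            if proto.endswith("/BFCP") and (m := FLOORID_RE.match(line)):
                floors[m.group(1)] = (m.group(2) or "").split()  # one or more labels
            elif (m := LABEL_RE.match(line)):
                by_label[m.group(1)] = f"{media}:{port}"
    return {fid: [by_label.get(lbl, "unresolved:" + lbl) for lbl in labels]
            for fid, labels in floors.items()}
```

Running it on the quoted fragment yields floor 1 -> audio:50002 and floor 2 -> video:50004, without touching any BFCP or media traffic.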