Re: [bfcpbis] SDP directorate review of draft-ietf-bfcpbis-bfcp-websocket-10

"Charles Eckel (eckelcu)" <eckelcu@cisco.com> Mon, 15 August 2016 14:45 UTC

Return-Path: <eckelcu@cisco.com>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 722A612DAA6 for <bfcpbis@ietfa.amsl.com>; Mon, 15 Aug 2016 07:45:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.768
X-Spam-Level:
X-Spam-Status: No, score=-15.768 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ADPcDbmFFcoD for <bfcpbis@ietfa.amsl.com>; Mon, 15 Aug 2016 07:45:30 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A94C812DAA4 for <bfcpbis@ietf.org>; Mon, 15 Aug 2016 07:45:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3946; q=dns/txt; s=iport; t=1471272330; x=1472481930; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=lcCV0tMeRywh0ik1rKWNsCN+xlr9TJINKJVVO83pyqc=; b=mw7Qxj2RDdfdeIRJ4sTRF93i5+oaENO69sA15NJpCT+lFR3+N0bnHL6C 2sbgIQPK0UMUty+NwAMzODY+KdNuVKgGsZN9EH062sWYpcOs9MMDbvB4h lQq7rTvtEVYeqeUWIQvemwvpz9YDi7catC07U0g9Ou8/45aLyVuLV+zVi w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0DXAgCJ1LFX/4oNJK1eg0VWfAe5NIF9J?= =?us-ascii?q?IUvSgIcgTA4FAIBAQEBAQEBXieEXwEFAQEhETcDCxACAQgaAiYCAgIlCxUQAgQ?= =?us-ascii?q?BDQUbiBYOrUSQJgEBAQEBAQEBAQEBAQEBAQEBAQEBARcFgQGHIYFSgQOEKhaDA?= =?us-ascii?q?SuCLwWZPgGJG4V6gWuEW4h9kC4BHjaDem6GJX8BAQE?=
X-IronPort-AV: E=Sophos;i="5.28,525,1464652800"; d="scan'208";a="137965393"
Received: from alln-core-5.cisco.com ([173.36.13.138]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 15 Aug 2016 14:45:29 +0000
Received: from XCH-ALN-020.cisco.com (xch-aln-020.cisco.com [173.36.7.30]) by alln-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id u7FEjT4H012124 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 15 Aug 2016 14:45:29 GMT
Received: from xch-aln-018.cisco.com (173.36.7.28) by XCH-ALN-020.cisco.com (173.36.7.30) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 15 Aug 2016 09:45:29 -0500
Received: from xch-aln-018.cisco.com ([173.36.7.28]) by XCH-ALN-018.cisco.com ([173.36.7.28]) with mapi id 15.00.1210.000; Mon, 15 Aug 2016 09:45:28 -0500
From: "Charles Eckel (eckelcu)" <eckelcu@cisco.com>
To: "Dan Wing (dwing)" <dwing@cisco.com>, "draft-ietf-bfcpbis-bfcp-websocket@tools.ietf.org" <draft-ietf-bfcpbis-bfcp-websocket@tools.ietf.org>, "bfcpbis@ietf.org" <bfcpbis@ietf.org>
Thread-Topic: [bfcpbis] SDP directorate review of draft-ietf-bfcpbis-bfcp-websocket-10
Thread-Index: AQHR9wOqpgyfh/aBrkiYPw9JOld5dw==
Date: Mon, 15 Aug 2016 14:45:28 +0000
Message-ID: <A4978431-AF52-4A84-820D-97E94837446E@cisco.com>
References: <AE16A664-8EE6-40E8-A117-7E8FB04CAEB7@cisco.com>
In-Reply-To: <AE16A664-8EE6-40E8-A117-7E8FB04CAEB7@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.15.1.160411
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.20.182.35]
Content-Type: text/plain; charset="utf-8"
Content-ID: <B1D836C7395DC646A358CA9F2AE4EAF9@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/bfcpbis/p6ZoSOlrov7ei00pV8dLT7aZGkI>
Cc: "mmusic-chairs@tools.ietf.org" <mmusic-chairs@tools.ietf.org>, "bfcpbis-chairs@tools.ietf.org" <bfcpbis-chairs@tools.ietf.org>
Subject: Re: [bfcpbis] SDP directorate review of draft-ietf-bfcpbis-bfcp-websocket-10
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bfcpbis/>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2016 14:45:32 -0000

Dan,

As working group chair, thank you for your expert review of this draft. The draft authors are considering your comments and will respond with proposed solutions for the points you have raised.

Cheers,
Charles






On 8/6/16, 11:31 AM, "bfcpbis on behalf of Dan Wing (dwing)" <bfcpbis-bounces@ietf.org on behalf of dwing@cisco.com> wrote:

>My review of draft-ietf-bfcpbis-bfcp-websocket-10 as part of SDP directorate review.
>
>
>Section 6.1, "Transport Negotiation" is unclear if it is overriding the port handling described in draft-ietf-bfcpbis-sdp-ws-uri-05, or merely re-stating the port handling described in draft-ietf-bfcpbis-sdp-ws-uri-05.  That is, the text is not clear if the port in the wss-uri override what is in the 'm' line?  I suggest using exactly the same phrasing in both documents.  This is stated clearly in Section 6.2, and should only be stated once in this document -- or perhaps just defer to what draft-ietf-bcpbis-dsp-ws-uri says and not attempt to re-discuss it here in this document would be best, no?  Section 7 seems pretty duplicative of draft-ietf-bcpbis-dsp-ws-uri, too; which document is normative where the text disagrees, and if the text is word-for-word identical, what purpose is served to repeat it?
>
>nits:  Section 4.1 should clarify that "bFcP" is compared case-insensitive, which we all know, but bears repeating.
>
>
>Section 8:
>"   When a BFCP WebSocket client connects to a BFCP WebSocket server, it
>   SHOULD use TCP/WSS as its transport.  The WebSocket client SHOULD
>   inspect the TLS certificate offered by the server and verify that it
>   is valid."
>
>"Is valid" is too vague.  Please add citation to RFC7525, if that is appropriate.  Or if RFC7525's procedures are inappropriate, detail what steps are performed to determine validity.  It seems the a=fingerprint is *not* supposed to be used, right?  Rather, chasing the certificate chain is used against the FQDN in the wss-uri.
>
>Section 8:
>"   Section 9 of [I-D.ietf-bfcpbis-rfc4582bis] states that BFCP clients
>   and floor control servers SHOULD authenticate each other prior to
>   accepting messages, and RECOMMENDS that mutual TLS/DTLS
>   authentication be used."
>...
>"   In order to authorize the WebSocket connection, the BFCP WebSocket
>   server MAY inspect any cookie [RFC6265] headers present in the HTTP
>   GET request."
>
>This "MAY" to check cookies is too weak, when the recommendation in ietf-bcpbis-rfc4582bis was mutual authentication! The server needs to better authorize the client than just a MAY!  I don't understand how this document can suggest reducing a SHOULD to a MAY, when we're talking of authorizing and authenticating clients.  
>
>-d
>
>_______________________________________________
>bfcpbis mailing list
>bfcpbis@ietf.org
>https://www.ietf.org/mailman/listinfo/bfcpbis