Re: [Cellar] FW: New Version Notification - draft-ietf-cellar-ffv1-18.txt

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Wed, 21 October 2020 18:03 UTC

References: <160208949226.20172.3161875416157552929@ietfa.amsl.com> <a5a36dfd1f17466db8a412f7b85f776d@cert.org>
In-Reply-To: <a5a36dfd1f17466db8a412f7b85f776d@cert.org>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Wed, 21 Oct 2020 13:03:21 -0500
Message-ID: <CAKKJt-dqrbSxvNo4CA1eQaaumG7h2203MHMdg8a4BTWc-OjBnQ@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "draft-ietf-cellar-ffv1@ietf.org" <draft-ietf-cellar-ffv1@ietf.org>, "draft-ietf-cellar-ffv1.chairs@ietf.org" <draft-ietf-cellar-ffv1.chairs@ietf.org>, Barry Leiba <barryleiba@computer.org>, Codec Encoding for LossLess Archiving and Realtime transmission <cellar@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/KuYTCNSVV65KDqxq7EynlPbzZK4>
Subject: Re: [Cellar] FW: New Version Notification - draft-ietf-cellar-ffv1-18.txt

Hi, Roman,

On Wed, Oct 21, 2020 at 12:38 PM Roman Danyliw <rdd@cert.org> wrote:

> Hi!
> (I can't find your response email to my ballot in my mail client despite
> it being in the archive, so apologies for making the new thread).
>
> Thanks for the -18 which cleared most of the COMMENTs.  I updated my
> ballot.
>
> In the spirit of clearing what I consider a straightforward DISCUSS, might
> I suggest:
>
> OLD
>
>   Implementations of the FFV1 codec need to take appropriate security
>    considerations into account, as outlined in [RFC4732].  It is
>    extremely important for the decoder to be robust against malicious
>    payloads.  Malicious payloads MUST NOT cause the decoder to overrun
>    its allocated memory or to take an excessive amount of resources to
>    decode.  The same applies to the encoder, ...
>
> NEW
>
> Implementations of the FFV1 codec need to take appropriate security
> considerations into account.  Those related to denial of service are
> outlined in Section 2.1 of [RFC4732].  It is extremely important for the
> decoder to be robust against malicious payloads.  Malicious payloads MUST
> NOT cause the decoder to overrun its allocated memory or to take an
> excessive amount of resources to decode.  An overrun in allocated memory
> could lead to arbitrary code execution by an attacker.  The same applies to
> the encoder, ...
>
> Regards,
> Roman
>

Thanks for this! And I am including the working group in my reply, so
everyone will see it.

Best,

Spencer


>
> -----Original Message-----
> From: internet-drafts@ietf.org <internet-drafts@ietf.org>
> Sent: Wednesday, October 7, 2020 12:52 PM
> To: Michael Richardson <mcr+ietf@sandelman.ca>; superuser@gmail.com;
> barryleiba@computer.org; Roman Danyliw <rdd@cert.org>; Peter B.
> <pb@das-werkstatt.com>
> Subject: New Version Notification - draft-ietf-cellar-ffv1-18.txt
>
>
> A new version (-18) has been submitted for draft-ietf-cellar-ffv1:
> https://www.ietf.org/id/draft-ietf-cellar-ffv1-18.txt
> https://www.ietf.org/id/draft-ietf-cellar-ffv1-18.html
>
>
> The IETF datatracker page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-cellar-ffv1/
>
> Diff from previous version:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-cellar-ffv1-18
>
> Please note that it may take a couple of minutes from the time of
> submission until the diff is available at tools.ietf.org.
>
> IETF Secretariat.
>
>
>
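The two failure modes the proposed Security Considerations text forbids (an allocation sized from untrusted header fields that overruns memory, and an unbounded amount of decode work), shown as an added C example that is not from the FFV1 draft or any FFV1 implementation; the 12-byte header layout, the field names and the budget limits are assumptions made for illustration:

```c
/* Added example, not from the FFV1 draft or any FFV1 implementation. The
 * 12-byte big-endian header (width, height, slice count) and the limits
 * below are assumptions chosen for illustration. */
#include <stdint.h>
#include <stddef.h>

#define HDR_LEN 12u
#define BYTES_PER_PIXEL 3u
#define MAX_PIXELS (64ull * 1024 * 1024)   /* assumed decoder budget: 64 Mpixel */
#define MAX_SLICES 1024u                   /* assumed cap on per-frame slices */

enum { DEC_OK = 0, DEC_ERR_SHORT, DEC_ERR_ZERO, DEC_ERR_BUDGET };

static uint32_t rd_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unsafe pattern: the 32-bit product wraps, so a hostile header can make the
 * decoder allocate far less than it later writes (the "overrun" case). */
uint32_t naive_frame_bytes(uint32_t w, uint32_t h) {
    return w * h * BYTES_PER_PIXEL;
}

/* Hardened pattern: validate every field and size the buffer in 64 bits
 * before any allocation or decode work happens. */
int plan_frame_alloc(const uint8_t *buf, size_t len, size_t *out_bytes) {
    if (len < HDR_LEN) return DEC_ERR_SHORT;          /* truncated payload */
    uint32_t w = rd_be32(buf), h = rd_be32(buf + 4), slices = rd_be32(buf + 8);
    if (w == 0 || h == 0 || slices == 0) return DEC_ERR_ZERO;
    uint64_t pixels = (uint64_t)w * h;                /* u32 * u32 fits in u64 */
    if (pixels > MAX_PIXELS) return DEC_ERR_BUDGET;   /* bounded memory */
    if (slices > MAX_SLICES || slices > pixels) return DEC_ERR_BUDGET; /* bounded work */
    *out_bytes = (size_t)(pixels * BYTES_PER_PIXEL);  /* at most 192 MiB, fits size_t */
    return DEC_OK;
}

/* Builds a constructed header from the given fields and runs the check. */
int check_dims(uint32_t w, uint32_t h, uint32_t slices, size_t *out_bytes) {
    uint8_t hdr[HDR_LEN];
    uint32_t v[3] = { w, h, slices };
    for (int i = 0; i < 3; i++) {
        hdr[4*i]   = (uint8_t)(v[i] >> 24); hdr[4*i+1] = (uint8_t)(v[i] >> 16);
        hdr[4*i+2] = (uint8_t)(v[i] >> 8);  hdr[4*i+3] = (uint8_t)v[i];
    }
    return plan_frame_alloc(hdr, sizeof hdr, out_bytes);
}
```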