Re: [Cellar] New Version Notification - draft-ietf-cellar-ffv1-18.txt

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Tue, 01 December 2020 23:41 UTC

From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Tue, 1 Dec 2020 17:41:01 -0600
Message-ID: <CAKKJt-ea6ajN_o5V=KmW_amgq5KwWegH9rUH9ddkQmy9N=CXZw@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: Dave Rice <dave@dericed.com>, "draft-ietf-cellar-ffv1.chairs@ietf.org" <draft-ietf-cellar-ffv1.chairs@ietf.org>, "draft-ietf-cellar-ffv1@ietf.org" <draft-ietf-cellar-ffv1@ietf.org>, Codec Encoding for LossLess Archiving and Realtime transmission <cellar@ietf.org>, Barry Leiba <barryleiba@computer.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cellar/mW-DWAJ1oLzyw5dmQ-qy0QcnXNU>

Thanks, Roman and Dave!

Best,

Spencer

On Tue, Dec 1, 2020 at 4:01 PM Roman Danyliw <rdd@cert.org> wrote:

> Hi Dave!
>
>
> > -----Original Message-----
> > From: Dave Rice <dave@dericed.com>
> > Sent: Tuesday, December 1, 2020 4:17 PM
> > To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>; Roman Danyliw <rdd@cert.org>
> > Cc: draft-ietf-cellar-ffv1.chairs@ietf.org; draft-ietf-cellar-ffv1@ietf.org; Codec Encoding for LossLess Archiving and Realtime transmission <cellar@ietf.org>; Barry Leiba <barryleiba@computer.org>
> > Subject: Re: [Cellar] New Version Notification - draft-ietf-cellar-ffv1-18.txt
> >
> > Hi Roman, Spencer,
> >
> > > On Oct 30, 2020, at 1:41 PM, Dave Rice <dave@dericed.com> wrote:
> > >
> > > Thank you Roman,
> > >
> > >> On Oct 21, 2020, at 2:03 PM, Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> wrote:
> > >>
> > >> Hi, Roman,
> > >>
> > >> On Wed, Oct 21, 2020 at 12:38 PM Roman Danyliw <rdd@cert.org> wrote:
> > >> Hi!
> > >> (I can't find your response email to my ballot in my mail client despite it being in the archive, so apologies for making the new thread).
> > >>
> > >> Thanks for the -18 which cleared most of the COMMENTs.  I updated my ballot.
> > >>
> > >> In the spirit of clearing what I consider a straightforward DISCUSS, might I suggest:
> > >>
> > >> OLD
> > >>
> > >>   Implementations of the FFV1 codec need to take appropriate security
> > >>    considerations into account, as outlined in [RFC4732].  It is
> > >>    extremely important for the decoder to be robust against malicious
> > >>    payloads.  Malicious payloads MUST NOT cause the decoder to overrun
> > >>    its allocated memory or to take an excessive amount of resources to
> > >>    decode.  The same applies to the encoder, ...
> > >>
> > >> NEW
> > >>
> > >>   Implementations of the FFV1 codec need to take appropriate security
> > >>    considerations into account.  Those related to denial of service
> > >>    are outlined in Section 2.1 of [RFC4732].  It is extremely
> > >>    important for the decoder to be robust against malicious payloads.
> > >>    Malicious payloads MUST NOT cause the decoder to overrun its
> > >>    allocated memory or to take an excessive amount of resources to
> > >>    decode.  An overrun in allocated memory could lead to arbitrary
> > >>    code execution by an attacker.  The same applies to the encoder, ...
> > >
> > > The recommendation looks appropriate to me and more clear. I moved it to a pull request at https://github.com/FFmpeg/FFV1/pull/253 for the consideration of the other authors.
> >
> > Please note that we just updated the draft to include the recommended changes for security considerations on denial of service, which can be reviewed in version 19 of https://datatracker.ietf.org/doc/draft-ietf-cellar-ffv1/. Here’s a link to the diff of version 18 and 19: https://www.ietf.org/rfcdiff?url1=draft-ietf-cellar-ffv1-18&url2=draft-ietf-cellar-ffv1-19&difftype=--html.
>
> Thanks for the update and pushing this text into -19.  I just cleared my
> discussion position.
>
> Regards,
> Roman
>