Re: [clue] Comments on CaptureID and security
Roni Even <roni.even@huawei.com> Wed, 18 January 2017 09:44 UTC
Return-Path: <roni.even@huawei.com>
X-Original-To: clue@ietfa.amsl.com
Delivered-To: clue@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D3E912969B for <clue@ietfa.amsl.com>; Wed, 18 Jan 2017 01:44:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.42
X-Spam-Level:
X-Spam-Status: No, score=-7.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vr9gveBRs5TN for <clue@ietfa.amsl.com>; Wed, 18 Jan 2017 01:44:48 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74A17126BF7 for <clue@ietf.org>; Wed, 18 Jan 2017 01:44:47 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml702-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DET23919; Wed, 18 Jan 2017 09:44:23 +0000 (GMT)
Received: from DGGEMM401-HUB.china.huawei.com (10.3.20.209) by lhreml702-cah.china.huawei.com (10.201.5.99) with Microsoft SMTP Server (TLS) id 14.3.301.0; Wed, 18 Jan 2017 09:44:22 +0000
Received: from DGGEMM506-MBX.china.huawei.com ([169.254.3.117]) by DGGEMM401-HUB.china.huawei.com ([10.3.20.209]) with mapi id 14.03.0301.000; Wed, 18 Jan 2017 17:44:19 +0800
From: Roni Even <roni.even@huawei.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, "clue@ietf.org" <clue@ietf.org>
Thread-Topic: Comments on CaptureID and security
Thread-Index: AdJxYyu3dvmMy6+lR4Sf9Fep5IDFDP//gdUA//9w7oA=
Date: Wed, 18 Jan 2017 09:44:18 +0000
Message-ID: <6E58094ECC8D8344914996DAD28F1CCD76DF3C@DGGEMM506-MBX.china.huawei.com>
References: <6E58094ECC8D8344914996DAD28F1CCD76DEFF@DGGEMM506-MBX.china.huawei.com> <5eb63eb7-0a07-cae4-cf7d-e4ff00fc7118@ericsson.com>
In-Reply-To: <5eb63eb7-0a07-cae4-cf7d-e4ff00fc7118@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.201.112.60]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020204.587F390C.034D, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.3.117, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 37c3681b66ab832cd4f59909e82edb2b
Archived-At: <https://mailarchive.ietf.org/arch/msg/clue/1LsiIXxw2lc7lTleH15KP7nGSmE>
Cc: Jonathan Lennox <jonathan@vidyo.com>
Subject: Re: [clue] Comments on CaptureID and security
X-BeenThere: clue@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: CLUE - ControLling mUltiple streams for TElepresence <clue.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/clue>, <mailto:clue-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/clue/>
List-Post: <mailto:clue@ietf.org>
List-Help: <mailto:clue-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/clue>, <mailto:clue-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 09:44:50 -0000
Hi, The text I added to the -11 version "The CaptureID is created as part of the CLUE protocol. The CaptId SDES item is used to convey the same CaptureID value in the SDES item. When sending the SDES item the security considertion specied in the security section of [RFC7941] are applicable and this SDES item MUST use similar security as the CLUE protocol messages carried in the CLUE data channel." Say that " this SDES item MUST use similar security as the CLUE protocol messages carried in the CLUE data channel." The CLUE data channel document https://tools.ietf.org/html/draft-ietf-clue-datachannel-14#section-4 point at https://tools.ietf.org/html/draft-ietf-rtcweb-data-channel-13#section-7 pointing to https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-10 So we can reference the rtcweb security architecture or use the text I copied from there to define a security profile As for the second item I agree that if we encrypt the content in the CLUE data channel that includes the captureID, we need also to encrypt RTCP with the captureID SDES item and it does not matter how we create the captureID value, so maybe if we mandate encrypting the SDES item there is no strong need for specifying how to create CaptureID . Note that the CaptureID is not use to provide human-readable textual information which is in the description attribute. Roni > -----Original Message----- > From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com] > Sent: יום ד 18 ינואר 2017 10:45 > To: Roni Even; clue@ietf.org > Cc: Jonathan Lennox > Subject: Re: Comments on CaptureID and security > > Hi, > > A comment about the below. I have an issue raised against the below quoted > text from the rtcweb-security-architecture in the RTCWeb WG, as it fails to > specify if RTCP encryption is mandatory to use or not. There are protection > profiles that only have confidentiality protection for RTP, and not for RTCP. I > would recommend requiring confidentiality protection also of RTCP. > > The second note on the below is that depending on the outcome of the > security requirements for the CaptureID RTP header extension, you might in > addition have to require RFC 6904, implementation and usage for the > CaptureId header extension field. Or rather if you write nothing it will by > default be required if you encrypt RTCP, due to RFC 7941. But, I really > recommend that you are explicit on this matter. It comes down to what > security risks the field entails. What information will it leak to a third party > viewer of the RTP/RTCP stream they can capture. > > Cheers > > Magnus > > Den 2017-01-18 kl. 09:33, skrev Roni Even: > > 2. What do we want to say about supported security profile? For > > example does the following directive from > > https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#section-5.5 > > looks good for CLUE? > > > > > > > > “Implementations MUST implement SRTP [RFC3711 > > <https://tools.ietf.org/html/rfc3711>]. Implementations MUST > > > > implement DTLS [RFC4347 <https://tools.ietf.org/html/rfc4347>] and > > DTLS-SRTP [RFC5763 <https://tools.ietf.org/html/rfc5763>][RFC5764] for > SRTP > > > > keying. Implementations MUST implement > > > > [I-D.ietf-tsvwg-sctp-dtls-encaps > > <https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#ref-I- > D.ietf-tsvwg-sctp-dtls-encaps>]. > > > > > > > > All media channels MUST be secured via SRTP. Media traffic MUST NOT > > > > be sent over plain (unencrypted) RTP; that is, implementations MUST > > > > NOT negotiate cipher suites with NULL encryption modes. DTLS-SRTP > > > > MUST be offered for every media channel. > > > > > > > > All data channels MUST be secured via DTLS. > > > > > > > > All implementations MUST implement DTLS 1.0, with the cipher suite > > > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA with the the P-256 curve > > > > [FIPS186 > > <https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#ref- > FIPS186>]. > > The DTLS-SRTP protection profile > > > > SRTP_AES128_CM_HMAC_SHA1_80 MUST be supported for SRTP. > > > > Implementations SHOULD implement DTLS 1.2 with the > > > > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite. > > > > Implementations MUST favor cipher suites which support PFS over non- > > > > PFS cipher suites and SHOULD favor AEAD over non-AEAD cipher suites. > > > > “ > > > -- > > Magnus Westerlund > > ---------------------------------------------------------------------- > Services, Media and Network features, Ericsson Research EAB/TXM > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 10 7148287 > Färögatan 6 | Mobile +46 73 0949079 > SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com > ----------------------------------------------------------------------
- [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Paul Kyzivat
- Re: [clue] Comments on CaptureID and security Christian Groves
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Paul Kyzivat
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund