Re: [clue] Comments on CaptureID and security
Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 23 February 2017 08:32 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: clue@ietfa.amsl.com
Delivered-To: clue@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FE4C12A14C for <clue@ietfa.amsl.com>; Thu, 23 Feb 2017 00:32:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ynhx613yKt8m for <clue@ietfa.amsl.com>; Thu, 23 Feb 2017 00:32:39 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DBD4129C60 for <clue@ietf.org>; Thu, 23 Feb 2017 00:32:39 -0800 (PST)
X-AuditID: c1b4fb2d-18e0e98000005112-99-58ae9e25e8b7
Received: from ESESSHC024.ericsson.se (Unknown_Domain [153.88.183.90]) by (Symantec Mail Security) with SMTP id 27.B6.20754.52E9EA85; Thu, 23 Feb 2017 09:32:37 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.92) with Microsoft SMTP Server id 14.3.319.2; Thu, 23 Feb 2017 09:32:30 +0100
To: Roni Even <roni.even@huawei.com>, "clue@ietf.org" <clue@ietf.org>
References: <6E58094ECC8D8344914996DAD28F1CCD76DEFF@DGGEMM506-MBX.china.huawei.com> <5eb63eb7-0a07-cae4-cf7d-e4ff00fc7118@ericsson.com> <6E58094ECC8D8344914996DAD28F1CCD76DF3C@DGGEMM506-MBX.china.huawei.com> <74afe259-a7cd-c55b-ed4a-bea29ede012f@ericsson.com> <6E58094ECC8D8344914996DAD28F1CCD773548@DGGEMM506-MBX.china.huawei.com>
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
Message-ID: <c56da3c2-dc6a-26c4-4776-62a0e17a235e@ericsson.com>
Date: Thu, 23 Feb 2017 09:32:30 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <6E58094ECC8D8344914996DAD28F1CCD773548@DGGEMM506-MBX.china.huawei.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrLLMWRmVeSWpSXmKPExsUyM2J7lK7qvHURBh1LDC32n7rMbLF/8Xlm i0/HzrM4MHu0HHnL6rFkyU8mj7Znd9gDmKO4bFJSczLLUov07RK4Mm5NyC6YIFRxZccD9gbG u3xdjBwcEgImEp3nk7sYuTiEBNYxSjycvpoRwlnOKPHs/gXmLkZODmEBfYnVy+awg9giAq4S RxbsY4couswkseXPS3aQScwCGhJNEyJAatgELCRu/mhkA7F5BewlZl58xwJiswioSky5uxLM FhWIkdjbf58JokZQ4uTMJ2BxToEQiQkXz7GC2MxAc2bOP88IYctLNG+dDXaPkIC2RENTB+sE RoFZSNpnIWmZhaRlASPzKkbR4tTi4tx0I2O91KLM5OLi/Dy9vNSSTYzAQD245bfuDsbVrx0P MQpwMCrx8BYsXxshxJpYVlyZe4hRgoNZSYQ3a/a6CCHelMTKqtSi/Pii0pzU4kOM0hwsSuK8 ZivvhwsJpCeWpGanphakFsFkmTg4pRoYVxbs/lFzu7ngypYLN73z5+9VOBA3c//Nyhf7eVYn XnvrXyMvbTBbcvob3yts/w9yzZ61nWHRW+W5EzY+rGNNSLwYtHHHgrNtuxXmqKuoL2/cFbLs z5Ibtkv+/1v8NMcpL+CE8te693mrPFScPxua/AisfXhK4R3H//nKZ9JOeb6vuPaoibv0/kkl luKMREMt5qLiRAAYs/ehUAIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/clue/651zqf_KTg3mYVtXBetrEn5csjQ>
Cc: Jonathan Lennox <jonathan@vidyo.com>
Subject: Re: [clue] Comments on CaptureID and security
X-BeenThere: clue@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: CLUE - ControLling mUltiple streams for TElepresence <clue.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/clue>, <mailto:clue-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/clue/>
List-Post: <mailto:clue@ietf.org>
List-Help: <mailto:clue-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/clue>, <mailto:clue-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 08:32:41 -0000
Hi Roni, Den 2017-02-12 kl. 10:26, skrev Roni Even: > Hi Magnus, About the requirement to encrypt the RTCP (do not use NULL > security profile) I was wondering why it is not mention also on > RTCPweb, is it because RTP/RTCP multiplexing? I think that it should > be mentioned also there since there is option to support non > multiplex RTP/RTCP That is actually a shortcoming of RTCWeb Security architecture and there exists an tracked issue for it: https://github.com/rtcweb-wg/security-arch/issues/34 So, yes, I would really like to see the communication security section mandate encrypted RTCP. This due to the information included in RTCP about the application. The protection profile mandated does imply equal strength RTCP protection, but if one uses other profiles it might not be as clear cut. So a wording on protecting RTCP at same or similar protection strength to RTP I think is motivated. What I also think is missing in the new text is discussion of RTP header extension encryption, i.e. RFC 6904. I thought the conclusion on the capture ID is that there is no strong generation requirements to ensure they don't contain privacy sensitive information. And it definitely reveals what is happening in the application context to third parties. Thus, I think encrypting the RTP header extensions would be good practice in clue situations. I also reacted to the use of "untraceable" in this sentence: CLUE endpoint MUST generate short-term persistent RTCP CNAMES, as specified in [RFC7022], resulting in untraceable CNAME values. The point of them is that they are not long term persistent and thus can't be used for long term tracking of the user. Writing "untraceable" I would interpret as indicating a stronger user protection then what is actually provided. Magnus Westerlund ---------------------------------------------------------------------- Services, Media and Network features, Ericsson Research EAB/TXM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Paul Kyzivat
- Re: [clue] Comments on CaptureID and security Christian Groves
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Paul Kyzivat
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund