Re: [clue] Comments on CaptureID and security
Roni Even <roni.even@huawei.com> Sun, 12 February 2017 09:59 UTC
Return-Path: <roni.even@huawei.com>
X-Original-To: clue@ietfa.amsl.com
Delivered-To: clue@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BC4A129440 for <clue@ietfa.amsl.com>; Sun, 12 Feb 2017 01:59:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.222
X-Spam-Level:
X-Spam-Status: No, score=-4.222 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hOmik-88b9-7 for <clue@ietfa.amsl.com>; Sun, 12 Feb 2017 01:59:16 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DABCC129443 for <clue@ietf.org>; Sun, 12 Feb 2017 01:59:15 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml702-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DAK90246; Sun, 12 Feb 2017 09:58:58 +0000 (GMT)
Received: from DGGEMM404-HUB.china.huawei.com (10.3.20.212) by lhreml702-cah.china.huawei.com (10.201.5.99) with Microsoft SMTP Server (TLS) id 14.3.301.0; Sun, 12 Feb 2017 09:58:57 +0000
Received: from DGGEMM506-MBX.china.huawei.com ([169.254.3.117]) by DGGEMM404-HUB.china.huawei.com ([10.3.20.212]) with mapi id 14.03.0301.000; Sun, 12 Feb 2017 17:58:54 +0800
From: Roni Even <roni.even@huawei.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, "clue@ietf.org" <clue@ietf.org>
Thread-Topic: Comments on CaptureID and security
Thread-Index: AdJxYyu3dvmMy6+lR4Sf9Fep5IDFDP//gdUA/9gbZDA=
Date: Sun, 12 Feb 2017 09:58:53 +0000
Message-ID: <6E58094ECC8D8344914996DAD28F1CCD773560@DGGEMM506-MBX.china.huawei.com>
References: <6E58094ECC8D8344914996DAD28F1CCD76DEFF@DGGEMM506-MBX.china.huawei.com> <5eb63eb7-0a07-cae4-cf7d-e4ff00fc7118@ericsson.com>
In-Reply-To: <5eb63eb7-0a07-cae4-cf7d-e4ff00fc7118@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.200.201.150]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020206.58A031E2.0115, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.3.117, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 2f058d4d2abf29a32fabe2605f50cc63
Archived-At: <https://mailarchive.ietf.org/arch/msg/clue/H1DJY1N6oSsyHJ0vdvbKLz14rbQ>
Cc: Jonathan Lennox <jonathan@vidyo.com>
Subject: Re: [clue] Comments on CaptureID and security
X-BeenThere: clue@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: CLUE - ControLling mUltiple streams for TElepresence <clue.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/clue>, <mailto:clue-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/clue/>
List-Post: <mailto:clue@ietf.org>
List-Help: <mailto:clue-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/clue>, <mailto:clue-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Feb 2017 09:59:18 -0000
HI Magnus, I think that the confidentiality of the RTCP is covered in RFC5764 " Applications using DTLS-SRTP SHOULD coordinate the SRTP Protection Profiles between the DTLS-SRTP session that protects an RTP flow and the DTLS-SRTP session that protects the associated RTCP flow (in those cases in which the RTP and RTCP are not multiplexed over a common port). In particular, identical ciphers SHOULD be used." Roni > -----Original Message----- > From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com] > Sent: יום ד 18 ינואר 2017 10:45 > To: Roni Even; clue@ietf.org > Cc: Jonathan Lennox > Subject: Re: Comments on CaptureID and security > > Hi, > > A comment about the below. I have an issue raised against the below quoted > text from the rtcweb-security-architecture in the RTCWeb WG, as it fails to > specify if RTCP encryption is mandatory to use or not. There are protection > profiles that only have confidentiality protection for RTP, and not for RTCP. I > would recommend requiring confidentiality protection also of RTCP. > > The second note on the below is that depending on the outcome of the > security requirements for the CaptureID RTP header extension, you might in > addition have to require RFC 6904, implementation and usage for the > CaptureId header extension field. Or rather if you write nothing it will by > default be required if you encrypt RTCP, due to RFC 7941. But, I really > recommend that you are explicit on this matter. It comes down to what > security risks the field entails. What information will it leak to a third party > viewer of the RTP/RTCP stream they can capture. > > Cheers > > Magnus > > Den 2017-01-18 kl. 09:33, skrev Roni Even: > > 2. What do we want to say about supported security profile? For > > example does the following directive from > > https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#section-5.5 > > looks good for CLUE? > > > > > > > > “Implementations MUST implement SRTP [RFC3711 > > <https://tools.ietf.org/html/rfc3711>]. Implementations MUST > > > > implement DTLS [RFC4347 <https://tools.ietf.org/html/rfc4347>] and > > DTLS-SRTP [RFC5763 <https://tools.ietf.org/html/rfc5763>][RFC5764] for > SRTP > > > > keying. Implementations MUST implement > > > > [I-D.ietf-tsvwg-sctp-dtls-encaps > > <https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#ref-I- > D.ietf-tsvwg-sctp-dtls-encaps>]. > > > > > > > > All media channels MUST be secured via SRTP. Media traffic MUST NOT > > > > be sent over plain (unencrypted) RTP; that is, implementations MUST > > > > NOT negotiate cipher suites with NULL encryption modes. DTLS-SRTP > > > > MUST be offered for every media channel. > > > > > > > > All data channels MUST be secured via DTLS. > > > > > > > > All implementations MUST implement DTLS 1.0, with the cipher suite > > > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA with the the P-256 curve > > > > [FIPS186 > > <https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#ref- > FIPS186>]. > > The DTLS-SRTP protection profile > > > > SRTP_AES128_CM_HMAC_SHA1_80 MUST be supported for SRTP. > > > > Implementations SHOULD implement DTLS 1.2 with the > > > > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite. > > > > Implementations MUST favor cipher suites which support PFS over non- > > > > PFS cipher suites and SHOULD favor AEAD over non-AEAD cipher suites. > > > > “ > > > -- > > Magnus Westerlund > > ---------------------------------------------------------------------- > Services, Media and Network features, Ericsson Research EAB/TXM > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 10 7148287 > Färögatan 6 | Mobile +46 73 0949079 > SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com > ----------------------------------------------------------------------
- [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Paul Kyzivat
- Re: [clue] Comments on CaptureID and security Christian Groves
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Paul Kyzivat
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund