IETF Logo Mail Archive

Re: [clue] Comments on CaptureID and security

Roni Even <roni.even@huawei.com> Sun, 12 February 2017 09:59 UTC

Return-Path: <roni.even@huawei.com>
X-Original-To: clue@ietfa.amsl.com
Delivered-To: clue@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BC4A129440 for <clue@ietfa.amsl.com>; Sun, 12 Feb 2017 01:59:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.222
X-Spam-Level:
X-Spam-Status: No, score=-4.222 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hOmik-88b9-7 for <clue@ietfa.amsl.com>; Sun, 12 Feb 2017 01:59:16 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DABCC129443 for <clue@ietf.org>; Sun, 12 Feb 2017 01:59:15 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml702-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DAK90246; Sun, 12 Feb 2017 09:58:58 +0000 (GMT)
Received: from DGGEMM404-HUB.china.huawei.com (10.3.20.212) by lhreml702-cah.china.huawei.com (10.201.5.99) with Microsoft SMTP Server (TLS) id 14.3.301.0; Sun, 12 Feb 2017 09:58:57 +0000
Received: from DGGEMM506-MBX.china.huawei.com ([169.254.3.117]) by DGGEMM404-HUB.china.huawei.com ([10.3.20.212]) with mapi id 14.03.0301.000; Sun, 12 Feb 2017 17:58:54 +0800
From: Roni Even <roni.even@huawei.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, "clue@ietf.org" <clue@ietf.org>
Thread-Topic: Comments on CaptureID and security
Thread-Index: AdJxYyu3dvmMy6+lR4Sf9Fep5IDFDP//gdUA/9gbZDA=
Date: Sun, 12 Feb 2017 09:58:53 +0000
Message-ID: <6E58094ECC8D8344914996DAD28F1CCD773560@DGGEMM506-MBX.china.huawei.com>
References: <6E58094ECC8D8344914996DAD28F1CCD76DEFF@DGGEMM506-MBX.china.huawei.com> <5eb63eb7-0a07-cae4-cf7d-e4ff00fc7118@ericsson.com>
In-Reply-To: <5eb63eb7-0a07-cae4-cf7d-e4ff00fc7118@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.200.201.150]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020206.58A031E2.0115, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.3.117, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 2f058d4d2abf29a32fabe2605f50cc63
Archived-At: <https://mailarchive.ietf.org/arch/msg/clue/H1DJY1N6oSsyHJ0vdvbKLz14rbQ>
Cc: Jonathan Lennox <jonathan@vidyo.com>
Subject: Re: [clue] Comments on CaptureID and security
X-BeenThere: clue@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: CLUE - ControLling mUltiple streams for TElepresence <clue.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/clue>, <mailto:clue-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/clue/>
List-Post: <mailto:clue@ietf.org>
List-Help: <mailto:clue-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/clue>, <mailto:clue-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Feb 2017 09:59:18 -0000

HI Magnus,
I think that the confidentiality  of the RTCP is covered in RFC5764
" Applications using DTLS-SRTP SHOULD coordinate the SRTP Protection
   Profiles between the DTLS-SRTP session that protects an RTP flow and
   the DTLS-SRTP session that protects the associated RTCP flow (in
   those cases in which the RTP and RTCP are not multiplexed over a
   common port).  In particular, identical ciphers SHOULD be used."

Roni

> -----Original Message-----
> From: Magnus Westerlund [mailto:magnus.westerlund@ericsson.com]
> Sent: יום ד 18 ינואר 2017 10:45
> To: Roni Even; clue@ietf.org
> Cc: Jonathan Lennox
> Subject: Re: Comments on CaptureID and security
> 
> Hi,
> 
> A comment about the below. I have an issue raised against the below quoted
> text from the rtcweb-security-architecture in the RTCWeb WG, as it fails to
> specify if RTCP encryption is mandatory to use or not. There are protection
> profiles that only have confidentiality protection for RTP, and not for RTCP. I
> would recommend requiring confidentiality protection also of RTCP.
> 
> The second note on the below is that depending on the outcome of the
> security requirements for the CaptureID RTP header extension, you might in
> addition have to require RFC 6904, implementation and usage for the
> CaptureId header extension field. Or rather if you write nothing it will by
> default be required if you encrypt RTCP, due to RFC 7941. But, I really
> recommend that you are explicit on this matter. It comes down to what
> security risks the field entails. What information will it leak to a third party
> viewer of the RTP/RTCP stream they can capture.
> 
> Cheers
> 
> Magnus
> 
> Den 2017-01-18 kl. 09:33, skrev Roni Even:
> > 2.       What do we want to say about supported security profile? For
> > example does the following directive from
> > https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#section-5.5
> > looks good for CLUE?
> >
> >
> >
> > “Implementations MUST implement SRTP [RFC3711
> > <https://tools.ietf.org/html/rfc3711>].  Implementations MUST
> >
> >    implement DTLS [RFC4347 <https://tools.ietf.org/html/rfc4347>] and
> > DTLS-SRTP [RFC5763 <https://tools.ietf.org/html/rfc5763>][RFC5764] for
> SRTP
> >
> >    keying.  Implementations MUST implement
> >
> >    [I-D.ietf-tsvwg-sctp-dtls-encaps
> > <https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#ref-I-
> D.ietf-tsvwg-sctp-dtls-encaps>].
> >
> >
> >
> >    All media channels MUST be secured via SRTP.  Media traffic MUST NOT
> >
> >    be sent over plain (unencrypted) RTP; that is, implementations MUST
> >
> >    NOT negotiate cipher suites with NULL encryption modes.  DTLS-SRTP
> >
> >    MUST be offered for every media channel.
> >
> >
> >
> >    All data channels MUST be secured via DTLS.
> >
> >
> >
> >    All implementations MUST implement DTLS 1.0, with the cipher suite
> >
> >    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA with the the P-256 curve
> >
> >    [FIPS186
> > <https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#ref-
> FIPS186>].
> > The DTLS-SRTP protection profile
> >
> >    SRTP_AES128_CM_HMAC_SHA1_80 MUST be supported for SRTP.
> >
> >   Implementations SHOULD implement DTLS 1.2 with the
> >
> >    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite.
> >
> >    Implementations MUST favor cipher suites which support PFS over non-
> >
> >    PFS cipher suites and SHOULD favor AEAD over non-AEAD cipher suites.
> >
> > “
> 
> 
> --
> 
> Magnus Westerlund
> 
> ----------------------------------------------------------------------
> Services, Media and Network features, Ericsson Research EAB/TXM
> ----------------------------------------------------------------------
> Ericsson AB                 | Phone  +46 10 7148287
> Färögatan 6                 | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email