IETF Logo Mail Archive

Re: [clue] Eric Rescorla's No Objection on draft-ietf-clue-signaling-14: (with COMMENT)

"Roni Even (A)" <roni.even@huawei.com> Sun, 25 November 2018 05:41 UTC

Return-Path: <roni.even@huawei.com>
X-Original-To: clue@ietfa.amsl.com
Delivered-To: clue@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CEE8128D0C; Sat, 24 Nov 2018 21:41:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ke01V4cHDZaV; Sat, 24 Nov 2018 21:41:08 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EAD29123FFD; Sat, 24 Nov 2018 21:41:07 -0800 (PST)
Received: from lhreml701-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 3FDF8195D279A; Sun, 25 Nov 2018 05:41:04 +0000 (GMT)
Received: from lhreml707-chm.china.huawei.com (10.201.108.56) by lhreml701-cah.china.huawei.com (10.201.108.42) with Microsoft SMTP Server (TLS) id 14.3.408.0; Sun, 25 Nov 2018 05:41:05 +0000
Received: from lhreml707-chm.china.huawei.com (10.201.108.56) by lhreml707-chm.china.huawei.com (10.201.108.56) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1591.10; Sun, 25 Nov 2018 05:41:04 +0000
Received: from DGGEMM422-HUB.china.huawei.com (10.1.198.39) by lhreml707-chm.china.huawei.com (10.201.108.56) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1591.10 via Frontend Transport; Sun, 25 Nov 2018 05:41:03 +0000
Received: from DGGEMM506-MBS.china.huawei.com ([169.254.4.74]) by dggemm422-hub.china.huawei.com ([10.1.198.39]) with mapi id 14.03.0415.000; Sun, 25 Nov 2018 13:41:00 +0800
From: "Roni Even (A)" <roni.even@huawei.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: IESG <iesg@ietf.org>, Daniel Burnett <danielcburnett@gmail.com>, "clue@ietf.org" <clue@ietf.org>, "roni.even@mail01.huawei.com" <roni.even@mail01.huawei.com>, "clue-chairs@ietf.org" <clue-chairs@ietf.org>, "draft-ietf-clue-signaling@ietf.org" <draft-ietf-clue-signaling@ietf.org>
Thread-Topic: Eric Rescorla's No Objection on draft-ietf-clue-signaling-14: (with COMMENT)
Thread-Index: AQHUgIto2vun7lYtT0WxvGbN4Em2qaVbqbyg//++u4CABJiZEA==
Date: Sun, 25 Nov 2018 05:40:59 +0000
Message-ID: <6E58094ECC8D8344914996DAD28F1CCD18C7B5DE@DGGEMM506-MBS.china.huawei.com>
References: <154268892146.26648.17870778354406192041.idtracker@ietfa.amsl.com> <6E58094ECC8D8344914996DAD28F1CCD18C762DF@DGGEMM506-MBX.china.huawei.com> <CABcZeBMcQxZuRUFx=tz==C5eCc8zNBrxkKaZfBa+gYnyaV3FOQ@mail.gmail.com>
In-Reply-To: <CABcZeBMcQxZuRUFx=tz==C5eCc8zNBrxkKaZfBa+gYnyaV3FOQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.200.202.166]
Content-Type: multipart/alternative; boundary="_000_6E58094ECC8D8344914996DAD28F1CCD18C7B5DEDGGEMM506MBSchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/clue/PyKUSJtpNR8UVAG6P9y4KMb4fHg>
Subject: Re: [clue] Eric Rescorla's No Objection on draft-ietf-clue-signaling-14: (with COMMENT)
X-BeenThere: clue@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: CLUE - ControLling mUltiple streams for TElepresence <clue.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/clue>, <mailto:clue-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/clue/>
List-Post: <mailto:clue@ietf.org>
List-Help: <mailto:clue-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/clue>, <mailto:clue-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Nov 2018 05:41:11 -0000

Hi,
The point that is made that in general CLUE is similar to no CLUE RTP media calls. The difference is that since the EP may open more than one RTP video channel there is a greater risk of sending more media to the victim. RFC7201 discuss the options to secure the media and this holds for this case too.

Roni

From: Eric Rescorla [mailto:ekr@rtfm.com]
Sent: Thursday, November 22, 2018 5:27 PM
To: Roni Even (A)
Cc: IESG; Daniel Burnett; clue@ietf.org; roni.even@mail01.huawei.com; clue-chairs@ietf.org; draft-ietf-clue-signaling@ietf.org
Subject: Re: Eric Rescorla's No Objection on draft-ietf-clue-signaling-14: (with COMMENT)

The problem is that this is in the context of amplification attacks

   Beyond the need to secure the constituent protocols, the use of CLUE
   does impose additional security concerns.  One area of increased risk
   involves the potential for a malicious party to subvert a CLUE-
   capable device to attack a third party by driving large volumes of
   media (particularly video) traffic at them by establishing a
   connection to the CLUE-capable device and directing the media to the
   victim.  While this is a risk for all media devices, a CLUE-capable
   device may allow the attacker to configure multiple media streams to
   be sent, significantly increasing the volume of traffic directed at
   the victim.

   This attack can be prevented by ensuring that the media recipient
   intends to receive the media packets.  As such all CLUE-capable
   devices MUST support key negotiation and receiver intent assurance
   via DTLS-SRTP [RFC5763] on CLUE-controlled RTP "m=" lines.

And so if you don't require DTLS-SRTP or ICE than in fact there is no amplification
attack defense.

-Ekr


On Thu, Nov 22, 2018 at 3:24 AM Roni Even (A) <roni.even@huawei.com<mailto:roni.even@huawei.com>> wrote:
Hi,
RTP payloads do not require usage of SRTP see RFC7201 and RFC7202
Roni Even

-----Original Message-----
From: Eric Rescorla [mailto:ekr@rtfm.com<mailto:ekr@rtfm.com>]
Sent: Tuesday, November 20, 2018 6:42 AM
To: The IESG
Cc: Daniel C. Burnett; clue@ietf.org<mailto:clue@ietf.org>; roni.even@mail01.huawei.com<mailto:roni.even@mail01.huawei.com>; Roni Even; clue-chairs@ietf.org<mailto:clue-chairs@ietf.org>; draft-ietf-clue-signaling@ietf.org<mailto:draft-ietf-clue-signaling@ietf.org>
Subject: Eric Rescorla's No Objection on draft-ietf-clue-signaling-14: (with COMMENT)

Eric Rescorla has entered the following ballot position for
draft-ietf-clue-signaling-14: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-clue-signaling/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D4099



COMMENTS
S 12.
>      via DTLS-SRTP [RFC5763] on CLUE-controlled RTP "m=" lines.  All CLUE-
>      controlled RTP "m" lines must be secured and implemented using
>      mechanisms such as SRTP [RFC3711].  CLUE implementations MAY choose
>      not to require the use of SRTP to secure legacy (non-CLUE-controlled)
>      media for backwards compatibility with older SIP clients that are
>      incapable of supporting it.

It seems like you need more than support, you also need to require the use of DTLS-SRTP, no?

v2.23.0 | Report a Bug | By Email