Re: [clue] I-D Action: draft-ietf-clue-rtp-mapping-12.txt
Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 16 January 2017 14:57 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: clue@ietfa.amsl.com
Delivered-To: clue@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65A7512955C for <clue@ietfa.amsl.com>; Mon, 16 Jan 2017 06:57:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m7XBREXmCSlB for <clue@ietfa.amsl.com>; Mon, 16 Jan 2017 06:57:12 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 874E1129556 for <clue@ietf.org>; Mon, 16 Jan 2017 06:57:12 -0800 (PST)
X-AuditID: c1b4fb2d-db0c19800000646e-be-587cdf46fc31
Received: from ESESSHC023.ericsson.se (Unknown_Domain [153.88.183.87]) by (Symantec Mail Security) with SMTP id 84.2C.25710.64FDC785; Mon, 16 Jan 2017 15:57:10 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.89) with Microsoft SMTP Server id 14.3.319.2; Mon, 16 Jan 2017 15:57:04 +0100
References: <148446246442.24167.11183332125428592480.idtracker@ietfa.amsl.com>
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: clue@ietf.org
Message-ID: <7d5f732c-e7a7-739c-ae8f-7521bfddc7f9@ericsson.com>
Date: Mon, 16 Jan 2017 15:57:03 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <148446246442.24167.11183332125428592480.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprLLMWRmVeSWpSXmKPExsUyM2J7uK7b/ZoIg1t9Ghb7T11mdmD0WLLk J1MAYxSXTUpqTmZZapG+XQJXxr6uvewF/6Qq3nYuZm9gvCDaxcjJISFgIjFp1m7GLkYuDiGB dYwSk+9MZIVwljNK/H98nAmkSljASWLjngfMILaQgJ/ErhfN7CA2m4CFxM0fjWwgtoiAsMSE Y/vBangF7CXWb94L1ssioCqx4e9BsLioQIzE2/XL2SFqBCVOznzCAmJzCvhLPLpwCaieg4MZ qPfB1jKQMLOAvETz1tlQa7UlGpo6WCcw8s9C0j0LoWMWko4FjMyrGEWLU4uLc9ONjPVSizKT i4vz8/TyUks2MQID7eCW37o7GFe/djzEKMDBqMTDu+FYdYQQa2JZcWXuIUYJDmYlEV7DWzUR QrwpiZVVqUX58UWlOanFhxilOViUxHnNVt4PFxJITyxJzU5NLUgtgskycXBKNTBGcC/59GzV 5PPHmlMP57onPzpzLmZfzbvEON+Lhj25E6Z+XHx74fQ5/+3ebZ5zStfCg/8fp6rqjsmCLlM+ G8zd68tsvE8hVm3ha+WM3106z84EHVjOv2Bp7tHdX2+w3vaavs5OyoF77pNZ0gvEnq5we30s SXpDRUDuwpm7d204yhD64NaMFRWx7UosxRmJhlrMRcWJAMP4hMowAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/clue/UsCUl5omASzo7AbzCXkMVP71nZE>
Subject: Re: [clue] I-D Action: draft-ietf-clue-rtp-mapping-12.txt
X-BeenThere: clue@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: CLUE - ControLling mUltiple streams for TElepresence <clue.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/clue>, <mailto:clue-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/clue/>
List-Post: <mailto:clue@ietf.org>
List-Help: <mailto:clue-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/clue>, <mailto:clue-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jan 2017 14:57:14 -0000
Hi,
Looking at the update in the draft-12:
> The CaptureID is created as part of the CLUE protocol. The CaptId
> SDES item is used to convey the same CaptureID value in the SDES
> item. When sending the SDES item the security considertion specied
> in the security section of [RFC7941] are applicable and this SDES
> item MUST use similar security as the CLUE protocol messages carried
> in the CLUE data channel.
I don't find this sufficient. First of all, there is no clarify of what
the security treats to the CaptureId are. Secondly, the similar security
here is far from trivial as the SCTPoDTLS data channel uses DTLS while
RTP/RTCP security is the combination of the DTLS-SRTP and SRTP
mechanisms in use. Note that from part of the security aspects DTLS-SRTP
and DTLS is actually quite different.
I will note that I still haven't found the equivalent the RTCWeb
security architecture document. Which actually discusses what protection
profiles to support.
CLUE-Framework:
In
addition, the media MUST be secured. DTLS/SRTP MUST be supported
and SHOULD be used unless the media, which is based on RTP, is
secured by other means (see [RFC7201] [RFC7202]). Media security
is also discussed in [I-D.ietf-clue-signaling] and [I-D.ietf-clue-
rtp-mapping].
In signalling this is also not specified:
All CLUE-
controlled RTP "m" lines must be secured and implemented using
mechanisms such as SRTP [RFC3711]; no specific security mechanisms
are made mandatory to use due to the issues addressed in [RFC7202].
I would note, that the point of RFC 7202, is that "solutions" like CLUE
is the one that shall make mandatory to implement choices. So that CLUE
WG attempts to dodge that aspect is very worrying.
Then RTP-mapping:
The Extended Secure RTP Profile for Real-time Transport Control
Protocol (RTCP)-Based Feedback [RFC5124] (RTP/SAVPF) provides
handling of fundamental issues by offering confidentiality, integrity
and partial source authentication. CLUE endpoints MUST support RTP/
SAVPF and DTLS-SRTP keying [RFC5764].
This part is actually good, but it needs additional sentences saying
which DTLS algorithms and which DTLS-SRTP protection profiles that needs
to be supported. And then we arrive back at the question. Does this
document needs to mandate implementation of RFC6904? And does that
actually provide equivalent security. Which all comes back to what may
the CaptureID value contain. Is that privacy sensitive?
I am sorry press you about the security aspects and the need for
analysis and understanding of what choices implies. Yes, choosing the
right things are difficult. The RTCWeb Security Architecture document
(https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12) still
has a rather large number of issues:
https://github.com/rtcweb-wg/security-arch/issues
Cheers
Magnus Westerlund
----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB | Phone +46 10 7148287
Färögatan 6 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
- [clue] I-D Action: draft-ietf-clue-rtp-mapping-12… internet-drafts
- Re: [clue] I-D Action: draft-ietf-clue-rtp-mappin… Magnus Westerlund