Re: [clue] Comments on CaptureID and security
Magnus Westerlund <magnus.westerlund@ericsson.com> Wed, 18 January 2017 08:45 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: clue@ietfa.amsl.com
Delivered-To: clue@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57B11129411 for <clue@ietfa.amsl.com>; Wed, 18 Jan 2017 00:45:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hgXhCFSHxtjm for <clue@ietfa.amsl.com>; Wed, 18 Jan 2017 00:45:11 -0800 (PST)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B28F128B44 for <clue@ietf.org>; Wed, 18 Jan 2017 00:45:11 -0800 (PST)
X-AuditID: c1b4fb2d-db0c19800000646e-ce-587f2b15c189
Received: from ESESSHC007.ericsson.se (Unknown_Domain [153.88.183.39]) by (Symantec Mail Security) with SMTP id F6.9E.25710.51B2F785; Wed, 18 Jan 2017 09:45:09 +0100 (CET)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.41) with Microsoft SMTP Server id 14.3.319.2; Wed, 18 Jan 2017 09:44:57 +0100
To: Roni Even <roni.even@huawei.com>, "clue@ietf.org" <clue@ietf.org>
References: <6E58094ECC8D8344914996DAD28F1CCD76DEFF@DGGEMM506-MBX.china.huawei.com>
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
Message-ID: <5eb63eb7-0a07-cae4-cf7d-e4ff00fc7118@ericsson.com>
Date: Wed, 18 Jan 2017 09:44:56 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.6.0
MIME-Version: 1.0
In-Reply-To: <6E58094ECC8D8344914996DAD28F1CCD76DEFF@DGGEMM506-MBX.china.huawei.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrDLMWRmVeSWpSXmKPExsUyM2K7uq6odn2EwfTNuhb7T11mtti/+Dyz xadj51kcmD1ajrxl9Viy5CeTR9uzO+wBzFFcNimpOZllqUX6dglcGZ+f3mUpaJOs2PzsNWMD 4yKRLkZODgkBE4knu/eydTFycQgJrGOUeNbYwgzhLGeU+H9xKwtIlbCAvsTqZXPYQWwRAVeJ Iwv2gdlCAsES76/3sHYxcnAwC2hINE2IAAmzCVhI3PzRyAZi8wrYSzSsec0KYrMIqEoc/D2D EcQWFYiReLt+OTtEjaDEyZlPwFZxCoRI9C45yQIx0l7iwdYykDCzgLxE89bZzBBbtSUamjpY JzAKzELSPQuhYxaSjgWMzKsYRYtTi4tz042M9VKLMpOLi/Pz9PJSSzYxAsP04JbfujsYV792 PMQowMGoxMNbYFgXIcSaWFZcmXuIUYKDWUmEV02tPkKINyWxsiq1KD++qDQntfgQozQHi5I4 r9nK++FCAumJJanZqakFqUUwWSYOTqkGxub3K17oSs47LR3c7TU3/oqyxAV2YbMiKQfhH4fm NZUWvmjK03ix56+zzvKNErzdUtf4Dsk8FzfeoC7o271tt+HfBvGjp5140ny8X6y6ey9B0nN5 /j2u6fvX/plT0rxV+hL3BRVb66eXS92n1nmH7r0wcduqO7u+qh8O8ets9jubOK9hS6/PWSWW 4oxEQy3mouJEAOtjBeJPAgAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/clue/gJigwRkl2lw39Gh0NOcTP0X5oQc>
Cc: Jonathan Lennox <jonathan@vidyo.com>
Subject: Re: [clue] Comments on CaptureID and security
X-BeenThere: clue@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: CLUE - ControLling mUltiple streams for TElepresence <clue.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/clue>, <mailto:clue-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/clue/>
List-Post: <mailto:clue@ietf.org>
List-Help: <mailto:clue-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/clue>, <mailto:clue-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 08:45:13 -0000
Hi, A comment about the below. I have an issue raised against the below quoted text from the rtcweb-security-architecture in the RTCWeb WG, as it fails to specify if RTCP encryption is mandatory to use or not. There are protection profiles that only have confidentiality protection for RTP, and not for RTCP. I would recommend requiring confidentiality protection also of RTCP. The second note on the below is that depending on the outcome of the security requirements for the CaptureID RTP header extension, you might in addition have to require RFC 6904, implementation and usage for the CaptureId header extension field. Or rather if you write nothing it will by default be required if you encrypt RTCP, due to RFC 7941. But, I really recommend that you are explicit on this matter. It comes down to what security risks the field entails. What information will it leak to a third party viewer of the RTP/RTCP stream they can capture. Cheers Magnus Den 2017-01-18 kl. 09:33, skrev Roni Even: > 2. What do we want to say about supported security profile? For > example does the following directive from > https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#section-5.5 > looks good for CLUE? > > > > “Implementations MUST implement SRTP [RFC3711 > <https://tools.ietf.org/html/rfc3711>]. Implementations MUST > > implement DTLS [RFC4347 <https://tools.ietf.org/html/rfc4347>] and > DTLS-SRTP [RFC5763 <https://tools.ietf.org/html/rfc5763>][RFC5764] for SRTP > > keying. Implementations MUST implement > > [I-D.ietf-tsvwg-sctp-dtls-encaps > <https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#ref-I-D.ietf-tsvwg-sctp-dtls-encaps>]. > > > > All media channels MUST be secured via SRTP. Media traffic MUST NOT > > be sent over plain (unencrypted) RTP; that is, implementations MUST > > NOT negotiate cipher suites with NULL encryption modes. DTLS-SRTP > > MUST be offered for every media channel. > > > > All data channels MUST be secured via DTLS. > > > > All implementations MUST implement DTLS 1.0, with the cipher suite > > TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA with the the P-256 curve > > [FIPS186 > <https://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-12#ref-FIPS186>]. > The DTLS-SRTP protection profile > > SRTP_AES128_CM_HMAC_SHA1_80 MUST be supported for SRTP. > > Implementations SHOULD implement DTLS 1.2 with the > > TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 cipher suite. > > Implementations MUST favor cipher suites which support PFS over non- > > PFS cipher suites and SHOULD favor AEAD over non-AEAD cipher suites. > > “ -- Magnus Westerlund ---------------------------------------------------------------------- Services, Media and Network features, Ericsson Research EAB/TXM ---------------------------------------------------------------------- Ericsson AB | Phone +46 10 7148287 Färögatan 6 | Mobile +46 73 0949079 SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
- [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Paul Kyzivat
- Re: [clue] Comments on CaptureID and security Christian Groves
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Paul Kyzivat
- Re: [clue] Comments on CaptureID and security Roni Even
- Re: [clue] Comments on CaptureID and security Magnus Westerlund