Re: [codec] Stephen Farrell's No Objection on draft-ietf-codec-oggopus-13: (with COMMENT)
Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 17 February 2016 02:26 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: codec@ietfa.amsl.com
Delivered-To: codec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAF221A0273; Tue, 16 Feb 2016 18:26:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.307
X-Spam-Level:
X-Spam-Status: No, score=-4.307 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i7ZJvzYm8CtK; Tue, 16 Feb 2016 18:26:18 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B6A11A026F; Tue, 16 Feb 2016 18:26:18 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id B6A21BE54; Wed, 17 Feb 2016 02:26:16 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KxLEJlcPbS61; Wed, 17 Feb 2016 02:26:12 +0000 (GMT)
Received: from [10.10.11.56] (unknown [104.220.240.149]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 3FC34BE3E; Wed, 17 Feb 2016 02:26:11 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1455675972; bh=deRjZ0NgYE5CSla3I8Aj/vTy1VM2734c5bbOXPiZNUQ=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=odrD3iPLdr7WnRqy23WnLtv108K9ok2RLbo0yXxQe/MKrjGLdl+Z3BCTGLZGEWf7u JlHgAjhqBtXR4Vz5+WWcmzJeibpkSyZrs3ubbLYggifQXUBEUp+44dcN1kohlmRHA0 kmcWtdnqX7yjNsOieMv6WUQoN6uMvdKsz/q//rZ8=
To: "Timothy B. Terriberry" <tterribe@xiph.org>, The IESG <iesg@ietf.org>
References: <20160215180233.30650.39279.idtracker@ietfa.amsl.com> <56C3D6C0.70904@xiph.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <56C3DA41.60107@cs.tcd.ie>
Date: Wed, 17 Feb 2016 02:26:09 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <56C3D6C0.70904@xiph.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060905080102020604090300"
Archived-At: <http://mailarchive.ietf.org/arch/msg/codec/nY0mYYdZIh4QrXRcqfMseHWgGHk>
Cc: codec-chairs@ietf.org, codec@ietf.org, draft-ietf-codec-oggopus@ietf.org
Subject: Re: [codec] Stephen Farrell's No Objection on draft-ietf-codec-oggopus-13: (with COMMENT)
X-BeenThere: codec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Codec WG <codec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/codec>, <mailto:codec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/codec/>
List-Post: <mailto:codec@ietf.org>
List-Help: <mailto:codec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/codec>, <mailto:codec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2016 02:26:23 -0000
Hiya, Thanks - I'm fine with all that and especially the new security considerations text which seems much better, Cheers, S. On 17/02/16 02:11, Timothy B. Terriberry wrote: > Thanks for the detailed comments. Responses are in-line below. > > Stephen Farrell wrote: >> - general, (but a nit): there are some odd unexplained numbers >> here, which is fine ... but odd. (E.g. 125,829,120) It might be >> nicer to explain to the reader why these values were chosen. I > > The number quoted is just 120 MB (120*1024*1024). I added a > parenthetical to clarify this. The 61,440 number in the same paragraph > is explained later in the text. Happy to clarify any others you think > should be explained better. > >> - An example or diagram in the intro or section 3 would maybe >> have helped. > > The appropriate figure for the introduction is probably the one from > Section 5 of RFC 3533. We could copy it here, but I think the reference > is enough (it would probably require more text to explain it, text which > is already in RFC 3533). > > Section 3 is a bit more specific to this draft. I added the following > figure: > > Page 1 Pages 2 ... n Pages (n+1) ... > +------------+ +---+ +---+ ... +---+ +-----------+ +---------+ +-- > | | | | | | | | | | | | | > |+----------+| |+-----------------+| |+-------------------+ +----- > |||ID Header|| || Comment Header || ||Audio Data Packet 1| | ... > |+----------+| |+-----------------+| |+-------------------+ +----- > | | | | | | | | | | | | | > +------------+ +---+ +---+ ... +---+ +-----------+ +---------+ +-- > ^ ^ ^ > | | | > | | Mandatory page break > | | > | ID header is contained on a single page > | > 'Beggining Of Stream' > > Figure 1: Example packet organization for a logical Ogg Opus stream > > >> - section 5: Q7.8 is a new one to me. Maybe add a reference? > > Added a reference to > <https://en.wikipedia.org/w/index.php?title=Q_%28number_format%29&oldid=697252615>. > > >> - 5.1.1.5: Could figures 3-8 do with some body text to explain >> them? That's (having body text that refers to the figures), >> general good practice and I'm not sure if they're sufficiently >> clear for an implementer to get right. (But as I'm not coding >> this, I don't know, so just checking:-) > > I think the meaning is relatively unambiguous, but certainly adding a > reference to the figures instead of just saying "the following matrices" > would be clearer, so I have done that. > >> - 5.2: You don't say that the user comment strings must also be >> UTF8, but you do for the vendor string. Why not? I think it'd be >> good to call that out. > > The text doesn't but the header says: > > "User Comment #i String (variable length, UTF-8 vector):" > > I've normalized the text to match that of the vendor string for > consistency, however. > >> - 5.2.1: [vorbis-comment] is, correctly, a normative reference >> here but I wonder if a xiph.org URL is a good enough reference >> for that. Is there anything better, or are we confident enough >> in that URL? > > According to archive.org, that URL has been stable since at least 2005 > (since the year 2000, according to our svn logs, but the final version > for Vorbis 1.0 wasn't posted until July 11th 2002). I don't know of a > better authority. > >> - 5.2.1: From what namespace are the -573 and 111 values here >> selected? How is that managed? (Just wondering.) > > Those values are just examples. I've added a sentence saying that, since > it must not have been clear. The syntax for them is described in the > paragraph below. If people feel that description is imprecise we could > probably add some EBNF. > >> - section 9: While I like the MUST NOT here, it's really only >> wishful thinking and isn't a strictly valid use of 2119 terms. >> I'm ok with that though. The SHOULD NOT statement is also kind >> of bogus. Generally this section would be better if it had >> guidance on where implementers are likely to go wrong in ways >> that cause security issues. Reference such as are provided in > > I agree. The current text was adapted from RFC 6716, but I think we have > enough implementation experience at this point to write something > better. I propose the following additional text: > > Header parsing code contains the most likely area for potential > overruns. It is important for implementations to ensure their > buffers contain enough data for all of the required fields before > attempting to read it (for example, for all of the channel map data > in the ID header). Implementations would do well to validate the > indices of the channel map, also, to ensure they meet all of the > restrictions outlined in Section 5.1.1, in order to avoid attempting > to read data from channels that do not exist. > > To avoid excessive resource usage, we advise implementations to be > especially wary of streams that might cause them to process far more > data than was actually transmitted. For example, a relatively small > comment header may contain values for the string lengths or user > comment list length that imply that it is many gigabytes in size. > Even computing the size of the required buffer could overflow a > 32-bit integer, and actually attempting to allocate such a buffer > before verifying it would be a reasonable size is a bad idea. After > reading the user comment list length, implementations might wish to > verify that the header contains at least the minimum amount of data > for that many comments (4 additional octets per comment, to indicate > each has a length of zero) before proceeding any further, again > taking care to avoid overflow in these calculations. If allocating > an array of pointers to point at these strings, the size of the > pointers may be larger than 4 octets, potentially requiring a > separate overflow check. > > Another bug in this class we have observed more than once involves > the handling of invalid data at the end of a stream. Often, > implementations will seek to the end of a stream to locate the last > timestamp in order to compute its total duration. If they do not > find a valid capture pattern and Ogg page from the desired logical > stream, they will back up and try again. If care is not taken to > avoid re-scanning data that was already scanned, this search can > quickly devolve into something with a complexity that is quadratic in > the amount of invalid data. > > In general when seeking, implementations will wish to be cautious > about the effects of invalid granule position values, and ensure all > algorithms will continue to make progress and eventually terminate, > even if these are missing or out-of-order. > > >> RFC 6562 about the dangers of VBR might also be useful here, not >> sure. > > In most of the expected uses of Ogg Opus on the internet (e.g., https > streaming), the encryption and network packetization would be separate > from the container's packetization/pagination, so I don't think the > dangers referred to by RFC 6562 apply (if you can see the Ogg packet > sizes, it's because you already have access to the decrypted plaintext). > In other contexts, RFC 6716 already includes a reference to 6562. > > I've attached a diff of the relevant changes to the XML.
- [codec] Stephen Farrell's No Objection on draft-i… Stephen Farrell
- Re: [codec] Stephen Farrell's No Objection on dra… Timothy B. Terriberry
- Re: [codec] Stephen Farrell's No Objection on dra… Stephen Farrell