TSVDIR LC review: <draft-ietf-bfcpbis-rfc4582bis-13.txt> (The Binary Floor Control Protocol (BFCP)) to Proposed Standard>

Allison Mankin <allison.mankin@gmail.com> Mon, 02 March 2015 17:06 UTC

Return-Path: <allison.mankin@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 8A6971A1B9C; Mon, 2 Mar 2015 09:06:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 2lt4nvYbp2ay; Mon, 2 Mar 2015 09:06:14 -0800 (PST)
Received: from mail-qg0-x22d.google.com (mail-qg0-x22d.google.com [IPv6:2607:f8b0:400d:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 677C31A0377; Mon, 2 Mar 2015 09:06:14 -0800 (PST)
Received: by mail-qg0-f45.google.com with SMTP id z107so5894230qgd.4; Mon, 02 Mar 2015 09:06:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:cc:content-type; bh=jgY5ctvLSZarYWIgZ6EUO1xnfW5nfHvZGSnHskxWvr0=; b=LI6Il5xhg4zUx8hLM2VMJid5IUQYVrWjJei5xo5+92X+nQx+t0BrYSgWyXnj5iHu0C PBibH7Nd6+gWJFiD1Ijmrzup+QmAtDhdZc6SfKdisjW89GCaczLyjPCkzpKQMa2hJYB0 C1o/fNTn+o4lcJey54Gh0ota1jLI//Yc8Z1SQfyahHD2MfeFjTYM0jVPtyQ9jYN1tNAI tPW41GhCO2s4yDiceGjGgqTJSQQeR+x2MZFsb4dHOsGTrD98QMxh3cM5dOZq8JDtPmcg aBq/0jUmxmUOfJtJ7ZgSfNV/+6+KpyEnaLyw+Ddo2eTQ1Es7HtVo5qGc2jYqPGoWNQR5 CSig==
MIME-Version: 1.0
X-Received: by with SMTP id 71mr7070397qkp.83.1425315973650; Mon, 02 Mar 2015 09:06:13 -0800 (PST)
Received: by with HTTP; Mon, 2 Mar 2015 09:06:13 -0800 (PST)
Date: Mon, 2 Mar 2015 12:06:13 -0500
Message-ID: <CAP8yD=tyoOjqv2y1BHzhR3Dzu3pENmehg1ObHuC6YeOJkTuS1g@mail.gmail.com>
Subject: TSVDIR LC review: <draft-ietf-bfcpbis-rfc4582bis-13.txt> (The Binary Floor Control Protocol (BFCP)) to Proposed Standard>
From: Allison Mankin <allison.mankin@gmail.com>
To: IETF Discussion <ietf@ietf.org>, draft-ietf-bfcpbis-rfc4582bis@tools.ietf.org
Content-Type: multipart/alternative; boundary=001a11473ff84d5d980510513c9b
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/-im5sYaO1HMALmSxtPqcFw3ItZk>
Cc: gorry@erg.abdn.ac.uk, tsv-art@ietf.org, bfcpbis@ietf.org, Transport Directorate <tsv-dir@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Mar 2015 17:06:21 -0000

[Put into template form and forwarded for the TSVDIR reviewer, Gorry
Fairhurst, to expedite while he is traveling]

Please resolve these comments along with any other Last Call comments you
may receive.

Document:  draft-ietf-6man-resilient-rs-04.txt
Reviewer: Gorry Fairhurst
Review Date: 2015-03-01
IETF LC End Date: 2015-03-05
IESG Telechat date: ---

Summary: This draft is not ready for publication as a standards track RFC.

This document defines a control protocol that may be used over TCP or UDP.
The major change between this document and its predecessor RFC4528 is
stated to be:

   Main purpose of this work was to revise the specification to support
   BFCP over an unreliable transport (Section 16.1)

The use of UDP raises a number of issues that need to be considered when
used in environments that may experience congestion, long delay, or
limited capacity. Further work appears to be needed to address these
concerns. Citing RFC 5405 as normative (rather than informational) may be
good, and some of the guidance from this BCP suggests protocol issues that
should be examined and justified or amended. Notable concerns are the lack
support for RTT estimation, and the way in which fragmentation is handled.

There is mention of potential support for SCTP, however the statement on
SCTP appears to need updating.

The intro states:
"BFCP has been designed so that it can be used in low-
bandwidth environments" - there are specific low-bandwidth
concerns when UDP is used. See below.

Section 3.4: Congestion Control
I do not understand how congestion-control is performed on the media flow.
Is it the responsibility of each audio stream to independently react to
congestion? If it is, it would be useful to state this here.

Section 5: Protocol:
"If a floor control server receives a
message with an unsupported version field value, and the extensions
in this document is supported, the receiving server MUST send an
Error message with parameter value 12 (Unsupported Version) to
indicate this. "
- What happens in the case where the receiving server does not support the
extensions in this document? Does it silently discard?

Section 5:

What is the security model when TLS/DTLS is not used? - has the protocol
protection from off-path attacks, and how is this provided?

What is the privacy model when TLS/DTLS is not used?  - Does the protocol
expose the identity of participants to others on the network?

"Res: At this point, the 3 bits"
- This may be better written as perhaps: Res: In version 1 and 2 of the
protocol, the 3 bits".

- Please specify here what a receiver should do with an undefined primitive

Payload Length:
- What happens when using a datagram format if the datagram length (e.g.
UDP-Length) is less or more than the value specified within the BFCP?

Conference ID:
- Is the Conference ID randomised to provide protection to mitigate the
chance of off-path data insertion attacks? Note that in section 6.2.4,
symmetric port numbers (src,dst) are recommended, and hence the a random
ephemeral port does not offer protection from off-path attacks in the case
where TLS/DTLS is not used.

Fragment Length:
- What happens if the datagram length (e.g. UDP-Length) is less or more
than the value specified within the BFCP?

Section 6.1: CC:
"if a TCP
connection cannot deliver a BFCP message and times out or receives an
ICMP port unreachable message mid-connection, the TCP connection
SHOULD be reestablished."
- I think this needs more specification. How many times will the TCP
connection be retried in succession? While it seems OK for a session to be
restarted because of a delivery failure, this seems like a
congestion-control problem if it is unconditionally resumed with no
control of the number of attempts, and no requirement to back-off after
repeated failures.

Section 6.2.1: Retransmission interval:
"The default initial interval MUST be set to 500ms "
- The protocol appears to fail systematically  when the actual path RTT is
greater than 500ms. The sender needs not only to expand the timer each
retransmission, but needs to avoid the possibility that every message is
duplicated when the path RTT is greater than 500mS. A simple solution is
for the sender learn the actual RTT and increase the default timer when
this is greater than 500 mS? This seems like a protocol flaw. See RFC 5405
on the need to back-off timers, based on RTT.

Section 6.2.2:
How does the receiving endpoint verify that the ICMP message was from the
corresponding endpoint, is there any field in the protocol header that
could be used to reduce the chance of off-path attacks?

Section 6.2.2:
This section could usefully also refer to RFC 5405.

Section 6.2.3:
"BFCP entities should consider the MTU size"
- This isn't capitalised as "SHOULD", was that intended? I'm unclear what
the intention is here, especially when discussing PMTU-D.

"and MAY run MTU discovery, such as [20][21][22], for this purpose."
- Presumably this is "Path" MTU Discovery.
- The ID does not explain how this is done. Could it be done using dummy
messages (e.g. padded out with unused options?) or some other method to
probe the path? The current text simply does not explain how PMTUD  or
PLPMTUD is implemented, It needs to specify how to generate a "big" packet
and how to handle retransmission.

Congestion Control:
The protocol appears to say it sends a single datagram per RTT, but
actually fragmentation may result in multiple fragments per RTT. This
amplifies the congestion control risk. There appears to be no limit set to
the number of fragments that may be created, and each are presumably sent
as a burst - and all retransmitted if there is a single loss. This could
introduce a significant risk of congestion collapse, if this happens for
multiple consecutive messages.

Timers T1 and T2 are set to a static value by configuration. While the
values suggested may be reasonable default minimum values, these two
values should be increased when a path has a larger RTT to avoid the
protocol replicating all data (see RFC 5405). The current specification
can increase congestion for long RTT paths, and needs to be updated to
reflect paths discovered to have a larger RTT.

B.1.1.6.  SCTP
"It would be quite straight forward to specify a BFCP binding for SCTP
[28], and then tunnel SCTP over UDP in the use case described in
Appendix B.1.  SCTP is gaining some momentum currently.  There is ongoing
discussion in the RTCWeb WG regarding this approach. However, this
approach for tunneling over UDP was not mature enough  when considered and
not even fully specified."
- it seems this dismisses SCTP support, yet this text appears out of date
and needs  to be updated to reflect RFC 6951, and possibly