Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 12 October 2016 11:47 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Christer Holmberg <christer.holmberg@ericsson.com>, Magnus Westerlund <magnus.westerlund@ericsson.com>, Cullen Jennings <fluffy@iii.ca>
Date: Wed, 12 Oct 2016 11:47:12 +0000
Message-ID: <D423FEEE.11074%christer.holmberg@ericsson.com>
References: <D41C238A.1095B%christer.holmberg@ericsson.com> <71419d1f-af1d-46e9-401d-81c5df73fc49@ericsson.com> <58510E68-A045-4312-B3B3-3468E83C8EB7@iii.ca> <243c777f-46f9-4053-1588-7e6b58a06c8c@ericsson.com> <D423DEE7.1101D%christer.holmberg@ericsson.com>
In-Reply-To: <D423DEE7.1101D%christer.holmberg@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/1-NEMD6aslFAlZfpfun3GfsBIgE>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Subject: Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security

Pull request created.

https://github.com/cdh4u/draft-sdp-bundle/pull/11


Regards,

Christer


On 12/10/16 12:32, "mmusic on behalf of Christer Holmberg"
<mmusic-bounces@ietf.org on behalf of christer.holmberg@ericsson.com>
wrote:

>Hi,
>
>Based on the discussions, and input that has been provided, are people ok
>with adding the text Magnus suggested (see below) to the Security
>Considerations of BUNDLE?
>
>Regards,
>
>Christer
>
>
>>>> The identification-tag when included in the RTP MID SDES item,
>>>> independent of transport, RTCP SDES packet or RTP header extension,
>>>> can expose the value to parties beyond the signaling chain.
>>>> Therefore, the identification-tag MUST NOT contain any user related
>>>> information. However, the implementation's method for generating
>>>> identification-tags combined with hardware configuration can enable
>>>> fingerprinting of the endpoint device and thus its user. As the
>>>> identification-tag is also used to route the media stream to the
>>>> right application functionality it is also important that the value
>>>> received is the one intended by the sender, thus integrity and the
>>>> authenticity of the source are important to prevent denial of
>>>> service on the application. At least to prevent third parties from
>>>> modifying the identification-tag value.
>>>>
>>>> Due to the security risks associated with the MID values in RTP and
>>>> RTCP it is strongly RECOMMENDED that the MID SDES item is both
>>>> confidentiality protected as well as source authenticated when
>>>> transported in either RTCP or RTP header extensions. The security
>>>> mechanisms used SHALL provide corresponding levels of security for
>>>> both RTP header extensions and RTCP. Confidentiality mechanisms for
>>>> RTP/RTCP are discussed in Options for Securing RTP Sessions
>>>> [RFC7201], for example SRTP [RFC3711] with SRTCP encryption enabled
>>>> combined with [RFC6904] can provide the necessary security
>>>> functions.
>
>_______________________________________________
>mmusic mailing list
>mmusic@ietf.org
>https://www.ietf.org/mailman/listinfo/mmusic
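The two defensive points in Magnus' proposed text, that an identification-tag must carry no user-related information and that a receiver must only act on tags it actually negotiated, as an added illustration that is not part of the thread or the BUNDLE draft. It assumes the RFC 8285 one-byte header-extension layout (not described in the message), a constructed extension ID of 4 for the MID item, and a constructed bundle of two negotiated tags.

```python
import secrets
import struct

# An identification-tag is an SDP token; restrict generated tags to alphanumerics.
_TOKEN_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def generate_mid(existing, length=4):
    """Return a fresh identification-tag that is unique within the bundle.

    The tag comes from a CSPRNG and encodes nothing about the user, the
    device or a counter, so it neither leaks user data nor gives an
    on-path observer a stable pattern to fingerprint the implementation.
    """
    while True:
        mid = "".join(secrets.choice(_TOKEN_ALPHABET) for _ in range(length))
        if mid not in existing:
            return mid


def parse_one_byte_extensions(ext):
    """Parse an RFC 8285 one-byte-header extension block into {id: bytes}.
    The layout is an assumption here; the message above does not describe it."""
    profile, words = struct.unpack("!HH", ext[:4])
    if profile != 0xBEDE:
        raise ValueError("not a one-byte header extension block")
    body = ext[4:4 + 4 * words]
    elements, i = {}, 0
    while i < len(body):
        if body[i] == 0:            # padding byte between elements
            i += 1
            continue
        ext_id, ext_len = body[i] >> 4, (body[i] & 0x0F) + 1
        if ext_id == 15:            # reserved ID: stop parsing
            break
        elements[ext_id] = body[i + 1:i + 1 + ext_len]
        i += 1 + ext_len
    return elements


def route_by_mid(ext, mid_ext_id, negotiated):
    """Return the negotiated m= section for the packet's MID, or None.

    A tag that was never negotiated is dropped rather than used to select or
    create a destination: until SRTP/SRTCP with RFC 6904 protects the
    extension, the tag is plaintext and may have been altered en route.
    """
    raw = parse_one_byte_extensions(ext).get(mid_ext_id)
    if raw is None:
        return None
    return negotiated.get(raw.decode("ascii", errors="replace"))
```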