Re: [MMUSIC] Hi, May I ask for your opinion on draft-zhou-mmusic-sdes-keymod-01?

zhou.sujing@zte.com.cn Wed, 18 April 2012 02:49 UTC

Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 96B0A21F857F for <mmusic@ietfa.amsl.com>; Tue, 17 Apr 2012 19:49:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.655
X-Spam-Level:
X-Spam-Status: No, score=-96.655 tagged_above=-999 required=5 tests=[AWL=-0.220, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_16=0.6, J_CHICKENPOX_46=0.6, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, RCVD_DOUBLE_IP_LOOSE=0.76, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRYoH3FosenE for <mmusic@ietfa.amsl.com>; Tue, 17 Apr 2012 19:49:06 -0700 (PDT)
Received: from mx5.zte.com.cn (mx6.zte.com.cn [95.130.199.165]) by ietfa.amsl.com (Postfix) with ESMTP id BC37F21F857D for <mmusic@ietf.org>; Tue, 17 Apr 2012 19:49:05 -0700 (PDT)
Received: from [10.30.17.99] by mx5.zte.com.cn with surfront esmtp id 28620978252052; Wed, 18 Apr 2012 10:09:46 +0800 (CST)
Received: from [10.30.3.21] by [192.168.168.15] with StormMail ESMTP id 96035.2712434073; Wed, 18 Apr 2012 10:49:00 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id q3I2mt4H003881; Wed, 18 Apr 2012 10:48:55 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
In-Reply-To: <034c01cd1cb0$b6add5c0$24098140$@com>
To: Dan Wing <dwing@cisco.com>
MIME-Version: 1.0
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OFCDEF0C50.5AA220BF-ON482579E4.000D2D8B-482579E4.000F7E02@zte.com.cn>
From: zhou.sujing@zte.com.cn
Date: Wed, 18 Apr 2012 10:48:48 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.1FP4|July 25, 2010) at 2012-04-18 10:48:57, Serialize complete at 2012-04-18 10:48:57
Content-Type: multipart/alternative; boundary="=_alternative 000F7DFF482579E4_="
X-MAIL: mse02.zte.com.cn q3I2mt4H003881
Cc: mmusic@ietf.org
Subject: Re: [MMUSIC] Hi, May I ask for your opinion on draft-zhou-mmusic-sdes-keymod-01?
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2012 02:49:10 -0000

Regards~~~

-Sujing Zhou

"Dan Wing" <dwing@cisco.com> 写于 2012-04-17 23:42:36:

> > -----Original Message-----
> > From: zhou.sujing@zte.com.cn [mailto:zhou.sujing@zte.com.cn]
> > Sent: Monday, April 16, 2012 10:10 PM
> > To: Dan Wing
> > Subject: 答复: RE: Hi, May I ask for your opinion on 
draft-zhou-mmusic-
> > sdes-keymod-01?
> > 
> > 
> > Yes,the offer cannot determin if re-trageting or forking are 
occuring.
> > I added a new parameter "keymod" with NULL value in the offer message
> > (in 01 version) no matter wich scenarios,
> > to inform the answerer that
> > 
> >  "Hi, I am kind of concerned about my outgoing
> > message be intercept by some intermediates, so I am ready to accept 
any
> > answer message with
> > keymod parameter, if you send values in keymod parameter, I can update
> > my key accordingly"
> > 
> > It is up to the answerer to decide if it will send keymod parameter
> > with valid value.
> > 
> > If the answer does not care, it can send keymod with NULL value, and
> > this case is the same as the current SDES;
> > If the answer cares, it can send keymod with non-NULL value, and this
> > case is what our document is solving.
> > 
> > The answerer may be able to detect it is in a re-targeting/forking
> > scenario, and be triggered to send keymod;
> > Or, the answerer could not detect the situation, and be encouraged to
> > send keymod, because offerer asked for.
> 
> The offerer should just always issue a re-Invite with a new a=crypto 
key. 
> 
> I guess you are trying to optimize that so that the offerer and answerer
> somehow determine if a re-Invite might be necessary?  Why not generalize
> that optimization, so that the answerer indicates "re-direct occurred" 
and
> indicates "forking occurred"?  That could be useful for this SDESC 
re-Invite
> optimization, and could be useful elsewhere.  However, I believe it is
> impossible for the Answerer to reliably determine if a re-direct 
occurred or
> if forking occurred, which is why I have doubt that the proposal in your 
I-D
> can work as you hope.
> 
> -d
 
Let the offerer send a re-Invite or an UPDATE with a new a=crypto key is 
indeed an solution.
But it require more roundtrips.

Our motivations are 
-to optimize the procedure
-to enhance the security of SDES

your question is around the applicability of the optimized procedure.
In the case of re-direct occurs, the anwser always knows it is a 
re-directed call,should no problem, our 00 draft works.
In the case  of forking, the answer does not know it is a forked call, our 
00 draft does not work in this case.

Our 01 verion does not let answer alone to determin if a re-direct or a 
forking occur.
Instead, our 01 version is a general upgrade to current SDES protocol, 
that will come to our
another motivation :enhance the security of SDES

Generaly it is preferable the session key  between two peers  be 
established with contribution from both peers,otherwise we will get  into 
trouble 
as  SDES now in the scenarios of re-targetting and forking.
Our 01 version actually suggests to change the unidirectional key 
transport in SDES into a key agreement(indicated by "keymod"):
offerer provides: k1 
answer provides: keymod value
the outgoing key from offerer to answerer is derived from k1 and keymod 
value no matter in which situation.
Re-targeting and forking  happen to be the scenarios that especially 
benefit from the change.



> 
> 
> > 
> > 
> > Regards~~~
> > 
> > -Sujing Zhou
> > 
> > "Dan Wing" <dwing@cisco.com> 写于 2012-04-17 05:14:58:
> > 
> > > I don't see how sending additional parameters solves the problem.
> > >
> > > The problem is the offerer cannot determine if re-targeting or
> > forking
> > > occurred, and thus cannot determine if it needs to send a new
> > (updated)
> > > offer.  The only solution is to always send a new offer.
> > >
> > > -d
> > >
> > >
> > > > -----Original Message-----
> > > > From: zhou.sujing@zte.com.cn [mailto:zhou.sujing@zte.com.cn]
> > > > Sent: Monday, April 16, 2012 12:29 AM
> > > > To: Dan Wing
> > > > Subject: Hi, May I ask for your opinion on draft-zhou-mmusic-sdes-
> > > > keymod-01?
> > > >
> > > >
> > > > Hi, Wing,
> > > >
> > > >   I have updated my draft incorporating your question.
> > > > http://tools.ietf.org/html/draft-zhou-mmusic-sdes-keymod-01
> > > >   May I ask for your opinion and interest in it?
> > > >
> > > > Thank you!
> > > >
> > > > Regards~~~
> > > >
> > > > -Sujing Zhou
> > > >
> > > > mmusic-bounces@ietf.org 写于 2012-03-21 09:32:40:
> > > >
> > > > >
> > > > > Hi, Wing
> > > > >
> > > > >     Your point is good, I may update our draft (in 01 version)
> > like
> > > > > the following paragraph:
> > > > > " 3.1.  Generating the Initial Offer - Unicast Streams
> > > > >
> > > > >    The generation of the initial offer for a unicast stream MUST
> > > > follow
> > > > >    that of the crypto attribute RFC4568 [RFC4568], and MAY
> > > > >
> > > > >    also include an additional "keymod" parameter with keymod-val
> > > > being
> > > > >    NULL.  It indicates to the ultimate answerer that the offerer
> > > > wants
> > > > >    to employ the mechanism specified in
> > > > >
> > > > >    this document, a key agreement mechanism with a higher
> > security
> > > > level
> > > > >    than the original SDES.
> > > > > "
> > > > > So that answerer does not need to know it is in a re-targeting 
or
> > > > > forking scenario,
> > > > > it is offerer suggesting use keymod mechanism.
> > > > >
> > > > >
> > > > >
> > > > > Regards~~~
> > > > >
> > > > > -Sujing Zhou
> > > > >
> > > > > "Dan Wing" <dwing@cisco.com> 写于 2012-03-18 10:43:42:
> > > > >
> > > > > > To be effective, draft-zhou-mmusic-sdes-keymod needs the
> > Answerer
> > > > to send
> > > > > > the "keymod" extension if it knows, or believes, the INVITE 
was
> > re-
> > > > targeted
> > > > > > or forked.  I have two questions:
> > > > > >
> > > > > > I see for the described re-targeting case (Section 5.1 of
> > > > > > draft-zhou-mmusic-sdes-keymod-00), a "cause" parameter
> > [RFC4458]
> > > > can be a
> > > > > > useful indicator that a call was re-targeted.  Is the "cause"
> > > > parameter
> > > > > > always present when a call is re-targeted?
> > > > > >
> > > > > > How does the Answerer know if a call was forked?
> > > > > >
> > > > > > -d
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > mmusic mailing list
> > > > > mmusic@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/mmusic
> > >
> > >
> > >
> 
> 
>