Re: [MMUSIC] WGLC for draft-ietf-mmusic-delayed-duplication-01

"Ali C. Begen (abegen)" <abegen@cisco.com> Thu, 25 April 2013 07:55 UTC

From: "Ali C. Begen (abegen)" <abegen@cisco.com>
To: Ari Keränen <ari.keranen@ericsson.com>
Date: Thu, 25 Apr 2013 07:55:30 +0000
Message-ID: <C15918F2FCDA0243A7C919DA7C4BE9940D017374@xmb-aln-x01.cisco.com>
References: <515F03F3.6070400@ericsson.com> <51770ADD.6080702@ericsson.com> <C15918F2FCDA0243A7C919DA7C4BE9940D00FB1B@xmb-aln-x01.cisco.com> <51784997.3040207@ericsson.com>
In-Reply-To: <51784997.3040207@ericsson.com>
Cc: "<draft-ietf-mmusic-delayed-duplication@tools.ietf.org>" <draft-ietf-mmusic-delayed-duplication@tools.ietf.org>, mmusic <mmusic@ietf.org>
Subject: Re: [MMUSIC] WGLC for draft-ietf-mmusic-delayed-duplication-01

On Apr 25, 2013, at 6:07 AM, Ari Keränen <ari.keranen@ericsson.com> wrote:

> On 4/24/13 9:32 AM, Ali C. Begen (abegen) wrote:
>> 
>> On Apr 24, 2013, at 7:27 AM, Ari Keränen <ari.keranen@ericsson.com>
>> wrote:
>> 
>>> Hi,
>>> 
>>> I reviewed the draft and noticed that in the intro section you
>>> mention a possible DoS attack using the delayed duplication
>>> functionality, but it's not discussed at all in the security
>>> considerations section. Should that be addressed too?
>>> 
>> 
>> Really? The whole section talks about what could happen if someone
>> could modify the SDP (number of dup streams, delays, etc.).
>> Especially the last paragraph mentions this. Is it not clear?
> 
> Not really. I guess I was expecting something more for a "new series of denial-of-service attacks" than what was described in the security section. To make this more clear, perhaps you could use the term DoS also in the security section, where applicable.
> 
> Especially the last section talks about software bug or misconfiguration, but couldn't an active attacker also do this?
> 

I will change the text as follows. Let me know if there are objections.

OLD:

   Another security risk is due to possible software misconfiguration or
   a software bug where a large number of duplicates could be
   unwillingly signaled in the 'duplication-delay' attribute.  In
   applications where this attribute is to be used, it is a good
   practice to put a hard limit both on the number of duplicate streams
   and the total delay introduced due to duplication regardless of what
   the SDP description specifies.

NEW:

   Another security risk is due to possible software misconfiguration or
   a software bug where a large number of duplicates could be
   unwillingly signaled in the 'duplication-delay' attribute.  Similarly,
   an attacker can use this attribute to start a denial-of-service attack
   by signaling and sending too many duplicated streams.  In
   applications where this attribute is to be used, it is a good
   practice to put a hard limit both on the number of duplicate streams
   and the total delay introduced due to duplication regardless of what
   the SDP description specifies.


> 
> Cheers,
> Ari
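The mitigation the proposed text asks for, a hard limit on both the number of duplicate streams and the total delay that is applied no matter what the SDP says, is small enough to show in full. The following is an added example written for this thread, not code from the draft or from any implementation. It assumes the attribute syntax is `a=duplication-delay:<ms> [<ms> ...]` with one whitespace-separated non-negative integer per duplicate, each delay measured relative to the original stream; the limit values and the SDP fragments are constructed for the example. The plan it returns also records what the SDP asked for, so an implementation can log offers that exceed policy, whether they come from a bug, a misconfiguration or an attacker.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Hard limits enforced regardless of what the SDP description specifies.
# Constructed policy values for this example; the draft gives no numbers.
MAX_DUPLICATE_STREAMS = 2
MAX_TOTAL_DELAY_MS = 500

# Assumed syntax: 'a=duplication-delay:' followed by one or more integer
# millisecond delays separated by whitespace.
ATTR_RE = re.compile(r"^a=duplication-delay:\s*(\d+(?:\s+\d+)*)\s*$")


@dataclass(frozen=True)
class DuplicationPlan:
    requested: Tuple[int, ...]   # delays the SDP asked for (kept for logging)
    applied: Tuple[int, ...]     # delays the implementation will actually honour
    dropped_by_count: int        # duplicates refused because of the stream cap
    dropped_by_delay: int        # duplicates refused because of the delay cap

    @property
    def exceeded_policy(self) -> bool:
        """True when the SDP asked for more duplication than policy allows."""
        return self.dropped_by_count > 0 or self.dropped_by_delay > 0


def parse_duplication_delay(line: str) -> Tuple[int, ...]:
    """Parse one 'a=duplication-delay:' line into per-duplicate delays in ms."""
    m = ATTR_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed duplication-delay attribute: {line!r}")
    return tuple(int(v) for v in m.group(1).split())


def apply_limits(requested, max_streams=MAX_DUPLICATE_STREAMS,
                 max_total_ms=MAX_TOTAL_DELAY_MS) -> DuplicationPlan:
    """Clamp a requested duplication plan to the local hard limits."""
    # Cap 1: number of duplicate streams. Only the first max_streams survive.
    kept = list(requested[:max_streams])
    dropped_by_count = len(requested) - len(kept)
    # Cap 2: total delay. With each delay relative to the original stream,
    # the total delay the receiver must buffer for is the largest value, so
    # any duplicate whose delay exceeds the cap is refused outright rather
    # than silently rescheduled.
    applied = tuple(d for d in kept if d <= max_total_ms)
    dropped_by_delay = len(kept) - len(applied)
    return DuplicationPlan(tuple(requested), applied, dropped_by_count, dropped_by_delay)


def plan_from_sdp(sdp: str, **limits) -> DuplicationPlan:
    """Locate the attribute in an SDP body and return the enforced plan.
    A missing or malformed attribute results in no duplication at all."""
    for line in sdp.splitlines():
        if line.startswith("a=duplication-delay:"):
            try:
                return apply_limits(parse_duplication_delay(line), **limits)
            except ValueError:
                break  # malformed: safest outcome is to send nothing extra
    return DuplicationPlan((), (), 0, 0)


# Constructed SDP fragments: a benign offer, and one asking for far more
# duplication (five streams, delays up to a minute) than policy permits.
BENIGN_SDP = "v=0\r\nm=video 30000 RTP/AVP 100\r\na=duplication-delay:50\r\n"
HOSTILE_SDP = ("v=0\r\nm=video 30000 RTP/AVP 100\r\n"
               "a=duplication-delay:50 100 200 5000 60000\r\n")

if __name__ == "__main__":
    for name, sdp in (("benign", BENIGN_SDP), ("hostile", HOSTILE_SDP)):
        plan = plan_from_sdp(sdp)
        print(f"{name}: requested={plan.requested} applied={plan.applied} "
              f"exceeded_policy={plan.exceeded_policy}")
```

The choice to refuse an over-limit duplicate rather than clamp its delay is deliberate: rescheduling a duplicate the peer did not ask for changes the timing relationship the SDP described, whereas simply not sending it keeps behaviour predictable and still bounds both the stream count and the buffering delay.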