[MMUSIC] Re: FW: Security requirements review

Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com> Fri, 07 May 2004 10:17 UTC

Message-ID: <409A8B4F.7000806@ericsson.com>
Date: Thu, 06 May 2004 22:00:31 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
To: Rod.Walsh@nokia.com
CC: dku@tzi.org, jon.peterson@neustar.biz, fandreas@cisco.com, dwing@cisco.com, mbaugher@cisco.com, magnus.westerlund@ericsson.com, jari.arkko@ericsson.com, elisabetta.carrara@ericsson.com, fredrik.lindholm@ericsson.com, mats.naslund@ericsson.com, karl.norrman@ericsson.com, jo@tzi.uni-bremen.de, nom@flab.fujitsu.co.jp, schulzrinne@cs.columbia.edu, Hitoshi.Asaeda@sophia.inria.fr, csp@csperkins.org, juha-pekka.luoma@nokia.com, mmusic@ietf.org
References: <D0299AFF29E01E478321564030AD69097E26B7@trebe003.europe.nokia.com>
In-Reply-To: <D0299AFF29E01E478321564030AD69097E26B7@trebe003.europe.nokia.com>

Hi,

a couple of comments:

I would clarify what you had in mind when you wrote the following 
requirement:

REQ DOS-3: It SHOULD be possible to avoid DoS attacks that exhaust
    resources of IMG entities by flooding them with IMG metadata.

What do you mean by "avoid"? Do you mean that the entity should be able 
to run in a stateless mode? Or that it should be able to identify evil 
packets and discard their data? Or...?


You should clarify both requirements in Section 6.5 (Replay Attacks):

REQ REP-1: IMG metadata MUST be protected against partial or full
    replacement of newer ("current") versions by older ones.

REQ REP-2: Mechanisms MUST be provided to mitigate replay attacks on
    the IMG operations.


Do you mean that you have to bundle somehow the metadata with the 
delivery mechanism? Let's say I receive metadata and I send it to 
another user without knowing that a newer version of the metadata is 
available... should the other user be able to detect this "replay 
attack"? I guess that an explanatory paragraph would help understand 
what these requirements really mean.


Thanks,

Gonzalo


Rod.Walsh@nokia.com wrote:

> Hi
> 
> Because I found that you have somehow been active on security issues related to MMUSIC, it would be fantastic if you would have a look at the security requirements in:
> http://www.ietf.org/internet-drafts/draft-ietf-mmusic-img-req-03.txt
> ..and send comments back (CC MMUSIC email list too if possible).
> 
> The document concerns "Requirements for Internet Media Guides" (IMGs).
> 
> This document has completed WGLC and we are thinking about a final sanity check that nothing crazy slipped past the authors, reviewers and numerous editions before handing over to the IESG (as a kindness towards the IESG :)  If you spot any impossible, unnecessary or questionable requirements please highlight them. (Naturally we're happy that the document is flawless, but once by your expert eyes would be very reassuring).
> 
> The security sanity check concerns chapter 6 of the document (maybe I'm pushing my luck to say comments on other parts are always welcome too).
> 
> Thanks for any ideas you can offer.
> 
> Cheers, Rod Walsh.
> 
> 
> PS rather than filling your inbox with lots of background I hope you are happy to ask in case you haven't had chance to follow the IMG work so far.
> 

-- 
Gonzalo Camarillo         Phone :  +358  9 299 33 71
Oy L M Ericsson Ab        Mobile:  +358 40 702 35 35
Telecom R&D               Fax   :  +358  9 299 30 52
FIN-02420 Jorvas          Email :  Gonzalo.Camarillo@ericsson.com
Finland                   http://www.hut.fi/~gonzalo
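
One possible reading of REQ REP-1 and of the forwarding question in the message above, as an added Python example (not taken from the draft, the thread or any IMG implementation). The shared HMAC key, the field names and the `valid_until` bound are assumptions made for illustration; the sample metadata is constructed.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: receivers share a key with the IMG sender


def seal(img_id, version, valid_until, body, key=KEY):
    """Sender side: authenticate id, version and validity together with the body."""
    msg = {"id": img_id, "version": version, "valid_until": valid_until, "body": body}
    blob = json.dumps(msg, sort_keys=True).encode()
    return {"msg": msg, "tag": hmac.new(key, blob, hashlib.sha256).hexdigest()}


class Receiver:
    def __init__(self, key=KEY):
        self.key = key
        self.latest = {}  # img_id -> highest version accepted so far

    def accept(self, sealed, now):
        msg = sealed["msg"]
        blob = json.dumps(msg, sort_keys=True).encode()
        expected = hmac.new(self.key, blob, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sealed["tag"]):
            return "rejected: bad tag"
        if now > msg["valid_until"]:
            return "rejected: expired"
        if msg["version"] <= self.latest.get(msg["id"], -1):
            return "rejected: not newer than stored version"
        self.latest[msg["id"]] = msg["version"]
        return "accepted"


def demo():
    v1 = seal("guide-42", 1, valid_until=200, body="channel list A")
    v2 = seal("guide-42", 2, valid_until=400, body="channel list B")
    alice, bob = Receiver(), Receiver()
    return [
        alice.accept(v1, now=100),  # first copy
        alice.accept(v2, now=150),  # update
        alice.accept(v1, now=160),  # old version replayed to a receiver that holds v2
        bob.accept(v1, now=160),    # old version forwarded to a receiver with no state
        bob.accept(v1, now=250),    # same forward after v1's validity has ended
    ]


if __name__ == "__main__":
    print(demo())
```

The fourth result is the forwarding case: a receiver that has never seen version 2 accepts an authentic version 1, and only the validity bound eventually limits how long the stale copy stays acceptable.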

