[MMUSIC] Re: FW: Security requirements review
Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com> Fri, 07 May 2004 10:17 UTC
Message-ID: <409A8B4F.7000806@ericsson.com>
Date: Thu, 06 May 2004 22:00:31 +0300
From: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>
To: Rod.Walsh@nokia.com
CC: dku@tzi.org, jon.peterson@neustar.biz, fandreas@cisco.com, dwing@cisco.com, mbaugher@cisco.com, magnus.westerlund@ericsson.com, jari.arkko@ericsson.com, elisabetta.carrara@ericsson.com, fredrik.lindholm@ericsson.com, mats.naslund@ericsson.com, karl.norrman@ericsson.com, jo@tzi.uni-bremen.de, nom@flab.fujitsu.co.jp, schulzrinne@cs.columbia.edu, Hitoshi.Asaeda@sophia.inria.fr, csp@csperkins.org, juha-pekka.luoma@nokia.com, mmusic@ietf.org

Hi,

a couple of comments:

I would clarify what you had in mind when you wrote the following requirement:

   REQ DOS-3: It SHOULD be possible to avoid DoS attacks that exhaust
   resources of IMG entities by flooding them with IMG metadata.

What do you mean by "avoid"? Do you mean that the entity should be able to run in a stateless mode? Or that it should be able to identify evil packets and discard their data? or...?

You should clarify both requirements in Section 6.5 (Replay Attacks):

   REQ REP-1: IMG metadata MUST be protected against partial or full
   replacement of newer ("current") versions by older ones.

   REQ REP-2: Mechanisms MUST be provided to mitigate replay attacks on
   the IMG operations.

Do you mean that you have to bundle somehow the metadata with the delivery mechanism? Let's say I receive metadata and I send it to another user without knowing that a newer version of the metadata is available... should the other user be able to detect this "replay attack"?

I guess that an explanatory paragraph would help understand what these requirements really mean.

Thanks,

Gonzalo

Rod.Walsh@nokia.com wrote:
> Hi
>
> Because I found that you have somehow been active on security issues related to MMUSIC, it would be fantastic if you would have a look at the security requirements in:
> http://www.ietf.org/internet-drafts/draft-ietf-mmusic-img-req-03.txt
> ..and send comments back (CC MMUSIC email list too if possible).
>
> The document concerns "Requirements for Internet Media Guides" (IMGs).
>
> This document has completed WGLC and we are thinking about a final sanity check that nothing crazy slipped past the authors, reviewers and numerous editions before handing over to the IESG (as a kindness towards the IESG :) If you spot any impossible, unnecessary or questionable requirements please highlight them. (Naturally we're happy that the document is flawless, but once by your expert eyes would be very reassuring).
>
> The security sanity check concerns chapter 6 of the document (maybe I'm pushing my luck to say comments on other parts are always welcome too).
>
> Thanks for any ideas you can offer.
>
> Cheers, Rod Walsh.
>
>
> PS rather than filling your inbox with lots of background I hope you are happy to ask in case you haven't had chance to follow the IMG work so far.
>

--
Gonzalo Camarillo         Phone : +358 9 299 33 71
Oy L M Ericsson Ab        Mobile: +358 40 702 35 35
Telecom R&D               Fax   : +358 9 299 30 52
FIN-02420 Jorvas          Email : Gonzalo.Camarillo@ericsson.com
Finland                   http://www.hut.fi/~gonzalo
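
Added example, not part of the original message or of the IMG requirements draft: one possible reading of REQ REP-1, sketched to show the forwarding case the message asks about. It assumes the metadata carries an authenticated version number and expiry time under a shared HMAC key; the field names, `seal`, `Receiver` and the key are hypothetical.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed shared key, for illustration only


def seal(guide_id, version, expires, body):
    """Bind version and expiry into the authenticated metadata itself."""
    payload = json.dumps(
        {"id": guide_id, "version": version, "expires": expires, "body": body},
        sort_keys=True,
    )
    tag = hmac.new(KEY, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Receiver:
    def __init__(self):
        self.latest = {}  # guide id -> highest version accepted so far

    def accept(self, msg, now):
        expected = hmac.new(KEY, msg["payload"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag"
        meta = json.loads(msg["payload"])
        if now >= meta["expires"]:
            return "rejected: expired"
        # Rollback check: only works relative to what this receiver has seen.
        if meta["version"] <= self.latest.get(meta["id"], -1):
            return "rejected: stale version"
        self.latest[meta["id"]] = meta["version"]
        return "accepted"


def demo():
    v1 = seal("guide-1", 1, expires=1000, body="channel list A")
    v2 = seal("guide-1", 2, expires=2000, body="channel list B")
    alice, bob = Receiver(), Receiver()
    return [
        alice.accept(v1, now=100),   # first delivery
        alice.accept(v2, now=200),   # newer version replaces it
        alice.accept(v1, now=300),   # old version replayed to alice
        bob.accept(v1, now=300),     # old version forwarded to bob, who never saw v2
        bob.accept(v1, now=1500),    # same forward after v1's validity window
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The fourth result is the case raised in the message: a receiver with no prior state accepts the forwarded old version, and only the expiry bound limits how long that remains possible.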