Re: [MMUSIC] [rtcweb] BUNDLE: Attempting to resolve security consideration

Eric Rescorla <ekr@rtfm.com> Tue, 07 March 2017 17:47 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A352F1295EF for <mmusic@ietfa.amsl.com>; Tue, 7 Mar 2017 09:47:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R02Vsrxu4iFm for <mmusic@ietfa.amsl.com>; Tue, 7 Mar 2017 09:47:49 -0800 (PST)
Received: from mail-ot0-x234.google.com (mail-ot0-x234.google.com [IPv6:2607:f8b0:4003:c0f::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C5D01295EE for <mmusic@ietf.org>; Tue, 7 Mar 2017 09:47:49 -0800 (PST)
Received: by mail-ot0-x234.google.com with SMTP id i1so11106715ota.3 for <mmusic@ietf.org>; Tue, 07 Mar 2017 09:47:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=0tBl0k/L5+Z97F15HoA4dPpXAG6g35kmgVfN6biFrpw=; b=tpG9+MB07zigrnrif4tvQo3vbDEcs0okipgmUc8MpGI9gpNCWB80Xku75xs0cjkXBu TtwGLB/j6pZpsc8losPKP/m0b83dcjLQCZ+oVU7nqgNamjVbqCMhYs+JaLNPM/e0USyl 2oq1gsxXdVAuOWlFMHFA0Tdo/2581IW/3q0rK3ZIepisHyfs+izdenL0fhaKZ3MrLFoX cM9iWr6HsauWoUtLgfBcKI87b6GZwLQ7Mo/BlxPJm/RCYzdx6DGkGSc4oXcnkk/6xqeq jFtC1GzxiN+hLMo6FdSPx2VM+jM4SjUOlCcjGUFC9FUnFKbi0OgBP5KvnquK90/eFPsq /jhA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=0tBl0k/L5+Z97F15HoA4dPpXAG6g35kmgVfN6biFrpw=; b=izAOZLljO/fZ7pDGaQ24M19DlMKFy5fpb7u2pK441IyBol0NeMYPvAtYV95XiFzMj1 rAR3+oUT0+9kgLGtgk4O0DLe2WnkaZLMzPaxbAATmlRczhDFfOfydz/TDcEwkM4g+Ncm pJVTAvb9TyV2JuV1SJkKt3q64Eot9Aw003qcyPrxGE1rcS8DJM96fSt8Kex7GvFquXM2 zk238rbznle3MQj7bowvOtTpsL5MFRnlhhZ2q0iRyJn18RaKeoNBhbmYvp0Rqk4/lIbH VRJz9+imzRNPrnfoPRlyDoRmJfo32uNMhr3TpP7hJTjd2X115Og4r0XKysVxci/O1Au2 K2Tw==
X-Gm-Message-State: AMke39kCevCnUDsKRTlYhgrISg/MkYqO8C4i0EIJQznBJajR9MYjZsUT8VRiLKt6DsRIv/sclIOlEOk/saUigg==
X-Received: by 10.129.177.8 with SMTP id p8mr431038ywh.327.1488908868404; Tue, 07 Mar 2017 09:47:48 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.154.210 with HTTP; Tue, 7 Mar 2017 09:47:07 -0800 (PST)
In-Reply-To: <f390877e-d6be-11cd-8a35-f68546ae4115@ericsson.com>
References: <8b2b8754-b10c-6f8e-6262-95cd25374a18@ericsson.com> <CABcZeBMTW48fj=1EMJ3uJCdVqEiYuPk+rDy6h_7W=jh0fu7tNQ@mail.gmail.com> <0827af95-b755-9730-6605-5146967760e7@ericsson.com> <CABcZeBPcqz+NzKp=c5zZd_aDqYHjC6AhOyBMjsOdpKEjGF08qw@mail.gmail.com> <a7070e7a-81dc-ab68-c59b-d4df367029c2@ericsson.com> <CABcZeBM6LMJB2f10+F1jQNinKe4nkNGCRpT6VN1tZPXCLskxHQ@mail.gmail.com> <f390877e-d6be-11cd-8a35-f68546ae4115@ericsson.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 7 Mar 2017 09:47:07 -0800
Message-ID: <CABcZeBNAU0eo+nP02LRjP3Cybtrm487wQMtq34zhmeaB+=uHiQ@mail.gmail.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Content-Type: multipart/alternative; boundary=94eb2c13ce38346e50054a279cce
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/MYfXzZhBP6w_n4rpPDyeRZTTPZs>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, "mmusic \(E-mail\)" <mmusic@ietf.org>
Subject: Re: [MMUSIC] [rtcweb] BUNDLE: Attempting to resolve security consideration
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 17:47:50 -0000

On Tue, Mar 7, 2017 at 1:45 AM, Magnus Westerlund <
magnus.westerlund@ericsson.com> wrote:

> Hi,
>
> Please see inline.
>
> Den 2017-03-06 kl. 14:36, skrev Eric Rescorla:
>
>>
>>     I think you are correct assuming that one is using SRTP. All the
>>     IETF key-management scheme follows this, although a=mikey is
>>     IDENTICAL. If one uses other security mechanisms, then this is still
>>     relevant to capture.
>>
>>
>> Which security mechanisms are you thinking of here?
>>
>
> I didn't have any specific security mechanism in mind. I simply want to
> make clear the requirements that arises due to the new mechanisms that
> BUNDLE creates. As you commented I can only think of mechanism that
> protects the whole packet.


Yeah, this seems more confusing than illuminating. There are lots of
theoretical
risks that might happen if we had some new security mechanism with unknown
properties.



Is this precisely true? Do you ever use the MID extension w/o BUNDLE?
>> It certainly changes which ICE checks you do.
>>
>>
> So lets start with the question of MID without using BUNDLE. As MID is
> used in grouping of media lines use cases, i.e. RFC 5888 there are
> certainly uses. However, there exist no need to signal MIDs on RTP session
> level in those cases as there already exist a one to one mapping between
> the MID and the transport addresses used for that RTP session. Only with
> BUNDLE do the RTP streams from the different m= lines start sharing
> transport context.
>

That's what I meant by "MID extension". Sorry for the confusion.



So strictly the above is incorrect. What was multiple security context due
> to different RTP sessions, or other sessions are now moved into a single
> context. I think we could reformulate this to say:
>
>    The security considerations defined in [RFC3264] and [RFC5888] apply
>    to the BUNDLE extension.  Bundle does not change which information,
>    e.g.  RTP streams, that flows over the network.  Primarily it changes
>    which addresses and ports, and thus in which (RTP) sessions that the
>    information is flowing in.  This affects the security contexts being
>    used and can cause previously separated information flows to share
>    security context.  This has very little impact on the performance of
>    the security mechanism of the RTP sessions, however which actors that
>    are present in a particular security context may require additional
>    thoughts when applying Bundle.
>
> Is this better?


But it still seems to be false because of the MID signaling in SDP.

I also don't understand the last line.

-Ekr


>       The identication-tag is
>>
>>
>> Still misspelled.
>>
>
> Yes, there was actually two misspelled instances left, and I had corrected
> one.
>
> Full section text after corrections:
>
> 16.  Security Considerations
>
>    The security considerations defined in [RFC3264] and [RFC5888] apply
>    to the BUNDLE extension.  Bundle does not change which information,
>    e.g.  RTP streams, that flows over the network.  Primarily it changes
>    which addresses and ports, and thus in which (RTP) sessions that the
>    information is flowing in.  This affects the security contexts being
>    used and can cause previously separated information flows to share
>    security context.  This has very little impact on the performance of
>    the security mechanism of the RTP sessions, however which actors that
>    are present in a particular security context may require additional
>    thoughts when applying Bundle.
>
>    When the BUNDLE extension is used, a single set of security
>    credentials might be used for all media streams specified by a BUNDLE
>    group.  When using SRTP this is further required at least for the
>    IETF defined key-management solutions due to their SDP attributes
>    (a=crypto, a=fingerprint, a=mikey) classification in
>    [I-D.ietf-mmusic-sdp-mux-attributes].  But for other security
>    solutions, this may require further consideration.
>
>    The identification-tag, independent of transport, RTCP SDES packet or
>    RTP header extension, can expose the value to parties beyond the
>    signaling chain.  Therefore, the identification-tag values MUST be
>    generated in a fashion that does not leak user information, e.g.,
>    randomly or using a per-bundle group counter, and SHOULD be 3 bytes
>    or less, to allow them to efficiently fit into the MID RTP header
>    extension.  Note that if implementations use different methods for
>    generating identification-tags this could enable fingerprinting of
>    the implementation making it vulnerable to targeted attacks.  The
>    identification-tag is exposed on the RTP stream level when included
>    in the RTP header extensions, however what it reveals of the RTP
>    media stream structure of the endpoint and application was already
>    possible to deduce from the RTP streams without the MID SDES header
>    extensions.  As the identification-tag is also used to route the
>    media stream to the right application functionality it is also
>    important that the value received is the one intended by the sender,
>    thus integrity and the authenticity of the source are important to
>    prevent denial of service on the application.  Existing SRTP
>    configurations requires integrity protection of both RTCP and RTP
>    header extensions.
>
>    "RTP Header Extension for the RTP Control Protocol (RTCP) Source
>    Description Items" [RFC7941] security consideration requires that
>    when RTCP is confidentiality protected that any SDES RTP header
>    extension carrying an SDES item, like the MID RTP header extension,
>    is also protected using commensurate strength algorithms.  However,
>    assuming the above requirements and recommendations are followed
>    there are no known significant security risks with leaving the MID
>    RTP header extension without confidentiality protection.  Thus, the
>    requirements in RFC 7941 MAY be ignored for the MID RTP header
>    extension.  Security mechanisms for RTP/RTCP are discussed in Options
>    for Securing RTP Sessions [RFC7201], for example SRTP [RFC3711] can
>    provide the necessary security functions of ensuring the integrity
>    and source authenticity.
>
>
> --
>
> Magnus Westerlund
>
> ----------------------------------------------------------------------
> Services, Media and Network features, Ericsson Research EAB/TXM
> ----------------------------------------------------------------------
> Ericsson AB                 | Phone  +46 10 7148287
> Färögatan 6                 | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------
>
>