Re: [MMUSIC] [rtcweb] BUNDLE: Attempting to resolve security consideration

Iñaki Baz Castillo <ibc@aliax.net> Mon, 06 March 2017 13:36 UTC

In-Reply-To: <8b2b8754-b10c-6f8e-6262-95cd25374a18@ericsson.com>
References: <8b2b8754-b10c-6f8e-6262-95cd25374a18@ericsson.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
Date: Mon, 06 Mar 2017 14:35:41 +0100
Message-ID: <CALiegfmcvqnde21Jur8t58m7wGv+eUBKXPsPkajvDq2Tc5xvjA@mail.gmail.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/Ovvg65bnPq0ceBRtnu-R_yWVvcw>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, "mmusic (E-mail)" <mmusic@ietf.org>

2017-03-03 14:24 GMT+01:00 Magnus Westerlund <magnus.westerlund@ericsson.com>:
> When the BUNDLE extension is used, the number of SSRC values within a single RTP session increases, which increases the risk of SSRC collision

This is relevant when there are ~100000000 streams within a single RTP
session. If there are 10 streams, the exact risk is 10 / 2^32 =
2.32e-09.

I think we can live without having to mention this "issue" in every
RTP-related specification.

To be clear: stating that "BUNDLE increases the risk of SSRC
collision" is nonsense IMHO.




-- 
Iñaki Baz Castillo
<ibc@aliax.net>