IETF Logo Mail Archive

Re: [MMUSIC] Input wanted for draft-ietf-mmusic-sdp-uks

Flemming Andreasen <fandreas@cisco.com> Fri, 15 June 2018 18:11 UTC

Return-Path: <fandreas@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9990212F18C for <mmusic@ietfa.amsl.com>; Fri, 15 Jun 2018 11:11:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hUMB29Qbvu2g for <mmusic@ietfa.amsl.com>; Fri, 15 Jun 2018 11:11:04 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F586129C6B for <mmusic@ietf.org>; Fri, 15 Jun 2018 11:11:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8597; q=dns/txt; s=iport; t=1529086264; x=1530295864; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=ZFutY0LWhFR01PLKt1CAeOvRHCMpQbhwZbQMfutt/b8=; b=EdjiLJFiW2uMDyRcy0b0g160el+G5cp5VKgJid/VBpLfMqcoZo/rLo2l TaUha2Kdi3iOt4Xew8Ma9pulI0hUL7bdeExPdzF1u+QconQYreZTT/Dvk GZTjF2TIE5YnY6zyIXQr3bJ/kjsqtnFacGSfF7a+xab9xHX4FbEsPQ+6z 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CbAQDBACRb/4QNJK1bGQEBAQEBAQEBAQEBAQcBAQEBAYNIYn8og3mUVoFWKY9whH+BeAsYAQqEA0YCglIhNhYBAgEBAQEBAQJtHAyFKAEBAQMBAQEhSwsFCwsYKgICJzAGDQYCAQEXgwcCgXIFCA+qAoIcH4Q8g26BYwWGF4I1gVQ/gQ8kgmiDEwEBAwGEXYJVApkOCYV5iQIGgT+EAIJFhTSKDYc0gUgNJIFSTSMVO4JDixGFWiMwkFkBAQ
X-IronPort-AV: E=Sophos;i="5.51,228,1526342400"; d="scan'208,217";a="400492071"
Received: from alln-core-10.cisco.com ([173.36.13.132]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Jun 2018 18:11:02 +0000
Received: from [10.118.10.21] (rtp-fandreas-2-8814.cisco.com [10.118.10.21]) by alln-core-10.cisco.com (8.14.5/8.14.5) with ESMTP id w5FIB10R008581; Fri, 15 Jun 2018 18:11:02 GMT
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Bo Burman <bo.burman@ericsson.com>, mmusic@ietf.org, Eric Rescorla <ekr@rtfm.com>
References: <DB7PR07MB3850C6167834ABFD35D598988D950@DB7PR07MB3850.eurprd07.prod.outlook.com> <a3fbc621-c0cd-4d72-ee59-d4c66dcd9c05@cisco.com> <CABkgnnUwZ4-7vvCimxdzF_2HVrK-aSbV0O2ENDHRL19EWKWzLg@mail.gmail.com>
From: Flemming Andreasen <fandreas@cisco.com>
Message-ID: <ad6bedcf-f725-012f-e14a-42f893e94186@cisco.com>
Date: Fri, 15 Jun 2018 14:10:58 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <CABkgnnUwZ4-7vvCimxdzF_2HVrK-aSbV0O2ENDHRL19EWKWzLg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------B034F723FBA49B01ABDEAFAF"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/Ryj4rYFmR8ae5csnozWhhq43ysI>
Subject: Re: [MMUSIC] Input wanted for draft-ietf-mmusic-sdp-uks
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Jun 2018 18:11:07 -0000


On 6/15/18 12:14 PM, Martin Thomson wrote:
> Thanks for reviewing this Flemming.
>
> This is definitely a difficult attack to understand (and therefore
> also explain).  I took a look at the description we have in the draft
> and tried to improve it a little.  I pointed out that the basic attack
> can be extended to session concatenation in the overview section, and
> tweaked the wording in a few places.
Ok
> However, I don't think that details of signaling would make this
> clearer.  Though it's possible that this is eliding a few things that
> seem obvious to me.  Of course, I'm too close to this to be sure.
> Maybe we can discuss how this works and maybe we can figure out how to
> improve the text.
Sounds good - assuming you are in Montreal, maybe we can discuss further 
in person there.

> This has been pretty widely reviewed, but I can provide another nudge
> for the related working groups to have a look.
That would be great, since I do think we will need to hear from those 
groups as well (speaking with my chair hat on on this last point).

-- Flemming


>
>
> On Thu, Jun 14, 2018 at 2:43 PM Flemming Andreasen <fandreas@cisco.com> wrote:
>> I took a look at the document and have a couple of comments:
>>
>> I was initially expecting the unknown key share attack to be about what the document refers to as Session Concatenation (in Section 5), however the attack overview in Section 2.1 describes two other attack scenarios instead. I think it would be helpful to be clear on all the attack scenarios up front.
>>
>> Secondly, I find it very difficult to follow the "two concurrent calls" attack scenario described. The overview is very high-level and the example in Section 2.3 omits too many details for me to fully understand the attack (there seems to be more going on between Mallory and Patsy than explained in the text and there are subtleties around what Mallory actually does with the respective SIP, DTLS and media packets for each session that are not entirely clear to me). Without a solid understanding of the attack, it is difficult to determine if the proposed solution truly mitigates it (I was in fact wondering about how the solution would work with session concatenation in the absence of somehow securely associating the session identifier with a particular SIP signaling session, which the document gets more into later in Section 5).
>>
>> A similar concern applies to the WebRTC use case, since I'm not familiar with the details of how that works, and hence would benefit from more details.
>>
>> On that note, there are solution elements here that span TLS/DTLS, SDP, and WebRTC/RTCWeb, and we should ensure those groups review the document as well. Have the authors circulated the document in those groups ?
>>
>> Thanks
>>
>> -- Flemming (as individual)
>>
>>
>>
>>
>> On 5/21/18 9:44 AM, Bo Burman wrote:
>>
>> WG,
>>
>>
>>
>> We have not seen any discussion on the list for this draft since it was submitted late January 2018. Please consider reviewing and commenting if you have interest in progressing the draft. It is a short document (only 13 pages in total).
>>
>>
>>
>> Datatracker: https://datatracker.ietf.org/doc/draft-ietf-mmusic-sdp-uks/
>>
>>
>>
>> Cheers,
>>
>> Bo
>>
>> MMUSIC co-chair
>>
>>
>>
>>
>>
>> _______________________________________________
>> mmusic mailing list
>> mmusic@ietf.org
>> https://www.ietf.org/mailman/listinfo/mmusic
>>
>>
> .
>

v2.23.0 | Report a Bug | By Email