IETF Logo Mail Archive

Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security

Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 13 October 2016 13:18 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C08061294F8 for <mmusic@ietfa.amsl.com>; Thu, 13 Oct 2016 06:18:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zoz0UJW36nPX for <mmusic@ietfa.amsl.com>; Thu, 13 Oct 2016 06:18:13 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5CF0129454 for <mmusic@ietf.org>; Thu, 13 Oct 2016 06:18:12 -0700 (PDT)
X-AuditID: c1b4fb25-15fff7000000793b-17-57ff899098b8
Received: from ESESSHC015.ericsson.se (Unknown_Domain [153.88.183.63]) by (Symantec Mail Security) with SMTP id 94.3B.31035.0998FF75; Thu, 13 Oct 2016 15:18:11 +0200 (CEST)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.65) with Microsoft SMTP Server id 14.3.319.2; Thu, 13 Oct 2016 15:18:08 +0200
To: Eric Rescorla <ekr@rtfm.com>
References: <D41C238A.1095B%christer.holmberg@ericsson.com> <71419d1f-af1d-46e9-401d-81c5df73fc49@ericsson.com> <58510E68-A045-4312-B3B3-3468E83C8EB7@iii.ca> <243c777f-46f9-4053-1588-7e6b58a06c8c@ericsson.com> <D423DEE7.1101D%christer.holmberg@ericsson.com> <D423FEEE.11074%christer.holmberg@ericsson.com> <CABcZeBO7b3XGRTCzN4-Z-6=8sTD3nrr8HtgN1q9np-hZ3tqbMQ@mail.gmail.com> <7594FB04B1934943A5C02806D1A2204B4BD668D1@ESESSMB209.ericsson.se> <CABcZeBNDpt5F_HZeHC9tavPUKzq-Dw3u2SroKcH4U-k-hWNmyg@mail.gmail.com> <4a000249-91d9-f6b3-5b01-4833e6d359fc@ericsson.com> <CABcZeBNwbWWZPcjothhZEv2L8uSpW=stg5-eyxS_nOYUjNwp8A@mail.gmail.com>
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
Message-ID: <53d2e50d-25a5-11da-0062-3bd6dc14fd3b@ericsson.com>
Date: Thu, 13 Oct 2016 15:18:06 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBNwbWWZPcjothhZEv2L8uSpW=stg5-eyxS_nOYUjNwp8A@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrFLMWRmVeSWpSXmKPExsUyM2K7ve7kzv/hBh3t3BYrXp9jt/iw/gej xdTlj1ksVmw4wOrA4vH3/QcmjyVLfjJ5XD7/kdFj8uM25gCWKC6blNSczLLUIn27BK6MK/+P sBR806g4uWMbawPjNYUuRk4OCQETielLm1m7GLk4hATWM0pc79vNBOEsZ5T4fX4fUIaDQ1gg X2L6lDqQBhEBBYlff06wQNR0sUo0rmxnBnGYBZYxSkyYuIkNpIpNwELi5o9GMJtXwF5i0aKZ TCA2i4CqxJEv3SwgtqhAjMT1Z4+gagQlTs58AhbnFAiUaL35ACzODDRn5vzzjBC2vETz1tnM ILaQgLZEQ1MH6wRGgVlI2mchaZmFpGUBI/MqRtHi1OKk3HQjY73Uoszk4uL8PL281JJNjMAQ Prjlt+oOxstvHA8xCnAwKvHwKlT9CxdiTSwrrsw9xCjBwawkwju97X+4EG9KYmVValF+fFFp TmrxIUZpDhYlcV6zlffDhQTSE0tSs1NTC1KLYLJMHJxSDYwdB/Pl9tveeeDz5j3TpsP71eMm bBHS2iyut3vaxrOeaX6V5mK1Dzd2tXR8uvSkdUOsmWfnBK8Yg0nyMy2Wninhzaq+enTKVyae XVlP/zqc9jiUY13H9Vjk1z7vjecnXpzkecdwB6Ov1gSPI96V26U0AxcU+6e4v+Off+/lwrit R23TT3P521QosRRnJBpqMRcVJwIATsSW+10CAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/VTubMuo-1gN0PD8Pj-IvSC0Wbv8>
Cc: Cullen Jennings <fluffy@iii.ca>, "mmusic@ietf.org" <mmusic@ietf.org>, Paul Kyzivat <pkyzivat@alum.mit.edu>, Christer Holmberg <christer.holmberg@ericsson.com>
Subject: Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2016 13:18:15 -0000

Den 2016-10-13 kl. 14:12, skrev Eric Rescorla:

> On Thu, Oct 13, 2016 at 2:09 AM, Magnus Westerlund
> <magnus.westerlund@ericsson.com <mailto:magnus.westerlund@ericsson.com>>
> wrote:
>
>     Den 2016-10-13 kl. 02:51, skrev Eric Rescorla:
>
>
> I think I am being constructive. I'm trying to get the draft finished,
> and this seems to be poorly motivated.
>

Yes, I am also trying to get it finished by ensuring that we actually 
have a security consideration section that discuss the potential issues.

>
>     I hope you are not disagreeing with a RECOMMEND for source
>     authentication at least? Having third party attackers being able to
>     change the MID on path that is a quite serious attack, so integrity
>     and source authentication I think is well motivated.
>
>
> There seem to be two cases:
>
> 1. You're using SRTP (and this should also include SRTCP).
> 2. You're not using SRTP.
>
> In case #1, then the MID should be integrity protected because it's part
> of the packet. If not, then I don't think a partial solution helps.
>

Yes, I agree that if you are using the SRTP/SRTCP then this is not an 
issue. But, as we clearly point out in RFC 7201 SRTP is not the only 
solution. Thus, I at least try to ensure that any security 
considerations around RTP do discuss the requirements rather than 
mandating a single solution.

Do you have a problem with actually saying that source authentication is 
something that one really should do?

>
>     Regarding the aspects regarding privacy and information leakage. You
>     previously indicated that you agree that we should at least avoid
>     structured MIDs to avoid that implementation specifics or hardware
>     addresses of source devices leaks this way.
>
>
> No, that's not what I said. Rather, I said:
>
> "The first of these seems addressable by guidance about how to construct
> these IDs. I note that we
> have only very limited guidance on how to construct ICE ufrag/passwords...."
>
> If you think this kind of identifier-generation tracking is an issue, I
> would suggest doing a broader survey
> first, rather than focusing on this case.
>

Okay, then I misunderstood your intention with bringing up ICE.

As that broader survey is quite a significant work and something that 
likely spans at least from the transport flow structure, across the RTP 
streams up to the signaling this is quite an undertaking if one want to 
investigate what possibilities exist just for the media protocol part of 
a WebRTC system. No something I will promise to do. I will once more 
remark that our steps from single media streams to multi-stream, 
multi-party setups has changed what we exposes at the different layers.

But, I can agree that BUNDLE is likely not the most appropriate point to 
tackle the fingerprinting issue. So unless someone else is of the 
opinion that is needs to be tackled in BUNDLE i will drop this for now.

However, that doesn't remove the need for an updated MID related 
security consideration. The MID security part in current version is the 
following:

    The identification-tag MUST NOT
    contain any user information, and applications SHALL avoid generating
    the identification-tag using a pattern that enables application
    identification.

This completely ignores the issues with on path modifications. That at 
least needs to be added.

Okay, dropping the fingerprint, I still think the security consideration 
should say something like this:


The identfication-tag when included in the RTP MID SDES item, 
independent of transport, RTCP SDES packet or RTP header extension, can 
expose the value to parties beyond the signaling chain. Therefore, the 
identification-tag MUST NOT contain any user related information for 
privacy reasons nor hardware based identifiers that would enable 
tracking of the sending end point.

The identification-tag is used to route the media stream to the right 
application functionality, thus is important that the value received is 
the one intended by the sender. Malicious modifications can result in 
that a media stream is wrongly attributed or fails to be played. Thus, 
integrity and the authenticity of the source are RECOMMENDED to the 
attacks on the application. Note, that the SDES RTP header extensions 
[RFC7941] requires encryption of the header extension in cases when the 
RTCP encrypts the SDES item. Security mechanisms for RTP/RTCP are 
discussed in Options for Securing RTP Sessions [RFC7201], for example 
SRTP [RFC3711] with SRTCP encryption enabled combined with [RFC6904] can 
provide the necessary security functions.


Is the above more acceptable?

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email