IETF Logo Mail Archive

Re: [MMUSIC] Alissa Cooper's Discuss on draft-ietf-mmusic-rfc4566bis-35: (with DISCUSS and COMMENT)

Paul Kyzivat <pkyzivat@alum.mit.edu> Mon, 03 June 2019 14:36 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 718B11202BB; Mon, 3 Jun 2019 07:36:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NAheBa3GoRsM; Mon, 3 Jun 2019 07:36:50 -0700 (PDT)
Received: from outgoing-alum.mit.edu (outgoing-alum.mit.edu [18.7.68.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 585711202B5; Mon, 3 Jun 2019 07:36:38 -0700 (PDT)
Received: from PaulKyzivatsMBP.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id x53EaTgM016864 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Mon, 3 Jun 2019 10:36:30 -0400
To: Alissa Cooper <alissa@cooperw.in>, The IESG <iesg@ietf.org>
Cc: draft-ietf-mmusic-rfc4566bis@ietf.org, mmusic-chairs@ietf.org, fandreas@cisco.com, mmusic@ietf.org
References: <155907213212.25802.10923362703417281306.idtracker@ietfa.amsl.com>
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
Message-ID: <da24d89f-79cc-3fcc-aaad-4753cc552b3b@alum.mit.edu>
Date: Mon, 03 Jun 2019 10:36:29 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <155907213212.25802.10923362703417281306.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/X77vpQZU63L_QqGnf6CR8foRdhI>
Subject: Re: [MMUSIC] Alissa Cooper's Discuss on draft-ietf-mmusic-rfc4566bis-35: (with DISCUSS and COMMENT)
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jun 2019 14:36:53 -0000

Alissa,

On 5/28/19 3:35 PM, Alissa Cooper via Datatracker wrote:

> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Section 8.2.8:
> 
> "In the RFC specifications that register new values for SDP "media",
>     "proto", "fmt", "bwtype", "nettype", and "addrtype" parameters, the
>     authors MUST include the following information for IANA to place in
>     the appropriate registry:"
> 
> It doesn't look like all the fields that are listed after this text actually
> appear in the registries. For some of these I don't see why the information
> would be put into the registries (e.g., contact name, contact email address,
> since those appear in the RFCs themselves). I think this needs to be clarified.

OK. There are two things going on here: the information that must be 
provided when registering a new value, and then which of those items 
need to appear in the registry. The distinction isn't clear.

For items where the registration requirements are less that "document 
required" the information must be in the registry since there is no 
place else for it to appear. But when a document is required then in 
principle the name of the item and a reference to the document is all 
that is *necessary* in the registry, and any additional information is 
for convenience of access.

I've found that this distinction often isn't clearly made, especially in 
older stuff.

I can look into this further for all the SDP registries.

> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> Section 5.1:
> 
> Since both this document and RFC 4566 specify version 0 and this version makes
> semantic and syntactic changes, does that mean the protocol versioning is
> non-functional? Or if not, what kinds of changes would require a new version
> number?

It appears that the version field was included in SDP without much 
thought. There are no normative procedures defined for how to deal with 
differing version numbers, so I expect that the result of attempting to 
change the version number is unknown. Probably many implementations 
would not notice, while some might reject a version other than zero.

Given that we have gone 20 years without a version number change, I 
wouldn't attempt one now. Along the way the rule with changes has always 
been to do them in a backward compatible way. AFAIK that is true with 
the changes in this document as well.

> Section 7:
> 
> "Use of the "k=" line poses a significant security risk, since it
>     conveys session encryption keys in the clear.  SDP MUST NOT be used
>     to convey keying material, unless it can be guaranteed that the
>     channel over which the SDP is delivered is both private and
>     authenticated.  Moreover, the "k=" line provides no way to indicate
>     or negotiate cryptographic key algorithms.  As it provides for only a
>     single symmetric key, rather than separate keys for confidentiality
>     and integrity, its utility is severely limited.  The "k=" line MUST
>     NOT be used, as discussed in Section 5.12."
> 
> It's odd to me that this text was retained from RFC 4566 as-is, except for the
> last sentence. I would have expected this to lead with something like 'Use of
> the "k=" line is obsolete due to security risk.' And then perhaps some of the
> rest of the text could remain by way of explanation why it was obsoleted.

IIRC the existing text was the result of security review comments and 
subsequent discussions. Do you want us to revisit those?

> Section 8.2.8:
> 
> "IANA may refer any registration to the IESG for review, and may
>     request revisions to be made before a registration will be made."
> 
> This is trivially true and would be better left out, using RFC 8126 as the
> definitive guidance instead.

I never noticed this. I checked, and it has been present in exactly this 
form since RFC2327 in 1998. I don't recall seeing any language like this 
in any other IANA considerations section. I'm inclined to simply remove it.

	Thanks,
	Paul

v2.23.0 | Report a Bug | By Email