Re: [MMUSIC] Re: ADs - Re: Status ofdraft-ietf-mmusic-sdescriptions-12.txt?
Mark Baugher <mbaugher@cisco.com> Wed, 08 February 2006 19:14 UTC
Received: from localhost.cnri.reston.va.us ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F6umC-0000Pb-K2; Wed, 08 Feb 2006 14:14:52 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1F6umB-0000OC-DX for mmusic@megatron.ietf.org; Wed, 08 Feb 2006 14:14:51 -0500
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id OAA22911 for <mmusic@ietf.org>; Wed, 8 Feb 2006 14:13:09 -0500 (EST)
Received: from sj-iport-2-in.cisco.com ([171.71.176.71] helo=sj-iport-2.cisco.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1F6uyn-0001Fm-1z for mmusic@ietf.org; Wed, 08 Feb 2006 14:27:56 -0500
Received: from sj-core-5.cisco.com ([171.71.177.238]) by sj-iport-2.cisco.com with ESMTP; 08 Feb 2006 11:14:38 -0800
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-5.cisco.com (8.12.10/8.12.6) with ESMTP id k18JEZk9027442; Wed, 8 Feb 2006 11:14:36 -0800 (PST)
Received: from xfe-sjc-211.amer.cisco.com ([171.70.151.174]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 8 Feb 2006 11:14:35 -0800
Received: from [192.168.0.10] ([10.21.121.223]) by xfe-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Wed, 8 Feb 2006 11:14:33 -0800
In-Reply-To: <010e01c62cd9$2c34eff0$60c8000a@acmepacket.com>
References: <010e01c62cd9$2c34eff0$60c8000a@acmepacket.com>
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <2CB688AD-95FB-4F89-AF75-8214CEE84629@cisco.com>
Content-Transfer-Encoding: 7bit
From: Mark Baugher <mbaugher@cisco.com>
Subject: Re: [MMUSIC] Re: ADs - Re: Status ofdraft-ietf-mmusic-sdescriptions-12.txt?
Date: Wed, 08 Feb 2006 11:14:32 -0800
To: Hadriel Kaplan <HKaplan@acmepacket.com>
X-Mailer: Apple Mail (2.746.2)
X-OriginalArrivalTime: 08 Feb 2006 19:14:34.0036 (UTC) FILETIME=[E526C740:01C62CE3]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 03169bfe4792634a390035a01a6c6d2f
Content-Transfer-Encoding: 7bit
Cc: 'Flemming Andreasen' <fandreas@cisco.com>, 'Dan Wing' <dwing@cisco.com>, mmusic@ietf.org, 'Jon Peterson' <jon.peterson@neustar.biz>, 'Allison Mankin' <mankin@psg.com>, 'Brian E Carpenter' <brc@zurich.ibm.com>, 'Colin Perkins' <csp@csperkins.org>, 'Joerg Ott' <jo@acm.org>
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Sender: mmusic-bounces@ietf.org
Errors-To: mmusic-bounces@ietf.org
Hadriel, Thanks for your comments. On Feb 8, 2006, at 9:57 AM, Hadriel Kaplan wrote: > I am also in favor of changing the security preconditions piece to > Informative. The fairly rare use of sip preconditions should be an > indicator. > > Also, one your lines below I believe is misleading: "Without the > answer, > there is no way to determine which crypto offer has been selected > by an > answerer that sends media upon receiving the first SDP message." > That's > true, but I thought the real reason an answer has to be sent back > for early > media is because the sdes offer was for the keys of the > transmitting media > direction (from the offerer to the answerer) - so the offerer does > not know > any of the keys to decode early received media until she gets an sdes > answer. In other words even if only one crypto suite and one key were > offered, you would still need an answer to decrypt early media. What you say is correct and thanks for the clarification. My point is that it is not simply a matter of handing a bidirectional master key or a second, unidirectional master key to the receiver for sending its media so long as multiple offers are possible. The real problem to the problem of early commencement of media is the presence of multiple offers in the SDP message not the way a key is sent. > > On a side note, I know it's too late to change, but I was always > curious why > the sdes offerer sent the keys for transmitting media, instead of > the ones > for receive-side as it does with everything else in SDP. I'm not sure what you mean by "as it does with everything else in SDP." There are recvonly, sendonly and sendrecv attributes in SDP for specifying direction semantics. In the earliest versions of SDP security descriptions, we allowed a direction attribute on the key so an SDP sender could hand a receiver a key with which to decrypt its received stream, encrypt its transmitted stream, or both (the "key use indicator" of Section 4.4.2 in http://www3.ietf.org/proceedings/ 03jul/I-D/draft-ietf-mmusic-sdescriptions-01.txt). This allowed a key to be shared among endpoints, which we generally don't want to do when counter mode encryption (the SRTP default) is used. It also confused a lot of people. We decided to simplify the specification by removing it. I thought at the time that we could in the future specify a second key for the receiver to use to encrypt its stream if this were needed. As I mentioned above, however, giving the receiver a key does not help with the current problem. > Was there a > rationale for this? We did not want to share a single key by default among two or more end systems because SRTP AES counter mode has a risk of counter overlap. Counter overlap has the risk of exposing known plaintext in encrypted packets. The probability of this happening is low: SRTP uses the SSRC to make each stream unique and avoid counter overlap, but the SSRC can collide among endpoints. Thus, we do not want to make key sharing a default behavior given this one, known weakness of counter mode. So why not have the SDP offerer offer two keys? The quality of the encryption is greatly affected by the randomness of the key. When creating keys, it is best to have each side add some randomness in the key derivation as is commonly done in pairwise key establishment protocols. This is not possible for groups and sdesc needs to support groups. Supplying an encryption key to the receiver is risky because in some protocols, such as SIP, the supplied key is handed to a group of receivers when forking occurs, thus raising the probability of SSRC collision. The next best thing IMHO is to at least allow a sender to ensure the quality of a key for *its* data by supplying the decryption key for its data. I'm not religious about this point. If supplying the encryption key (rather than or in addition to the decryption key) to the receiver solved the problem described above, I'd personally support that. But it doesn't. Mark > > -hadriel > > >> -----Original Message----- >> From: mmusic-bounces@ietf.org [mailto:mmusic-bounces@ietf.org] On >> Behalf >> Of Mark Baugher >> Sent: Tuesday, February 07, 2006 10:02 PM >> To: mmusic@ietf.org >> Cc: Flemming Andreasen; Dan Wing; Jon Peterson; Allison Mankin; >> Brian E >> Carpenter; Colin Perkins; Joerg Ott >> Subject: [MMUSIC] Re: ADs - Re: Status ofdraft-ietf-mmusic- >> sdescriptions- >> 12.txt? >> >> Hello, >> >> An issue arose during RFC Editor review of draft-ietf-mmusic- >> sdescriptions-12 just prior to publication. An Internet Draft >> document, Security Preconditions, appears among the Normative >> references. The authors did not intend for it to be a Normative >> reference; it should have been in the Informative References >> section. Still, this triggered a review and discussion. Before >> proceeding to publication, the chairs and ADs wish for the WG to >> consider some of the issues of publishing draft-ietf-mmusic- >> sdescriptions without Security Preconditions. >> >> SDP security descriptions (sdesc) as defined in draft-ietf-mmusic- >> sdescriptions-12.txt is designed to support a variety of signaling >> protocols that use SDP. One of the most important is SIP. The way >> sdesc is defined, an answer has to be received before incoming media >> can be processed correctly by the offerer; this is unavoidable in >> cases where there are multiple crypto suites among the SDP offers. >> Without the answer, there is no way to determine which crypto offer >> has been selected by an answerer that sends media upon receiving the >> first SDP message. This is a problem whenever media commences prior >> to receipt of the SDP answer. >> >> The authors recognized this problem while working on the sdesc >> specification, and as a result, two of the authors wrote Security >> Preconditions (see draft-ietf-mmusic-securityprecondition-01.txt). >> However not everyone in the SIP community likes preconditions due to >> the added state machine complexity and signaling latency. The >> current sdesc merely offers security preconditions as one possible >> solution, however it incorrectly lists it as a Normative reference. >> One alternative has already been offered (draft-wing-mmusic-sdes- >> early-media-00.txt) and at least one more extension to sdesc to >> address these issues is in the works. >> >> In lieu of the above, the authors would like to change the current >> Normative reference to security preconditions to be an Informative >> reference instead. There is a concern, however, that with such a >> change, we would not have a complete normative solution for SIP. So, >> we're asking the WG members for comments. draft-ietf-mmusic- >> sdescriptions-12.txt has finished last call in the WG and the IESG, >> but the document that completed last call relied upon security >> preconditions, which may not be the ultimate solution. We would like >> to know if anyone in the WG objects to progressing this I-D without >> security preconditions being normative and without another normative >> solution to address the above issues. If you object, please speak up >> and let us know what the normative solution should be. >> >> Thanks, >> >> Mark, Flemming & Dan >> >> _______________________________________________ >> mmusic mailing list >> mmusic@ietf.org >> https://www1.ietf.org/mailman/listinfo/mmusic _______________________________________________ mmusic mailing list mmusic@ietf.org https://www1.ietf.org/mailman/listinfo/mmusic
- [MMUSIC] Re: ADs - Re: Status of draft-ietf-mmusi… Mark Baugher
- Re: [MMUSIC] Re: ADs - Re: Status of draft-ietf-m… Colin Perkins
- RE: [MMUSIC] Re: ADs - Re: Status ofdraft-ietf-mm… Hadriel Kaplan
- Re: [MMUSIC] Re: ADs - Re: Status ofdraft-ietf-mm… Mark Baugher
- RE: [MMUSIC] Re: ADs - Re: Status ofdraft-ietf-mm… Hadriel Kaplan
- Re: [MMUSIC] Re: ADs - Re: Status ofdraft-ietf-mm… Mark Baugher