Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security
Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 10 October 2016 08:48 UTC
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/_TdANbawPz08JNWM0v0h32uG3n4>
Cc: Paul Kyzivat <pkyzivat@alum.mit.edu>, "mmusic@ietf.org" <mmusic@ietf.org>, Cullen Jennings <fluffy@iii.ca>, Christer Holmberg <christer.holmberg@ericsson.com>
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
On 2016-10-07 at 20:33, Eric Rescorla wrote:
> ISTM that there are two risks:
> 1. That people might use structured RIDs, MIDs, etc. and that that will
> leak a lot of information about
> 2. That just the structure of the media streams is a fingerprinting risk.
>
> The first of these seems addressable by guidance about how to construct
> these IDs. I note that we have only very limited guidance on how to
> construct ICE ufrag/passwords....

So, the difference here from stuff that normally exists in SDP is that it goes in many RTP packets in the clear compared to only over the signaling path. The ICE ufrag is in that sense equivalent as that is also sent in the clear and in all ICE connectivity checks.

> The second seems not that interesting as I bet you can get a lot by
> other metadata (packet size, PT, etc).

Well, yes there are some other leakages. However, we don't need to increase the exposure, just because there are shortcomings today.

So let's review what the current proposal is:

1. Bundle RECOMMENDS encryption of the MID values, do you think that is unnecessary? Should we have no recommendation about confidentiality protection at all?

2. The above point is not relevant in a WebRTC perspective. In WebRTC we already have mandated encryption of RTCP. Thus, RFC 7904 mandates that we also encrypt the MID RTP header extension. Thus, for WebRTC we already have a result, that is not possible to change without revising RFC 7904 and argue that the conclusion there is wrong, which I don't think it is. If we protect information in RTCP, it should be protected also in RTP headers.

So, anything you like to change here?

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
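Added example, not part of the original message: a small audit parser that shows what the message means by the MID going "in many RTP packets in the clear". It reads a one-byte-header RTP extension block (RFC 5285 format) and returns the MID exactly as any on-path observer would see it when the extension is not encrypted. The extension ID 3, the MID value and the packet fields are constructed for illustration; in practice the ID is whatever the SDP `a=extmap` line negotiated.

```python
import struct

ONE_BYTE_PROFILE = 0xBEDE  # RFC 5285 marker for one-byte header extensions


def build_rtp(mid: bytes, mid_ext_id: int, payload: bytes) -> bytes:
    """Build a constructed RTP packet carrying `mid` as a header extension."""
    if not (1 <= len(mid) <= 16 and 1 <= mid_ext_id <= 14):
        raise ValueError("MID must be 1-16 bytes and the ID 1-14")
    element = bytes([(mid_ext_id << 4) | (len(mid) - 1)]) + mid
    element += b"\x00" * (-len(element) % 4)       # pad to a 32-bit boundary
    # 0x90 = version 2, extension bit set, no CSRCs; the rest is sample data
    header = struct.pack("!BBHII", 0x90, 111, 1, 160, 0x1234ABCD)
    ext = struct.pack("!HH", ONE_BYTE_PROFILE, len(element) // 4) + element
    return header + ext + payload


def cleartext_mid(packet: bytes, mid_ext_id: int):
    """Return the MID bytes readable from the RTP header, or None."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        return None
    offset = 12 + 4 * (packet[0] & 0x0F)           # skip the CSRC list
    if not packet[0] & 0x10 or len(packet) < offset + 4:
        return None                                # no extension present
    profile, words = struct.unpack_from("!HH", packet, offset)
    offset += 4
    end = offset + 4 * words
    if profile != ONE_BYTE_PROFILE or end > len(packet):
        return None
    while offset < end:
        first = packet[offset]
        if first == 0:                             # padding byte
            offset += 1
            continue
        ext_id, length = first >> 4, (first & 0x0F) + 1
        if ext_id == 15 or offset + 1 + length > end:
            return None                            # reserved ID or truncated
        if ext_id == mid_ext_id:
            return packet[offset + 1:offset + 1 + length]
        offset += 1 + length
    return None


# Constructed sample: a descriptive ("structured") MID is readable without keys.
SAMPLE = build_rtp(b"alice-screen", 3, b"\xaa" * 20)
```

Running `cleartext_mid` over captures from your own endpoint is a quick way to confirm whether MIDs are opaque and whether header-extension encryption is actually in effect.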