Re: [MMUSIC] Comments on draft-ietf-mmusic-sdp-srcfilter-03.txt
Magnus Westerlund <magnus.westerlund@era.ericsson.se> Mon, 17 March 2003 16:59 UTC
Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA20377 for <mmusic-archive@odin.ietf.org>; Mon, 17 Mar 2003 11:59:54 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h2HHGME16035 for mmusic-archive@odin.ietf.org; Mon, 17 Mar 2003 12:16:22 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2HHGMO16032 for <mmusic-web-archive@optimus.ietf.org>; Mon, 17 Mar 2003 12:16:22 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA20354 for <mmusic-web-archive@ietf.org>; Mon, 17 Mar 2003 11:59:23 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2HHGDO16023; Mon, 17 Mar 2003 12:16:13 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2HHD5O15872 for <mmusic@optimus.ietf.org>; Mon, 17 Mar 2003 12:13:05 -0500
Received: from penguin.wise.edt.ericsson.se (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA20227 for <mmusic@ietf.org>; Mon, 17 Mar 2003 11:56:05 -0500 (EST)
Received: from esealnt611.al.sw.ericsson.se (alteon-nat4.sw.ericsson.se [153.88.254.121]) by penguin.wise.edt.ericsson.se (8.12.8/8.12.8/WIREfire-1.5) with ESMTP id h2HGwHwv001891; Mon, 17 Mar 2003 17:58:17 +0100 (MET)
Received: from era.ericsson.se (permit151.er.ki.sw.ericsson.se [147.214.97.151]) by esealnt611.al.sw.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id FDVP14LX; Mon, 17 Mar 2003 17:58:16 +0100
Message-ID: <3E75F2B0.6000203@era.ericsson.se>
Date: Mon, 17 Mar 2003 17:07:12 +0100
X-Sybari-Trust: 6c22ca29 9ffcebbb a5ee123c 00000138
From: Magnus Westerlund <magnus.westerlund@era.ericsson.se>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
X-Accept-Language: en-us
MIME-Version: 1.0
To: Ross Finlayson <finlayson@live.com>
CC: mmusic@ietf.org
Subject: Re: [MMUSIC] Comments on draft-ietf-mmusic-sdp-srcfilter-03.txt
References: <4.3.1.1.20030316131612.00b8b5a0@laptop-localhost>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: mmusic-admin@ietf.org
Errors-To: mmusic-admin@ietf.org
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Hi Ross, See below: Ross Finlayson wrote: > Magnus, > > Thanks for the feedback. Addressing the substantive (i.e., > non-syntactic) comments: > >> 6. Section 2.1, paragraph three: Does it really work to imply the >> number of address part of this source filter. Is it totally >> unforeseeable that a multi-layered media stream using multiple >> multicast addresses actually has different filters? If not, the case >> where one source filter contains the first address and another the >> third is ambiguous. It can either be that the first filter apply to >> the second address or it is not specified. Please clarify this rule. > > > Good point. The issue here is how to specify source filters if the > SDP 'connection address' specifies multiple multicast addresses, e.g. > c=IN IP4 224.2.1.1/127/3 > > There are a number of possible ways to deal with this: > > 1/ Specify that the source filter line must use the first multicast > address only, but that it applies to all of the possible multicast > addresses in the range. (E.g., in the example above, it would not be > possible to specify different source filters for 224.2.1.1 and > 224.2.1.3. Also, it would be illegal for the source filter line to > use any multicast address other than 224.2.1.1.) > > 2/ Specify that the source filter line contains individual multicast > addresses only. To specify source filters for a range of multicast > addresses, there must be an individual source filter line for each one > - e.g., > a=source-filter: incl IN IP4 224.2.1.1 192.168.9.10 > a=source-filter: incl IN IP4 224.2.1.3 192.168.9.42 > Note that in this example, there would *not* be any source filter for > 224.2.1.3.2 > > 3/ Change the source filter specification to include the > "/<number-of-addresses>" field. But then, for consistency, should we > also require the "/<ttl>" field, even though it's useless? Also, what > would the following mean: > a=source-filter: incl IN IP4 224.2.1.2/127/2 192.168.9.10 > a=source-filter: incl IN IP4 224.2.1.1/127/3 192.168.9.42 > and would the meaning change if the order of these two lines were > reversed? > > Personally, I think that option 1 is too restrictive, and option 3 far > too complicated, and too difficult to understand. For this reason, > I'd prefer option 2: Require individual source filters for each > multicast address in a range. Any comments? I am fine with two. It will be clear and simple at the small cost of possibly having to duplicate lines in cases the same filter applies to several address in a range. > > >> 7. Is it never interesting to define the filters based on ports or >> port ranges? > > > (Presumably you mean *source* ports here, right?) Noone has ever > expressed an interest in specifying this, but if someone wanted this, > I guess they could define a separate attribute for this - e.g., > "a=source-port-filter:" or something... > Actually, no. I was thinking of destination ports. It was around the same lines of the multiple addresses in one line. I think it is very common that a single multicast address is used to deliver both audio and video. In this case these streams may be produced on different entities and would still likes to be the only valid source. It is a corner case, however I think it should be addressed in someway. Either by acknowledging that it is not possible or fix so that it works. I have no real view on the usefulness of these, I just want to ensure that it as been thought through. > >> 9. Section 6: One important security problem for this is how easy it >> is to do DOS by specifying filters that exclude the correct source. >> Therefore there is strong need for authentication and also a general >> warning that SDPs not coming from the session source may not be trusted. > > > If one could generate a fake SDP description that specified a bogus > source filter, then they could have just as easily specified bogus > *destination address(es)*. I.e., a SDP description always needs to be > 'trusted', and the presence of source filter lines doesn't make any > this more (or less) important Okay, you might be right that it is no different than changing the destination address to one that any attacker control. The point being that SDPs should be authenticated. Best Regards Magnus Westerlund Multimedia Technologies, Ericsson Research ERA/TVA/A ---------------------------------------------------------------------- Ericsson AB | Phone +46 8 4048287 Torshamsgatan 23 | Fax +46 8 7575550 S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@era.ericsson.se _______________________________________________ mmusic mailing list mmusic@ietf.org https://www1.ietf.org/mailman/listinfo/mmusic
- [MMUSIC] Comments on draft-ietf-mmusic-sdp-srcfil… Magnus Westerlund
- Re: [MMUSIC] Comments on draft-ietf-mmusic-sdp-sr… Ross Finlayson
- Re: [MMUSIC] Comments on draft-ietf-mmusic-sdp-sr… Magnus Westerlund