Re: [MMUSIC] Roman Danyliw's Discuss on draft-ietf-mmusic-ice-sip-sdp-37: (with DISCUSS and COMMENT)

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 08 August 2019 18:03 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Adam Roach <adam@nostrum.com>, Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "fandreas@cisco.com" <fandreas@cisco.com>, "mmusic-chairs@ietf.org" <mmusic-chairs@ietf.org>, "mmusic@ietf.org" <mmusic@ietf.org>, "draft-ietf-mmusic-ice-sip-sdp@ietf.org" <draft-ietf-mmusic-ice-sip-sdp@ietf.org>
Date: Thu, 08 Aug 2019 18:03:39 +0000
Message-ID: <F196E71C-5D41-40CC-9615-D88A0DD8E991@ericsson.com>
References: <156505852285.2142.10774832459273251927.idtracker@ietfa.amsl.com> <d9877c1a-e36e-7e53-ce72-433f23090687@nostrum.com> <83DA6259-42DE-4A2F-94AB-DE2735FAE743@ericsson.com>
In-Reply-To: <83DA6259-42DE-4A2F-94AB-DE2735FAE743@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/bar9GpvLzJ7jr-lMdT9WstluLiU>
Subject: Re: [MMUSIC] Roman Danyliw's Discuss on draft-ietf-mmusic-ice-sip-sdp-37: (with DISCUSS and COMMENT)

Hi,

I have now updated the pull request based on the discussion below. Again, the changes related to the Security Considerations are at the end of the pull request:

https://github.com/suhasHere/ice-sip-sdp/pull/18/files

Regards,

Christer


On 08/08/2019, 18.50, "Christer Holmberg" <christer.holmberg@ericsson.com> wrote:

    Hi Adam,
    
    Thanks for your input! A few comments from me inline.
        
        >> (1) Section 8.1. Per “These require techniques for message integrity and
        >> encryption for offers and answers, which are satisfied by the TLS mechanism
        >> [RFC3261] when SIP is used”, the guidance is right (use TLS), but this
        >> reference is outdated.  Section 26.2.1 of RFC3261 provides rather old guidance
        >> on the ciphersuite.  Is there a reason why not to use BCP195 for guidance on
        >> versions/ciphersuites?
        >
        > As much as SIP has a convoluted layering story, the separation between 
        > SIP and SDP remains pretty clean (both from a protocol perspective and 
        > organizationally within the IETF). While it's likely the case that RFC 
        > 3261 could use some updating to its security story [1], I don't think it 
        > makes sense to hold up this document on that work. It's really rather 
        > far outside the purview of this document to make changes to the 
        > underlying cipher suite; in fact, I would argue that doing so would be 
        > disallowed in MMUSIC, since it is part of the core protocol work that 
        > clearly falls in SIPCORE's charter.
    
        I agree. If we need to update the security properties of SIP, let's do it properly in SIPCORE.
        
        ---    
    
        >> (2) Section 8.2.1, The “voice hammer attack” appears to be an artifact of SDP.
        >> The text explicitly notes that this attack is not “specific to ICE but that ICE
        >> can help provide a remediation” (aside, should “remediation” be “mitigation”).
        >> However, the preceding introductory section (8.2) explicitly says “there are
        >> several attacks possible with ICE”.  These two statements aren’t consistent.
        >
        > It seems that the solution for this would be to promote section 8.2.1 to 
        > its own top-level section inside the security considerations section. 
        > Would that work for you?
        
        I would be ok with that.
    
        However, I think it would be good to add text to 8.2.1 saying that a "Voice hammer" attack can take place even when the 
        attacker is an authenticated user, and then go on describing how ICE can be used to prevent the attack. 
    
    
        ---
        
        >> (3) Section 8.2.2.  This section reads like an operational consideration.  The
        >> setup scoped in the parent Section 8.2, “there are several attacks possible
        >> with ICE when the attacker is an authenticated and valid participant in the ICE
        >> exchange”, isn’t discussed here (i.e., how is the presence or absence of an ALG
        >> germane to an attacker who is a participant in the ICE exchange)
        >
        > It seems that the solution for this would be to promote 8.2.2 to its own 
        > top-level section within the document, preceding the Security 
        > Considerations section, possibly with a renaming along the lines of 
        > "Operational Considerations: Interactions with Application Layer 
        > Gateways and SIP". Does that work for you?
        
        I am fine making it its own top-level section. But, do you think it should be a normative section, or an Appendix?
    
        > I note that making both of these changes leaves section 8.2 empty save 
        > for the introductory text; I propose that we simply remove the section.
        
        I am fine with that.
        
        ---
    
        >> (4) Section 8.  Is there a reason why the security considerations from RFC8445
        >> are not noted as also applying (e.g., Section 19.1 - .4).
        >
        > Would the addition of text at the top of section 8 that says "Please 
        > note that the security considerations from sections 19.1 through 19.4 of 
        > [RFC8445] also apply to this document." address your concern?
        
        Others have commented on this, and there is a pull request addressing it:
    
        https://github.com/suhasHere/ice-sip-sdp/pull/18/files
    
        Please see the last change in the pull request.
    
        Regards,
    
        Christer
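
The thread above says that a "voice hammer" attack is possible even for an authenticated SIP user, and that ICE mitigates it. The following toy model is an added example written for this archive page; it is not code from the draft, from RFC 8445, or from any of the participants. It contrasts pre-ICE behaviour (media is sent to whatever address the SDP names) with ICE-style behaviour (media is sent only to an address that has answered a connectivity check keyed with the peer's ice-pwd). The classes `Candidate`, `Endpoint` and `IceAgent`, the addresses, and the password strings are all constructed for the illustration; the HMAC over a transaction id stands in for STUN MESSAGE-INTEGRITY and is deliberately simplified.

```python
"""Toy model: why ICE connectivity checks blunt the "voice hammer" attack.

Constructed example for illustration only (not from the draft or RFC 8445).
A STUN Binding request/response is approximated by an HMAC over a random
transaction id, keyed with the peer's ice-pwd taken from its SDP.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Candidate:
    """Transport address advertised in an SDP offer/answer (an ICE candidate)."""
    ip: str
    port: int


class Endpoint:
    """A real host. It can only answer a connectivity check if it knows the
    ice-pwd the checking agent expects, i.e. it actually took part in the
    offer/answer exchange. A third-party victim knows no password."""

    def __init__(self, ice_pwd: Optional[bytes]):
        self.ice_pwd = ice_pwd
        self.media_packets = 0

    def on_binding_request(self, txid: bytes, username: bytes,
                           integrity: bytes) -> Optional[bytes]:
        if self.ice_pwd is None:
            return None  # not an ICE participant: the check is silently dropped
        expected = hmac.new(self.ice_pwd, txid + username, hashlib.sha1).digest()
        if not hmac.compare_digest(expected, integrity):
            return None  # bad MESSAGE-INTEGRITY: ignore the request
        # Binding response, integrity-protected over the same transaction id
        return hmac.new(self.ice_pwd, txid + b"response", hashlib.sha1).digest()

    def on_media(self) -> None:
        self.media_packets += 1


class IceAgent:
    """Media sender that gates media on a successful connectivity check."""

    def __init__(self, network: Dict[Candidate, Endpoint],
                 local_ufrag: bytes, remote_pwd: bytes):
        self.network = network        # constructed topology: address -> host
        self.ufrag = local_ufrag
        self.remote_pwd = remote_pwd  # ice-pwd the peer advertised in its SDP
        self.verified: Set[Candidate] = set()

    def connectivity_check(self, cand: Candidate) -> bool:
        target = self.network.get(cand)
        if target is None:
            return False
        txid = os.urandom(12)
        integrity = hmac.new(self.remote_pwd, txid + self.ufrag, hashlib.sha1).digest()
        resp = target.on_binding_request(txid, self.ufrag, integrity)
        if resp is None:
            return False
        expected = hmac.new(self.remote_pwd, txid + b"response", hashlib.sha1).digest()
        if hmac.compare_digest(expected, resp):
            self.verified.add(cand)
            return True
        return False

    def send_media(self, cand: Candidate, packets: int) -> int:
        """Deliver media only to a candidate that passed its check."""
        if cand not in self.verified:
            return 0
        for _ in range(packets):
            self.network[cand].on_media()
        return packets


def run_scenario(packets: int = 50) -> dict:
    """An authenticated attacker lists the victim's address in its SDP."""
    attacker_pwd = b"attacker-ice-pwd"          # constructed value
    attacker_cand = Candidate("198.51.100.7", 50000)  # documentation range
    victim_cand = Candidate("203.0.113.9", 40000)     # documentation range

    # Pre-ICE: media follows the SDP, so the victim is flooded.
    naive_victim = Endpoint(None)
    for _ in range(packets):
        naive_victim.on_media()

    # ICE: the victim never answers the check, so it never receives media.
    network = {attacker_cand: Endpoint(attacker_pwd), victim_cand: Endpoint(None)}
    agent = IceAgent(network, b"ourfrag", attacker_pwd)
    checks = {"attacker": agent.connectivity_check(attacker_cand),
              "victim": agent.connectivity_check(victim_cand)}
    return {
        "checks": checks,
        "naive_packets_to_victim": naive_victim.media_packets,
        "ice_packets_to_victim": agent.send_media(victim_cand, packets),
        "ice_packets_to_attacker": agent.send_media(attacker_cand, packets),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the model is the gate in `send_media`: authentication at the SIP layer does not help here, because the attacker is a legitimate user; what stops the flood is that the address named in the SDP must itself prove, with the peer's ice-pwd, that it consents to receive the media.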