Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 12 October 2016 19:54 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 12 Oct 2016 19:54:33 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B4BD668D1@ESESSMB209.ericsson.se>
References: <D41C238A.1095B%christer.holmberg@ericsson.com> <71419d1f-af1d-46e9-401d-81c5df73fc49@ericsson.com> <58510E68-A045-4312-B3B3-3468E83C8EB7@iii.ca> <243c777f-46f9-4053-1588-7e6b58a06c8c@ericsson.com> <D423DEE7.1101D%christer.holmberg@ericsson.com> <D423FEEE.11074%christer.holmberg@ericsson.com> <CABcZeBO7b3XGRTCzN4-Z-6=8sTD3nrr8HtgN1q9np-hZ3tqbMQ@mail.gmail.com>
In-Reply-To: <CABcZeBO7b3XGRTCzN4-Z-6=8sTD3nrr8HtgN1q9np-hZ3tqbMQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/dBPYQO8f4Wd5ntb8PKJiwomBYYk>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, Cullen Jennings <fluffy@iii.ca>, "mmusic@ietf.org" <mmusic@ietf.org>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Subject: Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security

Hi,

My intention was not to claim we have consensus. I just wanted to put forward some text to see whether it’s something we can work on.

Or, would you prefer not to say anything?

Regards,

Christer

From: mmusic [mailto:mmusic-bounces@ietf.org] On Behalf Of Eric Rescorla
Sent: 12 October 2016 19:57
To: Christer Holmberg <christer.holmberg@ericsson.com>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>; Paul Kyzivat <pkyzivat@alum.mit.edu>; mmusic@ietf.org; Cullen Jennings <fluffy@iii.ca>
Subject: Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security

I don't think there is anything like consensus for a 2919-level RECOMMENDED to encrypt the MID.

On Wed, Oct 12, 2016 at 4:47 AM, Christer Holmberg <christer.holmberg@ericsson.com> wrote:
Pull request created.

https://github.com/cdh4u/draft-sdp-bundle/pull/11


Regards,

Christer


On 12/10/16 12:32, "mmusic on behalf of Christer Holmberg" <mmusic-bounces@ietf.org on behalf of christer.holmberg@ericsson.com> wrote:

>Hi,
>
>Based on the discussions, and input that has been provided, are people ok
>with adding the text Magnus suggested (see below) to the Security
>Considerations of BUNDLE?
>
>Regards,
>
>Christer
>
>
>>>> The identification-tag when included in the RTP MID SDES item,
>>>> independent of transport, RTCP SDES packet or RTP header extension,
>>>> can expose the value to parties beyond the signaling chain.
>>>> Therefore, the identification-tag MUST NOT contain any user related
>>>> information. However, the implementation's method for generating
>>>> identification-tags combined with hardware configuration can enable
>>>> fingerprinting of the endpoint device and thus its user. As the
>>>> identification-tag is also used to route the media stream to the
>>>> right application functionality it is also important that the value
>>>> received is the one intended by the sender, thus integrity and the
>>>> authenticity of the source are important to prevent denial of
>>>> service on the application. At least to prevent third parties from
>>>> modifying the identification-tag value.
>>>>
>>>> Due to the security risks associated with the MID values in RTP and
>>>> RTCP it is strongly RECOMMENDED that the MID SDES item is both
>>>> confidentiality protected as well as source authenticated when
>>>> transported in either RTCP or RTP header extensions. The security
>>>> mechanisms used SHALL provide corresponding levels of security for
>>>> both RTP header extensions and RTCP. Confidentiality mechanisms for
>>>> RTP/RTCP are discussed in Options for Securing RTP Sessions
>>>> [RFC7201], for example SRTP [RFC3711] with SRTCP encryption enabled
>>>> combined with [RFC6904] can provide the necessary security
>>>> functions.
>

_______________________________________________
mmusic mailing list
mmusic@ietf.org
https://www.ietf.org/mailman/listinfo/mmusic
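As an added example (not part of this thread, the BUNDLE draft, or any project's code): a Python check over an SDP offer that flags media sections in which the MID value would not get the protection the proposed Security Considerations text calls for, that is no SRTP at all, the MID header extension negotiated without the RFC 6904 "encrypt" URN prefix, or SRTCP encryption switched off through the RFC 4568 UNENCRYPTED_SRTCP session parameter. The function names `check_mid_protection` and `_judge` and the sample SDP are constructed for this illustration; the two URN strings are the registered ones.

```python
# RFC 6904 signals an encrypted header extension by putting this URN before
# the extension's own URI in a=extmap; MID_URN is the BUNDLE MID extension.
ENCRYPT_URN = "urn:ietf:params:rtp-hdrext:encrypt"
MID_URN = "urn:ietf:params:rtp-hdrext:sdes:mid"

def _judge(s):
    out, mid = [], s["mid"] or "?"
    if "SAVP" not in s["proto"]:
        out.append((mid, "not SRTP: MID readable in RTCP SDES and header extension"))
    elif s["mid_ext"] and s["mid_ext"][0] != ENCRYPT_URN:
        out.append((mid, "MID header extension negotiated without RFC 6904 encryption"))
    if any("UNENCRYPTED_SRTCP" in c for c in s["crypto"]):
        out.append((mid, "UNENCRYPTED_SRTCP leaves the MID SDES item in RTCP readable"))
    return out

def check_mid_protection(sdp):
    """Return (mid, finding) pairs for each m= section whose MID could be read or
    altered on the wire; empty means SRTP, RFC 6904 MID extension, SRTCP encrypted."""
    findings, section = [], None
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            if section:
                findings.extend(_judge(section))
            section = {"proto": line.split()[2], "mid": None, "mid_ext": None, "crypto": []}
        elif section is None:
            continue                         # session-level lines are skipped
        elif line.startswith("a=mid:"):
            section["mid"] = line[6:]
        elif line.startswith("a=extmap:"):
            uris = line.split()[1:]          # a=extmap:<id>[/dir] <uri> [<uri>]
            if MID_URN in uris:
                section["mid_ext"] = uris
        elif line.startswith("a=crypto:"):
            section["crypto"].append(line)
    if section:
        findings.extend(_judge(section))
    return findings

# Constructed sample offer: section "0" protects the MID, section "1" does not.
SAMPLE_SDP = """v=0
a=group:BUNDLE 0 1
m=audio 10000 UDP/TLS/RTP/SAVPF 111
a=mid:0
a=extmap:1 urn:ietf:params:rtp-hdrext:encrypt urn:ietf:params:rtp-hdrext:sdes:mid
m=video 10002 RTP/AVPF 96
a=mid:1
a=extmap:1 urn:ietf:params:rtp-hdrext:sdes:mid
"""
```

Running `check_mid_protection(SAMPLE_SDP)` reports only section "1"; the check looks at the negotiated SDP, so it cannot tell whether the identification-tag value itself carries user-related information, which remains a matter for the generator of the tag.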