Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 12 October 2016 09:32 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, Cullen Jennings <fluffy@iii.ca>
Date: Wed, 12 Oct 2016 09:32:22 +0000
Message-ID: <D423DEE7.1101D%christer.holmberg@ericsson.com>
References: <D41C238A.1095B%christer.holmberg@ericsson.com> <71419d1f-af1d-46e9-401d-81c5df73fc49@ericsson.com> <58510E68-A045-4312-B3B3-3468E83C8EB7@iii.ca> <243c777f-46f9-4053-1588-7e6b58a06c8c@ericsson.com>
In-Reply-To: <243c777f-46f9-4053-1588-7e6b58a06c8c@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/fr5E3FZr5zLHAcJDZsmaleQDm48>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>, Paul Kyzivat <pkyzivat@alum.mit.edu>
Subject: Re: [MMUSIC] Review of draft-ietf-mmusic-sdp-bundle-negotiation-32 - Magnus' comments - MID security

Hi,

Based on the discussions, and input that has been provided, are people ok
with adding the text Magnus suggested (see below) to the Security
Considerations of BUNDLE?

Regards,

Christer


>>> The identification-tag when included in the RTP MID SDES item,
>>> independent of transport, RTCP SDES packet or RTP header extension,
>>> can expose the value to parties beyond the signaling chain.
>>> Therefore, the identification-tag MUST NOT contain any user related
>>> information. However, the implementation's method for generating
>>> identification-tags combined with hardware configuration can enable
>>> fingerprinting of the endpoint device and thus its user. As the
>>> identification-tag is also used to route the media stream to the
>>> right application functionality it is also important that the value
>>> received is the one intended by the sender, thus integrity and the
>>> authenticity of the source are important to prevent denial of
>>> service on the application. At least to prevent third parties from
>>> modifying the identification-tag value.
>>>
>>> Due to the security risks associated with the MID values in RTP and
>>> RTCP it is strongly RECOMMENDED that the MID SDES item is both
>>> confidentiality protected as well as source authenticated when
>>> transported in either RTCP or RTP header extensions. The security
>>> mechanisms used SHALL provide corresponding levels of security for
>>> both RTP header extensions and RTCP. Confidentiality mechanisms for
>>> RTP/RTCP are discussed in Options for Securing RTP Sessions
>>> [RFC7201], for example SRTP [RFC3711] with SRTCP encryption enabled
>>> combined with [RFC6904] can provide the necessary security
>>> functions.
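As an added illustration, not part of this thread or of the BUNDLE draft, here is a Python sketch of the receiver-side handling the quoted text argues for: opaque identification-tags that carry no user or device information, and a receiver that extracts the MID from the one-byte RTP header extension (RFC 8285 form) and only routes on tags actually negotiated in the BUNDLE group. The extension id, the sample packet builder and the function names are constructed assumptions.

```python
import secrets
import struct

def generate_mid(nbytes: int = 4) -> str:
    # Random hex token: valid SDP token chars, no user/device data, not sequential
    return secrets.token_hex(nbytes)

def parse_rtp_mid(packet: bytes, mid_ext_id: int):
    """Extract the MID from a one-byte RTP header extension (RFC 8285, 0xBEDE form).
    mid_ext_id is the id negotiated in SDP for urn:ietf:params:rtp-hdrext:sdes:mid."""
    if len(packet) < 12 or packet[0] >> 6 != 2 or not (packet[0] >> 4) & 1:
        return None                      # not RTPv2 or no extension present
    off = 12 + 4 * (packet[0] & 0x0F)    # skip fixed header and CSRC list
    if len(packet) < off + 4:
        return None
    profile, words = struct.unpack_from("!HH", packet, off)
    if profile != 0xBEDE:
        return None                      # two-byte form (0x100x) not handled here
    off, end = off + 4, off + 4 + 4 * words
    if end > len(packet):
        return None                      # truncated extension block
    while off < end:
        b = packet[off]
        if b == 0:                       # padding byte
            off += 1
            continue
        ext_id, length = b >> 4, (b & 0x0F) + 1
        if ext_id == 15 or off + 1 + length > end:
            return None                  # reserved id or element overruns block
        if ext_id == mid_ext_id:
            try:
                return packet[off + 1:off + 1 + length].decode("ascii")
            except UnicodeDecodeError:
                return None
        off += 1 + length
    return None

def route_mid(packet: bytes, mid_ext_id: int, negotiated: set):
    """Accept the MID only if it was negotiated in the BUNDLE group; otherwise drop."""
    mid = parse_rtp_mid(packet, mid_ext_id)
    return mid if mid in negotiated else None

def build_rtp_with_mid(mid: str, mid_ext_id: int) -> bytes:
    """Constructed sample packet (V=2, X=1, PT=96) carrying mid in the header extension."""
    assert 1 <= len(mid) <= 16           # one-byte header elements carry 1..16 bytes
    elem = bytes([(mid_ext_id << 4) | (len(mid) - 1)]) + mid.encode("ascii")
    ext = elem + b"\x00" * ((-len(elem)) % 4)
    fixed = struct.pack("!BBHII", 0x90, 96, 1, 0, 0x1234)
    return fixed + struct.pack("!HH", 0xBEDE, len(ext) // 4) + ext + b"sample"
```

The allow-list only rejects tags that were never negotiated; a tag rewritten in transit to equal another negotiated MID still misroutes, which is why the quoted text asks for source authentication of the MID (for example SRTP with RFC 6904 header-extension protection) rather than receiver-side checks alone.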