Re: [MMUSIC] Hi, May I ask for your opinion on draft-zhou-mmusic-sdes-keymod-01?

"Dan Wing" <dwing@cisco.com> Wed, 18 April 2012 13:34 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE98E21F84FD for <mmusic@ietfa.amsl.com>; Wed, 18 Apr 2012 06:34:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -107.624
X-Spam-Level:
X-Spam-Status: No, score=-107.624 tagged_above=-999 required=5 tests=[AWL=-2.975, BAYES_00=-2.599, J_CHICKENPOX_16=0.6, J_CHICKENPOX_46=0.6, MANGLED_DIET=2.3, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U1F+4PVSoBgf for <mmusic@ietfa.amsl.com>; Wed, 18 Apr 2012 06:34:47 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 4C52D21F84F0 for <mmusic@ietf.org>; Wed, 18 Apr 2012 06:34:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=7654; q=dns/txt; s=iport; t=1334756087; x=1335965687; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=flvWt6DXpy7j27jKBxS6lS618DI9gJJka2+O5PjZ7m0=; b=PXBRvZzY2ZsBb8fCpFUamTyFQSa89CDvYdLwWinSk66ZfqgMIJdCHTxd 8QjXJNKpICYQ/nzpFrDdPKz7PS5v/YwI2nfkShAU2NGCpbUQs3iVDOUlU dBNNEBaGqs2jLz8uLNZ3sQTus2RQo5l5BlVI3Mc57IqI7GBwQTYD54lsq U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AswGAHnCjk+rRDoG/2dsb2JhbABEhWabWY4LgXOBB4IJAQEBBAEBAQUKARdECwwBAwIHAg8CBAEBBSMFAhkOFQoJCAEBBBMLEAeHbAyaE40KCJMXgSuOIYEcBIhchRWJD41AgWmDB4E0Bw
X-IronPort-AV: E=Sophos;i="4.75,441,1330905600"; d="scan'208";a="38505730"
Received: from mtv-core-1.cisco.com ([171.68.58.6]) by mtv-iport-3.cisco.com with ESMTP; 18 Apr 2012 13:34:47 +0000
Received: from dwingWS ([10.32.240.197]) by mtv-core-1.cisco.com (8.14.3/8.14.3) with ESMTP id q3IDYkfY031391; Wed, 18 Apr 2012 13:34:46 GMT
From: Dan Wing <dwing@cisco.com>
To: zhou.sujing@zte.com.cn
References: <034c01cd1cb0$b6add5c0$24098140$@com> <OFCDEF0C50.5AA220BF-ON482579E4.000D2D8B-482579E4.000F7E02@zte.com.cn>
In-Reply-To: <OFCDEF0C50.5AA220BF-ON482579E4.000D2D8B-482579E4.000F7E02@zte.com.cn>
Date: Wed, 18 Apr 2012 06:34:46 -0700
Message-ID: <079c01cd1d68$05710670$10531350$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="GB2312"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac0dDdDkXF46y+EFSzu5YpSjubGVjAAWf01A
Content-Language: en-us
Cc: mmusic@ietf.org
Subject: Re: [MMUSIC] Hi, May I ask for your opinion on draft-zhou-mmusic-sdes-keymod-01?
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Apr 2012 13:34:52 -0000

> -----Original Message-----
> From: zhou.sujing@zte.com.cn [mailto:zhou.sujing@zte.com.cn]
> Sent: Tuesday, April 17, 2012 7:49 PM
> To: Dan Wing
> Cc: mmusic@ietf.org
> Subject: RE: RE: RE: Hi, May I ask for your opinion on draft-zhou-
> mmusic-sdes-keymod-01?
> 
> 
> Regards~~~
> 
> -Sujing Zhou
> 
> "Dan Wing" <dwing@cisco.com> 写于 2012-04-17 23:42:36:
> 
> > > -----Original Message-----
> > > From: zhou.sujing@zte.com.cn [mailto:zhou.sujing@zte.com.cn]
> > > Sent: Monday, April 16, 2012 10:10 PM
> > > To: Dan Wing
> > > Subject: 答复: RE: Hi, May I ask for your opinion on draft-zhou-
> mmusic-
> > > sdes-keymod-01?
> > >
> > >
> > > Yes,the offer cannot determin if re-trageting or forking are
> occuring.
> > > I added a new parameter "keymod" with NULL value in the offer
> message
> > > (in 01 version) no matter wich scenarios,
> > > to inform the answerer that
> > >
> > >  "Hi, I am kind of concerned about my outgoing
> > > message be intercept by some intermediates, so I am ready to accept
> any
> > > answer message with
> > > keymod parameter, if you send values in keymod parameter, I can
> update
> > > my key accordingly"
> > >
> > > It is up to the answerer to decide if it will send keymod parameter
> > > with valid value.
> > >
> > > If the answer does not care, it can send keymod with NULL value,
> and
> > > this case is the same as the current SDES;
> > > If the answer cares, it can send keymod with non-NULL value, and
> this
> > > case is what our document is solving.
> > >
> > > The answerer may be able to detect it is in a re-targeting/forking
> > > scenario, and be triggered to send keymod;
> > > Or, the answerer could not detect the situation, and be encouraged
> to
> > > send keymod, because offerer asked for.
> >
> > The offerer should just always issue a re-Invite with a new a=crypto
> key.
> >
> > I guess you are trying to optimize that so that the offerer and
> answerer
> > somehow determine if a re-Invite might be necessary?  Why not
> generalize
> > that optimization, so that the answerer indicates "re-direct
> occurred" and
> > indicates "forking occurred"?  That could be useful for this SDESC
> re-Invite
> > optimization, and could be useful elsewhere.  However, I believe it
> is
> > impossible for the Answerer to reliably determine if a re-direct
> occurred or
> > if forking occurred, which is why I have doubt that the proposal in
> your I-D
> > can work as you hope.
> >
> > -d
> 
> Let the offerer send a re-Invite or an UPDATE with a new a=crypto key
> is indeed an solution.
> But it require more roundtrips.
> 
> Our motivations are
> -to optimize the procedure
> -to enhance the security of SDES
> 
> your question is around the applicability of the optimized procedure.
> In the case of re-direct occurs, the anwser always knows it is a re-
> directed call,should no problem, our 00 draft works.
> In the case  of forking, the answer does not know it is a forked call,
> our 00 draft does not work in this case.
> 
> Our 01 verion does not let answer alone to determin if a re-direct or a
> forking occur.
> Instead, our 01 version is a general upgrade to current SDES protocol,
> that will come to our
> another motivation :enhance the security of SDES
> 
> Generaly it is preferable the session key  between two peers  be
> established with contribution from both peers,otherwise we will get
> into trouble
> as  SDES now in the scenarios of re-targetting and forking.
> Our 01 version actually suggests to change the unidirectional key
> transport in SDES into a key agreement(indicated by "keymod"):
> offerer provides: k1
> answer provides: keymod value
> the outgoing key from offerer to answerer is derived from k1 and keymod
> value no matter in which situation.
> Re-targeting and forking  happen to be the scenarios that especially
> benefit from the change.

Which involves the same number of (signaling) round-trips, right?

-d


> 
> 
> 
> >
> >
> > >
> > >
> > > Regards~~~
> > >
> > > -Sujing Zhou
> > >
> > > "Dan Wing" <dwing@cisco.com> 写于 2012-04-17 05:14:58:
> > >
> > > > I don't see how sending additional parameters solves the problem.
> > > >
> > > > The problem is the offerer cannot determine if re-targeting or
> > > forking
> > > > occurred, and thus cannot determine if it needs to send a new
> > > (updated)
> > > > offer.  The only solution is to always send a new offer.
> > > >
> > > > -d
> > > >
> > > >
> > > > > -----Original Message-----
> > > > > From: zhou.sujing@zte.com.cn [mailto:zhou.sujing@zte.com.cn]
> > > > > Sent: Monday, April 16, 2012 12:29 AM
> > > > > To: Dan Wing
> > > > > Subject: Hi, May I ask for your opinion on draft-zhou-mmusic-
> sdes-
> > > > > keymod-01?
> > > > >
> > > > >
> > > > > Hi, Wing,
> > > > >
> > > > >   I have updated my draft incorporating your question.
> > > > > http://tools.ietf.org/html/draft-zhou-mmusic-sdes-keymod-01
> > > > >   May I ask for your opinion and interest in it?
> > > > >
> > > > > Thank you!
> > > > >
> > > > > Regards~~~
> > > > >
> > > > > -Sujing Zhou
> > > > >
> > > > > mmusic-bounces@ietf.org 写于 2012-03-21 09:32:40:
> > > > >
> > > > > >
> > > > > > Hi, Wing
> > > > > >
> > > > > >     Your point is good, I may update our draft (in 01
> version)
> > > like
> > > > > > the following paragraph:
> > > > > > " 3.1.  Generating the Initial Offer - Unicast Streams
> > > > > >
> > > > > >    The generation of the initial offer for a unicast stream
> MUST
> > > > > follow
> > > > > >    that of the crypto attribute RFC4568 [RFC4568], and MAY
> > > > > >
> > > > > >    also include an additional "keymod" parameter with keymod-
> val
> > > > > being
> > > > > >    NULL.  It indicates to the ultimate answerer that the
> offerer
> > > > > wants
> > > > > >    to employ the mechanism specified in
> > > > > >
> > > > > >    this document, a key agreement mechanism with a higher
> > > security
> > > > > level
> > > > > >    than the original SDES.
> > > > > > "
> > > > > > So that answerer does not need to know it is in a re-
> targeting or
> > > > > > forking scenario,
> > > > > > it is offerer suggesting use keymod mechanism.
> > > > > >
> > > > > >
> > > > > >
> > > > > > Regards~~~
> > > > > >
> > > > > > -Sujing Zhou
> > > > > >
> > > > > > "Dan Wing" <dwing@cisco.com> 写于 2012-03-18 10:43:42:
> > > > > >
> > > > > > > To be effective, draft-zhou-mmusic-sdes-keymod needs the
> > > Answerer
> > > > > to send
> > > > > > > the "keymod" extension if it knows, or believes, the INVITE
> was
> > > re-
> > > > > targeted
> > > > > > > or forked.  I have two questions:
> > > > > > >
> > > > > > > I see for the described re-targeting case (Section 5.1 of
> > > > > > > draft-zhou-mmusic-sdes-keymod-00), a "cause" parameter
> > > [RFC4458]
> > > > > can be a
> > > > > > > useful indicator that a call was re-targeted.  Is the
> "cause"
> > > > > parameter
> > > > > > > always present when a call is re-targeted?
> > > > > > >
> > > > > > > How does the Answerer know if a call was forked?
> > > > > > >
> > > > > > > -d
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > mmusic mailing list
> > > > > > mmusic@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/mmusic
> > > >
> > > >
> > > >
> >
> >
> >