Re: [MMUSIC] AD Evaluation of draft-ietf-mmusic-rfc4566bis-32

Paul Kyzivat <pkyzivat@alum.mit.edu> Fri, 22 February 2019 20:58 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 049E4130E5E; Fri, 22 Feb 2019 12:58:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ImIOFuE5mRQ4; Fri, 22 Feb 2019 12:58:21 -0800 (PST)
Received: from outgoing-alum.mit.edu (outgoing-alum.mit.edu [18.7.68.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 798AD130E5F; Fri, 22 Feb 2019 12:58:21 -0800 (PST)
Received: from PaulKyzivatsMBP.localdomain (c-24-62-227-142.hsd1.ma.comcast.net [24.62.227.142]) (authenticated bits=0) (User authenticated as pkyzivat@ALUM.MIT.EDU) by outgoing-alum.mit.edu (8.14.7/8.12.4) with ESMTP id x1MKwHNd019045 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Fri, 22 Feb 2019 15:58:18 -0500
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
To: Ben Campbell <ben@nostrum.com>, draft-ietf-mmusic-rfc4566bis.all@ietf.org
Cc: mmusic WG <mmusic@ietf.org>
References: <04CAFF8C-B6ED-4B7D-9FDD-ED37DCA2848B@nostrum.com>
Message-ID: <2f297a3c-39d4-cb99-65f4-f0bcd072306a@alum.mit.edu>
Date: Fri, 22 Feb 2019 15:58:17 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:60.0) Gecko/20100101 Thunderbird/60.5.0
MIME-Version: 1.0
In-Reply-To: <04CAFF8C-B6ED-4B7D-9FDD-ED37DCA2848B@nostrum.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/o_067yHrNY1ZEK5iuYBkuzFP6OU>
Subject: Re: [MMUSIC] AD Evaluation of draft-ietf-mmusic-rfc4566bis-32
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Feb 2019 20:58:25 -0000

Ben,

I just submitted -33. It attempts to address most, but not all, of your 
comments. See my detailed replies below. I need help for some of the 
remainder, specifically security considerations.

There will need to be another revision to address the remaining items.

	Thanks,
	Paul

On 2/11/19 10:45 PM, Ben Campbell wrote:
> Hi,
> 
> This is my AD evaluation of draft-ietf-mmusic-rfc4566bis-32. I have several minor substantive comments, and a number of editorial comments and nits. I’d like to resolve at least the substantive comments prior to IETF last call.
> 
> Thanks!
> 
> Ben.
> ----------------------
> 
> 
> *** Substantive Comments ***
> 
> §1, last paragraph: The statement that this update is limited to essential corrections is demonstrably untrue. For example, this version changes a lot of spellings from British English to US English. While that might be best for the sake of consistency, it would be hard to argue that it is _essential_.

I removed this claim.

> Along the same lines, §10 does not seem to capture all material changes.

I've tried to summarize all the important changes.

> §2, “Media Description”: While true, the text here is not a definition of anything but syntax. Please add a sentence or two to say what the media description semantically represents.

I've added my attempt at describing the semantics. (I posted a query 
about this but didn't get a response that seemed to work.

Please comment if you want a further change.

> - Deleted text formerly in §4.3: The removal of the “private sessions” section in its entirety deserves some explanatory text.

I posted a query about this. The consensus was that the removal here is 
right, but that more discussion is needed in the Security Considerations 
section. But I don't know what to write. I need some help on that.

> §5.2: "Unless an SDP extension for NAT traversal is used
> (e.g., ICE [RFC8445], ICE TCP [RFC6544]), a local IP address MUST
> NOT be used in any context where the SDP description might leave
> the scope in which the address is meaningful”
> 
> That doesn’t apply to just any NAT traversal extension does it? It seems to require extensions that have scope-resolution properties similar to those of ICE.

After reading 5.2 again I realized it is talking about an address in an 
o= line, not c=. Hence there is no intent that anybody connect to this, 
and ICE doesn't apply here. The address is primarily here to add to the 
uniqueness of the o= line. And note that the <sess-id> is required to 
make up any lack of uniqueness in the combination of the other fields. 
And privacy is leading to people not wanting to put real addresses or 
names in here.

So I removed all the discussion of ICE.

Please comment if you think this isn't sufficient or appropriate.

> §5.8: "Use of the "X-" prefix is NOT RECOMMENDED: instead new (non "X-"
> prefix) <bwtype> names SHOULD be defined, and then MUST be registered
> with IANA in the standard namespace.”
> 
> “SHOULD be defined” seems to be in tension with “MUST be registered”.

I twiddled with this. Does it work for you now?

> §5.13: "The "k=" line (key-field) is obsolete and MUST NOT be used.”
> Should it be removed from the field order definition in §5?

It continues to be mentioned because implementations may need to support 
it for backward compatibility with 4566. In that case they need to know 
where it goes.

I left this unchanged.

> §6.1: Please state what behavior is meant by “This attribute is obsoleted”. For example, MUST not send but SHOULD accept? Something different? (This pattern occurs for multiple attributes.)

I beefed up the language for this.

> §6.7.4: "Note that an RTP-based system MUST still send RTCP (if RTCP
> is used), even if started inactive.”
> Other similar attributes use SHOULD instead of MUST. Is the inconsistency intentional?

I brought this to the list. The feedback I got was that is change is 
correct.

> §7, last paragraph:
> What is the impact of this on RFC 4568 (security descriptions)? That RFC seems to allow the use of “k=“ lines at a MAY level. Does this draft need to update that? But more importantly, is it worth distinguishing the case of E@E protection of keying material vs the HBH protection offered by security descriptions?

This text is unchanged since 4566.

I need help with this from a security person.

> §8 and subsectionsl:
> 
> I think there needs to be more clarity about what this draft defines vs what was defined in previous versions, and what has changed. For example, language to the effect of "XXX was originally defined in RFC 4566. This document requests IANA to change the reference to “RFC-this”.”

Done.

> §8.2: "The contact address for all parameters registered below is:
> IETF MMUSIC working group <mmusic@ietf.org>”
> Please consider “The IETF MMUSIC working group <mmusic@ietf.org> or its successor as designated by the IESG.”

Done.

> §8.2.1: "Until that is done, applications SHOULD NOT use these
> types and SHOULD NOT declare support for them in SIP capabilities
> declarations (even though they exist in the registry created by
> [RFC3840]).”
> 
> Should this spec update 3840?

Leaving 3840 as-is doesn't hurt anything. As long as these aren't used 
in m-lines then usage in 3840/3841 will be moot.

I left this as-is.

> §8.2.4.2: This section needs some guidance about the maturity of specs needed to update attributes defined in previous specs. While the registration policy is “spec required”, what happens if someone defines FOO in a standards-track RFC, and someone else wants to update it with some lower-maturity instrument?

> Along the same line, is there any restriction from party B updating an attribute defined by party A without consent? That is clear for IETF stream RFCs where the IETF retains change control, but might not be clear for other specification forms.

Specification Required calls for a designated expert to review the 
registration. I revised the language to ask the expert to consider these 
issues.

> §8.2.8: Are telephone numbers still necessary? Under GDPR rules, we should be careful about requiring data unless there is a clear need for it.

I removed the requirement for a phone number. (This makes it consistent 
with the template for attribute registrations that already didn't ask 
for a phone number.)

> *** Editorial Comments and Nits ***
> 
> §3.3, 2nd paragraph: "Note that descriptions of multicast sessions made only via email or…”
> 
> The sentence no longer makes sense with the change from “announcement” to “description”. If you want to avoid the term “announcements”, consider something like “… descriptions of multicast sessions sent only via email…”

Done.

> §4.1: "This address and port is the destination address and destination port”: Plural disagreement. (It was correct in 4566.)

Fixed.

> §5:
> - “… the end of the whole session description - whichever…”: A dash usually separates two independent clauses, much like a semicolon. That is not the cast here; a comma would be more appropriate.

Done

> - "Some lines in each description are REQUIRED and some are OPTIONAL,” : While I recognize these are unchanged from 4566, the REQUIRED and OPTIONAL terms seem like statements of fact rather than normative statements.

I cleaned this up and made it explicit that the ABNF is normative and 
this section is only a summary of the ABNF.

> - "media-, or session-specific basis” : Incorrect comma usage.

IIUC this is an "Oxford comma", and the use of it is controversial. Does 
IETF have a policy on its use?

(Or we can leave it for the editor to decide.)

I've left this unchanged for now.

> - "An SDP description may contain URIs”
>   I'm not sure this change makes sense. Should it say ''session description”?

After investigating further, I realized that “session description” and 
“SDP description” are used synonymously through the document. So this 
change isn’t *wrong*. IIRC I did it to be consistent with the other 
usage of "SDP description" in the vicinity of this.

I suspect that “session description” might have been considered an 
abstract concept, with an "SDP description" being a specific realization 
of that. But the document doesn’t really make this distinction. And “SDP 
description” is redundant (Session Description Protocol description).

So perhaps every occurrence of “SDP description” should be changed to 
“Session Description”. Alternately, we could change every occurrence of 
"Session Description" to "SDP description".

For now I have left things as-is.

> - "Text containing fields such as the session-name-field and
> information-field”:
> This is ambiguous. Are we talking about text that contains fields, or text-containing fields? From context, I assume the latter.

Done.

> §5.5: "The "u=" line (uri-field) provides URI (Uniform Resource Identifier)
> as used by WWW clients”
> Missing article before URI

Done.

> §5.7:
> - "The "c=" line (connection-field) contains connection data.”
> The section heading was changed from “connection data” to “connection information”. Should that change apply here, too?

That seems pretty circular. Instead I changed it to:

"The "c=" line (connection-field) contains information necessary to 
establish a connection.”

> - There are a number of places in this section (and maybe elsewhere) where IPv6 was changed to IP6. While I realize 4566 was inconsistent on this, wouldn’t it make more sense to change to consistently use the more conventional “IPv6”?  (Probably also true for IP4/IPv4).

This turns out to be tricky: "IP4" and "IP6" are the encodings used in 
the m-line. They are also used in the names of ABNF rules such as 
"IP4-address" and "IP4-multicast".

Most of the text usage seems to be talking about these encodings or 
rules. Just a few seem to be talking about the abstract protocols. I’ve 
changed those few.

Please see if that works for you.

> - "Multiple addresses or "c=" lines MAY be specified on a per media
> description basis”
> 4566 correctly hyphenated “per-media-description basis”. Why were the hyphens removed here?

I see the same text in both for this. OTOH we are using "per-media" in 
the same section. This led me to investigate the use of "media-level" 
vs. "media level" and "session-level" vs. "session-level". It turned out 
to be a mess. So I have attempted to regularize the usage throughout. I 
now use "session level" and "media level" when referring to levels, and 
using "media-level" and "session-level" when the usage is as an adjective.

Let me know what you think.

> §5.8: "A prefix "X-" is defined for <bwtype> names. This is intended for
> experimental purposes only.”
> 
> Please consider active voice for “is defined”, since in this case it obscures the fact that this was defined by an earlier version of the spec. Would it make sense to say that previous versions defined it, but it is now deprecated?

I revised to indicate this came from 4566.

The text already says NOT RECOMMENDED which is pretty much the same as 
deprecated and is normative. I considered saying both in that sentence 
but it seemed peculiar.

> §5.9: "A "t=" line (time-field) initiates a time description that specifies
> the start and stop times for a session.”
> 
> I don't understand what it means to "intitiate" a time description. The text from 4566 seemed more clear.

I changed "initiate" to "begins".

There has been a lot of confusion and questions raised bout how t=/r=/z= 
work together. I revised the ABNF to clarify that, and then reworked 
this text to be consistent with and coordinate with the ABNF.

> §5.13: "(Attribute scopes in addition to media- and
> session- specific may also be defined”
> Should “specific” be “level”?

Yes. Done.

> §5.14:
> 
> - "If noncontiguous
> ports are required, they must be signaled using a
> separate attribute. (There is currently no attribute defined that
> can accomplish this. The "a=rtcp:" defined in [RFC3605] does not
> handle hierarchical encoding.)”
> 
>   This is oddly stated. Is the point that, if non-contiguous ports are needed, someone will have to specify a new attribute?

I rewrote this to make it clearer.

> - "This implies that, unlike
> limited past practice, there is no implicit grouping defined by
> such means and an explicit grouping framework”
> 
> This does considerably more than “imply” it. It states it explicitly. Perhaps “This means that, unlike…”?

I rewrote the paragraph. Hopefully it is better.

> §6.7: "At most one of recvonly/sendrecv/sendonly/inactive MAY appear at
> session level”
> Consider something like "occurrence of recvonly, sendrecv, sendonly, or inactive”. (Please don’t use slashes to substitute for conjunctions.)

Done.

> §6.7.1: "(e.g., an RTP-based system in
> recvonly mode SHOULD still send RTCP packets”
> Please don’t use normative keywords in examples. Examples should never be normative.

Done.

> §11: It seems a shame to completely drop the acknowledgements from 4566, since the fact that this will obsolete it means people should no longer need to read it. I recognize that those acknowledgements do not apply to _this_ draft, but one could always include a paragraph of the form of “RFC 4566 also acknowledged…"

I went back and gathered and acknowledged all the people who authored or 
were acknowledged in any of the documents obsoleted by this one or 4566.

Can you think of anyone else who should be acknowledged?

	Thanks,
	Paul