IETF Logo Mail Archive

Re: [MMUSIC] [Technical Errata Reported] RFC4568 (6291)

Flemming Andreasen <fandreas@cisco.com> Mon, 21 September 2020 19:55 UTC

Return-Path: <fandreas@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEBD73A0CD6 for <mmusic@ietfa.amsl.com>; Mon, 21 Sep 2020 12:55:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.621
X-Spam-Level:
X-Spam-Status: No, score=-9.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SZJ_ife9v5AB for <mmusic@ietfa.amsl.com>; Mon, 21 Sep 2020 12:55:22 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BE393A0D2A for <mmusic@ietf.org>; Mon, 21 Sep 2020 12:55:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12388; q=dns/txt; s=iport; t=1600718122; x=1601927722; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=eMDqWltUFWDl/YaUxRDIansLXJ6jLbnvVOUwf7+vkCc=; b=QV6mjBcERP2QmaZ3aL6bf7j9sIKyv4uw5aqNpYoyupr9tAGRAPKbGlge okNoN875M/hR7KVYxijut1AnQRDHhp/AgEGCGDi0TeBoTMt71Y0qoc01t hx7ENP/Z0rMbveIi5M5uzEjiLCkKIYFOPXhMolFLfK3LLRGVX2z2P8UvD k=;
X-IronPort-AV: E=Sophos;i="5.77,287,1596499200"; d="scan'208,217";a="736915191"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 21 Sep 2020 19:55:21 +0000
Received: from [10.118.10.20] (rtp-fandreas-2-8813.cisco.com [10.118.10.20]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTP id 08LJtKOF014217; Mon, 21 Sep 2020 19:55:20 GMT
To: "David Nguyen (davidtng)" <davidtng@cisco.com>, RFC Errata System <rfc-editor@rfc-editor.org>, "mbaugher@cisco.com" <mbaugher@cisco.com>, "dwing-ietf@fuggles.com" <dwing-ietf@fuggles.com>, "superuser@gmail.com" <superuser@gmail.com>, "barryleiba@computer.org" <barryleiba@computer.org>, "bo.burman@ericsson.com" <bo.burman@ericsson.com>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>
References: <20200916174633.E62DCF40776@rfc-editor.org> <5DE9F3A3-D36A-484D-B4A6-69B1DD8C63B9@cisco.com>
From: Flemming Andreasen <fandreas@cisco.com>
Message-ID: <64d7b6aa-9473-f8b8-d975-8617f14615ba@cisco.com>
Date: Mon, 21 Sep 2020 15:55:20 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <5DE9F3A3-D36A-484D-B4A6-69B1DD8C63B9@cisco.com>
Content-Type: multipart/alternative; boundary="------------B9C88596D99609145A7FF863"
Content-Language: en-US
X-Outbound-SMTP-Client: 10.118.10.20, rtp-fandreas-2-8813.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/tyjptAT9GONyEGBK5t3uSIdcPhE>
Subject: Re: [MMUSIC] [Technical Errata Reported] RFC4568 (6291)
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2020 19:55:25 -0000

Hi David

It is indeed - we will take a closer look and get back to you.

Thanks

-- Flemming

On 9/21/20 12:45 PM, David Nguyen (davidtng) wrote:
> Hi All,
>
> I was just wondering if this mailing list is still active?
>
> Thanks,
> David
>
> On 9/16/20, 10:46 AM, "RFC Errata System" <rfc-editor@rfc-editor.org> wrote:
>
>      The following errata report has been submitted for RFC4568,
>      "Session Description Protocol (SDP) Security Descriptions for Media Streams".
>
>      --------------------------------------
>      You may review the report below and at:
>      https://www.rfc-editor.org/errata/eid6291
>
>      --------------------------------------
>      Type: Technical
>      Reported by: David Nguyen <davidtng@cisco.com>
>
>      Section: 7.1.4
>
>      Original Text
>      -------------
>      If the offerer includes an IP address and/or port that differs from
>         that used previously for a media stream (or FEC stream), the offerer
>         MUST include a new master key with the offer (and in so doing, it
>         will be creating a new crypto context where the ROC is set to zero).
>         Similarly, if the answerer includes an IP address and/or port that
>         differs from that used previously for a media stream (or FEC stream),
>         the answerer MUST include a new master key with the answer (and hence
>         create a new crypto context with the ROC set to zero).  The reason
>         for this is that when the answerer receives an offer or the offerer
>         receives an answer with an updated IP address and/or port, it is not
>         possible to determine if the other side has access to the old crypto
>         context parameters (and in particular the ROC).  For example, if one
>         side is a decomposed media gateway, or if a SIP back-to-back user
>         agent is involved, it is possible that the media endpoint changed and
>         no longer has access to the old crypto context.  By always requiring
>         a new master key in this case, the answerer/offerer will know that
>         the ROC is zero for this offer/answer, and any key lifetime
>         constraints will trivially be satisfied too.  Another consideration
>         here applies to media relays; if the relay changes the media endpoint
>         on one side transparently to the other side, the relay cannot operate
>         as a simple packet reflector but will have to actively engage in SRTP
>         packet processing and transformation (i.e., decryption and re-
>         encryption, etc.).
>      Finally, note that if the new offer is rejected, the old crypto
>         parameters remain in place.
>
>
>      Corrected Text
>      --------------
>
>
>      Notes
>      -----
>      (and in so doing, it
>         will be creating a new crypto context where the ROC is set to zero).
>          -Which crypto context for which direction?  Logically this would be the crypto context for media towards the new IP address ?
>
>      (and hence
>         create a new crypto context with the ROC set to zero).
>         -What if the offerer stays the same and only the answerer changes the IP address?
>      New crypto context in direction towards new IP address?
>
>      By always requiring
>         a new master key in this case, the answerer/offerer will know that
>         the ROC is zero for this offer/answer,
>         -Is this resetting crypto context for both directions of media flow?
>
>      Is this section based on having offer and answerer both change the IP address.
>      What if the offerer did not change the IP address but the answerer does change it.
>      What is the expected behavior for media/crypto context/ROC for both sides?
>
>      What is expected for IP address of 0.0.0.0 for hold, should this reset crypto context as well?
>
>      How should all of this be handled for the case of switching to MoH server and then back to original call?
>      SBC ------------- CUCM ------------ EXP (signaling)
>      SBC --------------------------------- EXP (media stream 1)
>      SBC --------------------------------- MOH (media stream 2)
>
>      SBC ------------- CUCM ------------ EXP
>      <--------------------SDP with IP1ofEXP part of early offer from SBC
>      Crypto context for media towards EXP
>      <--------------------SDP with IP2ofMoH part of delayed offer from CUCM and additional early offer CUCM.  CUCM initiates MoH signaling towards SBC.
>      Crypto context for media towards MoH (only SBC and MoH know about this)
>      <--------------------SDP with IP1ofEXP part of delayed offer from CUCM
>      Crypto context for media towards EXP.  Should this be the same as the original if SSRC did not change for media from SBC towards Expressway?
>
>      Instructions:
>      -------------
>      This erratum is currently posted as "Reported". If necessary, please
>      use "Reply All" to discuss whether it should be verified or
>      rejected. When a decision is reached, the verifying party
>      can log in to change the status and edit the report, if necessary.
>
>      --------------------------------------
>      RFC4568 (draft-ietf-mmusic-sdescriptions-12)
>      --------------------------------------
>      Title               : Session Description Protocol (SDP) Security Descriptions for Media Streams
>      Publication Date    : July 2006
>      Author(s)           : F. Andreasen, M. Baugher, D. Wing
>      Category            : PROPOSED STANDARD
>      Source              : Multiparty Multimedia Session Control RAI
>      Area                : Real-time Applications and Infrastructure
>      Stream              : IETF
>      Verifying Party     : IESG
>

v2.23.0 | Report a Bug | By Email