Re: [MMUSIC] [Technical Errata Reported] RFC4568 (6291)
Flemming Andreasen <fandreas@cisco.com> Mon, 21 September 2020 19:55 UTC
Return-Path: <fandreas@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEBD73A0CD6 for <mmusic@ietfa.amsl.com>; Mon, 21 Sep 2020 12:55:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.621
X-Spam-Level:
X-Spam-Status: No, score=-9.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SZJ_ife9v5AB for <mmusic@ietfa.amsl.com>; Mon, 21 Sep 2020 12:55:22 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BE393A0D2A for <mmusic@ietf.org>; Mon, 21 Sep 2020 12:55:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12388; q=dns/txt; s=iport; t=1600718122; x=1601927722; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=eMDqWltUFWDl/YaUxRDIansLXJ6jLbnvVOUwf7+vkCc=; b=QV6mjBcERP2QmaZ3aL6bf7j9sIKyv4uw5aqNpYoyupr9tAGRAPKbGlge okNoN875M/hR7KVYxijut1AnQRDHhp/AgEGCGDi0TeBoTMt71Y0qoc01t hx7ENP/Z0rMbveIi5M5uzEjiLCkKIYFOPXhMolFLfK3LLRGVX2z2P8UvD k=;
X-IronPort-AV: E=Sophos;i="5.77,287,1596499200"; d="scan'208,217";a="736915191"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 21 Sep 2020 19:55:21 +0000
Received: from [10.118.10.20] (rtp-fandreas-2-8813.cisco.com [10.118.10.20]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTP id 08LJtKOF014217; Mon, 21 Sep 2020 19:55:20 GMT
To: "David Nguyen (davidtng)" <davidtng@cisco.com>, RFC Errata System <rfc-editor@rfc-editor.org>, "mbaugher@cisco.com" <mbaugher@cisco.com>, "dwing-ietf@fuggles.com" <dwing-ietf@fuggles.com>, "superuser@gmail.com" <superuser@gmail.com>, "barryleiba@computer.org" <barryleiba@computer.org>, "bo.burman@ericsson.com" <bo.burman@ericsson.com>
Cc: "mmusic@ietf.org" <mmusic@ietf.org>
References: <20200916174633.E62DCF40776@rfc-editor.org> <5DE9F3A3-D36A-484D-B4A6-69B1DD8C63B9@cisco.com>
From: Flemming Andreasen <fandreas@cisco.com>
Message-ID: <64d7b6aa-9473-f8b8-d975-8617f14615ba@cisco.com>
Date: Mon, 21 Sep 2020 15:55:20 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:68.0) Gecko/20100101 Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <5DE9F3A3-D36A-484D-B4A6-69B1DD8C63B9@cisco.com>
Content-Type: multipart/alternative; boundary="------------B9C88596D99609145A7FF863"
Content-Language: en-US
X-Outbound-SMTP-Client: 10.118.10.20, rtp-fandreas-2-8813.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/tyjptAT9GONyEGBK5t3uSIdcPhE>
Subject: Re: [MMUSIC] [Technical Errata Reported] RFC4568 (6291)
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Sep 2020 19:55:25 -0000
Hi David It is indeed - we will take a closer look and get back to you. Thanks -- Flemming On 9/21/20 12:45 PM, David Nguyen (davidtng) wrote: > Hi All, > > I was just wondering if this mailing list is still active? > > Thanks, > David > > On 9/16/20, 10:46 AM, "RFC Errata System" <rfc-editor@rfc-editor.org> wrote: > > The following errata report has been submitted for RFC4568, > "Session Description Protocol (SDP) Security Descriptions for Media Streams". > > -------------------------------------- > You may review the report below and at: > https://www.rfc-editor.org/errata/eid6291 > > -------------------------------------- > Type: Technical > Reported by: David Nguyen <davidtng@cisco.com> > > Section: 7.1.4 > > Original Text > ------------- > If the offerer includes an IP address and/or port that differs from > that used previously for a media stream (or FEC stream), the offerer > MUST include a new master key with the offer (and in so doing, it > will be creating a new crypto context where the ROC is set to zero). > Similarly, if the answerer includes an IP address and/or port that > differs from that used previously for a media stream (or FEC stream), > the answerer MUST include a new master key with the answer (and hence > create a new crypto context with the ROC set to zero). The reason > for this is that when the answerer receives an offer or the offerer > receives an answer with an updated IP address and/or port, it is not > possible to determine if the other side has access to the old crypto > context parameters (and in particular the ROC). For example, if one > side is a decomposed media gateway, or if a SIP back-to-back user > agent is involved, it is possible that the media endpoint changed and > no longer has access to the old crypto context. By always requiring > a new master key in this case, the answerer/offerer will know that > the ROC is zero for this offer/answer, and any key lifetime > constraints will trivially be satisfied too. Another consideration > here applies to media relays; if the relay changes the media endpoint > on one side transparently to the other side, the relay cannot operate > as a simple packet reflector but will have to actively engage in SRTP > packet processing and transformation (i.e., decryption and re- > encryption, etc.). > Finally, note that if the new offer is rejected, the old crypto > parameters remain in place. > > > Corrected Text > -------------- > > > Notes > ----- > (and in so doing, it > will be creating a new crypto context where the ROC is set to zero). > -Which crypto context for which direction? Logically this would be the crypto context for media towards the new IP address ? > > (and hence > create a new crypto context with the ROC set to zero). > -What if the offerer stays the same and only the answerer changes the IP address? > New crypto context in direction towards new IP address? > > By always requiring > a new master key in this case, the answerer/offerer will know that > the ROC is zero for this offer/answer, > -Is this resetting crypto context for both directions of media flow? > > Is this section based on having offer and answerer both change the IP address. > What if the offerer did not change the IP address but the answerer does change it. > What is the expected behavior for media/crypto context/ROC for both sides? > > What is expected for IP address of 0.0.0.0 for hold, should this reset crypto context as well? > > How should all of this be handled for the case of switching to MoH server and then back to original call? > SBC ------------- CUCM ------------ EXP (signaling) > SBC --------------------------------- EXP (media stream 1) > SBC --------------------------------- MOH (media stream 2) > > SBC ------------- CUCM ------------ EXP > <--------------------SDP with IP1ofEXP part of early offer from SBC > Crypto context for media towards EXP > <--------------------SDP with IP2ofMoH part of delayed offer from CUCM and additional early offer CUCM. CUCM initiates MoH signaling towards SBC. > Crypto context for media towards MoH (only SBC and MoH know about this) > <--------------------SDP with IP1ofEXP part of delayed offer from CUCM > Crypto context for media towards EXP. Should this be the same as the original if SSRC did not change for media from SBC towards Expressway? > > Instructions: > ------------- > This erratum is currently posted as "Reported". If necessary, please > use "Reply All" to discuss whether it should be verified or > rejected. When a decision is reached, the verifying party > can log in to change the status and edit the report, if necessary. > > -------------------------------------- > RFC4568 (draft-ietf-mmusic-sdescriptions-12) > -------------------------------------- > Title : Session Description Protocol (SDP) Security Descriptions for Media Streams > Publication Date : July 2006 > Author(s) : F. Andreasen, M. Baugher, D. Wing > Category : PROPOSED STANDARD > Source : Multiparty Multimedia Session Control RAI > Area : Real-time Applications and Infrastructure > Stream : IETF > Verifying Party : IESG >
- [MMUSIC] [Technical Errata Reported] RFC4568 (629… RFC Errata System
- Re: [MMUSIC] [Technical Errata Reported] RFC4568 … Flemming Andreasen
- Re: [MMUSIC] [Technical Errata Reported] RFC4568 … Flemming Andreasen
- Re: [MMUSIC] [Technical Errata Reported] RFC4568 … Flemming Andreasen
- Re: [MMUSIC] [Technical Errata Reported] RFC4568 … Roman Shpount
- Re: [MMUSIC] [Technical Errata Reported] RFC4568 … Flemming Andreasen
- Re: [MMUSIC] [Technical Errata Reported] RFC4568 … Flemming Andreasen
- Re: [MMUSIC] [Technical Errata Reported] RFC4568 … Roman Shpount
- Re: [MMUSIC] [Technical Errata Reported] RFC4568 … Patrick Kinane (pkinane)