Re: [MMUSIC] AD Evaluation of draft-ietf-mmusic-rfc4566bis-32

Ben Campbell <ben@nostrum.com> Thu, 21 March 2019 03:22 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFB4F130DE5; Wed, 20 Mar 2019 20:22:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.679
X-Spam-Level:
X-Spam-Status: No, score=-1.679 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kb4Gz4yVHG9d; Wed, 20 Mar 2019 20:22:03 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E81212008A; Wed, 20 Mar 2019 20:22:03 -0700 (PDT)
Received: from bens-macbook.lan (cpe-66-25-20-105.tx.res.rr.com [66.25.20.105]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id x2L3Ludr060815 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 20 Mar 2019 22:21:58 -0500 (CDT) (envelope-from ben@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1553138519; bh=+VhSX5igTrW4SYOucpDBp7PExnBN/pRqDoLwbvPLtYc=; h=From:Subject:Date:In-Reply-To:Cc:To:References; b=KpBjsrAgQYl86ExLo4MstRG6slS6bAnzGIGrMQdK5mguxe+L7dQ46R2DefNNn4ry0 b6kR+N2u/TmFs+fRdadd+SXK6XvJuamsS/GwAqAAANtKdZUqYXMYDSYOFyXMKX7Rsb k0KhcPwMk/Np7sZa0hePbg4jJBEVxXhSlkZfadpc=
X-Authentication-Warning: raven.nostrum.com: Host cpe-66-25-20-105.tx.res.rr.com [66.25.20.105] claimed to be bens-macbook.lan
From: Ben Campbell <ben@nostrum.com>
Message-Id: <CC5A264E-0D65-4D64-A558-3E5EDD22FBFE@nostrum.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_91ED1B39-A4C6-4BDA-AF31-57CD3FCDFD6D"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 20 Mar 2019 22:21:50 -0500
In-Reply-To: <2f297a3c-39d4-cb99-65f4-f0bcd072306a@alum.mit.edu>
Cc: draft-ietf-mmusic-rfc4566bis.all@ietf.org, mmusic WG <mmusic@ietf.org>
To: Paul Kyzivat <pkyzivat@alum.mit.edu>
References: <04CAFF8C-B6ED-4B7D-9FDD-ED37DCA2848B@nostrum.com> <2f297a3c-39d4-cb99-65f4-f0bcd072306a@alum.mit.edu>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mmusic/x5NS1RNjB0thurkcWRdfVomlXZw>
Subject: Re: [MMUSIC] AD Evaluation of draft-ietf-mmusic-rfc4566bis-32
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mmusic/>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2019 03:22:06 -0000

Hi,

Please see comments inline. Apologies for the late response, I somehow missed that this was still waiting on me.

Thanks!

Ben.


> On Feb 22, 2019, at 2:58 PM, Paul Kyzivat <pkyzivat@alum.mit.edu>; wrote:
> 
> Ben,
> 
> I just submitted -33. It attempts to address most, but not all, of your comments. See my detailed replies below. I need help for some of the remainder, specifically security considerations.
> 
> There will need to be another revision to address the remaining items.
> 
> 	Thanks,
> 	Paul
> 
> On 2/11/19 10:45 PM, Ben Campbell wrote:
>> Hi,
>> This is my AD evaluation of draft-ietf-mmusic-rfc4566bis-32. I have several minor substantive comments, and a number of editorial comments and nits. I’d like to resolve at least the substantive comments prior to IETF last call.
>> Thanks!
>> Ben.
>> ----------------------
>> *** Substantive Comments ***
>> §1, last paragraph: The statement that this update is limited to essential corrections is demonstrably untrue. For example, this version changes a lot of spellings from British English to US English. While that might be best for the sake of consistency, it would be hard to argue that it is _essential_.
> 
> I removed this claim.
> 
>> Along the same lines, §10 does not seem to capture all material changes.
> 
> I've tried to summarize all the important changes.
> 
>> §2, “Media Description”: While true, the text here is not a definition of anything but syntax. Please add a sentence or two to say what the media description semantically represents.
> 
> I've added my attempt at describing the semantics. (I posted a query about this but didn't get a response that seemed to work.
> 
> Please comment if you want a further change.

It looks good to me.

> 
>> - Deleted text formerly in §4.3: The removal of the “private sessions” section in its entirety deserves some explanatory text.
> 
> I posted a query about this. The consensus was that the removal here is right, but that more discussion is needed in the Security Considerations section. But I don't know what to write. I need some help on that

Would it make sense to say that “private sessions” have been superseded by the use of things like DTLS-SRTP and RFC 8224

> 
>> §5.2: "Unless an SDP extension for NAT traversal is used
>> (e.g., ICE [RFC8445], ICE TCP [RFC6544]), a local IP address MUST
>> NOT be used in any context where the SDP description might leave
>> the scope in which the address is meaningful”
>> That doesn’t apply to just any NAT traversal extension does it? It seems to require extensions that have scope-resolution properties similar to those of ICE.
> 
> After reading 5.2 again I realized it is talking about an address in an o= line, not c=. Hence there is no intent that anybody connect to this, and ICE doesn't apply here. The address is primarily here to add to the uniqueness of the o= line. And note that the <sess-id> is required to make up any lack of uniqueness in the combination of the other fields. And privacy is leading to people not wanting to put real addresses or names in here.
> 
> So I removed all the discussion of ICE.
> 
> Please comment if you think this isn't sufficient or appropriate.

WFM

> 
>> §5.8: "Use of the "X-" prefix is NOT RECOMMENDED: instead new (non "X-"
>> prefix) <bwtype> names SHOULD be defined, and then MUST be registered
>> with IANA in the standard namespace.”
>> “SHOULD be defined” seems to be in tension with “MUST be registered”.
> 
> I twiddled with this. Does it work for you now?

All I see in 33 is a punctuation change. Did I miss something?

> 
>> §5.13: "The "k=" line (key-field) is obsolete and MUST NOT be used.”
>> Should it be removed from the field order definition in §5?
> 
> It continues to be mentioned because implementations may need to support it for backward compatibility with 4566. In that case they need to know where it goes.
> 
> I left this unchanged.
> 

Okay.

>> §6.1: Please state what behavior is meant by “This attribute is obsoleted”. For example, MUST not send but SHOULD accept? Something different? (This pattern occurs for multiple attributes.)
> 
> I beefed up the language for this.

WFM


> 
>> §6.7.4: "Note that an RTP-based system MUST still send RTCP (if RTCP
>> is used), even if started inactive.”
>> Other similar attributes use SHOULD instead of MUST. Is the inconsistency intentional?
> 
> I brought this to the list. The feedback I got was that is change is correct.

Okay

> 
>> §7, last paragraph:
>> What is the impact of this on RFC 4568 (security descriptions)? That RFC seems to allow the use of “k=“ lines at a MAY level. Does this draft need to update that? But more importantly, is it worth distinguishing the case of E@E protection of keying material vs the HBH protection offered by security descriptions?
> 
> This text is unchanged since 4566.
> 
> I need help with this from a security person

I’m willing to accept this as legacy text. (But I guess we will see what the SEC ADs have to say.)

> 
>> §8 and subsectionsl:
>> I think there needs to be more clarity about what this draft defines vs what was defined in previous versions, and what has changed. For example, language to the effect of "XXX was originally defined in RFC 4566. This document requests IANA to change the reference to “RFC-this”.”
> 
> Done.
> 
>> §8.2: "The contact address for all parameters registered below is:
>> IETF MMUSIC working group <mmusic@ietf.org>”
>> Please consider “The IETF MMUSIC working group <mmusic@ietf.org>; or its successor as designated by the IESG.”
> 
> Done.
> 
>> §8.2.1: "Until that is done, applications SHOULD NOT use these
>> types and SHOULD NOT declare support for them in SIP capabilities
>> declarations (even though they exist in the registry created by
>> [RFC3840]).”
>> Should this spec update 3840?
> 
> Leaving 3840 as-is doesn't hurt anything. As long as these aren't used in m-lines then usage in 3840/3841 will be moot.
> 
> I left this as-is.
> 

okay

>> §8.2.4.2: This section needs some guidance about the maturity of specs needed to update attributes defined in previous specs. While the registration policy is “spec required”, what happens if someone defines FOO in a standards-track RFC, and someone else wants to update it with some lower-maturity instrument?
> 
>> Along the same line, is there any restriction from party B updating an attribute defined by party A without consent? That is clear for IETF stream RFCs where the IETF retains change control, but might not be clear for other specification forms.
> 
> Specification Required calls for a designated expert to review the registration. I revised the language to ask the expert to consider these issues.

WFM

> 
>> §8.2.8: Are telephone numbers still necessary? Under GDPR rules, we should be careful about requiring data unless there is a clear need for it.
> 
> I removed the requirement for a phone number. (This makes it consistent with the template for attribute registrations that already didn't ask for a phone number.)
> 

Okay

>> *** Editorial Comments and Nits ***
>> §3.3, 2nd paragraph: "Note that descriptions of multicast sessions made only via email or…”
>> The sentence no longer makes sense with the change from “announcement” to “description”. If you want to avoid the term “announcements”, consider something like “… descriptions of multicast sessions sent only via email…”
> 
> Done.
> 
>> §4.1: "This address and port is the destination address and destination port”: Plural disagreement. (It was correct in 4566.)
> 
> Fixed.
> 
>> §5:
>> - “… the end of the whole session description - whichever…”: A dash usually separates two independent clauses, much like a semicolon. That is not the cast here; a comma would be more appropriate.
> 
> Done
> 
>> - "Some lines in each description are REQUIRED and some are OPTIONAL,” : While I recognize these are unchanged from 4566, the REQUIRED and OPTIONAL terms seem like statements of fact rather than normative statements.
> 
> I cleaned this up and made it explicit that the ABNF is normative and this section is only a summary of the ABNF.
> 
>> - "media-, or session-specific basis” : Incorrect comma usage.
> 
> IIUC this is an "Oxford comma", and the use of it is controversial. Does IETF have a policy on its use?
> 

<channeling-Adam>
Well, yes. The RFC Editor follows the Chicago Manual of Style, which IIUC calls for use of the Oxford comma. However, this isn’t one. The Oxford comma is for a serial conjunction list, e.g. “a, b, and c”. This instance is just a normal conjunction, e.g. “a or b”. “a, or b” is generally incorrect unless there’s some other reason for the comma.
</channeling-Adam>

> (Or we can leave it for the editor to decide.)

Sure, it would make an interesting pub bet to see what they do :-)

> 
> I've left this unchanged for now.



> 
>> - "An SDP description may contain URIs”
>>  I'm not sure this change makes sense. Should it say ''session description”?
> 
> After investigating further, I realized that “session description” and “SDP description” are used synonymously through the document. So this change isn’t *wrong*. IIRC I did it to be consistent with the other usage of "SDP description" in the vicinity of this.
> 
> I suspect that “session description” might have been considered an abstract concept, with an "SDP description" being a specific realization of that. But the document doesn’t really make this distinction. And “SDP description” is redundant (Session Description Protocol description).
> 
> So perhaps every occurrence of “SDP description” should be changed to “Session Description”. Alternately, we could change every occurrence of "Session Description" to "SDP description".
> 
> For now I have left things as-is.

Okay. I read “SDP Description” as a “description of SDP”, but I see it was mean otherwise. I can live with it.

> 
>> - "Text containing fields such as the session-name-field and
>> information-field”:
>> This is ambiguous. Are we talking about text that contains fields, or text-containing fields? From context, I assume the latter.
> 
> Done.
> 
>> §5.5: "The "u=" line (uri-field) provides URI (Uniform Resource Identifier)
>> as used by WWW clients”
>> Missing article before URI
> 
> Done.
> 
>> §5.7:
>> - "The "c=" line (connection-field) contains connection data.”
>> The section heading was changed from “connection data” to “connection information”. Should that change apply here, too?
> 
> That seems pretty circular. Instead I changed it to:
> 
> "The "c=" line (connection-field) contains information necessary to establish a connection.”

WFM


> 
>> - There are a number of places in this section (and maybe elsewhere) where IPv6 was changed to IP6. While I realize 4566 was inconsistent on this, wouldn’t it make more sense to change to consistently use the more conventional “IPv6”?  (Probably also true for IP4/IPv4).
> 
> This turns out to be tricky: "IP4" and "IP6" are the encodings used in the m-line. They are also used in the names of ABNF rules such as "IP4-address" and "IP4-multicast”.

Ah, of course, My bad.

I guess we saved a lot of “v”s with those encodings. One wonders why we didn’t try to save the “I”s and “P”s. ;-)

> 
> Most of the text usage seems to be talking about these encodings or rules. Just a few seem to be talking about the abstract protocols. I’ve changed those few.
> 
> Please see if that works for you.

WFM.

> 
>> - "Multiple addresses or "c=" lines MAY be specified on a per media
>> description basis”
>> 4566 correctly hyphenated “per-media-description basis”. Why were the hyphens removed here?
> 
> I see the same text in both for this. OTOH we are using "per-media" in the same section. This led me to investigate the use of "media-level" vs. "media level" and "session-level" vs. "session-level". It turned out to be a mess. So I have attempted to regularize the usage throughout. I now use "session level" and "media level" when referring to levels, and using "media-level" and "session-level" when the usage is as an adjective.
> 
> Let me know what you think.
> 

That sounds like the correct usage.


>> §5.8: "A prefix "X-" is defined for <bwtype> names. This is intended for
>> experimental purposes only.”
>> Please consider active voice for “is defined”, since in this case it obscures the fact that this was defined by an earlier version of the spec. Would it make sense to say that previous versions defined it, but it is now deprecated?
> 
> I revised to indicate this came from 4566.
> 
> The text already says NOT RECOMMENDED which is pretty much the same as deprecated and is normative. I considered saying both in that sentence but it seemed peculiar.

Okay.

> 
>> §5.9: "A "t=" line (time-field) initiates a time description that specifies
>> the start and stop times for a session.”
>> I don't understand what it means to "intitiate" a time description. The text from 4566 seemed more clear.
> 
> I changed "initiate" to "begins".
> 
> There has been a lot of confusion and questions raised bout how t=/r=/z= work together. I revised the ABNF to clarify that, and then reworked this text to be consistent with and coordinate with the ABNF.

Okay. (Wow, that’s a lot of work for an editorial comment :-) )

> 
>> §5.13: "(Attribute scopes in addition to media- and
>> session- specific may also be defined”
>> Should “specific” be “level”?
> 
> Yes. Done.
> 
>> §5.14:
>> - "If noncontiguous
>> ports are required, they must be signaled using a
>> separate attribute. (There is currently no attribute defined that
>> can accomplish this. The "a=rtcp:" defined in [RFC3605] does not
>> handle hierarchical encoding.)”
>>  This is oddly stated. Is the point that, if non-contiguous ports are needed, someone will have to specify a new attribute?
> 
> I rewrote this to make it clearer.

WFM

> 
>> - "This implies that, unlike
>> limited past practice, there is no implicit grouping defined by
>> such means and an explicit grouping framework”
>> This does considerably more than “imply” it. It states it explicitly. Perhaps “This means that, unlike…”?
> 
> I rewrote the paragraph. Hopefully it is better.
> 

Looks good.


>> §6.7: "At most one of recvonly/sendrecv/sendonly/inactive MAY appear at
>> session level”
>> Consider something like "occurrence of recvonly, sendrecv, sendonly, or inactive”. (Please don’t use slashes to substitute for conjunctions.)
> 
> Done.
> 
>> §6.7.1: "(e.g., an RTP-based system in
>> recvonly mode SHOULD still send RTCP packets”
>> Please don’t use normative keywords in examples. Examples should never be normative.
> 
> Done.
> 
>> §11: It seems a shame to completely drop the acknowledgements from 4566, since the fact that this will obsolete it means people should no longer need to read it. I recognize that those acknowledgements do not apply to _this_ draft, but one could always include a paragraph of the form of “RFC 4566 also acknowledged…"
> 
> I went back and gathered and acknowledged all the people who authored or were acknowledged in any of the documents obsoleted by this one or 4566.
> 
> Can you think of anyone else who should be acknowledged?

Thanks, I think you have it covered.


> 
> 	Thanks,
> 	Paul
> 
> 
> _______________________________________________
> mmusic mailing list
> mmusic@ietf.org
> https://www.ietf.org/mailman/listinfo/mmusic