Re: [Perc] Secdir last call review of draft-ietf-perc-dtls-tunnel-08
"Paul E. Jones" <paulej@packetizer.com> Fri, 11 June 2021 17:55 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: perc@ietfa.amsl.com
Delivered-To: perc@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6EDA33A0C49; Fri, 11 Jun 2021 10:55:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.398
X-Spam-Level:
X-Spam-Status: No, score=-4.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=packetizer.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TxHJi8kaZeWw; Fri, 11 Jun 2021 10:54:58 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [IPv6:2600:1f18:24d6:2e01:e842:9b2b:72a2:d2c6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D94CD3A0C3C; Fri, 11 Jun 2021 10:54:57 -0700 (PDT)
Received: from authuser (localhost [127.0.0.1])
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=packetizer.com; s=dublin; t=1623434094; bh=W8S+2aAc8tGPox24RkAR4oooIKJG04G5Kyp/W4ZWG8Q=; h=From:To:Subject:Cc:Date:In-Reply-To:References:Reply-To; b=fbGxtqLm5L7gNnJzq9HKMdhNy4KwX4v3zp+5GL4TraE3z22cEeIJuBPVTOVw2f5D3 GVEBtT2W9FvP8zwECx4NQ6g3QDG2+cDEhI+p3aNP2Y+rl67yJV51FuBdp3TROR78WY +ThKr6f8bIRowVaB1bx7+FM7oB+pPmtxKmMgqHLk=
From: "Paul E. Jones" <paulej@packetizer.com>
To: Shawn Emery <shawn.emery@gmail.com>
Cc: secdir <secdir@ietf.org>, draft-ietf-perc-dtls-tunnel.all@ietf.org, last-call@ietf.org, perc@ietf.org
Date: Fri, 11 Jun 2021 17:54:51 +0000
Message-Id: <em064c7e00-0462-478a-930c-0caee8726d63@sydney>
In-Reply-To: <CAChzXmaLej44C8W8pDMvAtLoY+p0NxUsptKEA7WaMRwExa329w@mail.gmail.com>
References: <162302724403.5524.7530871359171917876@ietfa.amsl.com> <em199c2ab4-ef2f-4756-b044-35572ddfe7c2@sydney> <CAChzXmaLej44C8W8pDMvAtLoY+p0NxUsptKEA7WaMRwExa329w@mail.gmail.com>
Reply-To: "Paul E. Jones" <paulej@packetizer.com>
User-Agent: eM_Client/8.2.1473.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MB152C625B-E598-4159-8696-D44D7A117755"
Archived-At: <https://mailarchive.ietf.org/arch/msg/perc/29HaQG5PtuTFKROFv5O0eiiIulo>
Subject: Re: [Perc] Secdir last call review of draft-ietf-perc-dtls-tunnel-08
X-BeenThere: perc@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Privacy Enhanced RTP Conferencing <perc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/perc>, <mailto:perc-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/perc/>
List-Post: <mailto:perc@ietf.org>
List-Help: <mailto:perc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/perc>, <mailto:perc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2021 17:55:04 -0000
Thanks! I fixed those. Paul ------ Original Message ------ From: "Shawn Emery" <shawn.emery@gmail.com> To: "Paul E. Jones" <paulej@packetizer.com> Cc: "secdir" <secdir@ietf.org>; draft-ietf-perc-dtls-tunnel.all@ietf.org; last-call@ietf.org; perc@ietf.org Sent: 6/11/2021 12:20:25 AM Subject: Re: Secdir last call review of draft-ietf-perc-dtls-tunnel-08 > >Thank you for incorporating the requested changes into the Security >Considerations section. Looks better. A few more nits with the latest >update: > >s/the the/the/g >s/"EndpointDisconect"/"EndpointDisconnect"/ >s/document rely/document relies/ > >Shawn. >-- > >On Mon, Jun 7, 2021 at 4:50 PM Paul E. Jones <paulej@packetizer.com> >wrote: >>Shawn, >> >>Thanks for the review. Russ also had comments on the security >>considerations section. I have changed that substantially and welcome >>any additional input. See these changes: >> >>https://github.com/percwg/perc-wg/compare/paulej_ietf_lc >> >>Paul >> >>------ Original Message ------ >>From: "Shawn Emery via Datatracker" <noreply@ietf.org> >>To: secdir@ietf.org >>Cc: draft-ietf-perc-dtls-tunnel.all@ietf.org; last-call@ietf.org; >>perc@ietf.org >>Sent: 6/6/2021 8:54:04 PM >>Subject: Secdir last call review of draft-ietf-perc-dtls-tunnel-08 >> >> >Reviewer: Shawn Emery >> >Review result: Not Ready >> > >> >I have reviewed this document as part of the security directorate's >>ongoing >> >effort to review all IETF documents being processed by the IESG. >>These >> >comments were written primarily for the benefit of the security area >>directors. >> >Document editors and WG chairs should treat these comments just like >>any other >> >last call comments. >> > >> >This draft specifies a DTLS tunneling protocol for Privacy-Enhanced >>RTP >> >Conferencing (PERC). This entails a key exchange between the >>conference >> >end-points and the key distributor through a delegate, media >>distributor. >> > >> >The security considerations section does exist and describes that the >>media >> >distributor does not introduce any additional security issues given >>that it is >> >just on-path with the key exchange between the endpoint and the key >> >distributor. Secondly, the key material between the media >>distributor and key >> >distributor is protected through the mutually authenticated >>connection between >> >the two entities. Thirdly, the meta data exchanged between the media >> >distributor and key distributor is not sensitive information, but is >>still >> >protected through the TLS connection. I agree with the above >>assertions. >> >Besides the concerns described in the genart review about the impact >>of key >> >material disclosure, the authors should consider the various other >>forms of >> >security issues against the protocol, such as downgrade/DoS attacks >>from >> >profile negotiation, etc. The section could list and simply refer to >>the base >> >RFCs, 5764, 8871, etc., to provide remediation against these attacks. >> > >> >General comments: >> > >> >The example message flow and binary coding was helpful, thank you. >> > >> >Editorial comments: >> > >> >s/might might/might/ >> >s/!@RFC4566/RFC4566/g >> >s/An value/A value/ >> >s/!@RFC8126/RFC8126/ >> >s/material This/material. This/ >> > >> > >> > >>
- [Perc] Secdir last call review of draft-ietf-perc… Shawn Emery via Datatracker
- Re: [Perc] Secdir last call review of draft-ietf-… Paul E. Jones
- Re: [Perc] Secdir last call review of draft-ietf-… Shawn Emery
- Re: [Perc] Secdir last call review of draft-ietf-… Paul E. Jones