Re: [ppsp] Kathleen Moriarty's Discuss on draft-ietf-ppsp-base-tracker-protocol-10: (with DISCUSS)

"Huangyihong (Rachel)" <> Tue, 27 October 2015 08:20 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 78BAB1B37E7; Tue, 27 Oct 2015 01:20:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id VtnoAV5Vlx1y; Tue, 27 Oct 2015 01:20:32 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 61F441B37E4; Tue, 27 Oct 2015 01:20:31 -0700 (PDT)
Received: from (EHLO ([]) by (MOS 4.3.7-GA FastPath queued) with ESMTP id CDD04498; Tue, 27 Oct 2015 08:20:29 +0000 (GMT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 27 Oct 2015 08:20:28 +0000
Received: from ([]) by ([]) with mapi id 14.03.0235.001; Tue, 27 Oct 2015 16:20:17 +0800
From: "Huangyihong (Rachel)" <>
To: Kathleen Moriarty <>, The IESG <>
Thread-Topic: Kathleen Moriarty's Discuss on draft-ietf-ppsp-base-tracker-protocol-10: (with DISCUSS)
Thread-Index: AQHRBiI52+mCUzz410GGH3yAKx0y7Z5zvO6Q
Date: Tue, 27 Oct 2015 08:20:16 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <>
Cc: "" <>, "" <>, "" <>
Subject: Re: [ppsp] Kathleen Moriarty's Discuss on draft-ietf-ppsp-base-tracker-protocol-10: (with DISCUSS)
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: discussing to draw up peer to peer streaming protocol <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 27 Oct 2015 08:20:34 -0000

Hi Kathleen,

Thank you so much for the valuable comments and I'm sorry for my late replies. Please see them inline.


> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Thanks for your work on this draft, I have a few things I'd like to discuss that we
> should be able to resolve quickly.  I'll try where possible to offer suggestions,
> but please do let me know if there is a good reason why they don't make sense.
> 1. Section 5.2.7
> Please make mention and reference to security provisions for SNMP and Syslog.
> RFC5424 is just for syslog, so a pointer for SNMP security considerations should
> be added in this section as well. They use a boilerplate for the text and add
> considerations specific to a draft.
> Benoit - do you have a good reference for them to use?  A more generic SNMP
> draft might not be up-to-date with the latest boilerplate text.  If that's the
> case, the recent changes are small and could be stated with a pointer to an
> RFC with the older boilerplate text.

[Rachel]: How about referencing to [RFC3411]? 

> 2. Are there any considerations for the statistics collected, can they be used in
> a malicious way?  I would think so and that this would be an important
> security consideration.  Mentioning possible issues would be helpful to the
> reader.

[Rachel]: You're right. How about following change?


   The statistics collected about the operation of PPSP-TP can be used
   for detecting attacks, such as the receipt of malformed messages,
   messages out of order, or messages with invalid timestamps.

The statistics collected about the operation of PPSP-TP can be used for detecting attacks, such as the receipt of malformed messages, messages out of order, or messages with invalid timestamps. However, collecting such endpoint properties may also raise some security issues. For example, the statistics collected by the tracker may be disclosed to an unauthorized third party which has some malicious intention. To address such risk, the provider of the tracker should evaluate how much information is revealed and the associated risks. And confidentiality mechanism must be provided by HTTP over TLS to guarantee the confidentiality of PPSP-TP.

> Section 6
> Reference to RFC2616 isn't enough for the security considerations of HTTP
> since that's a really old RFC.  If you want authentication options, you could
> point to the HTTPAuth documents, which include updated versions of HTTP
> basic (RFC7616) and digest (RFC7617).  While there are still lots of security
> issues with these options, the RFCs spell out what the actual considerations
> are, which are helpful to the reader.  This raises the need for TLS 1.2 as well to
> provide session protection for the session (passive and active attacks) as well
> as for the authentication used.

[Rachel]: You're right. Here we mean the security consideration for general HTTP architecture and messaging. So I should point to [RFC7230]? And the authentication is discussed in Section 6.1.

> Section 6.1
> Why isn't TLS a must here to protect the session data?
> If you are relying on OAuth Bearer tokens, they offer no security protection
> without TLS, so to rely on this, I'd say TLS really should be a MUST.  The
> authentication types to get a bearer token (at least in RFC documentation and
> in the registry) are all pretty weak and require TLS protection to have any level
> of security.

[Rachel]: Ok. How about changing the 3rd paragraph from

   A channel-oriented security mechanism should be used in the
   communication between peers and tracker, such as the Transport Layer
   Security (TLS) to provide privacy and data integrity.

Transport Layer Security (TLS) [RFC5246] MUST be used in the communication between peers and tracker to provide privacy and data integrity.

> With the TLS MUST, we are recommending TLS 1.2 as the minimum in drafts.
> It would be good to see a mention of TLS 1.2 as a minimum recommendation
> and a reference to the BCP for TLS 1.2 configurations RFC7525 (it even includes
> cipher suite recommendations).

[Rachel]: So for mentioning TLS, we should point to TLS 1.2 [RFC5246], right?  And we can add following words into 3rd paragraph of section 6.1 for mentioning the BCP.

Software engineers developing and service providers deploying the tracker should make themselves familiar with the Best Current Practices (BCP) on configuring HTTP over TLS [RFC7525].

> Privacy
> I would have expected some discussion on the protection of the 2 ID types and
> the tracker capabilities and that session encryption (TLS) ought to be used
> when this is a consideration.  Is there a reason this isn't covered?  If it's not
> a concern, I'd like to understand why.

[Rachel]: It should be considered. I have replied Ben's mail in which privacy consideration in Section 6 is proposed. Please see following

Section 6.5  Privacy for Peers

The PPSP-TP provides mechanisms in which the peers can send message containing IP addresses, ports and other information to the tracker. A tracker or a third party who is able to intercept such messages can store and process the obtained information in order to analyze peers' behaviors and communication patterns. Such analysis can lead to privacy risks. For example, an unauthorized party may snoops on the data transmission from the peer to a tracker in order to introduce some corrupted chunks. 

The PPSP peer protocol [RFC7574] has already included some mechanisms to protect the streamed content, see section 12.3 and 12.4 of [RFC7574]. For PPSP-TP, peer implementations as well as tracker implementations MUST support the "https" URI scheme [RFC2818] and Transport Layer Security (TLS) [RFC5246]. In addition, a peer should be cognizant about potential tracker tracking through queries of peers, e.g., by using HTTP cookies. The PPSP-TP protocol specified in this document does not rely on HTTP cookies. Thus, peers MAY decide not to return cookies received from the tracker, in order to making some additional tracking more difficult.