Re: [Rmt] AD evaluation comments on draft-ietf-rmt-flute-revised-06

Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 08 December 2009 09:55 UTC

Message-ID: <4B1E226D.3090504@ericsson.com>
Date: Tue, 08 Dec 2009 10:54:53 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: Vincent Roca <vincent.roca@inrialpes.fr>
References: <49E8A18F.9050803@ericsson.com> <E31FA1496F99A2428EB3FF2129F1C67749D0BE9604@NOK-EUMSG-04.mgdnok.nokia.com> <4A9D2E46.5040303@ericsson.com> <4B18EE3B.5060900@inrialpes.fr>
In-Reply-To: <4B18EE3B.5060900@inrialpes.fr>
Cc: toni.paila@nokia.com, "rmt@ietf.org" <rmt@ietf.org>
Subject: Re: [Rmt] AD evaluation comments on draft-ietf-rmt-flute-revised-06

Vincent Roca skrev:
> Magnus,
> 
> I've started going through your comments. I haven't finished yet, but
> I'd like to see opinions about the following two topics:
> 
> 
>>>>>> 2. I have basically the same comment on this document as on
>>>>>> ALC PI about mandatory to implement security solutions.
>>>>>>
>>>> [Toni] Unfortunately I have not followed the review on ALC that closely. Could you please state the needed change you want to see in the FLUTE RFC?
>> Okay, the general issue comes from BCP 61 (RFC 3365) and I think the
>> sentence from the end of section 6 is the most relevant:
>>
>>    The solution is that we MUST implement strong security in all
>>    protocols to provide for the all too frequent day when the protocol
>>    comes into widespread use in the global Internet.
>>
>> To achieve this and have interoperability also in the strong security
>> mechanism the ground rule is to mandate implementation of at least one
>> mechanism, cipher suite, etc to achieve that interoperability.
>>
>> The current security consideration section does a great job of
>> discussing the threats and possible solution. But it doesn't mandate
>> which solutions MUST be implemented.
>>
>> So the question to you and the WG is: can we do this for FLUTE? I know
>> this is not straightforward, and certain deployments have different needs
>> and uses of security.
> 
> [VR] Since FLUTE relies on ALC/LCT, and since ALC has a "MANDATORY to
> implement" requirement for IPsec (just like NORM), I think the natural
> answer is "do what ALC mandates".
> I'll keep the security risk analysis almost as is and will add a new
> section to clarify this.
> 
> However it should be noted that ALC (NORM as well) restricts the use of
> IPsec to the case of SSM. There is no mandatory to implement solution
> for the case of ASM. Since ALC only considers the case of a single sender,
> there's a good match with SSM. So I suggest leaving it like that (and it
> didn't prevent NORM from being published as an RFC).

Yes, I think that is a good suggestion.

> 
> 
>>>>>> 6. Section 3.4.1:
>>>>>>   Mandatory receiver behavior for handling FDT Instance
>>>>>>   ID wraparound and other special situations (for example, missing FDT
>>>>>>   Instance IDs resulting in larger increments than one) is outside the
>>>>>>   scope of this specification and left to individual
>>>>>> implementations of
>>>>>>   FLUTE.
>>>>>>
>>>>>> Why isn't this specified? It seems to be important for interoperable usage.
>>>>>> Seems to be a fine thing to gloss over in an experimental, but
>>>>>> not in a proposed standard.
>>>>>>
>>>> [Toni] The text states that what actions the special situation causes in
>>>> the receiver is up to the receiver. In the same way, your web browser will
>>>> typically show a different error message than mine when trying to access
>>>> http://ww.w3.org. I see one valid implementation trying to recover from
>>>> the situation by staying longer in the session and trying to deduce what
>>>> happened. Meanwhile I see another implementation possibly using
>>>> out-of-band methods (if available) for the same. In other words, error
>>>> recovery or concealment or similar is not in the scope of the spec.
>> Hmm, I will let it slide. Let's see if anyone else in the IESG bites on this;
>> clearly not impossible, as from my perspective it looks like a place where
>> error conditions could be avoided by specifying the correct behavior.
> 
> [VR] I agree with Toni W.R.T. the problem of FDT Instance ID wraparound
> when the two FDT Instances are non-expired. It's clearly an erroneous
> situation and how to address it is out of scope.
> 
> There's just an (easy to fix) issue in sections 3.1 and 3.3 that say:
>      "Each File Delivery Table Instance is uniquely
>       identified by an FDT Instance ID."
> which contradicts the possibility of wraparound. I think that saying:
>      "Each non-expired..."
> solves it.
> 
> 
> Now I don't agree with Toni W.R.T. the case of missing FDT Instance ID
> (or IDs). IMHO this is not a special situation but a *common situation*.
> That's typically what terminals with intermittent connections experience.
> I suggest to make the support of this situation MANDATORY.
> 
> There are implications here, since FDT Instance management is rather
> flexible, see Section 3.2:
>   "Any FDT Instance can be equal to, a subset of, a
>    superset of, or complement any other FDT Instance.  A certain FDT
>    Instance may be repeated several times during a session, even after
>    subsequent FDT Instances (with higher FDT Instance ID numbers) have
>    been transmitted."
> So if FDT Instances complement one another, there could be problems.
> More precisely, imagine FDT Instance 1 describes objects A and B. Then
> object C is added. If the sender chooses to describe only object C in
> FDT Instance 2 (i.e. FDT Instances 1 and 2 complement each other) and
> not to transmit FDT Instance 1 any more (it's authorized), a receiver that
> missed FDT Instance 1 will not be able to process objects A and B, even
> if he received enough encoding symbols for them.
> Admittedly, it does not break the receiver, so it's safe, but it remains
> largely sub-optimal.
> 
> So, IMHO, we should also clarify that a FLUTE sender SHOULD NOT assume
> receivers will receive all FDT Instances, i.e. it is RECOMMENDED that
> FDT Instances be managed in such a way as to make the FLUTE session robust
> against FDT Instance losses. One possibility is to use only
> self-sufficient FDT Instances; another one is to repeat all FDT Instances
> that complement each other at a given moment.
> 
> Having said that, I don't know if such a recommendation is in line with
> current FLUTE deployment guidelines (e.g. in DVB-IPDC)? Any comment or
> additional piece of information here?

Vincent, I think your recommendations are good. However, I am also
lacking information about this. Still, I don't see that a
recommendation will create any serious issue for our users. They can
either accept it or explain why their usage should ignore the
recommendation.

Cheers

Magnus Westerlund

IETF Transport Area Director
----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
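The FDT Instance scenario Vincent describes above (a receiver that misses one FDT Instance and ends up holding complete encoding symbols for objects no live FDT Instance describes) is easy to model. The following Python is an added illustration written for this archive page; it is not code from the draft, from Vincent, or from any FLUTE implementation. It assumes a trimmed-down FDT Instance (only the 20-bit FDT Instance ID, an expiry and a TOI-to-Content-Location map), and it adopts serial-number arithmetic modulo 2^20 to decide which IDs were skipped across a wraparound. That gap-tracking policy is this example's own choice: the draft explicitly leaves wraparound and missing-ID handling to implementations. Names such as `Receiver`, `lossy_session` and the example.invalid URLs are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# EXT_FDT carries a 20-bit FDT Instance ID, so IDs wrap modulo 2**20.
FDT_INSTANCE_ID_BITS = 20
FDT_INSTANCE_ID_MOD = 1 << FDT_INSTANCE_ID_BITS
HALF_RANGE = FDT_INSTANCE_ID_MOD // 2


@dataclass(frozen=True)
class FdtInstance:
    """One FDT Instance as seen by the receiver (hypothetical, trimmed down)."""
    instance_id: int              # 20-bit FDT Instance ID
    expires: int                  # expiry on a plain integer clock (simplification)
    files: Dict[int, str]         # TOI -> Content-Location


def fdt_id_distance(new_id: int, ref_id: int) -> int:
    """Forward distance from ref_id to new_id, modulo 2**20."""
    return (new_id - ref_id) % FDT_INSTANCE_ID_MOD


def is_newer(a: int, b: int) -> bool:
    """Serial-number comparison: a is 'newer' than b if it lies less than half
    the ID space ahead of b. This is an assumption of the example; the draft
    leaves wraparound handling to implementations."""
    return 0 < fdt_id_distance(a, b) < HALF_RANGE


@dataclass
class Receiver:
    clock: int = 0
    instances: Dict[int, FdtInstance] = field(default_factory=dict)
    highest_id: Optional[int] = None
    missing_ids: Set[int] = field(default_factory=set)
    complete_tois: Set[int] = field(default_factory=set)

    def on_fdt_instance(self, inst: FdtInstance) -> None:
        """Store the instance and record any FDT Instance IDs skipped on the way."""
        if self.highest_id is None:
            self.highest_id = inst.instance_id
        elif is_newer(inst.instance_id, self.highest_id):
            gap = fdt_id_distance(inst.instance_id, self.highest_id)
            for k in range(1, gap):      # IDs strictly between the two were missed
                self.missing_ids.add((self.highest_id + k) % FDT_INSTANCE_ID_MOD)
            self.highest_id = inst.instance_id
        # a repeat (gap 0) or an older, out-of-order instance does not move highest_id
        self.missing_ids.discard(inst.instance_id)
        self.instances[inst.instance_id] = inst

    def on_object_complete(self, toi: int) -> None:
        """All encoding symbols of this TOI have been received."""
        self.complete_tois.add(toi)

    def drop_expired(self) -> None:
        self.instances = {i: x for i, x in self.instances.items() if x.expires > self.clock}

    def content_location(self, toi: int) -> Optional[str]:
        """Description from the newest non-expired instance naming the TOI, or None."""
        self.drop_expired()
        best: Optional[FdtInstance] = None
        for inst in self.instances.values():
            if toi in inst.files and (best is None or is_newer(inst.instance_id, best.instance_id)):
                best = inst
        return None if best is None else best.files[toi]

    def processable(self) -> Dict[int, Optional[str]]:
        """For every fully received object: its Content-Location, or None when no
        live FDT Instance describes it (the 'stuck' case from the thread)."""
        return {toi: self.content_location(toi) for toi in sorted(self.complete_tois)}


def lossy_session(complementary: bool) -> Dict[int, Optional[str]]:
    """Constructed session: Instance 1 describes A; then B is added, then C.
    complementary=True  -> each new instance describes only the new object and
                           earlier instances are not repeated.
    complementary=False -> each new instance is self-sufficient.
    The receiver misses Instance 2 (intermittent connectivity) but receives
    every encoding symbol of TOIs 1, 2 and 3."""
    a, b, c = "http://example.invalid/A", "http://example.invalid/B", "http://example.invalid/C"
    if complementary:
        sent = [FdtInstance(1, 100, {1: a}), FdtInstance(2, 100, {2: b}), FdtInstance(3, 100, {3: c})]
    else:
        sent = [FdtInstance(1, 100, {1: a}), FdtInstance(2, 100, {1: a, 2: b}),
                FdtInstance(3, 100, {1: a, 2: b, 3: c})]
    rx = Receiver()
    for inst in sent:
        if inst.instance_id != 2:        # Instance 2 is lost on the wire
            rx.on_fdt_instance(inst)
    for toi in (1, 2, 3):
        rx.on_object_complete(toi)
    return rx.processable()


def wraparound_gap() -> Set[int]:
    """Instances 0xFFFFE and then 1 arrive: IDs 0xFFFFF and 0 were skipped."""
    rx = Receiver()
    rx.on_fdt_instance(FdtInstance(0xFFFFE, 100, {}))
    rx.on_fdt_instance(FdtInstance(1, 100, {}))
    return set(rx.missing_ids)


if __name__ == "__main__":
    print("complementary:   ", lossy_session(True))
    print("self-sufficient: ", lossy_session(False))
    print("missed after wrap:", sorted(wraparound_gap()))
```

With complementary instances the receiver reports TOI 2 as undescribed even though all of its symbols arrived, which is exactly the sub-optimal but non-fatal outcome described in the thread; with self-sufficient instances every object is processable. The `missing_ids` set is what an implementation would act on (stay in the session longer, or fetch the FDT out of band), and the wraparound case shows why "uniquely identified" can only hold among non-expired instances.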