Re: [Rmt] AD comments on draft-ietf-rmt-pi-alc-revised-06

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 15 May 2009 14:21 UTC

To: Vincent Roca <vincent.roca@inrialpes.fr>
Cc: "draft-ietf-rmt-pi-alc-revised@tools.ietf.org" <draft-ietf-rmt-pi-alc-revised@tools.ietf.org>, "Watson, Mark" <watson@qualcomm.com>, "rmt@ietf.org" <rmt@ietf.org>

Hi Vincent,

See inline.

Vincent Roca wrote:
> Hello Mark, Magnus and others,
> 
> 
> A few comments concerning this I-D and the discussion.
> Regards,
> 
>    Vincent
> 
> 
>>> A question is if we need to specify one mandatory to implement FEC
>>> encoding?
> 
> Current DVB-H specifications have identified a single mandatory
> to support FEC scheme: NULL-FEC. I don't see any reason to make a
> different choice. In any case yes, we should mandate its support.
> 
> 
>>> For security, as with NORM, we have text defining 'Baseline secure ALC
>>> operation'. Do you think we should mandate support for this ?
>> Yes, I think so. But I definitely would like to get WG input into this
>> question.
> 
> I don't really understand what "mandate" means in this context.
> I see several options, which one is appropriate?
> 
> 1- all ALC sessions MUST use the IPsec configuration of section 5.1.1
> 2- for any insecure ALC session, there MUST be a parallel ALC session
>    secured with the IPsec configuration of section 5.1.1, so that a
>    receiver can choose what version he wants
> 3- for any ALC implementation, the host on which this ALC server or
>    client runs MUST be able to use the IPsec configuration of
>    section 5.1.1
> 
> I think option 3- is the right one. However since the ALC and IPsec
> building blocks belong to different layers, it does not impose anything
> on ALC developers (as a developer, I'm happy ;-)). And it does not say
> anything about its actual use...

I mean 3, mandatory to implement.

> 
> Additionally, is such a requirement compatible with current DVB-*
> deployments? I'm not sure, unless we restrict the target and say
> that such a requirement is specific to "Internet" use-cases...

What the IETF puts in its standards track documents is, after all, what we
think is required for secure and functional operation in most network
environments. There will always be cases where one security solution can
be replaced by another for specific deployments.

> 
> More fundamentally, I have two comments:
> 
> First of all, do we agree that packet source authentication/packet
> integrity is the most fundamental security service that is required
> by ALC? It means we don't need to mandate confidentiality (even if
> it's often desired).
> 
> Then, what about the solution consisting in mandating the simplest
> technical solution, even if it does not fulfill all possible use-cases?
> If this is the case, then the "group MAC" scheme proposed in the
> simple-auth-for-alc-norm I-D is a good choice.
> But here also, it's not compatible with current DVB-* deployments
> unless we restrict the target to "Internet" use-cases... It's what
> I'd recommend here today.
> 

I definitely would like to see others' opinions about this.

Cheers

Magnus Westerlund

IETF Transport Area Director & TSVWG Chair
----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------