IETF Logo Mail Archive

Re: [rtcweb] Mandating encryption of RTP header extensions for MID and RID SDES items

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 17 October 2016 08:46 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE62212947F for <rtcweb@ietfa.amsl.com>; Mon, 17 Oct 2016 01:46:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H41RHXr4BrRA for <rtcweb@ietfa.amsl.com>; Mon, 17 Oct 2016 01:46:46 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F1E612956D for <rtcweb@ietf.org>; Mon, 17 Oct 2016 01:46:46 -0700 (PDT)
X-AuditID: c1b4fb2d-5b107980000009f7-e3-58048ff48156
Received: from ESESSHC012.ericsson.se (Unknown_Domain [153.88.183.54]) by (Symantec Mail Security) with SMTP id 09.D4.02551.4FF84085; Mon, 17 Oct 2016 10:46:45 +0200 (CEST)
Received: from [127.0.0.1] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.56) with Microsoft SMTP Server id 14.3.319.2; Mon, 17 Oct 2016 10:46:37 +0200
To: "Cullen Jennings (fluffy)" <fluffy@cisco.com>
References: <e536bad2-08b1-4f77-8c75-6bc3b639c398@ericsson.com> <998B7677-E967-45B0-8FE5-FD71930C380F@cisco.com> <dca597f3-e23a-3dc6-f0e0-5c588729d7e1@ericsson.com> <3C0E8E83-3623-4D5C-A093-B26981F13477@cisco.com>
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
Message-ID: <9d7c976f-ad3c-4731-1447-c2eaa934d711@ericsson.com>
Date: Mon, 17 Oct 2016 10:46:36 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <3C0E8E83-3623-4D5C-A093-B26981F13477@cisco.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrELMWRmVeSWpSXmKPExsUyM2K7me7XfpYIgz3PWS06JrNZrP3Xzu7A 5DHl90ZWjyVLfjIFMEVx2aSk5mSWpRbp2yVwZTw88p6pYKF2xZIfKxgbGDcpdTFyckgImEh8 3r2PrYuRi0NIYD2jxOMnHewQznJGiabdDUwgVcICCRK/5nxgBLFFBAwlmvbMY4Ious0ocXnH TTaQBLOAosSX5fPBbDYBC4mbPxrBbF4Be4kN92aB2SwCqhJ3bk0FGyoqECNx/dkjqBpBiZMz n7B0MXJwcArYShz+wwpiMgO1PthaBjFdXqJ562xmEFtIQFuioamDdQKjwCwkzbMQOmYh6VjA yLyKUbQ4tbg4N93IWC+1KDO5uDg/Ty8vtWQTIzAkD275rbuDcfVrx0OMAhyMSjy8D5YxRQix JpYVV+YeYpTgYFYS4X1fwxIhxJuSWFmVWpQfX1Sak1p8iFGag0VJnNds5f1wIYH0xJLU7NTU gtQimCwTB6dUA+OSxoyA/AVKJ2Rbv+ztk+wW89D7t1DoipOPptT8rb+++aV+EGhwq+J5/8xX M2XGExH2w6FxjWe23/jVbsFSzHFNNS5g1mPFE6u+Hps61+jtDWft2SK5xvFzRF+sCO65+LBj ZuGMIEfl+N3sTpWbbq+Qr3+qsm21kE9S3Jun7qnnD02v3GT5Ok2JpTgj0VCLuag4EQAkw/eY RQIAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/2I039NxQM58esCbC1L68mHDAc-4>
Cc: RTCWeb IETF <rtcweb@ietf.org>
Subject: Re: [rtcweb] Mandating encryption of RTP header extensions for MID and RID SDES items
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Oct 2016 08:46:50 -0000

Den 2016-10-14 kl. 15:08, skrev Cullen Jennings (fluffy):
>
>> On Oct 14, 2016, at 2:26 AM, Magnus Westerlund
>> <magnus.westerlund@ericsson.com> wrote:
>>
>> Den 2016-10-13 kl. 20:12, skrev Cullen Jennings (fluffy):
>>>
>>> I think this is huge complexity that is not currently supported
>>> and not needed. How about we generate the RID such that the RID
>>> for the n'th m line is n. Or generate it as a random number. Do
>>> you see any problem with this?
>>>
>>> I think this removes all the fingerprinting issues. I'm fine
>>> with advice that say how to generate the RID in a way that is
>>> privacy sensitive but I'm not a fan of making RID require support
>>> for RTP header encryption.
>>>
>>
>> So, let disregard the fingerprinting issue for now. It is clear
>> that I am in the rough and that this whole issue would benefit from
>> a broad review on what we leak when using ICE and RTP/RTCP.
>
> That broad review was largely done as part of PERC.
>

I do not agree that review happened in that context. I can't remember 
that we discussed fingerprinting at all. We quickly put any effort of 
privacy in regards to that the communication occurs out of scope. All 
the focus in PERC is to my understanding on maintaining confidentiality 
of the media content as well as preventing third party injection, 
modifications (other than sub selection of content)  and replay attacks.



>>
>> What I don't understand here is that people have argued and agreed
>> that we should encrypt the RTP and RTCP packets per default. Then
>> when we comes to RTP header extensions we are no longer ready to
>> provide that protection per default by ensuring RFC6904
>> implementation support. So RID and MID may not be the most
>> sensitive fields if it has well constructed values. Then we have
>> the audio level extensions where Client to mixer is RECOMMENDED to
>> be implemented and REQUIRES RFC6904.
>
> So the audio levels are recommended in WebRTC but this MID stuff is a
> very generic mechanism that will like be broadly used to deal with
> RTP lack of extensibility of size PT space. Lot of stuff does not
> implement audio levels and some stuff that implements it does not
> encrypt it. The 6904 mechanism is not exactly elegant, not easy to
> implement, and doubles the size the headers which is not great for
> audio. I think it is fair to say we might do it differently if doing
> it over again.
>

I think Jonathan had an excellent reply on this.

>>
>> So what is the issue, is it that you currently lack RFC6904
>> implementations, and thus this require more implementation work, or
>> are there additional reasons for wanting to expose this
>> information?
>
> Yes this adds needless security complexity that people don't see the
> value in thus it becomes difficult to convince implementors to do
> it.
>
>>
>> To conclude, I personally think default usage of RFC6904 on header
>> extensions would be a good thing. I currently see no reasons for
>> changing the requirements that RFC 7941 puts on WebRTC, forcing the
>> usage of RFC6904 encryption. If you want to something else, please
>> provide a proposal for what that alternative would be.
>
> Originally MID was not a SDES items, I'd propose just moving it back
> to a normal RTP Header. In looking at trying to use this in
> deployments, it's hard to see what value transporting it in RTCP as
> well as RTP provided.  When that was originally proposed, I don't
> think anyone realized that mean encrypting it and did not really care
> if it was normal or SDES as it was about the same work. But if SDES
> means it needs to be encrypted, then I think we need to reconsider
> that.
>

So, I think moving away from SDES item is a bad idea. As that would 
create additional implementation burden, rather than having the same 
processing for a number of SDES items of similar type. RID, MID and 
CNAME all need similar processing for initial startup handling. So 
moving RID out, while still having the other two just creates an 
additional cases to implement.

When it comes to RTCP inclusion of these SDES items I know of two reasons.

Reason one, is that one can actually use RTCP to send these for an SSRC 
prior to having RTP data to send for it. That enables one to have the 
association in place prior to actually having to handle media data.

Reason two is the saftey net RTCP provides. It enables a receiver to 
detect if its state is out of sync. Yes, this could be realized using 
periodic repeats in the RTP header extension also. However, that doesn't 
work if the SSRC currently don't have any data to send.

Considering the state that draft-ietf-avtext-rid is in. Deciding to 
change it to not be an SDES item is going be an equal if not greater 
hassle to actually pull it back to the WG to include a beef up of the 
security consdieration with an motivation why the rules in RFC7941 do 
not apply to it. Assuming that is what the consensus ends up being.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email