Re: [rtcweb] Review comments on draft-ietf-rtcweb-data-protocol-03

Michael Tuexen <Michael.Tuexen@lurchi.franken.de> Tue, 13 May 2014 06:55 UTC

Return-Path: <Michael.Tuexen@lurchi.franken.de>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A9351A07EE for <rtcweb@ietfa.amsl.com>; Mon, 12 May 2014 23:55:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.202
X-Spam-Level:
X-Spam-Status: No, score=-2.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RP_MATCHES_RCVD=-0.651, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MTbUVzCSQqZv for <rtcweb@ietfa.amsl.com>; Mon, 12 May 2014 23:55:23 -0700 (PDT)
Received: from mail-n.franken.de (drew.ipv6.franken.de [IPv6:2001:638:a02:a001:20e:cff:fe4a:feaa]) by ietfa.amsl.com (Postfix) with ESMTP id D2C921A0409 for <rtcweb@ietf.org>; Mon, 12 May 2014 23:55:22 -0700 (PDT)
Received: from [192.168.1.200] (p54819945.dip0.t-ipconnect.de [84.129.153.69]) (Authenticated sender: macmic) by mail-n.franken.de (Postfix) with ESMTP id B90EF1C0E9739; Tue, 13 May 2014 08:55:12 +0200 (CEST)
Content-Type: text/plain; charset="iso-8859-1"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Michael Tuexen <Michael.Tuexen@lurchi.franken.de>
In-Reply-To: <534D566B.3040905@ericsson.com>
Date: Tue, 13 May 2014 08:29:21 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <FB076F4A-83D9-4109-9FDC-89A4A2712553@lurchi.franken.de>
References: <530B740E.4090707@ericsson.com> <B163D4A9-AC33-454B-8F93-CC619AFB7A6F@lurchi.franken.de> <53160FBB.4070401@ericsson.com> <1904CA30-1112-44D4-8C6F-F15F1EF1BF9B@lurchi.franken.de> <534D566B.3040905@ericsson.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
X-Mailer: Apple Mail (2.1874)
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/sYIQPFt84pklvKU98upaekmA1PI
Cc: draft-ietf-rtcweb-data-protocol@tools.ietf.org, "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Review comments on draft-ietf-rtcweb-data-protocol-03
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 May 2014 06:55:27 -0000

On 15 Apr 2014, at 17:55, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:

> Hi,
> 
> Please see inline for replies.
> 
> On 2014-04-10 13:50, Michael Tuexen wrote:
>> On 04 Mar 2014, at 17:39, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:
>> 
>>> On 2014-02-25 17:07, Michael Tuexen wrote:
>>>> 
>>>> On Feb 24, 2014, at 5:32 PM, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:
>>>>> 1. Section 4:
>>>>> Shouldn't this section discuss the priority field?
>>>> I added in the list of consistent properties:
>>>> 
>>>> <t>the priority of the data Channel.</t>
>>>> 
>>>> and in the text below that enumeration:
>>>> 
>>>> ??????
>>> 
>>> Yes, text for this needs to be figured out.
>> We don't define at this place what priority is. The only point is that both
>> sides use the same priority.
> 
> Okay, I agree, the Priority is a property of the established Data
> Channel, and the values and implication of these needs to be defined in
> the Data Channel draft and not here.
OK. The only thing we might want to change in this ID is the type of the
Priority field. It is currently a signed integer, we might want to use
an unsigned integer. But that is a different issue, which I'll need to
discuss with Randell.
> 
>>> 
>>>>> 
>>>>> 2. Section 4:
>>>>> 
>>>>> The method
>>>>> used to determine which side uses odd or even is based on the
>>>>> underlying DTLS connection role when used in WebRTC, with the side
>>>>> acting as the DTLS client using even stream identifiers.
>>>>> 
>>>>> Isn't this unnecessary using the vague word of WebRTC instead of simply
>>>>> pointing to the DTLS roles of the established data channel?
>>> 
>>>> The point is that in the WebRTC you use DCEP/SCTP/DTLS/UDP and therefore
>>>> you can refer to the DTLS role. However, you could use DCEP/SCTP/IP
>>>> or DCEP/SCTP/UDP/IP or DCEP/SCTP over something not involving DTLS.
>>>> In that case DTLS is not used and you can not refer to the DTLS role.
>>>> That is why the restriction is used.
>>> 
>>> Ok, if that concern then you still should be able to write a normative
>>> specification under the condition that it is SCTP over DTLS. If not how
>>> do you determine that? Are suggesting just to hand way or point to a
>>> higher signaling layer.
>> So what about using:
>> 
>> when using <xref target='I-D.ietf-tsvwg-sctp-dtls-encaps'/>, the method used to
>> determine which side uses odd or even is based on the underlying DTLS
>> connection role: the side acting as the DTLS client MUST use Streams with even
>> SCTP stream identifiers, the side acting as the DTLS server MUST use Streams
>> with odd SCTP stream identifiers.</t>
> 
> I think that is fine for when using over DTLS. And to my understanding
> this do require DTLS? If not we need alternative text.
Our current use-case is for SCTP/DTLS. But we don't need DTLS except for
its security properties. However, if someone doesn't use DTLS, he has to
figure out how to determine the even/odd. This is covered by:

<t>To avoid glare in opening Channels, each side MUST use Streams with 
either even or odd SCTP stream identifiers when sending a DATA_CHANNEL_OPEN
message.
When using <xref target='I-D.ietf-tsvwg-sctp-dtls-encaps'/>, the method used to
determine which side uses odd or even is based on the underlying DTLS
connection role: the side acting as the DTLS client MUST use Streams with even
SCTP stream identifiers, the side acting as the DTLS server MUST use Streams
with odd SCTP stream identifiers.</t>

However, we can't provide a method in the general case...
> 
> 
>>>>> 
>>>>> 4. Section 5.1:
>>>>> Label: Variable Length (sequence of characters)
>>>>>    The name of the channel.  This may be an empty string.
>>>>> 
>>>>> Protocol: Variable Length (sequence of characters)
>>>>>    The protocol for the channel.  If this is an empty string the
>>>>>    protocol us unspecified.  If it is an non-empty string, it
>>>>>    specifies an IANA-registered protocol (see Section 8.4).
>>>>> 
>>>>> Both of these fields are strings, shouldn't a particular encoding be
>>>>> specified here? Like UTF-8. Secondly, what values are allowed, the full
>>>>> set of Unicode?
>>> 
>>>> You are right. Any need for restrictions? We only need to be able to
>>>> transform it to a DomString.
>>>> So I changed it to:
>>>> 
>>>> <t hangText='Label: Variable Length (sequence of characters)'>
>>>> <vspace blankLines='0'/>
>>>> The name of the channel as a UTF-8 encoded string.
>>>> This may be an empty string.</t>
>>>> 
>>>> <t hangText='Protocol: Variable Length (sequence of characters)'>
>>>> <vspace blankLines='0'/>
>>>> The protocol for the channel as a UTF-8 encoded string.
>>>> If this is an empty string the protocol us unspecified.
>>>> If it is an non-empty string, it specifies an IANA-registered protocol
>>>> (see <xref target='iana_protocol'/>).</t>
>>> 
>>> I guess this is slightly overtaken by event. It have to be aligned with
>>> what the websocket sub-protocol identifier.
>> The text now reads:
>> <t hangText='Protocol: Variable Length (sequence of characters)'>
>> <vspace blankLines='0'/>
>> The sub-protocol for the channel as a UTF-8 encoded string.
>> If this is an empty string the protocol is unspecified.
>> If it is a non-empty string, it specifies an protocol registered in the
>> 'WebSocket Subprotocol Name Registry' created in
>> <xref target='RFC6455'/>.</t>
> 
> Ok.
> 
>>> 
>>>>> 
>>>>> 5. Section 6:
>>>>> All Data Channel Establishment Protocol messages MUST be sent
>>>>> requesting ordered delivery and using reliable transmission.
>>>>> 
>>>>> I wonder of the use of requesting ordered delivery and using reliable
>>>>> transmission, from an SCTP stream perspective, wouldn't using in both
>>>>> places be appropriate? Or is how object which has been requested to be
>>>>> transmitted unordered interact in SCTP with the ordered ones?
>>> 
>>>> I'm sorry, I don't understand what you are asking...
>>> 
>>> Sorry, it really is a language issue. The above sentence first states
>>> "sent 'requesting' ordered" and later "and 'using' reliable".
>>> 
>>> This inconsistency is what I reacted to.
>> I see. Changed to:
>> <t>All Data Channel Establishment Protocol messages MUST be sent using
>> ordered delivery and reliable transmission.
> 
> Ok
> 
>>> 
>>>> 
>>>>> 6. Section 7:
>>>>> 
>>>>> I think this section can be beefed up a bit. First make clear that the
>>>>> Data Channel's required usage of DTLS ensures that the message integrity
>>>>> and possible source authentication as well as confidentiality. Then
>>>>> going over any security risks with a malicous peer using this protocol.
>>>>> Can a malicous side screw up the peer using this protocol? What are the
>>>>> implications?
>>> 
>>>> Just to double check: Aren't the referenced documents the ones which
>>>> discuss all security stuff in one place?
>>> 
>>> The security document do discuss system level important aspects. But,
>>> from my perspective, details that are very specific to this protocol
>>> should be discussed in this document.
>>> 
>>> I think this is highly relevant in this document as there are others
>>> that are interested in using it.
>> OK. Any concrete suggestions what should be covered?
> 
> I can at least think of potentially relevant issues:
> 
> - Exhaustion attacks by opening all 64k Data channels
You setup 64k streams anyway and it wasn't a problem...
> - Attempting to overflow buffers by including 64k of Strings in Label
> and Protocol fields in the OPEN message.
OK.
> - Attempt to get undocumented behaviour by sending Reliability
> Parameters that aren't defined. Or use out of range Priorities or
> message types.
This is also covered explicitly in the Procedures section by

<t>If a DATA_CHANNEL_OPEN message is received on an already used SCTP stream or
there are any problems with parameters within the DATA_CHANNEL_OPEN message or
the DATA_CHANNEL_OPEN message itself is not well-formed,
the receiver MUST close the corresponding channel using the procedure described
in <xref target='I-D.ietf-rtcweb-data-channel'/> and MUST NOT send a
DATA_CHANNEL_ACK message in response to the received message.
> 
> But that I guess is most of the things I can think of to attempt to
> break the protocol.
I agree.
> 
> Then it is the question of requiring DTLS to ensure it is safe from
> Privacy, Confidentiality, Integrity and possibly source authentication
> concerns.
Sure.

So what about the following Security Considerations section:
<t>The DATA_CHANNEL_OPEN messages contains two variable length fields:
the protocol and the label. A receiver must be prepared to receive
DATA_CHANNEL_OPEN messages where these field have the maximum length of
65535 bytes. Error cases like the use of inconsistent lengths fields,
unknown parameter values or violation the odd/even rule must also be handled
by closing the corresponding channel. An end-point must also be prepared
that the peer open the maximum number of data channels.</t>
<t>When using DCEP over SCTP encapsulated in DTLS as specified in
<xref target='I-D.ietf-tsvwg-sctp-dtls-encaps'/>, security properties
like privacy, integrity, and source authentication can be provided by DTLS.
If DCEP is used without running over DTLS, this is not the case.</t>
<t>For general considerations see <xref target='I-D.ietf-rtcweb-security'/> and
<xref target='I-D.ietf-rtcweb-security-arch'/>.</t>

Does this address your issues?

Best regards
Michael
> 
> 
>>>>> 
>>>>> 11. This comments concerns the relation to the Data Channel
>>>>> specification. So my interpretation is that the WebRTC Data channel
>>>>> draft has become both the base for this specification as well as the one
>>>>> that specifies that the DCEP shall be implemented and supported. For
>>>>> WebRTC I don't think this matters much, but if someone likes to re-use
>>>>> the basic Data Channel specification, this structure makes it more
>>>>> difficult and have no need for the bi-directional negotiated parameter
>>>>> settings that the DCEP provides. In that case one have to sub-set the
>>> 
>>>> I think the data channel draft discusses the data channels independent
>>>> how they are opened. This covers data parameters, user data transmission
>>>> and closing of data channels. The data channel protocol draft discusses
>>>> an in-band protocol for setting up data channels.
>>> 
>>> I think this was discussed today. And make it clear that DCEP
>>> requirement shouldn't be from the Data Channel spec.
>>> 
>>>>> data channel specification. I wonder if it would be better to move some
>>>>> normative statements around, so that the chain of implementation
>>>>> requirement goes draft-ietf-rtcweb-transports ->
>>>>> draft-ietf-rtcweb-data-protocol -> draft-ietf-rtcweb-data-channel thus
>>>>> providing a cleaner and more modular build up of the protocols.
>>>> I think you can implement draft-ietf-rtcweb-data-channel without
>>>> draft-ietf-rtcweb-data-protocol, but not vice versa.
>>>> 
>>>> So you don't like the statement:
>>>> 
>>>>  A simple protocol for internal negotiation is specified in
>>>>  [I-D.ietf-rtcweb-data-protocol] and MUST be supported.
>>>> 
>>>> from draft-ietf-rtcweb-data-channel. What would you suggest?
>>> 
>>> I think the high level requirement on DCEP might be in -rtcweb-transports.
>> It now reads:
>> A simple protocol for in-band negotiation is specified in [I-D.ietf-rtcweb-data-protocol].
> 
> 
> Ok
> 
> 
> Cheers
> 
> 
> Magnus Westerlund
> 
> ----------------------------------------------------------------------
> Services, Media and Network features, Ericsson Research EAB/TXM
> ----------------------------------------------------------------------
> Ericsson AB                 | Phone  +46 10 7148287
> Färögatan 6                 | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------
> 
>