Re: [secdir] SECDIR Review of draft-ietf-avt-rtp-svc-23 -- here: active content
Stephan Wenger <stewe@stewe.org> Tue, 02 November 2010 14:12 UTC
Return-Path: <stewe@stewe.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 00A833A687F; Tue, 2 Nov 2010 07:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[AWL=-0.699, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3S3DVh4RBT3c; Tue, 2 Nov 2010 07:12:49 -0700 (PDT)
Received: from stewe.org (stewe.org [85.214.122.234]) by core3.amsl.com (Postfix) with ESMTP id 4F7723A69A8; Tue, 2 Nov 2010 07:12:45 -0700 (PDT)
Received: from [172.16.7.203] (unverified [160.79.219.114]) by stewe.org (SurgeMail 3.9e) with ESMTP id 11731-1743317 for multiple; Tue, 02 Nov 2010 15:11:38 +0100
User-Agent: Microsoft-MacOutlook/14.0.0.100825
Date: Tue, 02 Nov 2010 10:07:11 -0400
From: Stephan Wenger <stewe@stewe.org>
To: Gonzalo Camarillo <Gonzalo.Camarillo@ericsson.com>, julienl@qualcomm.com, draft-ietf-avt-rtp-svc@tools.ietf.org, secdir@ietf.org, iesg@ietf.org
Message-ID: <C8F5934F.23FAB%stewe@stewe.org>
Thread-Topic: SECDIR Review of draft-ietf-avt-rtp-svc-23 -- here: active content
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3371537497_25055"
X-Originating-IP: 160.79.219.114
X-Authenticated-User: stewe@stewe.org
X-Mailman-Approved-At: Thu, 04 Nov 2010 10:23:15 -0700
Cc: Ye-Kui Wang <yekuiwang@huawei.com>, Alex Eleftheriadis <alex@vidyo.com>, Thomas Schierl <schierl@hhi.fhg.de>, avt-chairs@tools.ietf.org, "rjsparks@nostrum.com" <rjsparks@nostrum.com>
Subject: Re: [secdir] SECDIR Review of draft-ietf-avt-rtp-svc-23 -- here: active content
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Nov 2010 14:12:50 -0000
Hi all, This is the companion email related to the one point of Julien's secdir review where we are a bit reluctant to make a non-editorial change. >> Decoders MUST exercise caution with respect to the handling of >> reserved NAL unit types and reserved SEI messages, particularly if >> they contain active elements, and MUST restrict their domain of >> applicability to the presentation containing the stream. The safest >> way is to simply discard these NAL units and SEI messages. > > Maybe this is due to my ignorance about coding but I find this > underspecified, notably given the presence of the MUST key word. How > about spelling exactly what a decoder MUST do, as opposed to say > "exercise caution". E.g., "Decoders MUST discard NAL units and SEI > messages.", and then explain why, or point to > [I-D.ietf-avt-rtp-rfc3984bis] if there's a good explanation there. The language of this paragraph has been taken from RFC3984, section 9, fourth paragraph, and has been adapted to changes in H.264 video standard terminology. Back in 2004, this paragraph (as the rest of RFC 3984's security consideration section) has been subject to lengthily deliberations in AVT. What we arrived at was considered both sufficiently flexible for implementers and sufficiently cautious to keep security risks at bay. A compromise, that was deemed sensible by everyone involved. We would like to keep the spirit of this compromise. The technical issue is as follows: as most video compression standards, SVC allows to include data into its bitstream that is not intuitively video related. For example, there is a copyright message SEI--which almost certainly has no negative security implications. However, there is also an URI SEI message. If a stupidly designed system would use the URI in the bitstream without being cautious--ie copying the URI into a web browser just to see what happens--then all kinds of evil things could happen. Further, there are open codepoints both in the SEI message format and in the NAL unit tables that can and, historically, have be used for vendor specific extensions. Vender specific extensions may include stuff such as Java code. This is what is meant with "active". The purpose of the paragraph is to advise implementers not to blindly use any URI they find in the SEI messages, or the vendor specific extensions, to the non-video decoding part of the system. On the other hand, both the SEI messages and the extension mechanisms are there for a reason. Simply requiring discarding information conveyed in these fields (that may, and in most cases will, have been put there by an encoder for a reason beyond malicious intent) may well degenerate the performance of a system to a point where it becomes useless. Simply requiring discarding these bits is not a good choice for the RFC, because such a requirement would not be sensible to many implementations and, therefore, would be ignored. We could add explanatory language to the above extent to the draft, and if you were insisting, we would do so. However, please bear in mind that the situation described above is, we believe, well enough understood in the codec implementer community, and that the draft will be implemented by a codec guy, and not a protocol guy, because of the close interaction between codec technology and the payload format. Further, codec guys are used to work with the type of dense documents like this draft, that include very little explanation or justification. Therefore, we suggest that adding more information will simply bloat the draft, without adding any critical information, and suggest to leave that part of the draft as is. Please let us know you wish us to proceed. Thanks, Stephan
- Re: [secdir] SECDIR Review of draft-ietf-avt-rtp-… Stephan Wenger