Re: [secdir] secdir review of draft-stone-mgcp-vbd-07

Sandeep Sharma <S.Sharma@CableLabs.com> Sun, 27 June 2010 21:16 UTC

From: Sandeep Sharma <S.Sharma@CableLabs.com>
To: "'Carl Wallace'" <CWallace@cygnacom.com>, "secdir@ietf.org" <secdir@ietf.org>
Date: Sun, 27 Jun 2010 15:16:48 -0600
Thread-Topic: secdir review of draft-stone-mgcp-vbd-07
Thread-Index: AcsS5SiAzRrqHLOYRH+RyifUiUWN1gDVoMPQ
Message-ID: <76AC5FEF83F1E64491446437EA81A61F7CF4A7B323@srvxchg>
References: <FAD1CF17F2A45B43ADE04E140BA83D4801008455@scygexch1.cygnacom.com>
In-Reply-To: <FAD1CF17F2A45B43ADE04E140BA83D4801008455@scygexch1.cygnacom.com>
Cc: "'Flemming Andreasen \(fandreas\)'" <fandreas@cisco.com>, "rkumar@cisco.com" <rkumar@cisco.com>, "joestone@cisco.com" <joestone@cisco.com>, "iesg@ietf.org" <iesg@ietf.org>, Sumanth Channabasappa <sumanth@CableLabs.com>
Subject: Re: [secdir] secdir review of draft-stone-mgcp-vbd-07
List-Id: Security Area Directorate <secdir.ietf.org>

Carl,

Thanks for the review comments. I consulted with the co-authors and Flemming and our responses are indicated below.


-----Original Message-----
From: Carl Wallace [mailto:CWallace@cygnacom.com]
Sent: Wednesday, June 23, 2010 9:03 AM
To: secdir@ietf.org
Cc: iesg@ietf.org; rkumar@cisco.com; joestone@cisco.com; Sandeep Sharma
Subject: secdir review of draft-stone-mgcp-vbd-07

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.


This document defines new MGCP packages. This document is pretty far outside my sandbox, but I did have a couple of questions and comments.


- Why is this an Informational document instead of Standards track? It seems to be defining new packages that are not already defined elsewhere.


SJS> MGCP (RFC 3435) and other MGCP packages are Informational RFCs, so it seems consistent to have this one be Informational as well.


- I struggled with the presentation a bit and found myself reading references to understand some of the shorthand in this document. For example, in section 3.1 the column headers are not described in this draft.


SJS> This is a standard MGCP package format as defined in RFC 3435 (Section 6, and in this case Section 6.6 in particular).


- The security considerations section is brief and primarily references RFC 3435, which essentially has two security considerations: use IPSec and use SDP encryption keys. The latter is not recommended in the current SDP draft. This section should directly state the security considerations it wants to assert.


SJS> We agree with your comments about SDP encryption keys (RFC 3435 Section 5.1). We will call out IPsec specifically and then add a few paragraphs about ways to more adequately protect RTP media streams these days (SRTP, which should probably have at least a "SHOULD" recommendation here), as well as some of the specific issues that may arise if an attacker is able to modify/inject VBD data in the RTP media stream. We would also greatly appreciate it if you could provide additional guidance/considerations (if any) that you believe should be addressed.
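The two media-protection points raised above (clear-text SDP encryption keys, and plain RTP instead of SRTP) are easy to check mechanically in the SDP that an MGCP call agent or gateway emits. The script below is an added example and is not part of the draft, the thread, or any MGCP implementation: it lints an SDP body for session- or media-level "k=" lines (RFC 4566 section 5.12) and for audio streams offered on RTP/AVP rather than RTP/SAVP (SRTP, RFC 3711) with a=crypto keying (RFC 4568) or a DTLS-SRTP fingerprint. Both SDP bodies are constructed; the a=crypto key is a sample value in the base64 form RFC 4568 uses, not a real key, and the function names and finding texts are this example's own.

```python
"""Added example: lint SDP for the weaknesses named in the secdir review.
Not code from draft-stone-mgcp-vbd or RFC 3435; all sample SDP is constructed."""

import re
from typing import List, Tuple

# Constructed: the RFC 3435 section 5.1 style, a clear-text key in "k=" and a
# plain RTP/AVP audio stream. Both are what the review says not to recommend.
LEGACY_SDP = """v=0
o=- 25678 753849 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
k=clear:this-key-is-visible-to-anyone-on-path
m=audio 3456 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
"""

# Constructed: the same session offered on SRTP with SDES keying. The inline key
# is still visible in signaling, so the MGCP/SDP exchange itself must be
# protected (IPsec, as RFC 3435 already recommends).
SRTP_SDP = """v=0
o=- 25678 753849 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 3456 RTP/SAVP 0 8
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR
"""

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
PLAIN_PROFILES = {"RTP/AVP", "RTP/AVPF"}


def split_sections(sdp: str) -> Tuple[List[str], List[List[str]]]:
    """Return (session-level lines, [lines of each m= section, m= line first])."""
    session: List[str] = []
    media: List[List[str]] = []
    current = session
    for raw in sdp.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("m="):
            media.append([line])
            current = media[-1]
        else:
            current.append(line)
    return session, media


def check_sdp(sdp: str) -> List[str]:
    """Return one finding string per weakness; an empty list means nothing flagged."""
    findings: List[str] = []
    session, media_sections = split_sections(sdp)
    if any(l.startswith("k=") for l in session):
        findings.append("session: clear-text k= key (RFC 4566 5.12); use SRTP keying instead")
    for lines in media_sections:
        m = re.match(r"m=(\S+)\s+(\d+)(?:/\d+)?\s+(\S+)", lines[0])
        if not m:
            findings.append(f"unparseable media line: {lines[0]}")
            continue
        mtype, port, proto = m.group(1), int(m.group(2)), m.group(3)
        label = f"{mtype}/{port}"
        if port == 0:
            continue  # rejected or disabled stream: nothing to protect
        if any(l.startswith("k=") for l in lines[1:]):
            findings.append(f"{label}: clear-text k= key (RFC 4566 5.12); use SRTP keying instead")
        if proto in PLAIN_PROFILES:
            findings.append(f"{label}: unprotected {proto}; offer RTP/SAVP (SRTP, RFC 3711)")
        elif proto in SRTP_PROFILES:
            # SDES a=crypto is media-level; a DTLS-SRTP a=fingerprint may be session-level.
            keyed = any(l.startswith(("a=crypto:", "a=fingerprint:")) for l in lines[1:] + session)
            if not keyed:
                findings.append(f"{label}: {proto} offered without a=crypto (RFC 4568) or a=fingerprint keying")
        else:
            findings.append(f"{label}: unrecognised transport {proto}; review manually")
    return findings


if __name__ == "__main__":
    for name, body in (("legacy", LEGACY_SDP), ("srtp", SRTP_SDP)):
        print(name, check_sdp(body) or ["no findings"])
```

Run against the legacy body the checker reports both the session-level k= key and the RTP/AVP stream; the SRTP body produces no findings. A VBD stream (fax or modem relayed over RTP) is just another m=audio section to this checker, so the same two conditions cover the injection and modification concerns discussed above.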