Re: [secdir] Secdir review of draft-ietf-mmusic-rfc2326bis-34

"Chris Lonvick (clonvick)" <clonvick@cisco.com> Sun, 09 June 2013 22:52 UTC

Return-Path: <clonvick@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F286421F880F; Sun, 9 Jun 2013 15:52:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BgiRHtlcQM+C; Sun, 9 Jun 2013 15:52:52 -0700 (PDT)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id 311EF21F84F9; Sun, 9 Jun 2013 15:52:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4844; q=dns/txt; s=iport; t=1370818372; x=1372027972; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=SlXP3CW68v/BPQGUk3lsFd8gghwYicZbJWaAsSRczLU=; b=G2wgNbBOsvnXDSM1K5pTfIbSLjrUWuBE1B0lCGqTNpzULg30YtMqUIAr 39/jiz07rVBNFKxNbnrxy7/plgK6DxKR+Ey7cKMVMTHeVKCVNjLfFV9Ra DU+qDREzdszmSiurDzCjFULFzhl2Rd4zcvDty5wKhIKVeM3hNdsrqNH1m w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgMFAHYGtVGtJV2b/2dsb2JhbABZgwl5vj56FnSCIwEBAQMBDG0FCQICAQgRBAEBAQodBxsXFAkIAQEEDgUIh38GuGkEjwMxB4J/YQOIaKAagw+CJw
X-IronPort-AV: E=Sophos;i="4.87,833,1363132800"; d="scan'208";a="220727064"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by rcdn-iport-4.cisco.com with ESMTP; 09 Jun 2013 22:52:51 +0000
Received: from xhc-aln-x02.cisco.com (xhc-aln-x02.cisco.com [173.36.12.76]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id r59Mqpje015985 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 9 Jun 2013 22:52:51 GMT
Received: from xmb-rcd-x06.cisco.com ([169.254.6.154]) by xhc-aln-x02.cisco.com ([173.36.12.76]) with mapi id 14.02.0318.004; Sun, 9 Jun 2013 17:52:51 -0500
From: "Chris Lonvick (clonvick)" <clonvick@cisco.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Thread-Topic: Secdir review of draft-ietf-mmusic-rfc2326bis-34
Thread-Index: Ac5i1CClI30rLRrtSr6OoqunYaYT0wAnKAAAAAiga1MAc+ZEFg==
Date: Sun, 9 Jun 2013 22:52:51 +0000
Message-ID: <9BB92CB59918E1418A06FD4E3269FABE116A6711@xmb-rcd-x06.cisco.com>
References: <9BB92CB59918E1418A06FD4E3269FABE116A4737@xmb-rcd-x06.cisco.com>, <51B17B3C.3090509@ericsson.com>, <FF194AD4-68FE-429C-B90F-5547702DF411@cisco.com>
In-Reply-To: <FF194AD4-68FE-429C-B90F-5547702DF411@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.21.88.189]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-mmusic-rfc2326bis@tools.ietf.org" <draft-ietf-mmusic-rfc2326bis@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-mmusic-rfc2326bis-34
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Jun 2013 22:52:58 -0000

Hi All,

I looked over those sections on my long-ish flight and have written up some notes while I'm waiting for my very much delayed final leg back home.

Without a thorough reading of the entire document, I'll say that I understand the intentions of Appendix C.1.4, and Section 19, but havn't fully wrapped my head around it.  I'll also say that I'm not well versed in MIKEY.  Since it stood out, I also looked at Appendix G.  Nothing stood out as being insecure and I'll say again that most of the documentation is very well done.

Below are some nits:

Appendix G

Current:
   This section provides anyone intending to define how to transport of
   RTSP messages over a unreliable transport protocol with some
   information learned by the attempt in RFC 2326 [RFC2326].  RFC 2326
   defined both an URI scheme and some basic functionality for transport
   of RTSP messages over UDP, however, it was not sufficient for
   reliable usage and successful interoperability.

   The RTSP scheme defined for unreliable transport of RTSP messages was
   "rtspu".  It has been reserved by this specification as at least one
   commercial implementation exists, thus avoiding any collisions in the
   name space.
   
   The following considerations should exist for operation of RTSP over
   an unreliable transport protocol:
   
Proposed:
   This appendix provides guidance for those who want to implement RTSP messages over unreliable transports as has been defined in RFC 2326 [RFC2326].  RFC 2326 defined the "rtspu" scheme and provided some basic information for the transport of RTSP messages over UDP.  The information is being provided here as there has been at at least one commercial implementation and compatibility with that should be maintained.
   
   The following points should be considered for an interoperable implementation:
   
   
   
CML> Throughout the document, I found an assortment of "an URI" and "a URI".  Please pick one and be consistent.  :-)

CML> Do you want to say something about using rtspu is NOT RECOMMENDED in the Security Considerations section?


Best regards,
Chris
________________________________________
From: Chris Lonvick (clonvick)
Sent: Friday, June 07, 2013 10:25 AM
To: Magnus Westerlund
Cc: iesg@ietf.org; secdir@ietf.org; draft-ietf-mmusic-rfc2326bis@tools.ietf.org
Subject: Re: Secdir review of draft-ietf-mmusic-rfc2326bis-34

Hi Magnus,

Unfortunately I did not review those sections. My travel with the day job lately has prevented me from doing that. I did want to get a review in before the deadline and what I did was all that I could accomplish right now.

I do have a long-ish flight coming up in a few days. If it would help, I could review those sections and have my notes out by next Wednesday or Thursday. Let me know.

Best regards,
Chris

Sent from my phone.

On Jun 7, 2013, at 8:17 AM, "Magnus Westerlund" <magnus.westerlund@ericsson.com> wrote:

> Hi Chris,
>
> Did you review Section 19 - Security Framework and section C.1.4 which
> are the two major sections which defines usage of security mechanisms?
>
> Thanks,
>
> Magnus
>
> On 2013-06-06 18:37, Chris Lonvick (clonvick) wrote:
>> Hi,
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written primarily for the benefit of the
>> security area directors.  Document editors and WG chairs should treat
>> these comments just like any other last call comments.
>>
>> This is a lengthy document and I did not have time to fully review
>> it.  I did review the Security Considerations section and found it to
>> be well written and thorough.  I found no problems there and consider
>> that it appropriately covers the concepts in the document.
>>
>> Thanks, Chris
>
>
> --
>
> Magnus Westerlund
>
> ----------------------------------------------------------------------
> Multimedia Technologies, Ericsson Research EAB/TVM
> ----------------------------------------------------------------------
> Ericsson AB                | Phone  +46 10 7148287
> Färögatan 6                | Mobile +46 73 0949079
> SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------
>