Re: [secdir] Secdir last call review of draft-ietf-rmcat-video-traffic-model-06

Colin Perkins <> Thu, 24 January 2019 19:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9D74F1277BB; Thu, 24 Jan 2019 11:39:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6ipCnsSkUvYo; Thu, 24 Jan 2019 11:39:56 -0800 (PST)
Received: from ( [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 838C1130F06; Thu, 24 Jan 2019 11:39:56 -0800 (PST)
Received: from [] (port=33107 helo=[]) by with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from <>) id 1gmkqs-0002Qw-KT; Thu, 24 Jan 2019 19:39:55 +0000
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Colin Perkins <>
In-Reply-To: <>
Date: Thu, 24 Jan 2019 19:39:45 +0000
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <>
To: Yoav Nir <>
X-Mailer: Apple Mail (2.3273)
X-BlackCat-Spam-Score: 4
Archived-At: <>
Subject: Re: [secdir] Secdir last call review of draft-ietf-rmcat-video-traffic-model-06
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Jan 2019 19:39:59 -0000

> On 24 Jan 2019, at 19:23, Yoav Nir <> wrote:
> Reviewer: Yoav Nir
> Review result: Has Nits
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  Document
> editors and WG chairs should treat these comments just like any other last call
> comments.
> To quote from the abstract, the document "describes two reference video traffic
> models for evaluating RTP congestion control algorithms". Indeed it does not
> describe any protocol or algorithm that is going to get deployed on the
> Internet, but rather a model for evaluating congestion control algorithm before
> they are standardized or deployed. As such, I would not expect it to have much
> to say on security, either good or bad.
> It is conceivable that a congestion control algorithm would be exploitable by
> an attacker. For example, some pattern of traffic might trigger such an
> algorithm to block or slow down traffic for a victim. It may be a good idea to
> evaluate whether such algorithms are conducive to such attacks. But speculation
> such as this are not related to the draft. This draft is about evaluating
> congestion control algorithms for their effect on video quality and frame rates.
> So what is my nit with this?  Why does the Security Considerations section
> contains what it does?
>   It is important to evaluate RTP-based congestion control schemes
>   using realistic traffic patterns, so as to ensure stable operations
>   of the network.  Therefore, it is RECOMMENDED that candidate RTP-
>   based congestion control algorithms be tested using the video traffic
>   models presented in this draft before wide deployment over the
>   Internet.
> This is interesting, but I don't think it has much to do with security. IMO it
> would be enough to say that this document introduces models for evaluation and
> doesn't have any security implications.  The existing text should go somewhere
> else.

To my mind, the security implication is that the algorithm be tested to demonstrate that it doesn’t cause denial-of-service when operating with realistic traffic. This could be, as you note above, that it disrupts the video application by forcing the sending rate to zero; but it’s also important to check that it doesn’t send overly quickly and congest the network, so denying service to other flows. 

Colin Perkins