IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-mmusic-sdp-miscellaneous-caps-05

<Simo.Veikkolainen@nokia.com> Fri, 31 May 2013 11:19 UTC

Return-Path: <Simo.Veikkolainen@nokia.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D797821F8717; Fri, 31 May 2013 04:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.598
X-Spam-Level:
X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qYEknXHpVEWr; Fri, 31 May 2013 04:19:00 -0700 (PDT)
Received: from mgw-da01.nokia.com (smtp.nokia.com [147.243.128.24]) by ietfa.amsl.com (Postfix) with ESMTP id C5D1821F8EFE; Fri, 31 May 2013 04:18:59 -0700 (PDT)
Received: from vaebh105.NOE.Nokia.com (in-mx.nokia.com [10.160.244.31]) by mgw-da01.nokia.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id r4VBIqLf012606; Fri, 31 May 2013 14:18:56 +0300
Received: from smtp.mgd.nokia.com ([65.54.30.48]) by vaebh105.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Fri, 31 May 2013 14:19:02 +0300
Received: from 008-AM1MPN1-026.mgdnok.nokia.com ([169.254.6.223]) by 008-AM1MMR1-014.mgdnok.nokia.com ([2002:4136:1e30::4136:1e30]) with mapi id 14.02.0328.011; Fri, 31 May 2013 11:19:54 +0000
From: Simo.Veikkolainen@nokia.com
To: catherine.meadows@nrl.navy.mil, iesg@ietf.org, secdir@ietf.org, draft-ietf-mmusic-sdp-miscellaneous-caps.all@tools.ietf.org
Thread-Topic: Secdir review of draft-ietf-mmusic-sdp-miscellaneous-caps-05
Thread-Index: AQHOXXildvNZ2EoTpkCVEr5L56e6dZkfI/ow
Date: Fri, 31 May 2013 11:19:53 +0000
Message-ID: <D09DAE6B636851459F7575D146EFB54B2405E532@008-AM1MPN1-026.mgdnok.nokia.com>
References: <C809039F-341E-478C-BFD2-11FF553D58A6@nrl.navy.mil>
In-Reply-To: <C809039F-341E-478C-BFD2-11FF553D58A6@nrl.navy.mil>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-titus-version: 3.5.9.3
x-tituslabs-classifications-30: TLPropertyRoot=Nokia; Confidentiality=Nokia Internal Use Only; Project=None;
x-headerinfofordlp: None
x-tituslabs-classificationhash-30: VgNFIFU9Hx+/nZJb9Kg7IpQCv9FX5PeIK/RR4/BbKzm/H1vuz873kAI8XNEuuGYLNsphiUF3B0u6NaMLQCrjfso5MRg7U/4xkmeCFs/FbHm3yHA2KrzzT60UNhIV4kW5ewaFWVwjqSTyYUeuwMZHSB2bGdFBjxbOE/fj2hzAeHpur34XC570mYq8Agn90wFmH20bS8s6PmEKJbwZbHhwmgn2NFgTd7Yi2LwRlJWj6qxuFZ38SGx1shd3xIX1SQ/UvPUFrvGrbniy6zikLiEwYV+FrQVmjDYWwN/+UpTQnr8=
x-originating-ip: [172.21.81.112]
Content-Type: multipart/alternative; boundary="_000_D09DAE6B636851459F7575D146EFB54B2405E532008AM1MPN1026mg_"
MIME-Version: 1.0
X-OriginalArrivalTime: 31 May 2013 11:19:02.0370 (UTC) FILETIME=[A77ACC20:01CE5DF0]
X-Nokia-AV: Clean
X-Mailman-Approved-At: Fri, 31 May 2013 04:36:34 -0700
Subject: Re: [secdir] Secdir review of draft-ietf-mmusic-sdp-miscellaneous-caps-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 May 2013 11:19:06 -0000

Hello Catherine,

Thank you for the comments, please see my answers below prefixed with [SV].

From: ext Catherine Meadows [mailto:catherine.meadows@nrl.navy.mil]
Sent: 30. toukokuuta 2013 23:58
To: iesg@ietf.org; secdir@ietf.org; draft-ietf-mmusic-sdp-miscellaneous-caps.all@tools.ietf.org
Cc: Catherine Meadows
Subject: Secdir review of draft-ietf-mmusic-sdp-miscellaneous-caps-05

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.


This ID defines three new capabilities that can be negotiated in the Session Description Protocols (SDP) using the SDP offer/answer
procedure.  These are bandwidth capability (proposed bandwidth to be used by session or media), connection capability (network type, address
type, and address), and title capability (human-readable textual information about the session).

None of these are directly security-related, although the authors point out that an attacker who
is able to modify traffic could modify the bandwidth value so that then network winds up being under-utilized
or over-utilized.  They recommend using on of the security mechanisms recommended in RFC5939 (which defines SDP capability negotiation
in general) in case
it is necessary to protect the bandwidth value.

I think this is a very appropriate recommendation for this ID, but perhaps the authors should consider offering similar recommendations
for the other capabilities.  For example, in the connection capability it is possible to offer an address together with a number of alternatives.
What happens if an attacker removes some or most of the addresses?  Could this lead to overuse of the remaining addresses?  Likewise, one of the reasons the human-readable
title capability is provided is so that a human can make choices about which media configurations to choose.  If the attacker tampers with a label so that the human is caused to make wrong choices, this could again
cause problems.  I think it could be worthwhile to point out that there may be cases for both connection and title capabilities where adversarial tampering could have harmful effects,
and if this is the case the security mechanisms in RFC5939 should be applied as well.

[SV] I agree that just addressing the possible misuse of the bandwidth capability might give an impression that there are no foreseen threats with the two other capabilities. For the connection address capability ("ccap") attribute, the most harmful threat would actually that the attacker tricks the endpoint to send media to an unaware destination. This type of DoS attack in the context of voice over IP (called the "voice hammer") is discussed in RFC5245.

[SV] I have modified the relevant paragraphs and added new text to read:

                The bandwidth capability attribute may be used for reserving
                resources at endpoints and intermediaries which inspect the
                SDP. Modification of the bandwidth value by an attacker can
                lead to the network being underutilized (too high bandwidth
                value) or congested (too low bandwidth value).

                Similarly, by modifying the alternative connection
                address(es), an attacker would be able direct media streams to
                a desired endpoint, thus launching a version of the well known
                voice hammer attack (see Section 18.5.1 of [RFC5245]).

                The title capability provides for alternative "i=" line
                information, which is intended for human consumption. However,
                manipulating the textual information could be misused to
                provide false information, leading to bad user experience or
                the person using the service making wrong the choice
                regarding the available media streams.

                In case it is essential to protect the capability attribute
                values, one of the security mechanisms proposed in [RFC5939]
               SHOULD be used.

Regards,
Simo


Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil<mailto:catherine.meadows@nrl.navy.mil>

v2.23.0 | Report a Bug | By Email