Re: [secdir] [Fwd: SECDIR review of draft-ietf-avt-rtp-mps-02.txt]
"Dan Harkins" <dharkins@lounge.org> Thu, 11 June 2009 00:24 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E4963A69B2; Wed, 10 Jun 2009 17:24:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.115
X-Spam-Level:
X-Spam-Status: No, score=-6.115 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C9E1RnIJz0p0; Wed, 10 Jun 2009 17:24:13 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by core3.amsl.com (Postfix) with ESMTP id CAA933A67DD; Wed, 10 Jun 2009 17:24:13 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 453B210224074; Wed, 10 Jun 2009 17:24:20 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Wed, 10 Jun 2009 17:24:20 -0700 (PDT)
Message-ID: <d3e614ab624c524f40e084ba2d058c72.squirrel@www.trepanning.net>
In-Reply-To: <4A2FD682.3050808@iis.fraunhofer.de>
References: <7d80ec7de2f05820800f98692962ab00.squirrel@www.trepanning.net> <19FE62CE8D62CF4B96C845DC556B88132FB6C98CA9@NLCLUEXM01.connect1.local> <f57b58c6b8579947fb022b0f2fb728e0.squirrel@www.trepanning.net> <4A2FD682.3050808@iis.fraunhofer.de>
Date: Wed, 10 Jun 2009 17:24:20 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Stefan Döhla <stefan.doehla@iis.fraunhofer.de>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: Cullen Jennings <fluffy@cisco.com>, "Schmidt , Malte" <malte.schmidt@dolby.com>, "secdir@ietf.org" <secdir@ietf.org>, Ralph Sperschneider <ralph.sperschneider@iis.fraunhofer.de>, "Bont, Frans de" <frans.de.bont@philips.com>, "iesg@ietf.org" <iesg@ietf.org>, "avt-chairs@ietf.org" <avt-chairs@ietf.org>
Subject: Re: [secdir] [Fwd: SECDIR review of draft-ietf-avt-rtp-mps-02.txt]
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Jun 2009 00:24:15 -0000
Hi Stefan, That looks great. I would only suggest s/unwanted/unauthorized/ to highlight that it's not just some proprietary cruft a manufacturer would add that could be understood by his decoders, it's something that was not placed there by the participants in the protocol. regards, Dan. On Wed, June 10, 2009 8:51 am, Stefan Döhla wrote: > Hi Dan, > > thanks for pointing us into the right direction. Normally, SRTP is > recommended in RTP payload formats so that this "hitch-hiking" is not > possible for the RTP-streamed phase in the end-to-end model. > > Would an additional sentence in the spirit of this > > The AAC audio codec includes an extension mechanism to transmit extra > data within a stream that is gracefully skipped by decoders that do > not support this extra data. This covert channel may be used to > transmit unwanted data in an otherwise valid stream and it is hence > recommended to use SRTP [RFC3711] for stream encryption, > authentication, and integrity check. > > help? The overall end-to-end integrity check is probably out-of-scope > for IETF matters, since we probably cannot stop an encoder to add > proprietary data to the stream that is e.g. only understood by decoders > that conform to a specific application standard etc. > > Something like the proposed sentence above is btw. already part of the > document - but it just refers to the weak RTP encryption. > > Cheers > - Stefan > > Dan Harkins wrote: >> Hi Frans, >> >> RFC 3640 only considers one security issue associated with gracefully >> disregarding unknown content. It's correct to mention that this >> capability >> can be used to compromise or crash a receiver but there's another >> security >> consideration that I think deserve mention. Something along the lines >> of: >> >> An attacker can exploit the requirement that a decoder skip over >> unknown extensions to create a covert channel and transmit >> unauthorized data. >> >> So even if you properly address the issue of potentially crashing there >> is still another security issue to consider. Given the nature of >> audio/video equipment it might be remote but to this naive reader it >> deserved mention. >> >> It's like a hitch-hiker. One must take into account that a hitch-hiker >> might kill you but even if you properly address that threat you still >> have consider the fact that you might need to explain to law enforcement >> that those drugs/firearms/etc in the dufflebag in your car aren't really >> yours. >> >> regards, >> >> Dan. >> >> On Wed, June 10, 2009 12:51 am, Bont, Frans de wrote: >> >>> Hi Dan, >>> >>> Thanks for your review, we will update the draft accordingly. >>> >>> With respect to your 'covert channel' comment we want to make >>> the following remark. >>> >>> RFC 3640 says: >>> >>>> However, it is possible to inject non-compliant MPEG streams (Audio, >>>> Video, and Systems) so that the receiver/decoder's buffers are >>>> overloaded, which might compromise the functionality of the >>>> receiver >>>> or even crash it. >>>> >>> This is a general remark that hold for all audio/video formats, this >>> is not different for the format described in this draft. >>> >>> The mentioned 'covert channel', in ISO/IEC 14496-3 (MPEG-4 Audio) >>> implemented by means of the extension_payload(), is defined as a >>> backward compatible mechanism for transport of extension data inside >>> AAC >>> payloads. Streams using this mechanism are fully compliant MPEG-4 Audio >>> streams and code points, the extension identifiers in ISO/IEC 14496-3, >>> that are not supported by a decoder are gracefully skipped. >>> >>> Best regards, >>> Frans >>> >>> >>> >>>> -----Original Message----- >>>> From: Dan Harkins [mailto:dharkins@lounge.org] >>>> Sent: 2009 Jun 09 1:29 AM >>>> To: avt-chairs@ietf.org; Bont, Frans de >>>> Subject: [Fwd: [secdir] SECDIR review of >>>> draft-ietf-avt-rtp-mps-02.txt] >>>> >>>> >>>> Hi, >>>> >>>> I fat-fingered your addresses in the following-- chars and phillips. >>>> Sorry about that. >>>> >>>> Dan. >>>> >>>> ---------------------------- Original Message >>>> ------------------------- >>>> --- >>>> Subject: [secdir] SECDIR review of draft-ietf-avt-rtp-mps-02.txt >>>> From: "Dan Harkins" <dharkins@lounge.org> >>>> Date: Mon, June 8, 2009 4:22 pm >>>> To: iesg@ietf.org >>>> secdir@ietf.org >>>> avt-chars@tools.ietf.org >>>> fluffy@cisco.com >>>> Cc: frans.de.bont@phillips.com >>>> "malte.schmidt@dolby.com" >>>> <ralph.sperschneider@iis.fraunhofer.de> >>>> stefan.doehla@iis.fraunhofer.de >>>> ----------------------------------------------------------------------- >>>> --- >>>> >>>> >>>> Hi, >>>> >>>> I have reviewed this document as part of the Security Directorate's >>>> ongoing effort to review all IETF documents being processed by the >>>> IESG. These comments were written primarily for the benefit of the >>>> Security Area directors. Document editors and WG chairs should >>>> treat these comments just like any other last call comments. >>>> >>>> This document extends the RTP payload format to transport MPEG >>>> Surround multi-channel audio. >>>> >>>> By extending the RTP payload format, this document states that it >>>> is "subject to the security considerations of the RTP specification" >>>> itself. It also informatively cuts-and-pastes from the security >>>> considerations of RFC 3640. I see no problem with that. >>>> >>>> While it's not an issue that needs addressing in this draft, it >>>> seems to me that this draft takes advantage of a covert channel >>>> in an ISO Standard on the coding of audo-visual objects-- "skip >>>> unknown extension data" in a stream. RFC 3640 discusses the >>>> possibility of crashing a system using this bug^H^H^Hfeature but >>>> does not mention the covert channel possibilities. It would be nice >>>> to mention that in a successor to RFC 3640 if there ever is one. >>>> >>>> Minor issues: >>>> >>>> - missing reference to SDP, RFC 2327 >>>> - please spell out "Advanced Audio Coding" before using the >>>> acronym AAC (assuming that's what it meant). >>>> - the term "High Efficiency AAC" is used after the acronym HE-AAC. >>>> Please reverse that. >>>> >>>> regards, >>>> >>>> Dan. >>>> >>>> >>>> >>>> _______________________________________________ >>>> secdir mailing list >>>> secdir@ietf.org >>>> https://www.ietf.org/mailman/listinfo/secdir >>>> >>>> >>> The information contained in this message may be confidential and >>> legally >>> protected under applicable law. The message is intended solely for the >>> addressee(s). If you are not the intended recipient, you are hereby >>> notified that any use, forwarding, dissemination, or reproduction of >>> this >>> message is strictly prohibited and may be unlawful. If you are not the >>> intended recipient, please contact the sender by return e-mail and >>> destroy >>> all copies of the original message. >>> >>> >> >> >> > > > -- > Dipl.-Ing. Stefan Döhla | Email: stefan.doehla@iis.fraunhofer.de > Multimedia Transport | Phone: +49 (0)9131 776 6042 (!NEW!) > Audio Department | Fax: +49 (0)9131 776 6099 (!NEW!) > Fraunhofer IIS | > Am Wolfmantel 33 | > 91058 Erlangen, Germany | Web: http://www.iis.fraunhofer.de/amm > >
- [secdir] SECDIR review of draft-ietf-avt-rtp-mps-… Dan Harkins
- Re: [secdir] [Fwd: SECDIR review of draft-ietf-av… Bont, Frans de
- Re: [secdir] [Fwd: SECDIR review of draft-ietf-av… Dan Harkins
- Re: [secdir] [Fwd: SECDIR review of draft-ietf-av… Stefan Döhla
- Re: [secdir] [Fwd: SECDIR review of draft-ietf-av… Dan Harkins