Re: [secdir] sec-dir review of draft-ietf-payload-rtp-opus-08

[Derek Atkins <derek@ihtfp.com>]

Roni,

I'm not an RTP guy.  To me "SRTP" is a general class of "Secure RTP"
protocols.  So let's work on that as my starting point:  implementations
SHOULD protect their RTP stream.

Based on that, how about a re-wording here?  Instead of just saying "MAY
use SRTP", how about something like "SHOULD use one of the possible RTP
Security methods (See RFC7201, RFC7202)"?  (Obviously this can be worded
better).

-derek

Roni Even <roni.even@mail01.huawei.com> writes:

> Hi,
> The reason for the may is discussed in RFC7201 and RFC 7202, it can be
> a SHOULD and these RFCs exaplain when it is not required to use SRTP.
> Maybe add a reference to these RFCs in the security section when
> saying talking about good reasons for not using SRTP
>
> Roni Even
>
> ________________________________________
> From: Jean-Marc Valin [jvalin@mozilla.com] on behalf of Jean-Marc
> Valin [jmvalin@mozilla.com]
> Sent: Tuesday, February 17, 2015 10:23 PM
> To: Derek Atkins; iesg@ietf.org; secdir@ietf.org
> Cc: payload-chairs@tools.ietf.org; koenvos74@gmail.com; jspittka@gmail.com
> Subject: Re: sec-dir review of draft-ietf-payload-rtp-opus-08
>
> Hi Derek,
>
> There was no particular reason for the MAY, the text was merely copied
> from other RTP payload RFC. I totally agree with making it a SHOULD.
>
> Thanks,
>
>         Jean-Marc
>
> On 17/02/15 02:54 PM, Derek Atkins wrote:
>> Hi,
>>
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the
>> IESG.  These comments were written with the intent of improving
>> security requirements and considerations in IETF drafts.  Comments
>> not addressed in last call may be included in AD reviews during the
>> IESG review.  Document editors and WG chairs should treat these
>> comments just like any other last call comments.
>>
>> Summary:
>>
>> Ready to publish with a question: I question why the use of SRTP is a
>> MAY and not a SHOULD (as detailed in the Security Considerations
>> section).  Considering PERPASS I believe this should be a SHOULD;
>> someone should have a very good reason why they are NOT using SRTP.
>>
>> Details:
>>
>>    This document defines the Real-time Transport Protocol (RTP) payload
>>    format for packetization of Opus encoded speech and audio data
>>    necessary to integrate the codec in the most compatible way.
>>    Further, it describes media type registrations for the RTP payload
>>    format.
>>
>> I have no other comments on this document.
>>
>> -derek
>>
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>
>

-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant