Re: [secdir] Secdir review of draft-ietf-dart-dscp-rtp-07

"Black, David" <david.black@emc.com> Thu, 16 October 2014 17:45 UTC

Return-Path: <david.black@emc.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AF58B1A1B73; Thu, 16 Oct 2014 10:45:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.31
X-Spam-Level:
X-Spam-Status: No, score=-4.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qcRiXtb2M1gL; Thu, 16 Oct 2014 10:45:45 -0700 (PDT)
Received: from mailuogwdur.emc.com (mailuogwdur.emc.com [128.221.224.79]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC9431A1B76; Thu, 16 Oct 2014 10:45:44 -0700 (PDT)
Received: from maildlpprd51.lss.emc.com (maildlpprd51.lss.emc.com [10.106.48.155]) by mailuogwprd51.lss.emc.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id s9GHjTlw029268 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 16 Oct 2014 13:45:31 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd51.lss.emc.com s9GHjTlw029268
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1413481531; bh=w/Q71Wu8IBFbB1V8lPqUix99D5M=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:MIME-Version; b=bgaZrk+oQurj5VVP0cj+N8RzR9P0ceZD8NiDRmBIanmSWEAWM9oT6xi4nKN2BXWql ZnIovLZWNBak+f+4DVmoqpjYQ/MMSpQpvWTvQqnVv7x5Y+WBQJvjUGYHrNlm08Cu0O lgVEcasXTl5S3DW2/sBobaCS4hsRzBQPrkZpYnnA=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd51.lss.emc.com s9GHjTlw029268
Received: from mailusrhubprd04.lss.emc.com (mailusrhubprd04.lss.emc.com [10.253.24.22]) by maildlpprd51.lss.emc.com (RSA Interceptor); Thu, 16 Oct 2014 13:44:50 -0400
Received: from mxhub34.corp.emc.com (mxhub34.corp.emc.com [10.254.93.82]) by mailusrhubprd04.lss.emc.com (Sentrion-MTA-4.3.0/Sentrion-MTA-4.3.0) with ESMTP id s9GHjHNj025304 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Thu, 16 Oct 2014 13:45:18 -0400
Received: from MXHUB102.corp.emc.com (10.253.58.15) by mxhub34.corp.emc.com (10.254.93.82) with Microsoft SMTP Server (TLS) id 8.3.327.1; Thu, 16 Oct 2014 13:45:17 -0400
Received: from MX104CL02.corp.emc.com ([169.254.8.131]) by MXHUB102.corp.emc.com ([::1]) with mapi id 14.03.0195.001; Thu, 16 Oct 2014 13:45:16 -0400
From: "Black, David" <david.black@emc.com>
To: Tina TSOU <Tina.Tsou.Zouting@huawei.com>, " draft-ietf-dart-dscp-rtp.all@tools.ietf.org" <draft-ietf-dart-dscp-rtp.all@tools.ietf.org>
Thread-Topic: Secdir review of draft-ietf-dart-dscp-rtp-07
Thread-Index: AQHP6UP+vVL5nBAJ0EG0mQJHJZkKjpwy0Y5A
Date: Thu, 16 Oct 2014 17:45:16 +0000
Message-ID: <CE03DB3D7B45C245BCA0D2432779493605BAA4@MX104CL02.corp.emc.com>
References: <AEBDE45E-963A-47B5-997F-416562FE1B32@inria.fr> <2415CF56-6C71-45B6-87DE-C7907C59E73C@huawei.com>
In-Reply-To: <2415CF56-6C71-45B6-87DE-C7907C59E73C@huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.238.44.122]
Content-Type: multipart/alternative; boundary="_000_CE03DB3D7B45C245BCA0D2432779493605BAA4MX104CL02corpemcc_"
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd04.lss.emc.com
X-RSA-Classifications: DLM_1, public
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/R0E0gV5idyX7PmQK6CHCX9gjWDg
Cc: "Black, David" <david.black@emc.com>, IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-dart-dscp-rtp-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Oct 2014 17:45:51 -0000

Tina,

> IMHO, the document is almost ready. I just have minor comments:

Thank you for the review - the RFC 6274 pointer was particularly useful.

Comments inline @ "David>"

Thanks,
--David

From: Tina TSOU [mailto:Tina.Tsou.Zouting@huawei.com]
Sent: Thursday, October 16, 2014 9:21 AM
To: draft-ietf-dart-dscp-rtp.all@tools.ietf.org
Cc: IESG; secdir@ietf.org
Subject: Secdir review of draft-ietf-dart-dscp-rtp-07

Dear all,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

IMHO, the document is almost ready. I just have minor comments:

** Technical **

* Page 6:

For IPv6, addition of the flow label [RFC6437] to network 5-tuples
results in network 6-tuples, but in practice, use of a flow label is
unlikely to result in a finer-grain traffic subset than the
corresponding network 5-tuple (e.g., the flow label is likely to
represent the combination of two ports with use of the UDP
protocol).

The flow label is different in each direction. Hence, if anything, you
should talk about 7-tuples rather than 6-tuples.

David> Yes, but many of the UDP flows involved are unidirectional.  I'll add a parenthetical "(or 7-tuples for bidirectional flows)."

* Page 6, Section 2.2:

What about the drawbacks of multiplexing? -- You don't describe any.
What about Head of Line blocking?

David> The primary purpose of the section is to explain why one would want to do this multiplexing from an RTP
David> perspective - there are plenty of drawbacks described elsewhere in the draft, but if there's something specific
David> that belongs in this section, please suggest text ;-).

David> UDP does not exhibit TCP-like Head of Line blocking problems.

* Page 13, Section 5.1:

When a protocol that provides reliable delivery receives a packet
other than the next expected packet, the protocol usually assumes
that the expected packet has been lost and respond with a
retransmission request for that packet.

Note: There is no "retransmission request" in TCP. Additionally:
s/respond/responds/

David> Definitely a concern in general, and one that was also caught by another reviewer - thank you for noticing.  New wording:
David> "the protocol usually assumes that the expected packet has been lost and updates the peer, which often causes a retransmission."

* Page 13, Section 5.1:

This should not be done for current transport protocols within a
single network 5-tuple, with the exception of UDP and UDP-Lite.

This text is rather confusing. Maybe rephrase as "This should not be
done for transport protocol instances of current protocols, except of
UDP and UDP-Lite"?

David> The 5-tuple concept should not be dropped, as the resulting text is easy to mis-read.
David> Reorganized to: "This should not be done within a single network 5-tuple for current transport protocols, with the important exception of UDP and UDP-Lite.."

* Security considerations section

Maybe Section 3.3 of RFC 6274 wuld be of use here?

David> It's not as if the draft doesn't have enough references already :-).
David> Seriously, Section 3.3.2.1 of RFC 6274 is definitely relevant - I'll add a pointer to that and the RFC 6274 reference, thanks for the suggestion.

** Nits/Editorial **

* Page 2:

The results of using multiple DSCPs to obtain different QoS
treatments within a single network 5-tuple (e.g., reordering) have
transport protocol interactions, particularly with congestion
control functionality.

Please "(e.g., reordering)" right after "treatments".

David> I prefer not to do that, as "within a single network 5-tuple" is an important modification to the scope of "different QoS  treatments."

* Page 2:

s/requirments/requirements/

David> Fixed, thanks.

* Page 3:
Please add references for VP8 and H264

David> Ok, I'll go look for these.

* Page 5:

RTP is usually carried over a datagram protocol, such as
UDP[RFC0768], UDP-Lite [RFC3828] or DCCP [RFC4340]; UDP is most
commonly used, but a non-datagram protocol (e.g., TCP) may also be
used.

Add missing space in "UDP[RFC0768]".

David> Fixed, thanks.

* Page 6:

When TURN selects use of TCP, the entire real-time communications
session is carried over a single TCP 5-tuple.

s/five-tuple/connection/

David> Good suggestion, changed to "TCP connection (i.e., 5-tuple)."

* Page 8, Section 3:

The DiffServ architecture[RFC2475] maintains distinctions among:

Please add the missing space

David> Fixed, thanks.  The way that XXE displays citations makes it easy to miss these ...

* Page 8:
s/loading/load/

David> "loading" is ok, prefer to leave as-is.

* Page 11, Section 3.2:

Better results may be achieved when DSCPs are used to spread traffic
among a smaller number of DiffServ-based traffic subsets or
aggregates, see [I-D.geib-tsvwg-diffserv-intercon] for one proposal.

Please put the "see [I-D..]" within parenthesis.

David> will change comma before "see" to a semicolon instead.

* Page 13, Section 5.1:

Reordering also affects other forms of congestion control, such as
techniques for RTP congestion control that were under development
when this memo was published, see [I-D.ietf-rmcat-cc-requirements]
for requirements.

Please put the "see [I-D..." within parethesis -- i.e. "(see [I-D..)".

David> Same change as previous comment (',' -> ';').

* Page 17, section 5.4:

SSRC

Please expand this acronym.

David> Already done when acronym first used in Section 2.1.
David> The actual expansion is "Synchronization SouRCe," which seems unhelpful to provide in camel-case.

* Page 18, Section 6:

, see Section 5.2 above.

Please put this text within parenthesis.

David> Done, and also for several other occurrences of similar text.

Thank you,
Tina