[secdir] SECDIR review of draft-ietf-mmusic-sdp-mux-attributes-13

Chris Lonvick <lonvick.ietf@gmail.com> Sun, 24 July 2016 14:38 UTC

To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-mmusic-sdp-mux-attributes-13.all@ietf.org
From: Chris Lonvick <lonvick.ietf@gmail.com>
Message-ID: <5794D308.7010401@gmail.com>
Date: Sun, 24 Jul 2016 09:39:04 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RSq4sy7Qmbrv9Ys05ms-uJ3tiE0>

Hi,

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

I've been rather busy and haven't had time to thoroughly review this 
document. But I did look at the Security Considerations section and will 
recommend that some additions be made. The Security Considerations 
section says, "This document does not add any new security 
considerations beyond the existing considerations in the RFCs for 
protocols that are being multiplexed together." (First paragraph.) I
believe that it would be helpful to readers and implementers if the 
specification were to give pointers to RFCs for protocols that are being 
multiplexed together, and their security considerations.

The section continues by saying, "The ways that SRTP streams are keyed 
is not believed to create any two-time pad vulnerability for the 
currently defined SRTP keying mechanism." (Second paragraph.) I may not 
have seen it but I don't believe that this document specifies keying for 
SRTP streams, but only references RFC4567 (Section 5.35) and RFC4572 
(Section 5.36). If that's the case, then this document doesn't need to 
opine about possible vulnerabilities in that area; leave it to those or 
subsequent documents to make that analysis.

It would be appropriate to reiterate that the CAUTION category may 
produce some problems.

For completeness, it may be good to include pointers to other mmusic and 
SDP documents that have addressed security aspects. A statement of how 
that may apply to this specification would be appropriate. I don't think 
this would need to be detailed.

Best regards,
Chris