Re: [secdir] [rmcat] Secdir last call review of draft-ietf-rmcat-nada-11

Colin Perkins <csp@csperkins.org> Fri, 16 August 2019 14:54 UTC

Return-Path: <csp@csperkins.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58C22120232; Fri, 16 Aug 2019 07:54:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RO7h8cgrZVOG; Fri, 16 Aug 2019 07:54:21 -0700 (PDT)
Received: from haggis.mythic-beasts.com (haggis.mythic-beasts.com [IPv6:2a00:1098:0:86:1000:0:2:1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77B44120086; Fri, 16 Aug 2019 07:54:21 -0700 (PDT)
Received: from [130.209.247.112] (port=49713 helo=mangole.dcs.gla.ac.uk) by haggis.mythic-beasts.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from <csp@csperkins.org>) id 1hydcL-0004V4-W7; Fri, 16 Aug 2019 15:54:18 +0100
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Colin Perkins <csp@csperkins.org>
In-Reply-To: <8EB353C0-FC34-4514-8283-0D1654EE48DD@kuehlewind.net>
Date: Fri, 16 Aug 2019 15:54:07 +0100
Cc: Gorry Fairhurst <gorry@erg.abdn.ac.uk>, Sean Turner <sean@sn3rd.com>, secdir@ietf.org, rmcat@ietf.org, draft-ietf-rmcat-nada.all@ietf.org, IETF <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <2EB42977-16EF-46AA-B1E8-EA4C420FA51A@csperkins.org>
References: <156565849881.20488.4580765481520503258@ietfa.amsl.com> <5D526D4A.5010304@erg.abdn.ac.uk> <8EB353C0-FC34-4514-8283-0D1654EE48DD@kuehlewind.net>
To: Mirja Kuehlewind <ietf@kuehlewind.net>
X-Mailer: Apple Mail (2.3445.104.11)
X-BlackCat-Spam-Score: 4
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/ZmnqZuRMbzmEmo_YHRqcWe2xwxg>
Subject: Re: [secdir] [rmcat] Secdir last call review of draft-ietf-rmcat-nada-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Aug 2019 14:54:25 -0000

Hi,

> On 16 Aug 2019, at 13:59, Mirja Kuehlewind <ietf@kuehlewind.net>; wrote:
> 
> Hi Sean, hi Gorry,
> 
> Thanks for your review and feedback. Please see below.
> 
>> On 13. Aug 2019, at 09:56, Gorry Fairhurst <gorry@erg.abdn.ac.uk>; wrote:
>> 
>> See  below:
>> 
>> On 13/08/2019, 02:08, Sean Turner via Datatracker wrote:
>>> Reviewer: Sean Turner
>>> Review result: Has Nits
>>> 
>>> Hi! I'm no congestion control expert so nothing in the main body jumped out at
>>> me.  I did take a little time to review some security considerations for other
>>> congestion control RFCs and just wanted to make sure the same kind of
>>> information is getting addressed.  I indicated the result of this review as
>>> "has nits" because there is a pretty good chance I am just suggesting some
>>> editorial tweaks.
>>> 
>>> The security considerations rightly points out that this mechanism is
>>> susceptible to the same kind of attacks as TCP (e.g., hijack, replacement) and
>>> what mitigations to use (i.e., integrity protection of the RTCP feedback
>>> messages).  But, what is missing is what happens if these attacks succeed: DoS
>>> or in the worst case congestion collapse?  So, maybe instead of:
>>> 
>>>   As such, it is vulnerable to attacks where feedback
>>>   messages are hijacked, replaces, or intentionally injected with
>>>   misleading information, similar to those that can affect TCP.
>>> 
>>> Maybe:
>>> 
>>>   As such, it is vulnerable to attacks where feedback
>>>   messages are hijacked, replaces, or intentionally injected with
>>>   misleading information resulting in denial of service, similar
>>>   to those that can affect TCP.
>>> 
>>> Also, unless I've completely misread this paragraph it seems like you are
>>> talking about two things: 1) it's just like TCP, and 2) "The modification of
>>> sending rate ...".  So, maybe split the paragraph along those lines.
> 
> I think this is actually based on text that we used for scream (now RFC8298) which is another congestion control developed in rmcat. I think we refined that text also based on a SEC (or GEN?) review comment at that time and people were at the end satisfied with it. However, your proposed change above could surely be integrated and I leave it to the authors if they want to refine the text further. 
> 
>>> 
>>> Further questions:
>>> 
>>> 1. Are there any concerns related to a greedy receiver who wants to gobble up
>>> more than its fair share of network bandwidth?
> 
> This is a very general point for all congestion control schemes, and for rmcat it is also discussed in draft-ietf-rmcat-cc-requirements (which is sitting in the RFC editor queue for a while as part of the 238 cluster…). I personally don’t see too much value in discussing this here once again (given the generic nature of the problem and very unclear definition of “fair”).
> 
>>> 
>>> 2. Seems like maybe you also need to refer to the RTP/RTCP security
>>> considerations because it seems like security primarily needs to be considered
>>> in the context of a specific transport protocol and its authentication
>>> mechanisms.
> 
> Hm, also not sure here because, while this congestion control scheme is developed for RTP/RTCP, it's defined in a more generic way and there are actually no real dependencies on a specific protocol.

For both this and the GenART review, it should maybe point to draft-ietf-avtcore-cc-feedback-message-04 as an example mechanism to carry congestion feedback. The security considerations in that draft highlight some of these issues, and point to the RTP security mechanisms needed to secure the feedback.

Colin



>>> 
>>> Cheers,
>>> 
>>> spt
>> I also think that text (or similar) would also be valuable in the security considerations section.
>> 
> 
> Gorry: Can you further explain what part this comment related to?
> 
> Thanks!
> Mirja
> 
> 
> 
>> Gorry
>> 
> 



-- 
Colin Perkins
https://csperkins.org/