[secdir] Review of draft-ietf-clue-framework-24
Phillip Hallam-Baker <phill@hallambaker.com> Wed, 02 December 2015 16:35 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E77591B2BB2; Wed, 2 Dec 2015 08:35:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.622
X-Spam-Level:
X-Spam-Status: No, score=0.622 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VPLTs5AYqs6j; Wed, 2 Dec 2015 08:34:59 -0800 (PST)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFA021B2BA5; Wed, 2 Dec 2015 08:34:55 -0800 (PST)
Received: by lfdl133 with SMTP id l133so57690147lfd.2; Wed, 02 Dec 2015 08:34:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:date:message-id:subject:from:to:content-type; bh=V+Xst/BWT5kpFHp3Lb5RPZhW2tG1qDBFTiYoi8D8ZuE=; b=vtqXihUCNb0td2CcaY7nlbkBEeZuck3Kdpm3ijbYhNAAaU9CDxL1D32df/EpKsZVZI nanNKngOoBf4OvzfxZUV3uxiZIxzK/NC4+8AqJujC8dZHKWhPtjuBa9hneuvxSCMhDvS J+KxyJIgcxmckjeOkbYtzX94evHUm9rzo74zR5Zps1QCLwMvtdL0PXFAzjd6325mHo2c VW2Q7pgmRUD2rVqKP3ybG6KwDO5lU8Uf4/aX/GAzf+m8KbvsRZrWYraJ8B78h5f6TJl0 AmQmRvvcDXcWbbXGdk2Z8JilSvjRlwJ7d61eUI97VdLggQpoGB+9u/RPeedAdon3oYxa sq8Q==
MIME-Version: 1.0
X-Received: by 10.112.184.45 with SMTP id er13mr3460675lbc.133.1449074094103; Wed, 02 Dec 2015 08:34:54 -0800 (PST)
Sender: hallam@gmail.com
Received: by 10.112.1.227 with HTTP; Wed, 2 Dec 2015 08:34:53 -0800 (PST)
Date: Wed, 02 Dec 2015 11:34:53 -0500
X-Google-Sender-Auth: YIRYIA5wuBpb3UolCoBadKlzHg8
Message-ID: <CAMm+Lwiq-MNf4NWKn7OBS+xg5PWnLXLRMP_tqxsbGEsYV+bzrA@mail.gmail.com>
From: Phillip Hallam-Baker <phill@hallambaker.com>
To: draft-ietf-clue-framework.all@ietf.org, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="001a1133f450a1e24e0525ecda98"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/b7wLPeRSS3er1gKRrqyDzVMY8BQ>
Subject: [secdir] Review of draft-ietf-clue-framework-24
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 16:35:02 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. Document editors and WG chairs should treat these comments just like any other last call comments. This standards track document describes what is essentially an enhanced data model for negotiating telepresence configurations in cases where a given party may have multiple capture devices offering multiple streams. Choice of streams may be constrained by device capabilities. A camera may offer a closeup of the speaker or a wide view of the panel but not be capable of providing both. Security considerations. One context issue I am having here is understanding what the relation of this document is to the others it is referencing. For example, there is a normative reference to draft-ietf-clue-protocol-06 <https://tools.ietf.org/html/draft-ietf-clue-protocol-06>. Is that to be considered by the IESG at this point? If so it does not have a security considerations. If the point is to publish the framework doc as an RFC so as to set the context for further discussions of the protocol, this is OK. But otherwise there is a normative reference to a document that doesn't have a security considerations section and desperately needs one. This is a big problem as the Security Considerations section in framework is pointing forward to 'authorization mechanisms' that are presumably to be described in protocol. Given this situation, these comments may be taken as input to the framework doc or the documents to be written using framework as the architecture. As a general matter, it would be easier to analyze security if terms such as 'confidentiality' and 'integrity' were used. This is particular the case when the specification in question is dealing with audio and video. for example the phrase "an endpoint attempting to listen to sessions in which it is not authorized to participate" is almost certainly intended to cover video as well which is seen and not heard. Looking at the considerations in this way gives us the following considerations: Confidentiality: Disclosure of media streams to an unauthorized endpoint. Disclosure of metadata to capture devices. Failure to terminate access to media streams at completion of a session. Integrity Modification of media stream data Introduction of spurious media streams. Service Denial of Service against capture devices Denial of service against output devices I think this approach would be helpful when it comes to writing the protocol authorization sections. As a general rule, the term 'endpoint' is now meaningless and should not be used. Yes, end-to-end security is a good thing. But you show me which are the 'endpoints' here. End to end is Alice's brain to Bob's brain. Between that we have mouth/face -> cameras/ mics -> capture host(s) -> inter-network -> output host(s) -> displays/speakers -> eyes/ears. An attacker may target any of those modules and any of the interfaces between them. Using the term 'endpoint' is ambiguous. The metadata disclosure problem can be quite insidious. Let us say we are using CLUE to collect media streams from a home security grid. I have 11 cameras on the perimeter pointing in and another 7 on the residence pointing out and one on my desk. The one on my desk can be considered to be trustworthy, if someone has compromised that, I am screwed. But that isn't the case for the perimeter net which is cobbled together from Raspberry Pis and cheapo cameras. That net is placed in a location I know is vulnerable. Lets say we have an intrusion. First thing I do is to fire up a conference call with my security contractor. I don't want someone to be able to compromise one of my perimeter cameras in a way that tips them off to the fact the intrusion has been detected. Introduction of spurious streams might be one of the best ways to attack a conferencing system. If I can see the main speaker and the audio is a little fuzzy, attacker introduces an additional stream with filtering that makes it more attractive to whatever AI is managing the conference. Now the attacker can literally put words in people's mouths. Could be fun for politicians giving town halls.
- [secdir] Review of draft-ietf-clue-framework-24 Phillip Hallam-Baker
- Re: [secdir] Review of draft-ietf-clue-framework-… Roni Even