[secdir] SECDIR review of draft-ietf-avt-rtp-mps-02.txt

"Dan Harkins" <dharkins@lounge.org> Mon, 08 June 2009 23:22 UTC

Return-Path: <dharkins@lounge.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3C57A3A6A88; Mon, 8 Jun 2009 16:22:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.265
X-Spam-Level:
X-Spam-Status: No, score=-6.265 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5MNGQLVyu21V; Mon, 8 Jun 2009 16:22:52 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by core3.amsl.com (Postfix) with ESMTP id 684CD3A63CB; Mon, 8 Jun 2009 16:22:52 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id E975EA888108; Mon, 8 Jun 2009 16:22:57 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Mon, 8 Jun 2009 16:22:57 -0700 (PDT)
Message-ID: <8ef65cd7e977e2d73a3702a524cada0b.squirrel@www.trepanning.net>
Date: Mon, 08 Jun 2009 16:22:57 -0700
From: Dan Harkins <dharkins@lounge.org>
To: iesg@ietf.org, secdir@ietf.org, avt-chars@tools.ietf.org, fluffy@cisco.com
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: frans.de.bont@phillips.com, "malte.schmidt@dolby.com" <ralph.sperschneider@iis.fraunhofer.de>, stefan.doehla@iis.fraunhofer.de
Subject: [secdir] SECDIR review of draft-ietf-avt-rtp-mps-02.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2009 23:22:58 -0000

  Hi,

  I have reviewed this document as part of the Security Directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
Security Area directors. Document editors and WG chairs should
treat these comments just like any other last call comments.

  This document extends the RTP payload format to transport MPEG
Surround multi-channel audio.

  By extending the RTP payload format, this document states that it
is "subject to the security considerations of the RTP specification"
itself. It also informatively cuts-and-pastes from the security
considerations of RFC 3640. I see no problem with that.

  While it's not an issue that needs addressing in this draft, it
seems to me that this draft takes advantage of a covert channel
in an ISO Standard on the coding of audo-visual objects-- "skip
unknown extension data" in a stream. RFC 3640 discusses the
possibility of crashing a system using this bug^H^H^Hfeature but
does not mention the covert channel possibilities. It would be nice
to mention that in a successor to RFC 3640 if there ever is one.

Minor issues:

  - missing reference to SDP, RFC 2327
  - please spell out "Advanced Audio Coding" before using the
    acronym AAC (assuming that's what it meant).
  - the term "High Efficiency AAC" is used after the acronym HE-AAC.
    Please reverse that.

  regards,

  Dan.