Re: [secdir] Secdir review of draft-ietf-payload-rtp-aptx-04

Tero Kivinen <kivinen@iki.fi> Thu, 23 January 2014 16:15 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5DEB11A0047; Thu, 23 Jan 2014 08:15:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.436
X-Spam-Level:
X-Spam-Status: No, score=-2.436 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c7i68y1acQhZ; Thu, 23 Jan 2014 08:15:15 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 6D7D61A001B; Thu, 23 Jan 2014 08:15:15 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.7/8.14.5) with ESMTP id s0NGFCNj005487 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 23 Jan 2014 18:15:12 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.7/8.12.11) id s0NGFBjE002885; Thu, 23 Jan 2014 18:15:11 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <21217.16399.623639.865298@fireball.kivinen.iki.fi>
Date: Thu, 23 Jan 2014 18:15:11 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "John Lindsay" <Lindsay@worldcastsystems.com>
In-Reply-To: <8C4E0C2409735E4FBC22D754A238F94D0303D9C4@APTSBS.apt.local>
References: <21152.30161.542379.749064@fireball.kivinen.iki.fi> <8C4E0C2409735E4FBC22D754A238F94D0303D9C4@APTSBS.apt.local>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 2 min
X-Total-Time: 1 min
Cc: iesg@ietf.org, draft-ietf-payload-rtp-aptx.all@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-payload-rtp-aptx-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2014 16:15:29 -0000

John Lindsay writes:
> Firstly apologies for the delay in replying, this is the first RFC draft
> I have been involved with and I was not sure of the process.
> You are correct the coded is a constant bit rate encoder and hence not
> vulnerable to the methods described in in the
> draft-ietf-avtcore-srtp-vbr-audio document.
> 
> If its felt necessary a note to this affect can be added to the security
> considerations section.

Either way is good for me. 

> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@iki.fi] 
> Sent: 05 December 2013 12:47
> To: iesg@ietf.org; secdir@ietf.org;
> draft-ietf-payload-rtp-aptx.all@tools.ietf.org
> Subject: Secdir review of draft-ietf-payload-rtp-aptx-04
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors.  Document editors and WG chairs should treat these
> comments just like any other last call comments.
> 
> This document describes how to transmit proprietary audio codec
> algorithms standard apt-X and enchanced apt-X in the RTP. The document
> has security considerations section which seems to be OK.
> 
> If I have understood correctly the codec is constant bit rate codec,
> thus it is not vulnerable to the traffic analysis attacks described for
> example in the draft-ietf-avtcore-srtp-vbr-audio document. Perhaps the
> security considerations section could note that these codecs are not
> vulnerable to those attacks (if that is in deed true).
> --
> kivinen@iki.fi

-- 
kivinen@iki.fi