Re: [secdir] Secdir review of draft-ietf-avtcore-monarch-17

Qin Wu <bill.wu@huawei.com> Wed, 22 August 2012 04:12 UTC

Return-Path: <bill.wu@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFDF811E80AE; Tue, 21 Aug 2012 21:12:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.342
X-Spam-Level:
X-Spam-Status: No, score=-3.342 tagged_above=-999 required=5 tests=[AWL=-0.509, BAYES_00=-2.599, FAKE_REPLY_C=2.012, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=1.753, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id umrqsz7o8V2V; Tue, 21 Aug 2012 21:12:23 -0700 (PDT)
Received: from dfwrgout.huawei.com (dfwrgout.huawei.com [206.16.17.72]) by ietfa.amsl.com (Postfix) with ESMTP id CCAEE11E80AD; Tue, 21 Aug 2012 21:12:22 -0700 (PDT)
Received: from 172.18.9.243 (EHLO dfwdlp01-ep.huawei.com) ([172.18.9.243]) by dfwrg01-dlp.huawei.com (MOS 4.3.5-GA FastPath) with ESMTP id AJT09846; Tue, 21 Aug 2012 20:12:22 -0800 (PST)
Received: from DFWEML405-HUB.china.huawei.com (10.193.5.102) by dfweml202-edg.china.huawei.com (172.18.9.108) with Microsoft SMTP Server (TLS) id 14.1.323.3; Tue, 21 Aug 2012 21:05:13 -0700
Received: from SZXEML411-HUB.china.huawei.com (10.82.67.138) by dfweml405-hub.china.huawei.com (10.193.5.102) with Microsoft SMTP Server (TLS) id 14.1.323.3; Tue, 21 Aug 2012 21:05:11 -0700
Received: from w53375 (10.138.41.149) by szxeml411-hub.china.huawei.com (10.82.67.138) with Microsoft SMTP Server (TLS) id 14.1.323.3; Wed, 22 Aug 2012 12:05:01 +0800
Message-ID: <D9F20FFCA69244C59DB1F3E69C2F48EB@china.huawei.com>
From: Qin Wu <bill.wu@huawei.com>
To: <draft-ietf-avtcore-monarch@tools.ietf.org>, <secdir@ietf.org>, The IESG <iesg@ietf.org>, Tina TSOU <Tina.Tsou.Zouting@huawei.com>
Date: Wed, 22 Aug 2012 12:05:00 +0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0127_01CD805E.5B00C270"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.5931
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.6109
X-Originating-IP: [10.138.41.149]
X-CFilter-Loop: Reflected
Subject: Re: [secdir] Secdir review of draft-ietf-avtcore-monarch-17
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Aug 2012 04:12:24 -0000

Hi,Tena:
The security section of monarch draft is consistent with RFC3611 and doesn't conflict with the security section of RFC3611.
The 2nd paragraph in security section of monarch draft,  it talks about sensitive information exposting, which said:
"
   In RTP sessions, a RTP system may use its own SSRC to send its
   monitoring reports towards its next-neighbour RTP system.  Other RTP
   system in the session may have a choice as to whether they forward
   this RTP system's RTCP packets.  This present a security issue since
   the information in the report may be exposed by the other RTP system
   to any malicious node.  Therefore if the information is considered as
   sensitive, the monitoring report should be encrypted.

"
the resolution is to use encryption.
 
In the 6th paragraph in security section of RFC3611, it talks about disadvantage of encryption of
XR block, which said:
"
   Any encryption or filtering of XR report blocks entails a loss of
   monitoring information to third parties.  For example, a network that
   establishes a tunnel to encrypt VoIP Report Blocks denies that
   information to the service providers traversed by the tunnel.  The
   service providers cannot then monitor or respond to the quality of
   the VoIP calls that they carry, potentially creating problems for the
   network's users.  As a default, XR packets should not be encrypted or
   filtered.
"
RFC3611 said, it is at default to set XR packet no encrypted. But it doesn't say encryption is prohibited in any circumstance.

To clear your confusion to this, I like to propose the following change to the 2nd paragraph in security section of monarch draft
OLD TEXT:
"
Therefore if the information is considered as
 sensitive, the monitoring report should be encrypted.
"

NEW TEXT:
"
Therefore if the information is considered as
sensitive, encryption of the monitoring report is recommended.
"
Hope this addresses your comments.

Regards!
-Qin

>To: The IESG <iesg at ietf.org>, "secdir at ietf.org" <secdir at ietf.org>, "draft-ietf-avtcore-monarch at tools.ietf.org" <draft-ietf-avtcore-monarch at tools.ietf.org> 
>Subject: [secdir] Secdir review of draft-ietf-avtcore-monarch-17 
>From: Tina TSOU <Tina.Tsou.Zouting at huawei.com> 

>Hello,

>I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the >security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

>Draft-ietf-avtcore-monarch-17 as a whole provides useful advice. 
>There are a number of editorial nits that will be provided to the authors in a separate E-mail.

>Unfortunately, the Security Considerations section fails to appreciate both the more nuanced view and the contradiction exhibited by the same section of RFC 3611, to which it refers. On the one hand, the >measurements reported in XR blocks could be sensitive and one might wish to provide them with confidentiality. On the other hand, intermediate parties may have legitimate reasons to view the >measurements, so that end-to-end encryption is not always desirable.

>It would be helpful for this document to discuss the trust models that might be encountered in operation, and how confidentiality and authorized usage could co-exist within these models. Of course, it may >be legitimate to conclude that under some circumstances such coexistence may be impossible, and local policy may therefore be either to suppress the measurements or accept the consequences of their >disclosure.

>Tina