IETF Logo Mail Archive

Re: [secdir] SECDIR review of draft-ietf-mmusic-sdp-mux-attributes-13

Chris Lonvick <lonvick.ietf@gmail.com> Sun, 28 August 2016 00:55 UTC

Return-Path: <lonvick.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD02C12D0CD; Sat, 27 Aug 2016 17:55:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dEKjzpDK0vTR; Sat, 27 Aug 2016 17:55:23 -0700 (PDT)
Received: from mail-oi0-x22a.google.com (mail-oi0-x22a.google.com [IPv6:2607:f8b0:4003:c06::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0906612D0AA; Sat, 27 Aug 2016 17:55:20 -0700 (PDT)
Received: by mail-oi0-x22a.google.com with SMTP id l203so156363419oib.1; Sat, 27 Aug 2016 17:55:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=G5M9JbFNIHTyRZOqvSpPIFrhFGYcOrc+OrNxanlxip0=; b=wPjREqL8Dgwvb6tUAEvW1NJsH/PySBBgYYyZBnhu6VFyB6GlTmdzC10KtET1KbNJ8u panr6Ap3r/+fm1UkbwevF0jA3a9DPsALDul8TswD07GcG6X9jkRDbBzO8OwUA1F3PWrC m0bFe6KbcmAz6f8NQFHRJFaZm75ZGFL2UaanMJHp31aCPEVrhbYSvuk8roY1EpdLaJ05 mHueCKB+Jszg8fCxapxr8Qc6w9tVMncEETDUNb+6Rd4Pu+x47aGohPqqlnWvnTncAcJN 7fPOZB7UoHvowkMJoZNDq6n0RIkICPbA7vNkwC2KByq+B/a99li693DJrKEnDCccyDtc 7Cvg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=G5M9JbFNIHTyRZOqvSpPIFrhFGYcOrc+OrNxanlxip0=; b=Uc1KmyAGwdo4TGXndLugQTODs7ckwJF7g0wcIsmcmpxdp1mVpfTL+gZDkGaQc2VQKW q422u2jPc/os6qguj3QYBUrSlfWJLMAMq03LxGITCvqSMKqWV+xPGvywE5SLFvH+DaiF i4We+FzPzyrplT/xVBvODOStqw8AakVgoBiZ+qnGD1P29C/mVv04Yb9XeLt35m68Bf1Y 1EkKl04r+UijALFT6A1mF0AZR5cpzMDEavp7iU24pBnQmdepvTGBqyo7nqVrZa5HkoTR BAFw5AzmLVaVhr6Y31Tz+NukTfR3FIHgtZpxj0ywb4ya3m4kk9uaCcdTWeytDImLVlfO 0xqQ==
X-Gm-Message-State: AE9vXwM5vKkr/gckGJS26Qq10ocdbYuwNJg66hwPZla5UqeIK8xdr5AdfiiOJuiTuMGWww==
X-Received: by 10.202.75.197 with SMTP id y188mr6977035oia.10.1472345719429; Sat, 27 Aug 2016 17:55:19 -0700 (PDT)
Received: from Chriss-Air.attlocal.net ([2602:306:838b:1c40:4514:17e:feee:a5cf]) by smtp.googlemail.com with ESMTPSA id w83sm12143412oif.5.2016.08.27.17.55.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 27 Aug 2016 17:55:19 -0700 (PDT)
To: "Suhas Nandakumar (snandaku)" <snandaku@cisco.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-mmusic-sdp-mux-attributes.all@ietf.org" <draft-ietf-mmusic-sdp-mux-attributes.all@ietf.org>
References: <5794D308.7010401@gmail.com> <5794D38E.90709@gmail.com> <1472148474472.98410@cisco.com>
From: Chris Lonvick <lonvick.ietf@gmail.com>
Message-ID: <57C23675.9020603@gmail.com>
Date: Sat, 27 Aug 2016 19:55:17 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <1472148474472.98410@cisco.com>
Content-Type: multipart/alternative; boundary="------------030204060005080508080905"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/iapK3XHb6MbuuBhatH5nHLfBvGk>
Cc: "Cullen Jennings (fluffy)" <fluffy@cisco.com>, "Flemming Andreasen (fandreas)" <fandreas@cisco.com>, Bo Burman <bo.burman@ericsson.com>
Subject: Re: [secdir] SECDIR review of draft-ietf-mmusic-sdp-mux-attributes-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Aug 2016 00:55:25 -0000

Hi Suhas,

I hope your vacation was good.  :-)

These edits look appropriate.

Best regards,
Chris

On 8/25/16 1:07 PM, Suhas Nandakumar (snandaku) wrote:
>
> ​Hello Chris
>
>
>    Apologies for the delayed response ( was on vacation :-) )
>
>
>    Please see inline for responses to your review comments (marked 
> with [[Suhas]] )​
>
>
> Thanks
>
> Suhas Nandakumar
>
>
> ------------------------------------------------------------------------
> *From:* Chris Lonvick <lonvick.ietf@gmail.com>
> *Sent:* Sunday, July 24, 2016 7:41 AM
> *To:* iesg@ietf.org; secdir@ietf.org; 
> draft-ietf-mmusic-sdp-mux-attributes.all@ietf.org
> *Subject:* Re: SECDIR review of draft-ietf-mmusic-sdp-mux-attributes-13
> Apologies for the duplication - resending to the right alias.
>
> On 7/24/16 9:39 AM, Chris Lonvick wrote:
>> Hi,
>>
>> I have reviewed this document as part of the security directorate's 
>> ongoing effort to review all IETF documents being processed by the 
>> IESG. These comments were written primarily for the benefit of the 
>> security area directors. Document editors and WG chairs should treat 
>> these comments just like any other last call comments.
>>
>> I've been rather busy and haven't had time to thoroughly review this 
>> document. But I did look at the Security Considerations section and 
>> will recommend that some additions be made. The Security 
>> Considerations section says, "This document does not add any new 
>> security considerations beyond the existing considerations in the 
>> RFCs for protocols that are being multiplexed together. " (First 
>> paragraph.) I believe that it would be helpful to readers and 
>> implementers if the specification were to give pointers to RFCs for 
>> protocols that are being multiplexed together, and their security 
>> considerations.
>>
>> [[Suhas]] - On further internal discussions, we think the above 
>> paragraph needs to be rephrased as below to be specific on the goals 
>> of this specification.
>> "This document does not add any new security considerations beyond 
>> the existing considerations in the RTP  RFCs (RFC3550 and 
>> RFC3711) referenced by this specification."
>>
>>
>> The section continues by saying, "The ways that SRTP streams are 
>> keyed is not believed to create any two-time pad vulnerability for 
>> the currently defined SRTP keying mechanism." (Second paragraph.) I 
>> may not have seen it but I don't believe that this document specifies 
>> keying for SRTP streams, but only references RFC4567 (Section 5.35) 
>> and RFC4572 (Section 5.36). If that's the case, then this document 
>> doesn't need to opine about possible vulnerabilities in that area; 
>> leave it to those or subsequent documents to make that analysis. 
>> [[Suhas]] - Agree with you. I will delete the sentence.
>>
>> It would be appropriate to reiterate that the CAUTION category may 
>> produce some problems.
>> [[Suhas]] - Sure, will add something in the lines of below 
>> "When multiplexing SDP attributes with the category "CAUTION", the 
>> implementations should be aware of possible issues as described in 
>> this specification"
>>
>>
>> For completeness, it may be good to include pointers to other mmusic 
>> and SDP documents that have addressed security aspects. A statement 
>> of how that may apply to this specification would be appropriate. I 
>> don't think this would need to be detailed.
>>
>> [[Suhas]] How about something on the lines below.
>> "The primary security for RTP including the way it is used here is 
>> described in RC3550 and RFC3711" .
>>
>> Best regards,
>> Chris
>

v2.23.0 | Report a Bug | By Email