Re: [secdir] secdir review of draft-ietf-simple-msrp-sessmatch

Ben Campbell <ben@estacado.net> Wed, 08 September 2010 21:36 UTC

Return-Path: <ben@estacado.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 604543A67FA for <secdir@core3.amsl.com>; Wed, 8 Sep 2010 14:36:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GWbGmNOnHBmg for <secdir@core3.amsl.com>; Wed, 8 Sep 2010 14:36:44 -0700 (PDT)
Received: from estacado.net (estacado-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:266::2]) by core3.amsl.com (Postfix) with ESMTP id 62FBC3A6960 for <secdir@ietf.org>; Wed, 8 Sep 2010 14:36:33 -0700 (PDT)
Received: from dn3-174.estacado.net (dn3-174.estacado.net [172.16.3.174]) (authenticated bits=0) by estacado.net (8.14.3/8.14.2) with ESMTP id o88LarDN040332 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 8 Sep 2010 16:36:54 -0500 (CDT) (envelope-from ben@estacado.net)
Mime-Version: 1.0 (Apple Message framework v1081)
Content-Type: text/plain; charset=us-ascii
From: Ben Campbell <ben@estacado.net>
In-Reply-To: <7F2072F1E0DE894DA4B517B93C6A0585015BCA1D@ESESSCMS0356.eemea.ericsson.se>
Date: Wed, 8 Sep 2010 16:36:48 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <0B7E7D8D-CBC0-48C8-B642-A5E7A2D48BF2@estacado.net>
References: <7F2072F1E0DE894DA4B517B93C6A0585015BCA1D@ESESSCMS0356.eemea.ericsson.se>
To: Christer Holmberg <christer.holmberg@ericsson.com>
X-Mailer: Apple Mail (2.1081)
X-Mailman-Approved-At: Thu, 09 Sep 2010 08:57:29 -0700
Cc: Ted Hardie <ted.ietf@gmail.com>, The IETF <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-simple-msrp-sessmatch@tools.ietf.org" <draft-ietf-simple-msrp-sessmatch@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-simple-msrp-sessmatch
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Sep 2010 21:36:49 -0000

I wanted to make a quick response to one part of this discussion--see below:

On Aug 31, 2010, at 12:39 PM, Christer Holmberg wrote:

>>>> To highlight one particular aspect, RFC 4975 does not require
>>>> session-ids to be present, a fact noted both in the ABNF and in this
>>>> text:
>>>> 
>>>> 4. The session-id part is compared as case sensitive.  A URI without
>>>>  a session-id part is never equivalent to one that includes one.
>>>> 
>>>> A matching scheme which relies on a URI section which is not
>>>> guaranteed to be present has some interesting problems ahead of it. If
>>>> this effectively makes their use mandatory, that requires a change to
>>>> the fundamental ABNF and text.
>>> 
>>> An MSRP URI in an SDP offer or answer for an MSRP session MUST include a
>>> session-id part, so I believe the comment is
>>> based on incorrect assumptions.
>> 
>> This is not indicated in the URI matching section
> 
> We will clarify that sessmatch conformant UAs do not use MSRP URI matching in
> order to perform MSRP session matching.

In fact, RFC4975 does require an MSRP URI in and SDP offer or answer to include a session ID part. Unfortunately, it does so rather obliquely.

Section 6 contains the following language:

> The MSRP URI authority field identifies a participant in a particular
>    MSRP session.  If the authority field contains a numeric IP address,
>    it MUST also contain a port.  The session-id part identifies a
>    particular session of the participant.  The absence of the session-id
>    part indicates a reference to an MSRP host device, but does not refer
>    to a particular session at that device.  

Section 8.2, in the last paragraph, says the following about the rightmost URI placed in a path attribute in the SDP (Note that 4975 does not specify MSRP relay behavior, so only the rightmost URI is in scope)

> It MUST be assigned for this particular session, and MUST NOT duplicate
>    any URI in use for any other session in which the endpoint is
>    currently participating.  It SHOULD be hard to guess, and protected
>    from eavesdroppers.  This is discussed in more detail in 
> Section 14.
> 

This, taken together, create a requirement for a session-ID for MSRP URIs used to identify a session in the SDP. I agree this should have been more strongly worded. An errata entry is probably in order. 

Thanks!

Ben.