Re: [secdir] Secdir review of draft-ietf-avtcore-monarch-17

Tina TSOU <> Wed, 22 August 2012 04:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 86B6C11E80D2; Tue, 21 Aug 2012 21:44:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.072
X-Spam-Status: No, score=-6.072 tagged_above=-999 required=5 tests=[AWL=0.526, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ioKN-u2i1L+U; Tue, 21 Aug 2012 21:44:53 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 2970211E80A2; Tue, 21 Aug 2012 21:44:52 -0700 (PDT)
Received: from (EHLO ([]) by (MOS 4.3.5-GA FastPath) with ESMTP id AJJ11701; Tue, 21 Aug 2012 20:44:50 -0800 (PST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.1.323.3; Tue, 21 Aug 2012 21:39:37 -0700
Received: from ([]) by ([]) with mapi id 14.01.0323.003; Tue, 21 Aug 2012 21:39:29 -0700
From: Tina TSOU <>
To: Qin Wu <>
Thread-Topic: [secdir] Secdir review of draft-ietf-avtcore-monarch-17
Thread-Index: AQHNgBtTN3CPcwvDt0SdX/BDBNBFzZdlQAPe
Date: Wed, 22 Aug 2012 04:39:28 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US, zh-CN
Content-Language: en-US
Content-Type: multipart/alternative; boundary="_000_58D08DCC37CD4DE9A574719F5409153Chuaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Cc: The IESG <>, "" <>, "" <>
Subject: Re: [secdir] Secdir review of draft-ietf-avtcore-monarch-17
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 22 Aug 2012 04:45:03 -0000

Here is what I meant: which parties trust each other? The other parties
will be excluded from receiving the measurements. What does each case
imply in terms of requirements for key management?

To be concrete, one case is where only the end systems trust each other.
In that case, one assumes that no intermediate systems are required, and
clearly third-party monitors are excluded from receiving the
information. Keys have to be negotiated directly between the end systems.

A second case is where intermediate systems are also trusted. Here a hop-by-hop security model is practical, where keys are negotiated between successive neighbours along the path. An alternative would be a group key management scheme (RFC 6407), such that all participants receive the same session-based key. The choice between these schemes would depend amongst other things on whether the communication spans multiple trust domains. In this case, third-party monitors are still excluded.

A final case is where third party monitors are allowed access to the RTCP flows. In this case, the basic issue is how to arrange for participation of the third party monitor in key negotiation. If it is introduced in man-in-the-middle fashion into negotiations between its upstream and downstream neighbours, care has to be taken that no compromised device can do the same thing. A group key management scheme including the third party monitor and its neighbours might safer.

An interesting side-issue is whether devices might be partially trusted, so that they are allowed access to some information but not the rest. This probably lies beyond the scope of the present document, but please give it a moment's thought.


On Aug 21, 2012, at 9:05 PM, "Qin Wu" <<>> wrote:

The security section of monarch draft is consistent with RFC3611 and doesn't conflict with the security section of RFC3611.
The 2nd paragraph in security section of monarch draft,  it talks about sensitive information exposting, which said:
   In RTP sessions, a RTP system may use its own SSRC to send its
   monitoring reports towards its next-neighbour RTP system.  Other RTP
   system in the session may have a choice as to whether they forward
   this RTP system's RTCP packets.  This present a security issue since
   the information in the report may be exposed by the other RTP system
   to any malicious node.  Therefore if the information is considered as
   sensitive, the monitoring report should be encrypted.

the resolution is to use encryption.

In the 6th paragraph in security section of RFC3611, it talks about disadvantage of encryption of
XR block, which said:
   Any encryption or filtering of XR report blocks entails a loss of
   monitoring information to third parties.  For example, a network that
   establishes a tunnel to encrypt VoIP Report Blocks denies that
   information to the service providers traversed by the tunnel.  The
   service providers cannot then monitor or respond to the quality of
   the VoIP calls that they carry, potentially creating problems for the
   network's users.  As a default, XR packets should not be encrypted or
RFC3611 said, it is at default to set XR packet no encrypted. But it doesn't say encryption is prohibited in any circumstance.
To clear your confusion to this, I like to propose the following change to the 2nd paragraph in security section of monarch draft
Therefore if the information is considered as
 sensitive, the monitoring report should be encrypted.

Therefore if the information is considered as
sensitive, encryption of the monitoring report is recommended.
Hope this addresses your comments.


>To: The IESG <iesg at<>>, "secdir at<>" <secdir at<>>, "draft-ietf-avtcore-monarch at<>" <draft-ietf-avtcore-monarch at<>>
>Subject: [secdir] Secdir review of draft-ietf-avtcore-monarch-17
>From: Tina TSOU <Tina.Tsou.Zouting at<>>


>I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the >security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

>Draft-ietf-avtcore-monarch-17 as a whole provides useful advice.
>There are a number of editorial nits that will be provided to the authors in a separate E-mail.

>Unfortunately, the Security Considerations section fails to appreciate both the more nuanced view and the contradiction exhibited by the same section of RFC 3611, to which it refers. On the one hand, the >measurements reported in XR blocks could be sensitive and one might wish to provide them with confidentiality. On the other hand, intermediate parties may have legitimate reasons to view the >measurements, so that end-to-end encryption is not always desirable.

>It would be helpful for this document to discuss the trust models that might be encountered in operation, and how confidentiality and authorized usage could co-exist within these models. Of course, it may >be legitimate to conclude that under some circumstances such coexistence may be impossible, and local policy may therefore be either to suppress the measurements or accept the consequences of their >disclosure.