IETF Logo Mail Archive

Re: [Sframe] [dispatch] SFRame Next Steps (was SFrame proposed WG charter)

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 31 August 2020 14:06 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: sframe@ietfa.amsl.com
Delivered-To: sframe@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A6833A13C0; Mon, 31 Aug 2020 07:06:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2O2to1y27iTm; Mon, 31 Aug 2020 07:06:15 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on0603.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::603]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3A193A13C5; Mon, 31 Aug 2020 07:06:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bUjcdGLKMhS1ybm07BJwPTlIm+dbNPW8oSAFHY4yWGEbcHB+XvDk/9rPoTJIfpUn2vQE7DbNuO/2kb/oZuF9qArkZghKu+ssp72urRrq1A68JhlUiMbjrzIjBix0OMkpIUDgcSBTJ6Zd2E7fXrnwnT8P4QX09v8kT3R2NyHR0mMAcHvwGDbXQifV/I7AMYcxtV2YIA5/44NpXhbg5gBJzjZzErcmkHYwyMwhVVu9Ca/N8NdBDV6vW3oI5DJrNwoaoxsi60maIJFUsvXz96WFpcuAzE2WyyDAjvyIHSYjFvKhPxdTDrNjuRDfbohU0hLTkSZ5BIPgDYWdhhNs6QKvYg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Mxh++eJCYuw+Q1S0kTPlhMYBGRrDHNIOjsO9kq8OOzI=; b=h6ejl7NyQibMPajJADizRTndxV4E3EDBxovuVbtFJ+SMwS4CiVmVAMIll7hEyQ7YYk+MtkVCu5cXmYj1kPmEKIs7wBmNKQGy2neLlZU8kuItqm9ANomEaqiWmQ1tDVvOZUotCOVxfWkfvsjL5zWUEWWbsVdYO5rNITTX/Ya7j/+NmF9j9hyWTV+YXGguGtDHJGqMpc7Srl35VH3hrKCtne7d/Biqc63gHjVJNhArtgGi3H/QdQ49R56ji7rYCf5xojLjEyWR3a2OC+MRwomnQAsEJZDGyMd3BeFbg2rXSaPAi2LzE/5vHTsnjeB5sUfrWUpuC5ul3byCAG6fQdzzZw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Mxh++eJCYuw+Q1S0kTPlhMYBGRrDHNIOjsO9kq8OOzI=; b=Utcou7MovFovwKsNmaYs2MjKETm4YDJGlgd3Cgna0bh9wkX+39tFries0STpRf2lIUI1YmgM1P9wpGF5etfOVBVTMUa9CC0nFA16rHcLg8HeJe9cLTbKeWEHTih8L0LmL1bBGZGTeRgslnnaLX7HXpp8t9BkQ61bGACuOH/whig=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR0701MB2684.eurprd07.prod.outlook.com (2603:10a6:3:8f::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3348.5; Mon, 31 Aug 2020 14:06:07 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::b56f:9a8e:3399:aaa3]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::b56f:9a8e:3399:aaa3%7]) with mapi id 15.20.3348.013; Mon, 31 Aug 2020 14:06:07 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "Alex.GOUAILLARD@cosmosoftware.io" <Alex.GOUAILLARD@cosmosoftware.io>, "rlb@ipv.sx" <rlb@ipv.sx>
CC: "ben@nostrum.com" <ben@nostrum.com>, "emadomara=40google.com@dmarc.ietf.org" <emadomara=40google.com@dmarc.ietf.org>, "dispatch@ietf.org" <dispatch@ietf.org>, "sframe@ietf.org" <sframe@ietf.org>, "sergio.garcia.murillo@gmail.com" <sergio.garcia.murillo@gmail.com>
Thread-Topic: [Sframe] [dispatch] SFRame Next Steps (was SFrame proposed WG charter)
Thread-Index: AQHWa2UvSRWiVT7MukOqMgZDT9IOv6kqyBeAgACYmgCAAjbMgIAHB3KAgB3KAwA=
Date: Mon, 31 Aug 2020 14:06:07 +0000
Message-ID: <fc46a290b86591e4e009f65f76c828028e06bd8b.camel@ericsson.com>
References: <CAHo7dC91bvRHiYuRT63uJ=HeuFU9L7XXqTcG+za5xi_BbQ0G2w@mail.gmail.com> <E2072219-1B6E-4444-A39C-287842783DBF@nostrum.com> <CAL02cgT13rEnvaB9TFMci=N8OqO35qKHthPHhMCvAccZWhCu-Q@mail.gmail.com> <ca0a7472a86cf53c78779f6153a80dc096acc4e8.camel@ericsson.com> <69181ed1-d72a-99de-8b4d-9e10276ced91@gmail.com> <771e108a9f25c1bec04d5fcdad58eb55bbb1533d.camel@ericsson.com> <CAHo7dC_b_fvmq=FRK-DMFtOji_tCV3hAnEHr+P-CY7BHtPP+MA@mail.gmail.com> <CACtMSQWR0xxV_2Worc197Ftf7yTFhwrses+732vWN+fHjN4pkQ@mail.gmail.com> <CAL02cgRnfRoYfUu78hV7X2LV_GuhaHbZvC9vpgcnyzy4D2HPVw@mail.gmail.com>
In-Reply-To: <CAL02cgRnfRoYfUu78hV7X2LV_GuhaHbZvC9vpgcnyzy4D2HPVw@mail.gmail.com>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: cosmosoftware.io; dkim=none (message not signed) header.d=none;cosmosoftware.io; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [192.176.1.82]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c7ff1093-c580-449c-643b-08d84db701bd
x-ms-traffictypediagnostic: HE1PR0701MB2684:
x-microsoft-antispam-prvs: <HE1PR0701MB2684D344E39D029C4A6054C995510@HE1PR0701MB2684.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: y8Vgxonwb4D9UxfavlNPca0diwLzYeZeYFBWVeeePVafFCGriTFJWKrG96R1WAB0eOARWDb/UUwLF/6lcAv4ZmrWr1pfqO7eSAgXDf/nxDKjiSXrIJaVYTsy1db9wuIQSFMULvn1uuKKTCqwsgQWEwQiqY9OIh5nTTt/gqwn6B0Kw9PVTmhOZpupGhXFm20COPUxJGzsi5lymJEERcEWRxPfQ6AO28A2d1j4z0YH1rwIBjiLE3RYtT5MVeIdS14YRPa8pMWq6c2//tMPoBtMoYKwDMGHAW2XvGcuHAF44Nry7g6m3qPPlKlJ//RsVv0eRbipYZ0G4CXFC6QkZ7Vn/a3lgMS3HFBotYPQMMCpKo3RkBJv7hkjemeaf/9sMuqn
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(396003)(39860400002)(376002)(346002)(366004)(8676002)(2906002)(4326008)(6506007)(5660300002)(71200400001)(66574015)(8936002)(2616005)(26005)(66946007)(44832011)(54906003)(91956017)(76116006)(86362001)(83380400001)(110136005)(316002)(6486002)(186003)(53546011)(36756003)(66476007)(66446008)(66556008)(64756008)(478600001)(6512007)(99106002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: JJrrmyh8jI3FV/IWeLj06cWbCCJd8Ebo8KTKULhemlT7WjLFP2vwtDDJVIKyLjP6ZqBy4f2BTBx6ZLTmVGo0mEfSdd2zrZ4Qz48HIyoIOReERpxfsqynco3V/gV7gQVKKOPwVc7gptSZGw9T2oJzL1NWpzkGqA3o5bndYxuNDbfTnIatzVFYTyfp/PYzBoKPAnZYSAEUJd4JX4p+VfJT6XZZ7CmIyohSXg0Ub9wodE9s2BIVhzUWRvvbDnUe2I4nirEDEPVl4YBy1I62eD7NvT4vLMlp4Ma0KI7jMd8h56Od84SzFSxMjkyNew4CmrxmTGYHWouex19pizcjUnqy8tbPm3rikcLAWQYJde8W/rdsQ9yT9/M5a/bbWJIZo4OvmnFNwMPtXI/tmYO2H2pXyI5AWaARCU7nTDVp2qB30Lh3Xxtq7TpTyKqFHJjW0CkEj8c/1saJcksBlNEn/aMIoRAhX6zHemVWDroRK8DGLiVYanroCIjXstiICUcN82XASlje8OG24qglr/XGnnYdDGbj9rswibYlvO+ppQEaDulQ9pi5o1sPSWVgYDbe2x1raID1VERhJL0kyiuWHkHqiSRYXuSPXJYa7POZaisiyXyeaQayOEiWz4Dxw/RmeFMWT+oFEf9ohtmGVmTIEh/1WQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <5BAF39630585E24CB8FE8BCFF2975B67@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: c7ff1093-c580-449c-643b-08d84db701bd
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Aug 2020 14:06:07.4919 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Ka1oWKRDcEG482p1fYTHfI1dDw+mDKL+PxbzF6Gr5wkNgA+TyD3XfZ9pDn9S5okfyafpPxopBhtg8Io8/mMCG8bItL4FYxCYEKKM7pvVYXQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2684
Archived-At: <https://mailarchive.ietf.org/arch/msg/sframe/X0AokYgUjViU_zf3rwFJndwvrZY>
Subject: Re: [Sframe] [dispatch] SFRame Next Steps (was SFrame proposed WG charter)
X-BeenThere: sframe@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <sframe.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sframe>, <mailto:sframe-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sframe/>
List-Post: <mailto:sframe@ietf.org>
List-Help: <mailto:sframe-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sframe>, <mailto:sframe-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Aug 2020 14:06:17 -0000

Hi,

Thanks for working on addressing my comments when on vacation.

I think you mostly arravied at a good place. However, I would like to make one
remark about the added language.

When it comes to threat models it can't be the intersection of threats across
those that occur in the intended usages, it needs to be the union of threats.
The formulation added implies intersection to me. 

Cheers

Magnus

On Wed, 2020-08-12 at 11:11 -0400, Richard Barnes wrote:
> Hey all,
> 
> I agree that all of this stuff is valuable to capture somewhere.  In the
> interest of keeping the charter fairly succinct, I've added the following:
> 
> """
> The SFrame specification will detail the specific security properties that the
> encapsulation provides, and discuss their implications under common usage
> scenarios / threat models.
> """
> 
> With that, I think that all the comments we've gotten so far have been
> addressed.
> 
> --Richard
> 
> 
> On Fri, Aug 7, 2020 at 11:51 PM Alexandre GOUAILLARD <
> Alex.GOUAILLARD@cosmosoftware.io> wrote:
> > guys,
> > 
> > sorry for jumping in so late, quarantine here is very strict.
> > 
> > We had long discussions about this specific point ahead of the draft
> > submission.
> > We had reached the following consensus:
> > - there are multiple usage of media over the internet, e.g. conferencing and
> > streaming/broadcast
> > - they have very different threat/trust models, with different solutions
> > implemented today (transport layer E / E2EE / DRM / Encrypted Media
> > Extentions / ...)
> > - they all can benefit from SFrame
> > 
> > PERC was, by design, limited to RTP and to Conferencing. Many other use case
> > coul benefit from Enhanced Privacy.
> > 
> > We concluded that it would be better to keep SFrame (the media encryption
> > part, equivalent to PERC double conceptually), and to have separated
> > documents that describe the threat models and the corresponding key
> > exchange, signaling and system level decision for each use case. Emad had
> > taken an action item for example to make two additional documents to
> > describe the Video Conferencing use case, and how SFrame could be used in
> > conjunction with MLS to address that specific use case. Someone else could
> > take the different use case of the Browsers (which have a specific trust
> > model) and make a document showing how SFrame con work with Insertable Frame
> > API (and likely some more) to address that use case. CoSMo is interested in
> > doing the same thing for Real-Time streaming/Broadcasting.
> > 
> > I think it is a more reasonable approach as, even spending a lot of time
> > brainstorming with everyone around the tabel including bernard, we couldn't
> > think about one solution to fit all the different "media over internet"'s
> > threat model. In my mind, each case should first have an informal document
> > to define scope and threat model, and subsequent document to define the
> > corresponding specifications. 
> > - Secure Conferencing Threat model (emad and co.)
> > - Secure Conferencing Signalling using MLS (emad and co.)
> > - Secure Conferencing using MLS In the browser (contributed by w3c people)
> > 
> > Magnus, what do you think?
> > 
> > Regards, 
> > 
> > Dr. ALex.
> > 
> > 
> > 
> > On Fri, Aug 7, 2020 at 2:02 AM Emad Omara <
> > emadomara=40google.com@dmarc.ietf.org> wrote:
> > > Thanks Magnus. I like the idea to explicitly call out the threat model, I
> > > think it will be good foundations that control all future design
> > > decisions, however I'm not sure if the charter is the right place to call
> > > this out. I'd recommend having a separate document that describes the
> > > system architecture, goals and threat model. What do you think?
> > > 
> > > Emad
> > > 
> > > On Thu, Aug 6, 2020 at 1:56 AM Magnus Westerlund <
> > > magnus.westerlund@ericsson.com> wrote:
> > > > Hi,
> > > > 
> > > > On Wed, 2020-08-05 at 22:15 +0200, Sergio Garcia Murillo wrote:
> > > > > But shouldn't the "delayed media" attack still be transport agnostic?
> > > > I 
> > > > > mean, this can happen on QUIC and WebRTC SFUs.
> > > > 
> > > > Sorry if I gave the impression that it is not transport agnostic. It is
> > > > use case
> > > > dependent, any use case that isn't point to point, where there is more
> > > > than one
> > > > entity that can intentionally remove SFRAME creating gaps in the SFRAME
> > > > sequence. In a point to point scenario one can correlate transport
> > > > losses with
> > > > SFRAME gaps to know give a reasonably strong mitigation against any
> > > > third party
> > > > removing SFRAMEs or delaying them. That is much harder in a centralized
> > > > conference with one or more SFU.
> > > > 
> > > > > 
> > > > > Anyway, I agree that while SFrame is transport agnostic, the chapter 
> > > > > should not ignore the interactions with webrtc/quic and we must
> > > > ensure 
> > > > > that we provide a complete working solution regardless of the
> > > > transport. 
> > > > > If we identify that any further working items are required for a 
> > > > > particular transport, we should at liaise with the appropriate
> > > > working 
> > > > > group for providing a solution.
> > > > 
> > > > My main point is that SFRAME actually needs to discuss the threat model
> > > > for the
> > > > use cases it intendes to solve. And the mitigation can potentially
> > > > include
> > > > functionality on the transport level. But the risks to media security in
> > > > centralized conferencing needs to be discussed. And centralized
> > > > conferencing
> > > > will still have the semi-trusted SFUs and all the rest of the third
> > > > parties in
> > > > addition to the end-points. 
> > > > 
> > > > Also what properties one have around end-points invited into the
> > > > conference has
> > > > a number of question around security properties that needs to be
> > > > discussed and
> > > > documented. Some examples that I know are relevant:
> > > > 
> > > > - Source authentication: SRTP unless one use TESLA (which isn't really
> > > > used)
> > > > does only provided the property: Someone that has the key sent this. One
> > > > don't
> > > > know that it comes from a particular endpoint. 
> > > > 
> > > > - Confidentiality when group membership changes: So will SFRAME keying
> > > > support a
> > > > use case where only the current set of members in a conference can
> > > > decrypt the
> > > > media and one rekey the media session key for each time the membership
> > > > changes?
> > > > PERC do support this, will SFRAME? 
> > > > 
> > > > There are likely more questions that needs discussion. The PERC
> > > > discussion is a
> > > > good starting point, but I think when going transport agnostic some of
> > > > the
> > > > issues needs to be more clearly discussed as the RTP transport can have
> > > > affected
> > > > how it was discussed, and what reliance on existing mechanism. Which for
> > > > SFRAME
> > > > likely require a general discussion and then requirements on the
> > > > transport and
> > > > invovled endpoints and SFU to accomplish mitigations. And thus also what
> > > > the
> > > > risks are of having no mitigation in place. 
> > > > 
> > > > I would really propose that SFRAME is chartered with publishing a
> > > > security
> > > > consideration and threat model document that is seperate from the
> > > > solution to
> > > > give this topic full focus. The solution will of necessity need to
> > > > reference
> > > > that and document what migitagtions that exists in the SFRAME layer and
> > > > what
> > > > becomes requirements on the transport. 
> > > > 
> > > > Cheers
> > > > 
> > > > Magnus Westerlund 
> > > > 
> > > > 
> > > > ----------------------------------------------------------------------
> > > > Networks, Ericsson Research
> > > > ----------------------------------------------------------------------
> > > > Ericsson AB                 | Phone  +46 10 7148287
> > > > Torshamnsgatan 23           | Mobile +46 73 0949079
> > > > SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> > > > ----------------------------------------------------------------------
> > > > 
> > > > 
-- 
Cheers

Magnus Westerlund 


----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email