Re: [Sframe] [dispatch] SFRame Next Steps (was SFrame proposed WG charter)

Emad Omara <emadomara@google.com> Thu, 06 August 2020 18:02 UTC

Return-Path: <emadomara@google.com>
X-Original-To: sframe@ietfa.amsl.com
Delivered-To: sframe@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F0253A0D6D for <sframe@ietfa.amsl.com>; Thu, 6 Aug 2020 11:02:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.599
X-Spam-Level:
X-Spam-Status: No, score=-17.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hXSRkONY9qfy for <sframe@ietfa.amsl.com>; Thu, 6 Aug 2020 11:02:40 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9BD753A0D6B for <sframe@ietf.org>; Thu, 6 Aug 2020 11:02:39 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id l23so22082952edv.11 for <sframe@ietf.org>; Thu, 06 Aug 2020 11:02:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=KwWIcyCIpEZLiY5RPZx1QFB0bGnEaVlxTKu1/3XZeuk=; b=tdhjNHILmReN6y3K9Uwjw5DWhVLBTd0BCb/4KF2tgIT82VqDvQQqHYMhg0Vbo/uoll 8T7Qsl3HQQzvDLXp4AqKcNfyCe/RwIMP8eWFkXvXrxmYgx3dPJ2nIMNri+tAE2LET/Qb DQcHlfHXf7wBUqj+8yQAoXCFyDqnVIIYjVq9kyrSQxzjMcKXY8aIAzIqBql7okdW1OCQ +a7oF3qlJJjwoZwsDksU6H10jgFIk0htxu4VMM6csuYoAusxz85MXGu+OkajDi1P183w FfP2pivv4TsmHU9ffArW3kHxMOeFvyxI5FCJss/vLBcRuMuGhV09n17pAj3NFThpjicE VxxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=KwWIcyCIpEZLiY5RPZx1QFB0bGnEaVlxTKu1/3XZeuk=; b=uTayyas3cYa5zJEYPV1fSFzDEOIiVYd1YRobgR+He+I8GFwTrpoLs06lN1mTULy4aU ZGUciUxBn3eMkMxOnoRZSH3Xmc/9p+Ga6OBVmSWJudbXkF8JILSRBtBSwKQ7mptNDjhs wlyfKvNOpz+NHXiSw2m13FHw7fIVDCkgrZSiuYarajHMpLXonQbsr9BKL8EO/IZaWXMH oKpkABjNuMk6WNJM4IEM/oby1E+MNgJwdRa8qx2JBsUUUNHVRNaxD1LxKfUfjjgzdumH Z7gWSLoB1G9IiyF46ymH6xHOkM9igD86dRQhqk+DKS0xUYsEyB2us8aj9sUytua1vXxL AzPw==
X-Gm-Message-State: AOAM532E75ENpPwwcFHZb5DbcP1hU4ADb0VGtBKPtm3HL3ZHsBgwIiLY mjlv09gBWaKycvb0doYT5oRGzypIVxMIy3EcXB3C
X-Google-Smtp-Source: ABdhPJxdtdp0dHp6mqoPZqKCH7Y9fCguRSV4dObIJ14Qs371M5dngjz4pYBRZg6qj29wHjKvS3brK6dN8rj4l63KxoY=
X-Received: by 2002:aa7:cd46:: with SMTP id v6mr4951572edw.21.1596736957845; Thu, 06 Aug 2020 11:02:37 -0700 (PDT)
MIME-Version: 1.0
References: <CAHo7dC91bvRHiYuRT63uJ=HeuFU9L7XXqTcG+za5xi_BbQ0G2w@mail.gmail.com> <E2072219-1B6E-4444-A39C-287842783DBF@nostrum.com> <CAL02cgT13rEnvaB9TFMci=N8OqO35qKHthPHhMCvAccZWhCu-Q@mail.gmail.com> <ca0a7472a86cf53c78779f6153a80dc096acc4e8.camel@ericsson.com> <69181ed1-d72a-99de-8b4d-9e10276ced91@gmail.com> <771e108a9f25c1bec04d5fcdad58eb55bbb1533d.camel@ericsson.com>
In-Reply-To: <771e108a9f25c1bec04d5fcdad58eb55bbb1533d.camel@ericsson.com>
From: Emad Omara <emadomara@google.com>
Date: Thu, 6 Aug 2020 11:02:26 -0700
Message-ID: <CAHo7dC_b_fvmq=FRK-DMFtOji_tCV3hAnEHr+P-CY7BHtPP+MA@mail.gmail.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Cc: "ben@nostrum.com" <ben@nostrum.com>, "rlb@ipv.sx" <rlb@ipv.sx>, "sergio.garcia.murillo@gmail.com" <sergio.garcia.murillo@gmail.com>, "dispatch@ietf.org" <dispatch@ietf.org>, "sframe@ietf.org" <sframe@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000002c5c9f05ac394b45"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sframe/zFNOqKvckxawi9Is4CYGjkUNNms>
Subject: Re: [Sframe] [dispatch] SFRame Next Steps (was SFrame proposed WG charter)
X-BeenThere: sframe@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <sframe.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sframe>, <mailto:sframe-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sframe/>
List-Post: <mailto:sframe@ietf.org>
List-Help: <mailto:sframe-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sframe>, <mailto:sframe-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Aug 2020 18:02:43 -0000

Thanks Magnus. I like the idea to explicitly call out the threat model, I
think it will be good foundations that control all future design decisions,
however I'm not sure if the charter is the right place to call this out.
I'd recommend having a separate document that describes the system
architecture, goals and threat model. What do you think?

Emad

On Thu, Aug 6, 2020 at 1:56 AM Magnus Westerlund <
magnus.westerlund@ericsson.com> wrote:

> Hi,
>
> On Wed, 2020-08-05 at 22:15 +0200, Sergio Garcia Murillo wrote:
> > But shouldn't the "delayed media" attack still be transport agnostic? I
> > mean, this can happen on QUIC and WebRTC SFUs.
>
> Sorry if I gave the impression that it is not transport agnostic. It is
> use case
> dependent, any use case that isn't point to point, where there is more
> than one
> entity that can intentionally remove SFRAME creating gaps in the SFRAME
> sequence. In a point to point scenario one can correlate transport losses
> with
> SFRAME gaps to know give a reasonably strong mitigation against any third
> party
> removing SFRAMEs or delaying them. That is much harder in a centralized
> conference with one or more SFU.
>
> >
> > Anyway, I agree that while SFrame is transport agnostic, the chapter
> > should not ignore the interactions with webrtc/quic and we must ensure
> > that we provide a complete working solution regardless of the transport.
> > If we identify that any further working items are required for a
> > particular transport, we should at liaise with the appropriate working
> > group for providing a solution.
>
> My main point is that SFRAME actually needs to discuss the threat model
> for the
> use cases it intendes to solve. And the mitigation can potentially include
> functionality on the transport level. But the risks to media security in
> centralized conferencing needs to be discussed. And centralized
> conferencing
> will still have the semi-trusted SFUs and all the rest of the third
> parties in
> addition to the end-points.
>
> Also what properties one have around end-points invited into the
> conference has
> a number of question around security properties that needs to be discussed
> and
> documented. Some examples that I know are relevant:
>
> - Source authentication: SRTP unless one use TESLA (which isn't really
> used)
> does only provided the property: Someone that has the key sent this. One
> don't
> know that it comes from a particular endpoint.
>
> - Confidentiality when group membership changes: So will SFRAME keying
> support a
> use case where only the current set of members in a conference can decrypt
> the
> media and one rekey the media session key for each time the membership
> changes?
> PERC do support this, will SFRAME?
>
> There are likely more questions that needs discussion. The PERC discussion
> is a
> good starting point, but I think when going transport agnostic some of the
> issues needs to be more clearly discussed as the RTP transport can have
> affected
> how it was discussed, and what reliance on existing mechanism. Which for
> SFRAME
> likely require a general discussion and then requirements on the transport
> and
> invovled endpoints and SFU to accomplish mitigations. And thus also what
> the
> risks are of having no mitigation in place.
>
> I would really propose that SFRAME is chartered with publishing a security
> consideration and threat model document that is seperate from the solution
> to
> give this topic full focus. The solution will of necessity need to
> reference
> that and document what migitagtions that exists in the SFRAME layer and
> what
> becomes requirements on the transport.
>
> Cheers
>
> Magnus Westerlund
>
>
> ----------------------------------------------------------------------
> Networks, Ericsson Research
> ----------------------------------------------------------------------
> Ericsson AB                 | Phone  +46 10 7148287
> <+46%2010%20714%2082%2087>
> Torshamnsgatan 23           | Mobile +46 73 0949079
> <+46%2073%20094%2090%2079>
> SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> ----------------------------------------------------------------------
>
>
>