Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbrandy-osrtp-07
Gonzalo Camarillo <gonzalo.camarillo@ericsson.com> Tue, 23 April 2019 09:33 UTC
Return-Path: <gonzalo.camarillo@ericsson.com>
X-Original-To: sipbrandy@ietfa.amsl.com
Delivered-To: sipbrandy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69EF812023C; Tue, 23 Apr 2019 02:33:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oKysTCGA8MdB; Tue, 23 Apr 2019 02:32:58 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-eopbgr150082.outbound.protection.outlook.com [40.107.15.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27EFB12004D; Tue, 23 Apr 2019 02:32:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HptMC+r+1pdQ0TV/MKVIQltrJp/I1rLsRR/V5fsK2JY=; b=YHvJdNAUGEbfNRvcYDwaNPQcvrUk5dqUbiGotZOd8TNeehtsMDMKoy4f6YSNrZTBoelB06mB4IW53o/d+ShCoqPnA8f8F3KJ5KQh+h1fa0JRPfts9kQHonyRJUdVe8LLzNGu/v5pHuJbCskEMOdFKqXeBGOJyf7IR7KvU7GLCAk=
Received: from AM6PR0702MB3688.eurprd07.prod.outlook.com (52.133.24.141) by AM6PR0702MB3590.eurprd07.prod.outlook.com (52.133.24.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1835.6; Tue, 23 Apr 2019 09:32:54 +0000
Received: from AM6PR0702MB3688.eurprd07.prod.outlook.com ([fe80::b42f:1195:9967:b99f]) by AM6PR0702MB3688.eurprd07.prod.outlook.com ([fe80::b42f:1195:9967:b99f%7]) with mapi id 15.20.1835.010; Tue, 23 Apr 2019 09:32:54 +0000
From: Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>
To: Andy Hutton <andyhutton.ietf@gmail.com>
CC: Ben Campbell <ben@nostrum.com>, "sipbrandy@ietf.org" <sipbrandy@ietf.org>, "draft-ietf-sipbrandy-osrtp.all@ietf.org" <draft-ietf-sipbrandy-osrtp.all@ietf.org>, Alexey Melnikov <Alexey.Melnikov@isode.com>
Thread-Topic: [Sipbrandy] AD Evaluation of draft-ietf-sipbrandy-osrtp-07
Thread-Index: AQHU+beGpGJNJYZf0Uqf4kmSWBC/zg==
Date: Tue, 23 Apr 2019 09:32:54 +0000
Message-ID: <AM6PR0702MB3688AADB0C621BCD446D44D583230@AM6PR0702MB3688.eurprd07.prod.outlook.com>
References: <72C42C63-D5C4-403D-A895-429CB2238AC3@nostrum.com> <e6724bd0-1ea0-3014-8836-60dc454c2982@ericsson.com> <CAB7PXwTUXUa1Euar+hXY4EzOqZ0_U-eru=e1ApjTy4a2FCBYJg@mail.gmail.com> <CAB7PXwRSFXcB5zGdNP_zqyKWUJqZAK+bKsxeyWhK6eeogqJ8dw@mail.gmail.com> <A7A08115-5B69-4931-8C89-0EBDF3A76D10@nostrum.com> <c28ee3c0-b91d-3a12-e83b-4d3b727fc908@ericsson.com> <CAB7PXwRtAd1OC6r0AGJZ66km=ei_fq80QYUUuNbZuQGT4HmPkQ@mail.gmail.com> <741719ee-bbc6-adaf-a036-8fdd655e470f@ericsson.com> <CAB7PXwTkkN0905aHREPyoCX0YY1+adr9sbrVnGuPFp-Rgk3ONw@mail.gmail.com> <2e599cba-8f58-d1e5-3387-28013b26302d@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=gonzalo.camarillo@ericsson.com;
x-originating-ip: [185.188.8.213]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a6a1cec4-1b1a-47c3-ee78-08d6c7ceaa0a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600141)(711020)(4605104)(2017052603328)(7193020); SRVR:AM6PR0702MB3590;
x-ms-traffictypediagnostic: AM6PR0702MB3590:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <AM6PR0702MB3590948E572ACCC0F726034183230@AM6PR0702MB3590.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0016DEFF96
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(136003)(39860400002)(376002)(396003)(366004)(346002)(189003)(199004)(51914003)(3846002)(55016002)(71200400001)(86362001)(71190400001)(2906002)(6116002)(76116006)(9686003)(54906003)(6916009)(76176011)(73956011)(66446008)(66946007)(91956017)(44832011)(66476007)(64756008)(66556008)(6306002)(486006)(229853002)(8936002)(8676002)(476003)(6436002)(53936002)(7696005)(305945005)(81156014)(81166006)(74316002)(7736002)(256004)(14444005)(52536014)(102836004)(66066001)(446003)(478600001)(186003)(14454004)(316002)(93886005)(68736007)(26005)(966005)(4326008)(25786009)(6506007)(99286004)(6246003)(97736004)(53546011)(5660300002)(33656002); DIR:OUT; SFP:1101; SCL:1; SRVR:AM6PR0702MB3590; H:AM6PR0702MB3688.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: BFdG/T+SWihIUKcgclJXwFbCRsxCI1fVzGA5rSmlw2cfyXQPpU7358JBIu9+05syV2bNDCvk851KDB+zU+79wZGvwNUzGegmq0l5K2Tb+Y80aI4N6diTPxDJyHjgfmV6Xl3Y55x9YGrwpxM1WzeL7rFJGEoZ82SNC6wpuM5JckxzI8EAq/h/IFoBfHRNwI+cmBOkaQIxsjiXHa/JvO2PYSAn29D0dcxmIfoydIq4MmXnbjgXnDsLfPr+WXprrVnTAZsRNaKWlmRBHbzDbzSbqVm5MHe5ofJU9ixfyBXN0gbpV6BUBSXVjZNX14tIUQG6cy8PmmMGa4a1TaOzIPsyk9aTiFFU1E+WnWbJvrueUmsUgKnAuJlyygzepNoj6dRuMIR+GmuppO81o08ZHO5vi3lGFOP88aAMksxFWBQMDbo=
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a6a1cec4-1b1a-47c3-ee78-08d6c7ceaa0a
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Apr 2019 09:32:54.8607 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM6PR0702MB3590
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipbrandy/N6ydYrg81Jldk5lys7KSjagoxTQ>
Subject: Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbrandy-osrtp-07
X-BeenThere: sipbrandy@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIPBRANDY working group discussion list <sipbrandy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipbrandy>, <mailto:sipbrandy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipbrandy/>
List-Post: <mailto:sipbrandy@ietf.org>
List-Help: <mailto:sipbrandy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipbrandy>, <mailto:sipbrandy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Apr 2019 09:33:01 -0000
Hi Ben, when do you think you will be able to look into this? Thanks! Cheers, Gonzalo On 08-Apr-19 13:49, Gonzalo Camarillo wrote: > Hi Ben, > > could you please look into what Andy ways and confirm whether or not you > are happy with the current revision of the draft? Thanks! > > Cheers, > > Gonzalo > > On 08-Apr-19 13:47, Andy Hutton wrote: >> I looked at this again and I am not convinced that any further changes >> to the draft are needed but if someone wants to suggest text then I >> can include it in the draft. >> >> In the case of SDES the security considerations states that an >> encrypted signalling channel must still be used so this draft changes >> nothing with respect to intermediaries and the SDES (RFC 4568) >> security considerations still apply. >> >> Regards >> Andy >> >> On Tue, 2 Apr 2019 at 14:56, Gonzalo Camarillo >> <gonzalo.camarillo@ericsson.com> wrote: >>> >>> Hi Andy, >>> >>> Ben's response below indicates that his main substantive comment was not >>> addressed in the revision you submitted last week. Could you please look >>> into it and get back to Ben? Thanks! >>> >>>>> With regard to Ben's comment on the relaxing of the authentication >>>>> requirement then this is consistent with the Opportunistic >>>>> Security RFC 7435 and I added a reference to this as >>>>> clarification. >>>> >>>> If I recall correctly, RFC 7435 does not discuss scenarios with >>>> separate signaling and media channels, and how OS applies to each >>>> channel. I was looking more for something about the impacts of this >>>> “relaxation” specific to these sorts of scenarios with dtls-srtp and >>>> sdes, and resulting assurances. >>>> >>>> For example, dtls-srtp with no authentication does not give you >>>> assurances about who you are talking to, but it still allows >>>> encryption. SDES without encryption lets an eavesdropper potentially >>>> learn the encryption keys, etc. SDES with transport level protection >>>> (e.g. SIPS) protects from off-path eavesdroppers, but allows proxies >>>> and b2bua’s in the signaling path to learn the encryption keys. >>> >>> >>> Cheers, >>> >>> Gonzalo >>> >>> On 02-Apr-19 16:50, Andy Hutton wrote: >>>> I believe all Ben's points are addressed in the draft I submitted >>>> last week https://tools.ietf.org/html/draft-ietf-sipbrandy-osrtp-08 >>>> >>>> Regards Andy >>>> >>>> On Tue, 2 Apr 2019 at 12:03, Gonzalo Camarillo >>>> <gonzalo.camarillo@ericsson.com> wrote: >>>>> >>>>> Hi Andy, authors, >>>>> >>>>> could you please let Alexey when he should expect a new revision of >>>>> this draft that addresses Ben's point below? >>>>> >>>>> Cheers, >>>>> >>>>> Gonzalo >>>>> >>>>> On 26-Mar-19 18:10, Ben Campbell wrote: >>>>>> (+Alexey, who will take over SIPBRANDY when I step down as AD) >>>>>> >>>>>> Hi, >>>>>> >>>>>> Thanks for the response. This does not quite address my main >>>>>> substantive comment. It does address everything else :-) >>>>>> >>>>>> Please see comment in line. >>>>>> >>>>>> Thanks! >>>>>> >>>>>> Ben. >>>>>> >>>>>>> On Mar 26, 2019, at 11:58 AM, Andy Hutton >>>>>>> <andyhutton.ietf@gmail.com> wrote: >>>>>>> >>>>>>> I submitted an update in response to Ben's comments - >>>>>>> https://tools.ietf.org/html/draft-ietf-sipbrandy-osrtp-08 >>>>>>> >>>>>>> With regard to Ben's comment on the relaxing of the >>>>>>> authentication requirement then this is consistent with the >>>>>>> Opportunistic Security RFC 7435 and I added a reference to this >>>>>>> as clarification. >>>>>> >>>>>> If I recall correctly, RFC 7435 does not discuss scenarios with >>>>>> separate signaling and media channels, and how OS applies to each >>>>>> channel. I was looking more for something about the impacts of >>>>>> this “relaxation” specific to these sorts of scenarios with >>>>>> dtls-srtp and sdes, and resulting assurances. >>>>>> >>>>>> For example, dtls-srtp with no authentication does not give you >>>>>> assurances about who you are talking to, but it still allows >>>>>> encryption. SDES without encryption lets an eavesdropper >>>>>> potentially learn the encryption keys, etc. SDES with transport >>>>>> level protection (e.g. SIPS) protects from off-path >>>>>> eavesdroppers, but allows proxies and b2bua’s in the signaling >>>>>> path to learn the encryption keys. >>>>>> >>>>>> >>>>>>> >>>>>>> Hopefully we can get this to RFC status now. >>>>>>> >>>>>>> Regards Andy >>>>>>> >>>>>>> On Mon, 25 Mar 2019 at 22:26, Andy Hutton >>>>>>> <andyhutton.ietf@gmail.com> wrote: >>>>>>>> >>>>>>>> Sorry about the delay. >>>>>>>> >>>>>>>> See below. >>>>>>>> >>>>>>>> I will update the draft. >>>>>>>> >>>>>>>> Andy >>>>>>>> >>>>>>>> On Fri, 15 Feb 2019 at 08:46, Gonzalo Camarillo >>>>>>>> <gonzalo.camarillo@ericsson.com> wrote: >>>>>>>>> >>>>>>>>> Thanks for the quick review, Ben! >>>>>>>>> >>>>>>>>> Authors, please address Ben's comments below. >>>>>>>>> >>>>>>>>> Cheers, >>>>>>>>> >>>>>>>>> Gonzalo >>>>>>>>> >>>>>>>>> On 14-Feb-19 22:46, Ben Campbell wrote: >>>>>>>>>> Hi, >>>>>>>>>> >>>>>>>>>> This is my AD Evaluation of >>>>>>>>>> draft-ietf-sipbrandy-osrtp-07. >>>>>>>>>> >>>>>>>>>> Thank you for a readable and easy to understand >>>>>>>>>> document.There is one comment I would like to resolve >>>>>>>>>> prior to IETF LC. The others can be resolved along with >>>>>>>>>> any last call feedback. >>>>>>>>>> >>>>>>>>>> *** Please resolve prior to IETF LC *** >>>>>>>>>> >>>>>>>>>> §4: The relaxation of authentication requirements for >>>>>>>>>> DTLS-SRTP and SDES could use some elaboration on why this >>>>>>>>>> acceptable. I _think_ the answer is that, since OSRTP >>>>>>>>>> doesn’t guaranty authentication, there’s no need for such >>>>>>>>>> a guaranty from the signaling channel. Is that correct? >>>>>>>>>> >>>>>>>>>> OTOH, §1 says "third mode for security between >>>>>>>>>> "cleartext” and "comprehensive protection" that allows >>>>>>>>>> encryption and authentication to be used if supported…”. >>>>>>>>>> That suggests that that authentication is sometimes >>>>>>>>>> provided. Is there a distinction between the >>>>>>>>>> authenticated case and unauthenticated case that should >>>>>>>>>> be mentioned somewhere? (For example, is there a need to >>>>>>>>>> indicate the distinction to the user?) >>>>>>>>>> >>>>>>>> >>>>>>>> $1 should I think say "allows encryption and authenticated >>>>>>>> media" but I cannot remember why we said the signalling >>>>>>>> authentication requirements are relaxed this has been in the >>>>>>>> draft from day 1 and I guess it is consistent with the best >>>>>>>> effort approach. >>>>>>>> >>>>>>>> Anyone else want to comment? >>>>>>>> >>>>>>>> >>>>>>>>>> *** Other Substantive Comments *** >>>>>>>>>> >>>>>>>>>> §2: Please use the new boilerplate from RFC 8174. >>>>>>>> >>>>>>>> Will do. >>>>>>>> >>>>>>>>>> >>>>>>>>>> §3.1: Please clarify that that the offer can contain more >>>>>>>>>> than one key management attribute. This is mentioned in >>>>>>>>>> §3.1, but not actually in the section on generating the >>>>>>>>>> offer. >>>>>>>> >>>>>>>> Will do. >>>>>>>> >>>>>>>>>> >>>>>>>>>> *** Editorial Comments *** >>>>>>>>>> >>>>>>>>>> §3: "As discussed in [RFC7435], this is the >>>>>>>>>> "comprehensive protection" for media mode.” s/this/that >>>>>>>> >>>>>>>> Thanks >>>>>>>> >>>>>>>>>> >>>>>>>>>> §3.4: "meaning that the decision to create an OSRTP type >>>>>>>>>> offer or something else should not be influenced” That’s >>>>>>>>>> referring to the decision to create a _new_ offer, right? >>>>>>>>>> Not the original offer? >>>>>>>> >>>>>>>> Correct. >>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> _______________________________________________ Sipbrandy >>>>>>>>>> mailing list Sipbrandy@ietf.org >>>>>>>>>> https://www.ietf.org/mailman/listinfo/sipbrandy >>>>>>>>>> >>>>>>>>> _______________________________________________ Sipbrandy >>>>>>>>> mailing list Sipbrandy@ietf.org >>>>>>>>> https://www.ietf.org/mailman/listinfo/sipbrandy >>>>>> >>>>> >>>> >>>> _______________________________________________ Sipbrandy mailing >>>> list Sipbrandy@ietf.org >>>> https://www.ietf.org/mailman/listinfo/sipbrandy >>>> >> >> _______________________________________________ >> Sipbrandy mailing list >> Sipbrandy@ietf.org >> https://www.ietf.org/mailman/listinfo/sipbrandy >> >
- [Sipbrandy] AD Evaluation of draft-ietf-sipbrandy… Ben Campbell
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Gonzalo Camarillo
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Ben Campbell
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Gonzalo Camarillo
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Andy Hutton
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Andy Hutton
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Ben Campbell
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Gonzalo Camarillo
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Andy Hutton
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Gonzalo Camarillo
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Andy Hutton
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Gonzalo Camarillo
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Gonzalo Camarillo
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Ben Campbell
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Ben Campbell
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Andy Hutton
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Gonzalo Camarillo
- Re: [Sipbrandy] AD Evaluation of draft-ietf-sipbr… Andy Hutton