IETF Logo Mail Archive

Re: [siprec] Stephen Farrell's Discuss on draft-ietf-siprec-protocol-16: (with DISCUSS)

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 28 May 2015 16:33 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: siprec@ietfa.amsl.com
Delivered-To: siprec@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85C1B1B2B96; Thu, 28 May 2015 09:33:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mgMScJ3hhSgD; Thu, 28 May 2015 09:32:58 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06CCF1A001B; Thu, 28 May 2015 09:32:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id CBC01BEEA; Thu, 28 May 2015 17:32:56 +0100 (IST)
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cX7qeA2nzQCd; Thu, 28 May 2015 17:32:56 +0100 (IST)
Received: from [134.226.36.180] (stephen-think.dsg.cs.tcd.ie [134.226.36.180]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 9DFA5BEBC; Thu, 28 May 2015 17:32:56 +0100 (IST)
Message-ID: <55674338.2010303@cs.tcd.ie>
Date: Thu, 28 May 2015 17:32:56 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: "Hutton, Andrew" <andrew.hutton@unify.com>, The IESG <iesg@ietf.org>
References: <20150526224118.4132.30843.idtracker@ietfa.amsl.com> <9F33F40F6F2CD847824537F3C4E37DDF1E773BAF@MCHP04MSX.global-ad.net>
In-Reply-To: <9F33F40F6F2CD847824537F3C4E37DDF1E773BAF@MCHP04MSX.global-ad.net>
OpenPGP: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/siprec/YCm2FVU3HiZSzQdDd8QqhRaOEmI>
Cc: "siprec@ietf.org" <siprec@ietf.org>, "draft-ietf-siprec-protocol.ad@ietf.org" <draft-ietf-siprec-protocol.ad@ietf.org>, "siprec-chairs@ietf.org" <siprec-chairs@ietf.org>, "draft-ietf-siprec-protocol@ietf.org" <draft-ietf-siprec-protocol@ietf.org>, "draft-ietf-siprec-protocol.shepherd@ietf.org" <draft-ietf-siprec-protocol.shepherd@ietf.org>
Subject: Re: [siprec] Stephen Farrell's Discuss on draft-ietf-siprec-protocol-16: (with DISCUSS)
X-BeenThere: siprec@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: SIP Recording Working Group Discussion List <siprec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/siprec>, <mailto:siprec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/siprec/>
List-Post: <mailto:siprec@ietf.org>
List-Help: <mailto:siprec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/siprec>, <mailto:siprec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2015 16:33:00 -0000

Hi Andrew,

Thanks for the quick response... mine below.

S.

On 27/05/15 21:21, Hutton, Andrew wrote:
> Some responses from me below.
> 
> Regards Andy
> 
> 
> 
> 
>> -----Original Message----- From: Stephen Farrell
>> [mailto:stephen.farrell@cs.tcd.ie] Sent: 26 May 2015 23:41 To: The
>> IESG Cc: draft-ietf-siprec-protocol@ietf.org; draft-ietf-siprec- 
>> protocol.ad@ietf.org; siprec-chairs@ietf.org; br@brianrosen.net;
>> draft- ietf-siprec-protocol.shepherd@ietf.org; siprec@ietf.org 
>> Subject: Stephen Farrell's Discuss on
>> draft-ietf-siprec-protocol-16: (with DISCUSS)
>> 
>> Stephen Farrell has entered the following ballot position for 
>> draft-ietf-siprec-protocol-16: Discuss
>> 
>> When responding, please keep the subject line intact and reply to
>> all email addresses included in the To and CC lines. (Feel free to
>> cut this introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/iesg/statement/discuss- 
>> criteria.html for more information about IESG DISCUSS and COMMENT
>> positions.
>> 
>> 
>> The document, along with other ballot positions, can be found
>> here: https://datatracker.ietf.org/doc/draft-ietf-siprec-protocol/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>>
>> 
DISCUSS:
>> ----------------------------------------------------------------------
>>
>>
>>
>> 
(1) 5.3: How does a UA know if it's preference to not be
>> recorded has been ignored?
> 
> If the UA is a recording-aware UA (i.e. supports SIPREC) and it is
> talking to a compliant recording server then it will know via the
> "a=record" SDP attribute there is some further explanation of this in
> https://tools.ietf.org/html/draft-ietf-siprec-protocol-16#section-7.1.3.
> 

Fair enough. I think you're missing mention of a timer though as
one would be needed and we should probably tell the server how
soon it ought have stopped recording or something otherwise some
UA might drop calls precipitously. It's not hugely likely maybe
but I'd guess could happen. (I'll clear the discuss point though
as that'd not be worth blocking on.)

> 
> 
>> 
>> (2) 12.2: Why is a 2011 ([I-D.ietf-avt-srtp-ekt]) expired I-D ok as
>> the method for supporting DTLS-SRTP for the CS, esp when DTLS-SRTP
>> is our currently favoured method for handing WebRTC security? When
>> is that going to be finished? On what basis is that an informative
>> and not normative reference? And is that reference ever likely to
>> be standardised? (Given that it seems to be a form of TLS MitM - is
>> that fair?) Perhaps it'd be better to just admit that re-encryption
>> is needed and get over it?
> 
> 
> Firstly the reference appears to be wrong as I think it should point
> to https://tools.ietf.org/html/draft-ietf-avtcore-srtp-ekt-03.
> DTLS-SRTP without EKT is certainly allowed in the CS as the draft
> does not restrict the keying mechanism on the CS.  Some members of
> the WG wanted to include the EKT case to allow for the case when
> there is DTLS-SRTP on the CS and SDES on the RS without requiring
> re-encryption and I believe everybody understood that this is a
> corner case but maybe those that requested it will comment further.

So I need to go read that to understand and will but don't
have time now. Please bug me if I've not gotten back on this
in a day or two.

> 
>> 
>> (3) I'll clear once you answer: but wouldn't it be easier all
>> around to just mandate use of mutually authenticated TLS between
>> SRC and SRS in all cases?  (Even if some hop-by-hop stuff is needed
>> when there are proxies between SRC and SRS.)
>> 
> 
> I think the issue here is that the SRC and SRS will often be
> co-located in an environment where mutual authentication was just not
> necessary and therefore the WG did not want to mandate this in all
> cases.

Well, I'll clear as I said I would but I have to say I don't find
that a very compelling answer at all. Mutually authenticating two
servers isn't be hard at all (you can use PSK if you want) and the
just-not-necessary I do not accept (haven't belgacom and gemalto
taught us a lesson? Apparently not;-).

Compared to whatever it is with EKT I'd bet that in almost all
cases it'll be simpler to just de-crypt and re-encrypt for the
SRC->SRS as you would in a b2bua.

And btw, if you do ever use the same key - what prevents a
participant in the CS who also has that key from sending bogus
packets to the SRS? (Hmm, maybe I should keep the discuss point
open a wee bit longer, didn't think of that before.)

Cheers,
S.



> 
>> 
>> 
>

v2.23.0 | Report a Bug | By Email