IETF Logo Mail Archive

Re: [straw] B2BUA handling in DTLS-SRTP [was RE: IETF#90: Draft STRAW minutes]

Christer Holmberg <christer.holmberg@ericsson.com> Wed, 29 October 2014 07:23 UTC

Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: straw@ietfa.amsl.com
Delivered-To: straw@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E154C1A01AE for <straw@ietfa.amsl.com>; Wed, 29 Oct 2014 00:23:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vfhkZnpU6Y5w for <straw@ietfa.amsl.com>; Wed, 29 Oct 2014 00:23:11 -0700 (PDT)
Received: from sessmg23.ericsson.net (sessmg23.ericsson.net [193.180.251.45]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3563D1A1B73 for <straw@ietf.org>; Wed, 29 Oct 2014 00:23:10 -0700 (PDT)
X-AuditID: c1b4fb2d-f79fc6d000001087-98-545095db6725
Received: from ESESSHC013.ericsson.se (Unknown_Domain [153.88.253.124]) by sessmg23.ericsson.net (Symantec Mail Security) with SMTP id 80.F0.04231.BD590545; Wed, 29 Oct 2014 08:23:07 +0100 (CET)
Received: from ESESSMB209.ericsson.se ([169.254.9.163]) by ESESSHC013.ericsson.se ([153.88.183.57]) with mapi id 14.03.0174.001; Wed, 29 Oct 2014 08:23:07 +0100
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Lorenzo Miniero <lorenzo@meetecho.com>
Thread-Topic: [straw] B2BUA handling in DTLS-SRTP [was RE: IETF#90: Draft STRAW minutes]
Thread-Index: AQHP80inXd2FhLbyXUOt/XsOzYzXPZxGq27Q
Date: Wed, 29 Oct 2014 07:23:06 +0000
Message-ID: <7594FB04B1934943A5C02806D1A2204B1D4D27AD@ESESSMB209.ericsson.se>
References: <7594FB04B1934943A5C02806D1A2204B1D3D5B73@ESESSMB209.ericsson.se> <015701cfab96$5eb380a0$1c1a81e0$@co.in> <53D8BC2D.6050408@cs.tcd.ie> <01f701cff306$cdddeb20$6999c160$@co.in> <7594FB04B1934943A5C02806D1A2204B1D4D25F2@ESESSMB209.ericsson.se> <20141029081910.6d592960@rainpc>
In-Reply-To: <20141029081910.6d592960@rainpc>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [153.88.183.17]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprCIsWRmVeSWpSXmKPExsUyM+Jvje7tqQEhBp+u2Vhs37KAyWLypz5W i6l9thbT915jt7jV/JjVYse5CSwObB5ru6+yedyZ84HVY8mSn0wekzfOYvHoeHif3ePD/C/s AWxRXDYpqTmZZalF+nYJXBmzlvSwF6xKqJj3dz9jA+Mjjy5GTg4JAROJD4camCFsMYkL99az dTFycQgJHGGU6L4/hR3CWcIo0bRwEksXIwcHm4CFRPc/bZAGEQEtiRlz5zGC1DALnGSU2Dqz gxUkISwQKbG+fQMzRFGUxK8rz1khbCOJl81n2UHmsAioSvz4pg4S5hXwlTjZOg1q8VImievr TrKDJDgFdCV65mwFm8MIdN33U2uYQGxmAXGJW0/mM0FcLSCxZM95qA9EJV4+/scKMl9CQFFi eb8cRLmOxILdn9ggbG2JZQtfM0PsFZQ4OfMJywRGsVlIps5C0jILScssJC0LGFlWMYoWpxYX 56YbGeulFmUmFxfn5+nlpZZsYgRG48Etv3V3MK5+7XiIUYCDUYmHt2BCQIgQa2JZcWXuIUZp DhYlcd5F5+YFCwmkJ5akZqemFqQWxReV5qQWH2Jk4uCUamA0X2PIpvlxxmsXQcngrbm35Zot Hc+t373r04pvU35dnbBWPn3ylbccl33E7nzT/cv0P+4/AzcLu+zVq+aCK08/f9vC4Lb/tTtv Zownz7eVW7Svr5hpG3qj6IE4f/3teX5vHu5TW9H2w/356+4qh831+UIywjy1fvYyEttaZzOu 19kZfFV3QmSmEktxRqKhFnNRcSIArpvC/acCAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/straw/5IqjDJEh2pqi5xM1_DMUii3bkjw
Cc: 'Richard Barnes' <rlb@ipv.sx>, 'Sean Turner' <TurnerS@ieca.com>, "straw@ietf.org" <straw@ietf.org>, Parthasarathi R <partha@parthasarathi.co.in>, 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>
Subject: Re: [straw] B2BUA handling in DTLS-SRTP [was RE: IETF#90: Draft STRAW minutes]
X-BeenThere: straw@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Sip Traversal Required for Applications to Work \(STRAW\) working group discussion list" <straw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/straw>, <mailto:straw-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/straw/>
List-Post: <mailto:straw@ietf.org>
List-Help: <mailto:straw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/straw>, <mailto:straw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Oct 2014 07:23:15 -0000

(As co-chair)

People are of course also welcome to (actually, encouraged to) bash on the list, between meetings :)

Regards,

Christer

-----Original Message-----
From: Lorenzo Miniero [mailto:lorenzo@meetecho.com] 
Sent: 29. lokakuuta 2014 9:19
To: Christer Holmberg
Cc: Parthasarathi R; 'Stephen Farrell'; straw@ietf.org; 'Richard Barnes'; 'Sean Turner'
Subject: Re: [straw] B2BUA handling in DTLS-SRTP [was RE: IETF#90: Draft STRAW minutes]

On Wed, 29 Oct 2014 06:49:17 +0000
Christer Holmberg <christer.holmberg@ericsson.com> wrote:

> (As co-chair)
> 
> Hi,
> 
> If anyone has an issue with the general approach suggested by Partha, please indicate to on the list, so that we in Honolulu can focus on the technical aspects.
> 


I'm not convinced that we should give up on those. Media Aware and Media Termination are part of the STRAW taxonomy, and act as if they just didn't exist doesn't seem the right thing to do IMHO.

In Toronto it has been made clear that there are issues and concerns about what looked like standardizing a MITM for media. My personal feeling is that this can be considered mostly a matter of trust. The B2BUA should not necessarily be a sneaky or "transparent" component as long as participants are involved. This means that, as long as I trust the B2BUA in any scenario that involves Media Aware/Terminartion stuff, and so trust the B2BUA to secure the session on the other end or not do anything I didn't sign up for, the B2BUA is actually my "peer" in that respect. Without preventing additional mechanismsto be involved for end-to-end validation of some kind, of course. Everytihng outside of that is, I agree, MITM and shouldn't be avalled or fostered in any way.

These are just some thoughts I tried to give to the idea, and how I basically changed the related text in the RTCP draft as well to try and address the issue, so I guess there will be plenty of time to bash me when I talk about this in Honolulu :-)

Lorenzo


> Regards,
> 
> Christer
> 
> -----Original Message-----
> From: Parthasarathi R [mailto:partha@parthasarathi.co.in]
> Sent: 29. lokakuuta 2014 1:28
> To: 'Stephen Farrell'; Christer Holmberg; straw@ietf.org
> Cc: 'Richard Barnes'; 'Sean Turner'
> Subject: RE: B2BUA handling in DTLS-SRTP [was RE: [straw] IETF#90: 
> Draft STRAW minutes]
> 
> Hi all,
> 
> One of the way to address MITM issue in STRAW WG B2BUA handling of DTLS-SRTP milestone is to focus only on Media relay (Sec 3.1 of draft-ram-straw-b2bua-dtls-srtp-00) and removing "Media Aware or Media Termination" (Sec 3.2 of draft-ram-straw-b2bua-dtls-srtp-00). 
> 
> By this proposal, the scope of the work is to cover only end-to-end DTLS-SRTP through B2BUA. The media relay provides end-to-end security but there are challenges w.r.t NAT, forking, ICE, identity (RTCWeb IdP, RFC4474bis, etc.,) which shall be sorted out in this milestone. 
> 
> During IETF-90 and in the mailing alias, I haven't heard any concern for Media relay handling in B2BUA. please let me know your opinion on the same.
> 
> Thanks
> Partha
> 
> > -----Original Message-----
> > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> > Sent: Wednesday, July 30, 2014 3:05 PM
> > To: Parthasarathi R; 'Christer Holmberg'; straw@ietf.org
> > Cc: 'Richard Barnes'; 'Sean Turner'
> > Subject: Re: B2BUA handling in DTLS-SRTP [was RE: [straw] IETF#90:
> > Draft STRAW minutes]
> > 
> > 
> > on vacation, back in a week
> > 
> > terminating DTLS-SRTP is maybe fine but means being one of the 
> > endpoints intended to be involved in the TLS session. Doing a MITM 
> > on TLS is  not at all fine.
> > 
> > S.
> > 
> > On 30/07/14 02:34, Parthasarathi R wrote:
> > > Hi all,
> > >
> > >
> > >
> > > I have different view than the security folks look at this draft.
> > This draft
> > > intention is not to violate RFC 2804. In case this draft is not 
> > > standardized, all B2BUA handling DTLS-SRTP will end up in 
> > > violating
> > RFC 2804
> > > due to the lack of guidelines/standards to follow. Please look 
> > > into
> > this
> > > draft from SIP recording architecture in B2BUA (Fig 1 of RFC 7245)
> > usage
> > > perspective wherein the senders/receiver is informed about the 
> > > call recording (like call centre usage scenario) and no RFC 2804
> > violation.
> > >
> > >
> > >
> > > In IETF-90 meeting, the security concerns are raised about this 
> > > draft
> > usage.
> > > It will be good to document as part of this document if it is 
> > > really security issue. I'm not seeing any major security concerns 
> > > as B2BUA
> > is yet
> > > another UA. Please let me know the list of security concern 
> > > specific
> > to
> > > B2BUA in DTLS-SRTP.
> > >
> > >
> > >
> > > In reality, B2BUA terminating DTLS-SRTP is not avoidable because 
> > > of
> > the
> > > different codec profile between the deployed SIP UAs. Say SIPoWS 
> > > in
> > browser
> > > (WebRTC endpoint/SIP UA) uses Opus/G711/VP8 as a codec as of today
> > and SIP
> > > Mobile devices uses AMR/AMR-WB/H.264. There is a compulsion to
> > terminate the
> > > media in the middle as there is no solution exists in IETF for the
> > same. The
> > > lack of standard leads to proprietary session border controller
> > > (SBC) solutions which breaks other SIP enhancements as well.
> > >
> > >
> > >
> > > Thanks
> > >
> > > Partha
> > >
> > >
> > >
> > > From: straw [mailto:straw-bounces@ietf.org] On Behalf Of Christer
> > Holmberg
> > > Sent: Saturday, July 26, 2014 7:54 PM
> > > To: straw@ietf.org
> > > Cc: Richard Barnes (rlb@ipv.sx); Sean Turner; Stephen Farrell
> > > Subject: [straw] IETF#90: Draft STRAW minutes
> > >
> > >
> > >
> > > (Co-chair)
> > >
> > >
> > >
> > > Hi,
> > >
> > >
> > >
> > > Below are the STRAW minutes that the chairs intend to upload.
> > >
> > >
> > >
> > > However, before we do that, we would like to ask the community to
> > take a
> > > look at least at the notes associated with the DTLS-SRTP
> > presentation, as it
> > > caused lots of discussion.
> > >
> > >
> > >
> > > Note that the minutes do not contain who-said-what information 
> > > (that
> > can be
> > > found elsewhere), but if you think there are some important things
> > missing,
> > > or if you think something is wrong, please let the chairs now.
> > >
> > >
> > >
> > > Thanks!
> > >
> > >
> > >
> > > Regards,
> > >
> > >
> > >
> > > Christer & Victor
> > >
> > >
> > >
> > > -------------------
> > >
> > >
> > >
> > > IETF 90 - STRAW
> > >
> > > 1150-1320 EDT    Friday Afternoon Session I
> > >
> > >
> > >
> > >
> > >
> > > Topic:     Agenda bashing, IETF Note Well and WG status
> > >
> > > Presenter: Christer Holmberg (co-chair)
> > >
> > > Slides:
> > > http://www.ietf.org/proceedings/90/slides/slides-90-straw-0.pdf
> > >
> > > Draft:     N/A
> > >
> > >
> > >
> > >
> > >
> > > No issues were identified.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Topic:     Guidelines to support RTCP in B2BUAs
> > >
> > > Presenter: Lorenzo Miniero
> > >
> > > Slides:
> > > http://www.ietf.org/proceedings/90/slides/slides-90-straw-1.pdf
> > >
> > > Draft:     draft-ietf-straw-b2bua-rtcp
> > >
> > >
> > >
> > >
> > >
> > > It was indicated that XR needs to be looked into, to see whether
> > something
> > > needs to be covered in the draft.
> > >
> > >
> > >
> > > It was indicated that the terminology will be aligned with the 
> > > grouping-taxonomy draft. In case there are conflicts, or other 
> > > issues
> > are
> > > found, the STRAW community is requested to provide comments on the 
> > > grouping-taxonomy draft.
> > >
> > >
> > >
> > > It was requested whether the draft should also cover RTP specific
> > issues. It
> > > was indicated that the scope of the RTCP, and that we should be 
> > > very
> > careful
> > > about introducing RTP issues. It was recommended to talk to Colin
> > Perkins
> > > whether he has any opinions regarding the need to cover RTP.
> > >
> > >
> > >
> > > I was asked how the document will relate to the work on 
> > > multisource optimisation taking place in AVTEXT.
> > >
> > >
> > >
> > > It was indicated that the text recommending man in the middle
> > functionality
> > > for SRTP most likely will cause issues with IESG. After the 
> > > DTLS-SRTP discussion (see further down) it was suggested that the 
> > > RTCP draft
> > should
> > > not talk about SRTP.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Topic:     Taxonomy Discussion
> > >
> > > Presenter: Lorenzo Miniero
> > >
> > > Slides:
> > > http://www.ietf.org/proceedings/90/slides/slides-90-straw-2.pdf
> > >
> > > Draft:     All STRAW deliveries
> > >
> > >
> > >
> > >
> > >
> > > It was agreed the STRAW shall use the terms in the 
> > > avtext-grouping-
> > taxonomy
> > > document in preference to definitions elsewhere is they are
> > appropriate,
> > > with a note indicating any differences in other documents that may
> > influence
> > > understanding.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Topic:     STUN handling in B2BUAs
> > >
> > > Presenter: Lorenzo Miniero (on behalf of the draft authors)
> > >
> > > Slides:
> > > http://www.ietf.org/proceedings/90/slides/slides-90-straw-3.pdf
> > >
> > > Draft:     draft-ram-straw-b2bua-stun
> > >
> > >
> > >
> > >
> > >
> > > It was indicated that B2BUA, due to policy reasons, may strip
> > candidates
> > > from SDP.
> > >
> > >
> > >
> > > It was indicated that B2BUAs must be very careful to not perform
> > actions
> > > that will cause ICE mismatch.
> > >
> > >
> > >
> > > The chair informed the community that a WG adoption request will 
> > > be
> > sent out
> > > within the upcoming weeks.
> > >
> > >
> > >
> > > It was indicated that the group needs to follow the ICE bis work
> > taking
> > > place in MMUSIC, in case there will be any impacts on the STRAW
> > draft.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > Topic:     DTLS-SRTP handling in B2BUAs
> > >
> > > Presenter: Lorenzo Miniero (on behalf of the draft authors)
> > >
> > > Slides:
> > > http://www.ietf.org/proceedings/90/slides/slides-90-straw-4.pdf
> > >
> > > Draft:     draft-ram-straw-b2bua-dtls-srtp
> > >
> > >
> > >
> > >
> > >
> > > The presentation triggered lots of discussions and controversy, as 
> > > it
> > was
> > > seen as an attempt to standardize MITM (man in the middle
> > procedures). While
> > > people did realize such actions take place in deployments, they
> > claimed that
> > > IETF/STRAW should not standardize such procedures. It was also
> > indicated
> > > that it goes against a number of BCP specifications, and RFC 2804.
> > Others
> > > indicated that the purpose is to make sure that entities doing 
> > > this
> > kind of
> > > functionality do it in a way which does not cause interoperability
> > problems,
> > > which could cause people to not use security to begin with.
> > >
> > >
> > >
> > > It was indicated that one possible way forward could be to simply
> > document,
> > > in an informal delivery, how different vendors do things in the
> > network, but
> > > in such case the vendors should also be listed in the document.
> > >
> > >
> > >
> > > Before the draft is adopted as a WG item, further discussions need 
> > > to
> > take
> > > place. The ADs will help with finding the correct people 
> > > (security,
> > IESG,
> > > etc) to involve in such discussions. The chair indicated that the
> > draft
> > > implements a charter delivery, but that one possible outcome will 
> > > be
> > to
> > > remove/re-scope the charter delivery.
> > >
> > >
> > >
> > >
> > >
> > >
> 
> _______________________________________________
> straw mailing list
> straw@ietf.org
> https://www.ietf.org/mailman/listinfo/straw


--
Lorenzo Miniero, COB

Meetecho s.r.l.
Web Conferencing and Collaboration Tools http://www.meetecho.com

v2.23.0 | Report a Bug | By Email