Re: [straw] Alissa Cooper's Discuss on draft-ietf-straw-b2bua-dtls-srtp-09: (with DISCUSS and COMMENT)

["Ben Campbell" <ben@nostrum.com>]

A couple of quick comments on your discuss item 3 below. (I will leave 
it to the authors to respond to the rest)

On 30 Nov 2015, at 22:58, Alissa Cooper wrote:

> Alissa Cooper has entered the following ballot position for
> draft-ietf-straw-b2bua-dtls-srtp-09: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut 
> this
> introductory paragraph, however.)
>
>
> Please refer to 
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-straw-b2bua-dtls-srtp/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> (1)
> I have a fairly fundamental concern about this document that I'd like 
> to
> discuss. My impression is that most B2BUAs in the market today that
> handle DTLS-SRTP do so with the explicit purpose of accessing the 
> media.
> That is, if I need a box that doesn't access the media I use a SIP 
> proxy,
> and if I need one that does access it I use a B2BUA. I realize that 
> there
> are more flavors of B2BUA defined in RFC 7092, but in terms of how 
> real
> SBCs work, it seems to me that they break DTLS-SRTP intentionally if 
> they
> do so at all.
>
> If that's the case, the question then arises about the value of 
> writing
> down normative recommendations that are more than likely to be 
> ignored.
> Perhaps this document would have made more sense as informational,
> offering a non-normative explanation of what a B2BUA should do if it 
> does
> not want to break e2e security. Even as an informational document it's
> still not obvious to me that there is much at all to say here for
> media-aware B2BUAs that isn't entirely reductive -- "don't terminate
> DTLS-SRTP if you don't want to break DTLS-SRTP" -- but at least as an
> informational document it wouldn't be suggesting normative 
> requirements
> that are out of sync with real deployments.
>
> Could you articulate the reasons why someone would build a B2BUA that
> follows the recommendations in this draft? I note that the draft says
> nothing about using a TURN server as a media relay, which seems like 
> it
> would be more common than using a B2BUA for the same purpose. Aren't
> B2BUAs typically deployed *because* they are media-aware?
>
> (2)
> Taking into account the above comment, I think 3.1.2.1 and 3.1.2.2 are
> problematic. 3.1.2.1 creates a normative SHOULD NOT-level requirement 
> for
> inspection B2BUAs without explaining what the exception cases are, and
> 3.1.2.2 creates no normative requirements for modification B2BUAs. 
> It's
> not even clear to me why the distinction is being drawn between the 
> two
> kinds of B2BUAs if the bottom line is that in both cases the
> recommendation is to not terminate DTLS-SRTP. But this brings us back 
> to
> the above comment. The problem here seems to be that what the WG and 
> the
> IETF would want to say here is that B2BUAs MUST NOT terminate 
> DTLS-SRTP
> to man-in-the-middle the media, but that is what B2BUAs generally do, 
> so
> instead the text waffles and the recommendations are watered down and
> unclear.
>
> (3)
> The characterization of the RFC 4474 mechanism seems to contradict the
> way the mechanism is actually specified. The 4474 mechanism was 
> designed
> such that intermediaries would be able to provide signatures on behalf 
> of
> users (e.g., see RFC 4474 Section 3, "This specification allows either 
> a
> user agent or a proxy server to provide identity services and to 
> verify
> identities ... in the initial use of this mechanism, it is likely that
> intermediaries will instantiate the authentication service role"). So 
> the
> claim that terminating DTLS-SRTP would cause 4474 identity and 
> integrity
> checks to fail isn't true, because an SBC can decrypt and re-sign the
> request itself. A B2BUA that bridges two administrative domains can 
> check
> the validity of the signature in the domain on on side as 
> authorization
> to form a new signature that is valid in the domain in the other side.
>
> The fact that user-provided identity assertions are not guaranteed to
> persist end-to-end is one key reason for the ongoing work in the STIR 
> WG.
> The work there and elsewhere shows that it's fairly widely 
> acknowledged
> that 4474 has not seen the deployment that was hoped for when it was
> specified. Making its use a normative requirement here again seems out 
> of
> sync with deployment reality. I would encourage you to review
> draft-ietf-stir-rfc4474bis and reconsider what security mechanism 
> should
> form the basis of the recommendations in this draft.

There was discussion that a b2bua could terminate dtls-srtp if it 
provided an identity service, or acted in collusion with an identity 
service.  My understanding is that the authors felt that delving into 
special cases where it might be "okay" for a b2bua to terminate 
dtls-srtp would add too much complexity to the point. (There's also the 
fact that dtls-srtp says you SHOULD use 4474, not MUST).

I tend to agree on the complexity--but I think it would make sense to 
clarify this to say that a b2bua that is not also providing an identity 
service is likely to break things.

As far as 4474bis is concerned--they originally referenced 4474bis, and 
I suggested that they not do so. My reasoning was that both 4474 and 
4474bis (as written at that time) protected the fingerprint, which was 
the important bit here--and that since 4474bis was expected to obsolete 
4474, a reference to 4474 would "self upgrade", so to speak. Do you 
disagree with that? (But to be totally honest, my concern was entirely 
about avoiding an extended stay in MISSREF land. Maybe that's not as big 
of a concern now?)


>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Section 3.1.1:
>
> Is there anything new being specified here that isn't already 
> specified
> in other SIP documents?
>
> Section 3.2:
>
> Is this saying anything that RFC 5763 doesn't already say?