IETF Logo Mail Archive

Re: [straw] Alissa Cooper's Discuss on draft-ietf-straw-b2bua-dtls-srtp-09: (with DISCUSS and COMMENT)

"Ben Campbell" <ben@nostrum.com> Tue, 01 December 2015 18:40 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: straw@ietfa.amsl.com
Delivered-To: straw@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 474201B2ECE; Tue, 1 Dec 2015 10:40:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FbOwH6NOiZjZ; Tue, 1 Dec 2015 10:40:32 -0800 (PST)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C7411B2ECC; Tue, 1 Dec 2015 10:40:32 -0800 (PST)
Received: from [10.0.1.10] (cpe-70-119-203-4.tx.res.rr.com [70.119.203.4]) (authenticated bits=0) by nostrum.com (8.15.2/8.14.9) with ESMTPSA id tB1IeO7r008320 (version=TLSv1 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Tue, 1 Dec 2015 12:40:24 -0600 (CST) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-70-119-203-4.tx.res.rr.com [70.119.203.4] claimed to be [10.0.1.10]
From: Ben Campbell <ben@nostrum.com>
To: Alissa Cooper <alissa@cooperw.in>
Date: Tue, 01 Dec 2015 12:40:23 -0600
Message-ID: <E63559A7-6A37-496C-AAD9-426AB697FD65@nostrum.com>
In-Reply-To: <20151201045818.23491.19134.idtracker@ietfa.amsl.com>
References: <20151201045818.23491.19134.idtracker@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.3r5187)
Archived-At: <http://mailarchive.ietf.org/arch/msg/straw/mtgIgZUdiW6WNV4G2rVTqhcf84g>
Cc: draft-ietf-straw-b2bua-dtls-srtp@ietf.org, christer.holmberg@ericsson.com, The IESG <iesg@ietf.org>, straw-chairs@ietf.org, straw@ietf.org
Subject: Re: [straw] Alissa Cooper's Discuss on draft-ietf-straw-b2bua-dtls-srtp-09: (with DISCUSS and COMMENT)
X-BeenThere: straw@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Sip Traversal Required for Applications to Work \(STRAW\) working group discussion list" <straw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/straw>, <mailto:straw-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/straw/>
List-Post: <mailto:straw@ietf.org>
List-Help: <mailto:straw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/straw>, <mailto:straw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2015 18:40:34 -0000

(Commenting on discuss items 1 and 2. See separate email for comments on 
3).

I think items 1 and 2 come down to having a clear scope and purpose. 
This version actually made progress in that direction (see section 1.2), 
but clearly didn't reach the goal.

Normally, I I would favor making this informational, and removing the 
normative language. But on reflection, I see that the straw charter 
calls for describing normative requirements to make certain features 
work. In this case, the "certain feature" is e2e dtls-srtp.

Alissa: Would it help if we clarified the scope along the following 
lines:

- This draft defines certain behaviors that a b2bua needs to engage (or 
not engage) in in order to allow the "feature" of e2e dtls-srtp.

- Define what we mean by e2e. I _think_ we are talking about end-user 
devices, and that we don't want to leave room for semantic games along 
the line of calling a b2bua an "end". (This would change the arguments 
around certain requirements, e.g."don't terminate srtp".)

- Recognize that there are b2buas that intentionally do not allow e2e 
protection. We cannot stop those, and we don't need to get wrapped 
around reasons why or whether that's good or bad.

We would also need to be more consistent with the use of 2119 keywords.

Authors/Shepherd/Chairs: Please indicate your thoughts. It would be 
really nice to have an idea of the way forward by Thursday's telechat.

Thanks!

Ben.


On 30 Nov 2015, at 22:58, Alissa Cooper wrote:

> Alissa Cooper has entered the following ballot position for
> draft-ietf-straw-b2bua-dtls-srtp-09: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut 
> this
> introductory paragraph, however.)
>
>
> Please refer to 
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-straw-b2bua-dtls-srtp/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> (1)
> I have a fairly fundamental concern about this document that I'd like 
> to
> discuss. My impression is that most B2BUAs in the market today that
> handle DTLS-SRTP do so with the explicit purpose of accessing the 
> media.
> That is, if I need a box that doesn't access the media I use a SIP 
> proxy,
> and if I need one that does access it I use a B2BUA. I realize that 
> there
> are more flavors of B2BUA defined in RFC 7092, but in terms of how 
> real
> SBCs work, it seems to me that they break DTLS-SRTP intentionally if 
> they
> do so at all.
>
> If that's the case, the question then arises about the value of 
> writing
> down normative recommendations that are more than likely to be 
> ignored.
> Perhaps this document would have made more sense as informational,
> offering a non-normative explanation of what a B2BUA should do if it 
> does
> not want to break e2e security. Even as an informational document it's
> still not obvious to me that there is much at all to say here for
> media-aware B2BUAs that isn't entirely reductive -- "don't terminate
> DTLS-SRTP if you don't want to break DTLS-SRTP" -- but at least as an
> informational document it wouldn't be suggesting normative 
> requirements
> that are out of sync with real deployments.
>
> Could you articulate the reasons why someone would build a B2BUA that
> follows the recommendations in this draft? I note that the draft says
> nothing about using a TURN server as a media relay, which seems like 
> it
> would be more common than using a B2BUA for the same purpose. Aren't
> B2BUAs typically deployed *because* they are media-aware?
>
> (2)
> Taking into account the above comment, I think 3.1.2.1 and 3.1.2.2 are
> problematic. 3.1.2.1 creates a normative SHOULD NOT-level requirement 
> for
> inspection B2BUAs without explaining what the exception cases are, and
> 3.1.2.2 creates no normative requirements for modification B2BUAs. 
> It's
> not even clear to me why the distinction is being drawn between the 
> two
> kinds of B2BUAs if the bottom line is that in both cases the
> recommendation is to not terminate DTLS-SRTP. But this brings us back 
> to
> the above comment. The problem here seems to be that what the WG and 
> the
> IETF would want to say here is that B2BUAs MUST NOT terminate 
> DTLS-SRTP
> to man-in-the-middle the media, but that is what B2BUAs generally do, 
> so
> instead the text waffles and the recommendations are watered down and
> unclear.
>
> (3)
> The characterization of the RFC 4474 mechanism seems to contradict the
> way the mechanism is actually specified. The 4474 mechanism was 
> designed
> such that intermediaries would be able to provide signatures on behalf 
> of
> users (e.g., see RFC 4474 Section 3, "This specification allows either 
> a
> user agent or a proxy server to provide identity services and to 
> verify
> identities ... in the initial use of this mechanism, it is likely that
> intermediaries will instantiate the authentication service role"). So 
> the
> claim that terminating DTLS-SRTP would cause 4474 identity and 
> integrity
> checks to fail isn't true, because an SBC can decrypt and re-sign the
> request itself. A B2BUA that bridges two administrative domains can 
> check
> the validity of the signature in the domain on on side as 
> authorization
> to form a new signature that is valid in the domain in the other side.
>
> The fact that user-provided identity assertions are not guaranteed to
> persist end-to-end is one key reason for the ongoing work in the STIR 
> WG.
> The work there and elsewhere shows that it's fairly widely 
> acknowledged
> that 4474 has not seen the deployment that was hoped for when it was
> specified. Making its use a normative requirement here again seems out 
> of
> sync with deployment reality. I would encourage you to review
> draft-ietf-stir-rfc4474bis and reconsider what security mechanism 
> should
> form the basis of the recommendations in this draft.
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Section 3.1.1:
>
> Is there anything new being specified here that isn't already 
> specified
> in other SIP documents?
>
> Section 3.2:
>
> Is this saying anything that RFC 5763 doesn't already say?

v2.23.0 | Report a Bug | By Email