IETF Logo Mail Archive

Re: [straw] Alissa Cooper's Discuss on draft-ietf-straw-b2bua-dtls-srtp-09: (with DISCUSS and COMMENT)

Alissa Cooper <alissa@cooperw.in> Wed, 02 December 2015 14:07 UTC

Return-Path: <alissa@cooperw.in>
X-Original-To: straw@ietfa.amsl.com
Delivered-To: straw@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AF511A904E for <straw@ietfa.amsl.com>; Wed, 2 Dec 2015 06:07:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vIsgNDaiLtGn for <straw@ietfa.amsl.com>; Wed, 2 Dec 2015 06:07:09 -0800 (PST)
Received: from out4-smtp.messagingengine.com (out4-smtp.messagingengine.com [66.111.4.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C0691A9050 for <straw@ietf.org>; Wed, 2 Dec 2015 06:07:06 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 70E6120B6D for <straw@ietf.org>; Wed, 2 Dec 2015 09:07:05 -0500 (EST)
Received: from frontend1 ([10.202.2.160]) by compute6.internal (MEProxy); Wed, 02 Dec 2015 09:07:05 -0500
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=cooperw.in; h=cc :content-transfer-encoding:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-sasl-enc :x-sasl-enc; s=mesmtp; bh=JU8ifJFvH6ELIpmaGfSEYYXIXPw=; b=PVBUob Ke4McQM6C09NpErOP4sqKNpg9pbzLNkjOEPgGrke4f14iS1AX8bDbtYI83rOWAyd YnL/9yFEeTd2Yc0X1FfTGdfS4i909NMvOlcWSS6NYXaweEMkA6hIaGtj1O6rbhaF aPI2NfWN6LxCr7poX4vBYpk5pdcXs9yM1GJCg=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=JU8ifJFvH6ELIpm aGfSEYYXIXPw=; b=hel4UO1V3jzfoVlZoQ5Evu9WNcJkFKNk0oJ337Z0PxTi5Me f5UY7zW70XSKok2Iq0T9V9mLGVWCiyHUP2NZCsBfoAtD/h4LOUJCZqKGO5hkbXUc /TfpKvHQSjlcBKl9LpCB+X+fFXQXwBYjAjvhLxUaqdMVuXTufdegbcrdZOqM=
X-Sasl-enc: kh9wxJj4a4hPHeCDrqQ2rMZ741lMyk0/TjZJQlQbJ8Yw 1449065224
Received: from [192.168.1.203] (c-24-6-61-198.hsd1.ca.comcast.net [24.6.61.198]) by mail.messagingengine.com (Postfix) with ESMTPA id 3281CC016DA; Wed, 2 Dec 2015 09:07:04 -0500 (EST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
From: Alissa Cooper <alissa@cooperw.in>
In-Reply-To: <E63559A7-6A37-496C-AAD9-426AB697FD65@nostrum.com>
Date: Wed, 02 Dec 2015 06:07:06 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <A08E60B6-578A-45F5-9AB1-6991443D0F0E@cooperw.in>
References: <20151201045818.23491.19134.idtracker@ietfa.amsl.com> <E63559A7-6A37-496C-AAD9-426AB697FD65@nostrum.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/straw/wq3snUn2yc3_rAcN2LivyJxIf_w>
Cc: draft-ietf-straw-b2bua-dtls-srtp@ietf.org, christer.holmberg@ericsson.com, IESG <iesg@ietf.org>, straw-chairs@ietf.org, straw@ietf.org
Subject: Re: [straw] Alissa Cooper's Discuss on draft-ietf-straw-b2bua-dtls-srtp-09: (with DISCUSS and COMMENT)
X-BeenThere: straw@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Sip Traversal Required for Applications to Work \(STRAW\) working group discussion list" <straw.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/straw>, <mailto:straw-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/straw/>
List-Post: <mailto:straw@ietf.org>
List-Help: <mailto:straw-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/straw>, <mailto:straw-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 14:07:13 -0000

> On Dec 1, 2015, at 10:40 AM, Ben Campbell <ben@nostrum.com> wrote:
> 
> (Commenting on discuss items 1 and 2. See separate email for comments on 3).
> 
> I think items 1 and 2 come down to having a clear scope and purpose. This version actually made progress in that direction (see section 1.2), but clearly didn't reach the goal.
> 
> Normally, I I would favor making this informational, and removing the normative language. But on reflection, I see that the straw charter calls for describing normative requirements to make certain features work. In this case, the "certain feature" is e2e dtls-srtp.
> 
> Alissa: Would it help if we clarified the scope along the following lines:
> 
> - This draft defines certain behaviors that a b2bua needs to engage (or not engage) in in order to allow the "feature" of e2e dtls-srtp.

I think the underlying question is, if such a document were written, would it say anything that isn’t entirely reductive, obvious, or already documented elsewhere? As I inquired about in my comments, it seems as though the substance of 3.1.1 and 3.2 may already be documented elsewhere. Presumably 3.1.2 would disappear in the approach you suggest, since the behavior amounts to “don’t do anything” or “be a proxy,” roughly.

> 
> - Define what we mean by e2e. I _think_ we are talking about end-user devices, and that we don't want to leave room for semantic games along the line of calling a b2bua an "end". (This would change the arguments around certain requirements, e.g."don't terminate srtp”.)

Yes, that was my assumption in reading the document.

> 
> - Recognize that there are b2buas that intentionally do not allow e2e protection. We cannot stop those, and we don't need to get wrapped around reasons why or whether that's good or bad.
> 
> We would also need to be more consistent with the use of 2119 keywords.
> 
> Authors/Shepherd/Chairs: Please indicate your thoughts. It would be really nice to have an idea of the way forward by Thursday's telechat.

Yep, I’d like to understand where people see the value in publishing this or what impact they expect it to have on existing B2BUA implementations.

Thanks,
Alissa

> 
> Thanks!
> 
> Ben.
> 
> 
> On 30 Nov 2015, at 22:58, Alissa Cooper wrote:
> 
>> Alissa Cooper has entered the following ballot position for
>> draft-ietf-straw-b2bua-dtls-srtp-09: Discuss
>> 
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>> 
>> 
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>> 
>> 
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-straw-b2bua-dtls-srtp/
>> 
>> 
>> 
>> ----------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>> 
>> (1)
>> I have a fairly fundamental concern about this document that I'd like to
>> discuss. My impression is that most B2BUAs in the market today that
>> handle DTLS-SRTP do so with the explicit purpose of accessing the media.
>> That is, if I need a box that doesn't access the media I use a SIP proxy,
>> and if I need one that does access it I use a B2BUA. I realize that there
>> are more flavors of B2BUA defined in RFC 7092, but in terms of how real
>> SBCs work, it seems to me that they break DTLS-SRTP intentionally if they
>> do so at all.
>> 
>> If that's the case, the question then arises about the value of writing
>> down normative recommendations that are more than likely to be ignored.
>> Perhaps this document would have made more sense as informational,
>> offering a non-normative explanation of what a B2BUA should do if it does
>> not want to break e2e security. Even as an informational document it's
>> still not obvious to me that there is much at all to say here for
>> media-aware B2BUAs that isn't entirely reductive -- "don't terminate
>> DTLS-SRTP if you don't want to break DTLS-SRTP" -- but at least as an
>> informational document it wouldn't be suggesting normative requirements
>> that are out of sync with real deployments.
>> 
>> Could you articulate the reasons why someone would build a B2BUA that
>> follows the recommendations in this draft? I note that the draft says
>> nothing about using a TURN server as a media relay, which seems like it
>> would be more common than using a B2BUA for the same purpose. Aren't
>> B2BUAs typically deployed *because* they are media-aware?
>> 
>> (2)
>> Taking into account the above comment, I think 3.1.2.1 and 3.1.2.2 are
>> problematic. 3.1.2.1 creates a normative SHOULD NOT-level requirement for
>> inspection B2BUAs without explaining what the exception cases are, and
>> 3.1.2.2 creates no normative requirements for modification B2BUAs. It's
>> not even clear to me why the distinction is being drawn between the two
>> kinds of B2BUAs if the bottom line is that in both cases the
>> recommendation is to not terminate DTLS-SRTP. But this brings us back to
>> the above comment. The problem here seems to be that what the WG and the
>> IETF would want to say here is that B2BUAs MUST NOT terminate DTLS-SRTP
>> to man-in-the-middle the media, but that is what B2BUAs generally do, so
>> instead the text waffles and the recommendations are watered down and
>> unclear.
>> 
>> (3)
>> The characterization of the RFC 4474 mechanism seems to contradict the
>> way the mechanism is actually specified. The 4474 mechanism was designed
>> such that intermediaries would be able to provide signatures on behalf of
>> users (e.g., see RFC 4474 Section 3, "This specification allows either a
>> user agent or a proxy server to provide identity services and to verify
>> identities ... in the initial use of this mechanism, it is likely that
>> intermediaries will instantiate the authentication service role"). So the
>> claim that terminating DTLS-SRTP would cause 4474 identity and integrity
>> checks to fail isn't true, because an SBC can decrypt and re-sign the
>> request itself. A B2BUA that bridges two administrative domains can check
>> the validity of the signature in the domain on on side as authorization
>> to form a new signature that is valid in the domain in the other side.
>> 
>> The fact that user-provided identity assertions are not guaranteed to
>> persist end-to-end is one key reason for the ongoing work in the STIR WG.
>> The work there and elsewhere shows that it's fairly widely acknowledged
>> that 4474 has not seen the deployment that was hoped for when it was
>> specified. Making its use a normative requirement here again seems out of
>> sync with deployment reality. I would encourage you to review
>> draft-ietf-stir-rfc4474bis and reconsider what security mechanism should
>> form the basis of the recommendations in this draft.
>> 
>> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> Section 3.1.1:
>> 
>> Is there anything new being specified here that isn't already specified
>> in other SIP documents?
>> 
>> Section 3.2:
>> 
>> Is this saying anything that RFC 5763 doesn't already say?

v2.23.0 | Report a Bug | By Email