Re: [Tsv-art] Tsvart last call review of draft-ietf-mmusic-msrp-usage-data-channel-23

Christer Holmberg <christer.holmberg@ericsson.com> Fri, 14 August 2020 07:08 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Yoshifumi Nishida <nsd.ietf@gmail.com>
CC: "tsv-art@ietf.org" <tsv-art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "mmusic@ietf.org" <mmusic@ietf.org>, "draft-ietf-mmusic-msrp-usage-data-channel.all@ietf.org" <draft-ietf-mmusic-msrp-usage-data-channel.all@ietf.org>
Date: Fri, 14 Aug 2020 07:08:34 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/cynfpKKODTa1W_8d4DlcmSSdWIo>

Hi Yoshi,

...

>>> 2: 'If the non-data channel endpoint does not support MSRP CEMA, transport level interworking mode is not possible,
>>>   it needs to act as an MSRP B2BUA.'
>>>   -> This may sound like it falls back to B2BUA when CEMA is not available.
>>>        But, I guess there might be a case where users don't want fallback.
>>
>> I don't think the users really care. CEMA is a transport connection establishment feature. Even with legacy MSRP, there
>> could be a fallback if one of the endpoints doesn't support CEMA, but users are not informed about whether CEMA is used or not.
>>
>>> I agree that users don't really care about whether CEMA is used or not in general.
>>> But, how about the cases where the gateway uses a non-secured TCP connection after it found CEMA is not available?
>>> I guess some users might care that the security level is downgraded.
>
>> The usage of TCP or TLS has nothing to do with whether CEMA is used or not. CEMA can be used with both TCP and TLS, and both TCP and TLS can be used with or without CEMA :)
>>
>> CEMA is basically about what SDP information elements you use to exchange the IP address information where to send your MSRP messages. CEMA uses generic SDP offer/answer rules, while non-CEMA uses a more MSRP-specific way.
>
> OK. I am just concerned about the situations where a user specifies msrps but msrp is used at the other endpoint and the user cannot be aware of it.
> If this won't happen, I don't have any more comments here.

Note that, with pure legacy MSRP, there is no guarantee that there will be end-to-end security. RFC 4975 says:

   "For this reason, a URI with the "msrps" scheme makes no assertion about the security properties of
   other hops, just the next hop.  The user agent knows the URI for each
   hop, so it can verify that each URI has the desired security
   properties."

Perhaps I could enhance the new text I suggested to address your comment #1:

OLD NEW:

      "MSRP traffic over data channels is secured, including
        confidentiality, integrity and source authentication, as specified 
        by [I-D.ietf-rtcweb-data-channel]. However, [RFC4975] allows transport 
        of MSRP traffic over non-secured TCP connections. In a gateway 
        scenario, unless the operator mandates usage of TLS, the MSRP traffic will 
        not be secured all the way between the MSRP endpoints. [RFC4975] describes
        the security considerations associated with non-secured MSRP traffic."

NEW NEW:

      "MSRP traffic over data channels is secured, including
        confidentiality, integrity and source authentication, as specified 
        by [I-D.ietf-rtcweb-data-channel]. However, [RFC4975] allows transport 
        of MSRP traffic over non-secured TCP connections, and does not provide 
        a mechanism to guarantee usage of TLS end-to-end. As described in [RFC4975],
        even if TLS is used between some hops TCP might still be used between other hops.
        Operators need to ensure that proper policies are established in order to ensure
        that the MSRP traffic is protected between endpoints."
        
Regards,

Christer
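An added example, not part of this thread or of the draft under review: the RFC 4975 passage Christer quotes says that "msrps" only asserts TLS for the next hop, but that the user agent knows the URI of every hop and can verify each one. The Python below turns that into the kind of policy check a gateway operator would run over an SDP body before accepting an MSRP leg: it walks every hop in every a=path attribute (including the a=dcsa-carried path the data channel draft uses; the ";dc" transport parameter and the dcsa form are written from memory of the draft and are assumptions), flags any hop whose scheme is plain "msrp", and separately flags m= lines that offer MSRP over TCP without TLS. The SDP sample is constructed for the example.

```python
"""Per-hop MSRP security check over SDP path attributes (added example).

RFC 4975 section 14: a "msrps" URI only asserts TLS to the next hop, but the
user agent knows every hop's URI via a=path and can verify each one.  A
gateway between a secured data channel leg and a legacy MSRP leg is exactly
where that per-hop check belongs, so that a downgrade to "msrp://" on the
far side is detected rather than silently accepted.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# MSRP-URI (RFC 4975 section 9), simplified to what hop inspection needs:
#   scheme "://" authority ["/" session-id] ";" transport *(";" param)
_MSRP_URI = re.compile(
    r"^(?P<scheme>msrps?)://(?P<authority>[^/;]+)"
    r"(?:/(?P<session>[^;]+))?;(?P<transport>[A-Za-z0-9]+)"
    r"(?P<params>(?:;[^;]+)*)$"
)

# a=path:<uris>  or, for the data channel mapping, a=dcsa:<id> path:<uris>
# (the dcsa form is an assumption about the draft's SDP encoding).
_PATH_LINE = re.compile(r"^a=(?:dcsa:\d+\s+)?path:(.*)$")


@dataclass
class Hop:
    uri: str
    scheme: str
    authority: str
    transport: str


@dataclass
class PathReport:
    source: str                       # the SDP line that carried the path
    hops: List[Hop] = field(default_factory=list)
    insecure: List[Hop] = field(default_factory=list)   # hops not using msrps
    malformed: List[str] = field(default_factory=list)

    @property
    def end_to_end_tls(self) -> bool:
        """True only when every hop parsed and every hop is msrps."""
        return bool(self.hops) and not self.insecure and not self.malformed


def parse_hop(token: str) -> Optional[Hop]:
    m = _MSRP_URI.match(token)
    if m is None:
        return None
    return Hop(token, m["scheme"], m["authority"], m["transport"])


def extract_paths(sdp: str) -> List[Tuple[str, str]]:
    """Return (line, path-value) for each a=path / a=dcsa:N path line."""
    found = []
    for raw in sdp.splitlines():
        line = raw.strip()
        m = _PATH_LINE.match(line)
        if m:
            found.append((line, m.group(1).strip()))
    return found


def check_paths(sdp: str) -> List[PathReport]:
    """Verify every hop of every path; this is the RFC 4975 per-hop check."""
    reports = []
    for line, value in extract_paths(sdp):
        rep = PathReport(source=line)
        for token in value.split():
            hop = parse_hop(token)
            if hop is None:
                rep.malformed.append(token)
                continue
            rep.hops.append(hop)
            if hop.scheme != "msrps":
                rep.insecure.append(hop)
        reports.append(rep)
    return reports


def insecure_media_lines(sdp: str) -> List[str]:
    """m= lines that offer MSRP directly over TCP (no TLS on this leg)."""
    return [l.strip() for l in sdp.splitlines()
            if re.match(r"^m=message \d+ TCP/MSRP\b", l.strip())]


# Constructed SDP as a gateway might see it: a TLS leg whose far hop
# downgrades to msrp, a data channel leg, and a plain-TCP legacy leg.
SAMPLE_SDP = """\
v=0
o=- 1 1 IN IP4 198.51.100.7
s=-
c=IN IP4 198.51.100.7
t=0 0
m=message 2855 TCP/TLS/MSRP *
a=path:msrps://gw.example.net:2855/s1Abc;tcp msrp://bob.example.com:7654/jshA7w;tcp
a=accept-types:text/plain
m=application 5000 UDP/DTLS/SCTP webrtc-datachannel
a=dcmap:1 subprotocol="msrp";label="chat"
a=dcsa:1 path:msrps://alice.example.com:7654/jshA7weztas;dc
a=dcsa:1 accept-types:text/plain
m=message 7654 TCP/MSRP *
a=path:msrp://carol.example.com:7654/abcd1234;tcp
"""

if __name__ == "__main__":
    for rep in check_paths(SAMPLE_SDP):
        status = "ok" if rep.end_to_end_tls else "DOWNGRADE"
        print(f"{status:10} {rep.source}")
        for hop in rep.insecure:
            print(f"           insecure hop: {hop.uri}")
    for line in insecure_media_lines(SAMPLE_SDP):
        print(f"plain TCP  {line}")
```

The check is deliberately hop-by-hop rather than "first URI is msrps": the first path in the sample is exactly the case Yoshi raised, where the local URI says msrps but the far endpoint is reached over msrp. A gateway enforcing the operator policy Christer's NEW NEW text calls for would reject or re-negotiate any leg whose report does not satisfy end_to_end_tls.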