Re: [Tsv-art] Tsvart last call review of draft-ietf-mmusic-msrp-usage-data-channel-23

Christer Holmberg <christer.holmberg@ericsson.com> Thu, 13 August 2020 13:34 UTC

From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Yoshifumi Nishida <nsd.ietf@gmail.com>
CC: "tsv-art@ietf.org" <tsv-art@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "mmusic@ietf.org" <mmusic@ietf.org>, "draft-ietf-mmusic-msrp-usage-data-channel.all@ietf.org" <draft-ietf-mmusic-msrp-usage-data-channel.all@ietf.org>
Thread-Topic: Tsvart last call review of draft-ietf-mmusic-msrp-usage-data-channel-23
Date: Thu, 13 Aug 2020 13:34:54 +0000
Message-ID: <AM0PR07MB3860B7095F706574D138A33893430@AM0PR07MB3860.eurprd07.prod.outlook.com>
References: <159726112563.26648.17930656676102307453@ietfa.amsl.com> <AM0PR07MB38606E636828DE0C77B3071A93420@AM0PR07MB3860.eurprd07.prod.outlook.com> <CAAK044QtLDXWXgGRduEQdyNTyQS6nKhEKt6rwCAc3jQPaVQP_A@mail.gmail.com>
In-Reply-To: <CAAK044QtLDXWXgGRduEQdyNTyQS6nKhEKt6rwCAc3jQPaVQP_A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/GXzxFgG8af-kQhdueJkEgLyzBr8>

Hi Yoshi,

>>>1: If the other endpoint is on a TCP connection, it seems to me that it can look like downgrading the security level of the connection.
>>>   If this is the case, do we need some guidance here?
>>
>> I assume you are talking about the gateway.
>
> Yes. 
> 
>> It is true that "legacy" MSRP allows TCP transport. RFC 4975 describes the security issues associated with that.
>>
>> I suggest adding the following text to the Security Considerations.
>>
>> OLD:
>>
>>   "MSRP traffic over data channels is secured, including
>>   confidentiality, integrity and source authentication, as specified by
>>   [I-D.ietf-rtcweb-data-channel]."
>>
>> NEW:
>>
>>   "MSRP traffic over data channels is secured, including
>>   confidentiality, integrity and source authentication, as specified by
>>   [I-D.ietf-rtcweb-data-channel]. However, [RFC4975] allows transport of
>>   MSRP traffic over non-secured TCP connections. In a gateway scenario,
>>   unless the operator mandates usage of TLS, the MSRP traffic will not be
>>   secured all the way between the MSRP endpoints. [RFC4975] describes
>>   the security considerations associated with non-secured MSRP traffic."
> 
> Thanks. Works for me.

Great.  I will modify as suggested.

---

>>> 2: 'If the non-data channel endpoint does not support MSRP CEMA, transport level interworking mode is not possible,
>>>   it needs to act as an MSRP B2BUA.'
>>>   -> This may sound like it falls back to a B2BUA when CEMA is not available.
>>>        But I guess there might be cases where users don't want a fallback.
>>
>> I don't think the users really care. CEMA is a transport connection establishment feature. Even with legacy MSRP, there
>> could be a fallback if one of the endpoints doesn't support CEMA, but users are not informed about whether CEMA is used or not.
>
> I agree that users don't really care whether CEMA is used or not in general.
> But how about the cases where the gateway uses a non-secured TCP connection after it finds that CEMA is not available?
> I guess some users might care that the security level is downgraded.

The usage of TCP or TLS has nothing to do with whether CEMA is used or not. CEMA can be used with both TCP and TLS, and both TCP and TLS can be used with or without CEMA :)

CEMA is basically about what SDP information elements you use to exchange the IP address information where to send your MSRP messages. CEMA uses generic SDP offer/answer rules, while non-CEMA uses a more MSRP-specific way.

---

>>> 3: As the doc mentions the use of B2BUAs, it might be useful to refer to the security considerations in RFC 7092 in Section 9.
>>
>> I assume you mean Section 6?
>
> Sorry, I meant the Security Considerations section in the doc, which is Section 8. But Section 6 is also fine for me. I don't have a strong opinion here.
> My point is that I'm not worried about the use cases without gateways or the use cases with a CEMA-enabled gateway.
> But I'm concerned about the case where a B2BUA gateway is used, as the draft simply mentions that it can be used.
> So I am thinking that something from the security considerations in RFC 7092 (e.g. a B2BUA can be a tempting point of attack) might be useful for readers.

Gotcha.

So, I could add the following paragraph to the Security Considerations.

"[RFC7092] describes security considerations associated with B2BUAs."

---

Thanks,
--
Yoshi
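The two points Christer makes above, that TCP-versus-TLS is independent of whether CEMA is signalled, and that in a gateway scenario the session is only secured end to end if every MSRP hop is, can be checked mechanically from the SDP. The following is an added example, not code from this thread, the draft, or either reviewer: it classifies each MSRP-carrying m= section of an SDP body as a secured or non-secured hop and separately reports CEMA (RFC 6714 a=msrp-cema), then combines two gateway legs into an end-to-end verdict. The SDP bodies are constructed samples; the data-channel attribute shapes (a=dcmap / a=dcsa) follow the draft's SDP negotiation as I understand it and are an assumption here, as is the MsrpLeg/classify_msrp naming.

```python
"""Added example: classify MSRP transport security and CEMA signalling from SDP.

Not the draft's or the reviewers' code. The SDP samples below are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# proto fields that give the hop transport-layer protection:
# MSRP over TLS (RFC 4975) or a DTLS-protected SCTP association (data channel)
SECURED_PROTOS = {"TCP/TLS/MSRP", "UDP/DTLS/SCTP", "TCP/DTLS/SCTP"}
LEGACY_PROTOS = {"TCP/MSRP", "TCP/TLS/MSRP"}          # "legacy" MSRP m=message
DC_PROTOS = {"UDP/DTLS/SCTP", "TCP/DTLS/SCTP"}         # WebRTC data channel


@dataclass
class MsrpLeg:
    proto: str
    secured: bool            # transport-layer protection on this hop
    cema: Optional[bool]     # a=msrp-cema present; None = not applicable (data channel)
    path: Optional[str]      # a=path value, if any


def _sections(sdp: str):
    """Yield (m= line, media-level attribute lines) for each m= section."""
    cur = None
    for raw in sdp.strip().splitlines():
        line = raw.strip()
        if line.startswith("m="):
            if cur:
                yield cur
            cur = (line, [])
        elif cur is not None:
            cur[1].append(line)
    if cur:
        yield cur


def classify_msrp(sdp: str) -> List[MsrpLeg]:
    """Return one MsrpLeg per m= section that carries MSRP."""
    legs = []
    for mline, attrs in _sections(sdp):
        fields = mline[2:].split()
        if len(fields) < 3:
            continue
        media, proto = fields[0], fields[2]
        if media == "message" and proto in LEGACY_PROTOS:
            path = next((a[len("a=path:"):] for a in attrs if a.startswith("a=path:")), None)
            # CEMA is signalled with a bare media-level attribute; it says nothing
            # about TLS, which is carried by the proto field alone
            cema = "a=msrp-cema" in attrs
            legs.append(MsrpLeg(proto, proto in SECURED_PROTOS, cema, path))
        elif media == "application" and proto in DC_PROTOS:
            # data channel: only streams whose dcmap subprotocol is "msrp" carry MSRP
            for a in attrs:
                m = re.match(r"a=dcmap:(\d+)\s+(.*)", a)
                if m and re.search(r'subprotocol="msrp"', m.group(2)):
                    prefix = f"a=dcsa:{m.group(1)} path:"
                    path = next((x[len(prefix):] for x in attrs if x.startswith(prefix)), None)
                    legs.append(MsrpLeg(proto, proto in SECURED_PROTOS, None, path))
    return legs


def end_to_end_secured(*legs: MsrpLeg) -> bool:
    """A gatewayed session is only as secure as its weakest MSRP hop."""
    return bool(legs) and all(leg.secured for leg in legs)


# constructed sample: WebRTC side of a gateway, MSRP over a data channel
WEBRTC_LEG = """\
v=0
o=- 1 1 IN IP4 192.0.2.1
s=-
c=IN IP4 192.0.2.1
t=0 0
m=application 54111 UDP/DTLS/SCTP webrtc-datachannel
a=sctp-port:5000
a=setup:actpass
a=fingerprint:sha-256 19:E2:1C:3B:4B:9F:81:E6:B8:5C:F4:A5:A8:D8:73:04:BB:4B:C3:44:1F:79:B9:E7:6E:56:04:1E:9E:67:F6:1A
a=dcmap:2 subprotocol="msrp";label="chat"
a=dcsa:2 accept-types:text/plain
a=dcsa:2 path:msrp://192.0.2.1:54111/s1;dc
"""

# constructed sample: legacy side over plain TCP, with CEMA
LEGACY_TCP_LEG = """\
m=message 7654 TCP/MSRP *
a=accept-types:text/plain
a=path:msrp://198.51.100.7:7654/jshA7weztas;tcp
a=msrp-cema
"""

# constructed sample: legacy side over TLS, without CEMA
LEGACY_TLS_LEG = """\
m=message 7655 TCP/TLS/MSRP *
a=accept-types:text/plain
a=path:msrps://198.51.100.7:7655/jshA7weztas;tcp
"""

if __name__ == "__main__":
    web = classify_msrp(WEBRTC_LEG)[0]
    for name, sdp in (("tcp", LEGACY_TCP_LEG), ("tls", LEGACY_TLS_LEG)):
        legacy = classify_msrp(sdp)[0]
        print(name, legacy, "end-to-end secured:", end_to_end_secured(web, legacy))
```

Running it shows the TCP leg with CEMA flagged as non-secured and the TLS leg without CEMA flagged as secured, which is exactly the orthogonality Christer describes; the gateway verdict is then the conjunction of the two hops, so an operator who does not mandate TLS on the legacy side gets end_to_end_secured False regardless of CEMA.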