Skip to main content

Last Call Review of draft-ietf-avtext-rid-04

Request Review of draft-ietf-avtext-rid
Requested revision No specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2016-08-12
Requested 2016-08-04
Authors Adam Roach , Suhas Nandakumar , Peter Thatcher
I-D last updated 2016-08-11
Completed reviews Secdir Last Call review of -04 by Hilarie Orman (diff)
Opsdir Last Call review of -04 by Jürgen Schönwälder (diff)
Assignment Reviewer Hilarie Orman
State Completed
Request Last Call review on draft-ietf-avtext-rid by Security Area Directorate Assigned
Reviewed revision 04 (document currently at 09)
Result Has issues
Completed 2016-08-11
Security review of
RTP Stream Identifier Source Description (SDES)

Do not be alarmed.  I have reviewed this document as part of the
security directorate's ongoing effort to review all IETF documents
being processed by the IESG.  These comments were written primarily
for the benefit of the security area directors.  Document editors and
WG chairs should treat these comments just like any other last call

We begin by quoting from the document:

   This document defines and registers two new RTCP SDES items.  One,
   named RtpStreamId, is used for unique identification of RTP streams.
   The other, RepairedRtpStreamId, can be used to identify which stream
   a redundancy RTP stream is to be used to repair.

Security considerations:
   The actual identifiers used for RtpStreamIds (and therefore
   RepairedRtpStreamIds) are expected to be opaque."

"Opaque" seems to mean "no one cares what it is."  Nonetheless, a
protocol should give some guidance about this.  Taking the value from
a global 64-bit counter, for example, could leak information about the
global state of the machine.  Having a short counter for each session
with a starting value of 0 would probably be OK.  Having a short
counter start at a random value and wraps around would probably be OK.

The "terminology" section could be improved by EAFMA and RUP
(expanding a few more acronyms and removing unused phrases).  MSID and
SSRC are not expanded; "encoded stream" is never used.