Gen-art last call review: draft-ietf-mmusic-rfc2326bis-34

[Robert Sparks]

I am the assigned Gen-ART reviewer for this draft. For background on 
Gen-ART, please see the FAQ at

<http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
Please resolve these comments along with any other Last Call comments 
you may receive.

Document: draft-ietf-mmusic-rfc2326bis-34
Reviewer: Robert Sparks
Review Date: 05-Jun-2013
IETF LC End Date: 04-Jun-2013
IESG Telechat date: not yet on a telechat

Summary: This draft is on the right track but has open issues, described 
in the review.

I have not reviewed this document at the level of detail I prefer for 
Gen-art reviews, but have tried to be thorough in the sections I have 
reviewed.

In particular,
I didn't verify the tables and the text agree
I didn't carefully check the ABNF
I haven't thought about possible edge cases and race conditions as much 
as I would have liked
I didn't closely review the security mechanisms in section 19 or the 
specialized MIKEY keying mechanism in the appendix - both need careful 
review from security experts.

One observation I would like to make before calling out issues and nits:

The document is very long, and the structure is unusual - much of the 
definition of the protocol itself is in the appendices. You are missing 
an opportunity to make this document much shorter (thereby likely 
increasing its effectiveness). Much of the jump in from RFC2326 was 
importing the description of headers and responses from HTTP, tailoring 
them to RTSP. That was a good exercise in that it highlights some issues 
that would otherwise be non-obvious (and raises a few questions below). 
But you followed the style from HTTP perhaps too closely - much shorter 
descriptions without examples might have done the job better. Overall, 
separating exposition and examples from the protocol definition would 
make it much easier for an implementer to find the definition of the 
protocol, and use the document as a reference when diagnosing a failure 
to interoperate.

Major Issues

I'm not seeing what instructs an RTSP element on how to find the server 
it would try to open a connection to given an rtsp or rtsps URI? Are you 
assuming it would be doing A or AAAA DNS lookups? Should this protocol 
use NAPTR/SRV? The document should be explicit. On a related note, (and 
maybe I missed this), but where do you talk about what an element should 
check in the server's certificate when connecting over TLS? Are you 
assuming a common name match? Or are you expecting some SubjectAltName 
processing?

The document should say more about when connection reuse is appropriate, 
particularly when the connections happened because of an rtsps uri. Two 
different names might resolve to the same IP address - reusing a 
connection formed when looking at the first name (and verifying the 
server's cert) is dangerous. A new connection needs to be formed (and 
verified) instead.

The text talks about the option to queue S->C requests if there isn't a 
connection to the client available. Ostensibly, this means the request 
can go down some future connection. It's not clear how the server can 
tell the right client connected. In particular, when using rtsps, how do 
you prevent a malicious client from getting such a queued message that 
wasn't meant for him?

Given that the text talks about queuing S-C requests, it should 
explicitly call out whether a server can queue a response if the 
connection the associated request arrived on is no longer available. I 
think what you want to say is that such a response must not be queued, 
and must be dropped.

There are several places in the text that talk about using a 503 
response with a Retry-After header to push back on traffic from an 
element (the first is section 10.7).
* It's not clear what the subject of a 503 is. Is it intended to be 
scoped to requests to the resource in the RURI of the associated 
request? Is it intended to be scoped to the domain in that resource? Or 
is it, like in SIP, intended to be scoped to the server issuing the 
response, independent of what the RURI contained?
* If the intent is that the 503 talks about the server, then you should 
clarify that a proxy doesn't simply forward 503 responses (after 
rewriting CSeqs), and should probably have a response of its own. 
Otherwise, clients that might be talking to two different servers 
through one proxy would lose access to both of them when one of the 
servers 503ed.

Section 4.9.1 lists values the Seek-Style header can take, but 18.45 
lists a completely different set (which most of the rest of the document 
uses). Should 4.9.1 be changed to use the values in 18.45? Are the right 
strings being used in sections 13.4.4 through 13.4.6? Those appear to be 
using strings from 4.9.1.

The document will not stand if you delete some of the appendices. They 
aren't supplementary material. Please consider restructuring the 
normative sections back into the main document, or clearly identifying 
which ones define protocol and which are background information.

Section 15 talks about a "transparent' proxy, but there is no 
description in this document of what protocol such a thing should 
follow. What bad thing happens if you remove all mention of 
"transparent" proxies from the document? As far as I can tell, that 
won't affect the protocol definition at all.

The list of steps for establishing an SRTP cryptographic context in 
C.1.4.1 says "This specification does not specify an explicit method for 
indicating this SRTP cryptographic context establishment method, but 
future specifications may." in the context of looking at the SDP. SDP 
_has_ methods of indicating what keying mechanism is used with SRTP - 
are you talking about something different? Why doesn't this section say 
something like "the use of SRTP with RTSP is only defined with MIKEY 
with keys established as defined in this section. Future documents may 
talk about how an RTSP implementation might treat SDP that indicates 
some other key mechanism be used"? Could you provide an example in the 
document of an RTSP message carrying SDP reflecting the use of SRTP as 
defined in this document?


Minor Issues

The document uses the notion of a "control connection" (it appears first 
in section 2.5) without defining what that is, or what kind of 
connections you might have that aren't control connections.

The update to the registration of the rtsp and rtsps schema call out 
that there are changes that can result in interoperability issues. It 
doesn't say what the issues are, or who might encounter them. I can 
infer that the point is that there might be problems if a URI following 
this updated registration were to be processed by an RTSP 1.0 
implementation (or any other application that relied on the previous 
definition). It would be better to say that explicitly, and talk about 
how a previous implementation is likely to act when presented with a URI 
that exercised these new changes. (It's not clear to me that all of the 
thread at www.ietf.org—msg01567.html 
<http://www.ietf.org/mail-archive/web/uri-review/current/msg01567.html> 
concluded - I see how the fragments question ended, but what about 
things like the addition of IPV6 literals? In particular, I'm not 
finding a response where Ted Hardie agreed that the potential for 
interoperability failure had been adequately addressed).


I think you've said something different than you mean in 5.4 item 1. I 
think you mean to say that an RTSP implementation would ignore any body 
that happened to come in message that MUST NOT contain one. What you've 
said is that the part of the parser that's doing framing has to stop 
framing at the end of the headers, and that such an errant body would be 
parsed as a separate message. As written this would keep someone from 
using an Internet Message Format parser since it would have to ignore 
any Content-Length that might have appeared, even though it wasn't 
supposed to.

In section 10.4, it looks like a server can keep an RTSP transaction 
pending forever if it sends 100 responses often enough. I assume the 
client's recourse if it doesn't want to remain involved is to close the 
connection. If that's right, it's worth calling it out explicitly in 
this section.

Somewhere, probably in section 15.2, you should be explicit that a proxy 
that is multiplexing requests MUST keep the requests in the same order 
as they are folded together. You can infer that, or things simply break, 
but saying it explicitly would be better.

Both GET_PARAMETER and SET_PARAMETER are listed as keep-alive methods in 
10.5, but the note in section 13 on table 7 only uses that as a reason 
for requiring SET_PARAMETER. Why doesn't it also apply to GET_PARAMETER? 
And why is this only required at servers? "Required" in this section 
means Mandatory to Implement, I think. If that's right, it should be 
made explicit. If that's not right, what does it mean?

Section 13.8 makes a good argument for always putting parameters to be 
retrieved in a body. Why are you keeping the complexity of also allowing 
them in headers?

Section 13.10: "That should not provide any benefit." is not clear - can 
you expand it a little?

In Section 13.10 you talk about clients _sending_ media (search for 
"send or receive media"). Do you mean anything more than possibly RTCP? 
Can you make that clear in the section?

Section 15.2's second paragraph appears to be the only place the proxy 
rewriting of CSeq in order to multiplex requests is defined, and it is 
very loose. It would be easy for a reader to fail to recognize this as 
an interoperability requirement. Please consider expanding how this is 
specified when addressing the comment about above about keeping requests 
in relative order when multiplexing.

You follow the principle of saying a client should treat a response with 
an unknown response code, the same as it would treat the x00 of that 
class (e.g. 400 for an unknown 4xx). However, you do not define what a 
response code of 300 means. How is a client supposed to handle an 
unknown 3xx response?

As written, a client and server can use HTTP Basic authentication over 
TCP that is not protected with TLS. Consider restricting it's use to TLS 
only. Are you sure you don't need to say anything RTSP specific about 
DIGEST computations (I don't think you need to go as far as SIP did 
talking about DIGEST, but I'm surprised you haven't run into issues 
relying only on 2617 literally.


How does 411 Length Required for this protocol make sense? Given that 
you've restricted the protocol to TCP and require the Content-Length 
header to be present if there is a body, in what circumstance would a 
server need to send a 411?


Section 18.19 requires senders to increment CSeq by 1. We have a 
reliable transport with no request retransmission, so there should never 
be gaps at the receiver. Should the receiver check and react some way if 
there are gaps? I think you should explicitly tell them not to even 
look. If you agree, why is incrementing by one important as long as you 
are always strictly increasing?

You call out several places where RTCP is essential to allow RTSP using 
RTP to work correctly, yet section C.1.2 sets up conditions where RTCP 
MUST NOT be sent. Why are you allowing those instead of treating the 
conditions you describe as errors?


Nits


The definition of Message still talks about connectionless transports

22.14 says "These URI schemes are defined in existing registries which 
are not created by RTSP." Should it say that they are _registered_ 
rather than defined, and "not created by this document" instead of by 
RTSP? In section 4.2 in the paragraph discussing ports 554 and 322, why 
is the language different for rtsp and rtsps? "MUST be used" vs "is 
registered and MUST be assumed"?

Consider a reference in 4.4 to where SMPTE 30 drop is defined, 
particularly for where the 1/100th frame measurement comes from.

Section 4.5 introduces NPT as indicating "the absolute position" and 
then defines something that can carry a point or a range. I suggest 
adjusting the first sentence to allow for a range.

Section 4.9.1's description of Conditional Random Access contains some 
ambiguity. It would help be more explicit. I think it's trying to say 
"would move the client's play point further away from the requested play 
point than it's play point currently is."?

Section 5 : what do you mean by "tricky" switching?

Section 7: consider octets instead of bytes

Section 10.3: what is "take appropriate action" trying to say?

The document mixes using "3rr" and "3xx" to talk about redirect 
responses. Why are there two ways to say the same thing?

(Total nit, but) The examples show dates in 1997, when there could be no 
RTSP/2.0. Are there other aspects of the examples that might not have 
been updated?

Is "will need to use" at the bottom of page 85 in section 13.5.2 trying 
to say something that should be said with 2119?

Consider saying that a client must not put a Terminate-Reason in a C->S 
Teardown request, or tweak the definition of Terminate-Reason to discuss 
client use and the possibility of C->S specific values.

These two sentences in 13.7.1 are particularly hard to parse together: 
"The time period is considered extended when it is 10 times the Session 
Timeout period. Consideration of the application of the server and its 
content should be performed when configuring what is considered as 
extended period of time." I suspect they were not written at the same 
time? Can you simplify what they are trying to say, noting that the 
suggested "10 times" is a default, and that if you want to change that 
default, you need to consider the context?

Section 14: "Interleaved binary data SHOULD only be used if RTSP is 
carried over TCP". Is this leftover from when UDP was an option?

(small nit) Section 14, you mention an ASCII dollar sign - maybe you 
should just say an octet with value 0x24?

It's not clear how far up to go with "upper-layer protocol headers" in 
section 14, given that you are trying to speak generally about carrying 
things in interleaved data. Your example for RTP may cover the only case 
that matters. Consider speaking more normatively (instead of with an 
example) for RTP and provide some guidelines about where to cut the 
prefixes for other things you might want to carry (lest you end up with 
the v6 headers too when tunneling some new foo protocol?)

In section 17, you say "Status codes that have the same meaning are not 
repeated here." But you did repeat them (see 200 OK). Should that 
sentence be deleted?

304 (section 17.3.4) probably should have been a different class 
response, maybe even a 2xx. The text does call it out as "unusual" for 
the 3xx, but it would be better to say why this ended up in this 
response class.

I might be confused, but I'm not sure the redirection semantics defined 
in this document lead to the "black hole" case discussed in 17.4.14. If 
I'm confused, could you send me an example of such a redirection black 
hole happening?

Section 18.11 first paragraph should be split into two sentences.

Is "MUST be transported over TCP" in C.2.1 stale now that no 
connectionless transport is defined?

The end of Appendix G still implies that CSeq was primarily for 
unreliable transports. There are other places that out and point to 
proxy multiplexing. All of them should acknowledge that CSeq is 
necessary for associating responses with requests.