Re: [AVT] Media over DTLS
David McGrew <mcgrew@cisco.com> Fri, 10 March 2006 16:16 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FHkIL-0005Qm-RP; Fri, 10 Mar 2006 11:16:49 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FHkIK-0005Qh-PJ for avt@ietf.org; Fri, 10 Mar 2006 11:16:48 -0500
Received: from test-iport-1.cisco.com ([171.71.176.117]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FHkIJ-0003jS-4b for avt@ietf.org; Fri, 10 Mar 2006 11:16:48 -0500
Received: from sj-core-1.cisco.com ([171.71.177.237]) by test-iport-1.cisco.com with ESMTP; 10 Mar 2006 08:16:46 -0800
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id k2AGGjw5026094; Fri, 10 Mar 2006 08:16:45 -0800 (PST)
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Fri, 10 Mar 2006 08:16:45 -0800
Received: from [192.168.1.100] ([10.32.254.210]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.211); Fri, 10 Mar 2006 08:16:43 -0800
Mime-Version: 1.0 (Apple Message framework v746.2)
Content-Type: text/plain; charset="US-ASCII"; delsp="yes"; format="flowed"
Message-Id: <03D20971-EFA6-4E0C-A62A-33DECF417863@cisco.com>
Content-Transfer-Encoding: 7bit
From: David McGrew <mcgrew@cisco.com>
Subject: Re: [AVT] Media over DTLS
Date: Fri, 10 Mar 2006 08:16:42 -0800
To: Eric Rescorla <ekr@networkresonance.com>
X-Mailer: Apple Mail (2.746.2)
X-OriginalArrivalTime: 10 Mar 2006 16:16:44.0128 (UTC) FILETIME=[05C88600:01C6445E]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 2b2ad76aced9b1d558e34a970a85c027
Cc: AVT <avt@ietf.org>
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Audio/Video Transport Working Group <avt.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
Errors-To: avt-bounces@ietf.org
Eric, I have a lot of comments and questions about your work, please see below. > Hi, > > AVT working group members may be interested in the following suite > of drafts, which define a method for securing multimedia (especially) > RTP traffic using DTLS: > > http://www.ietf.org/internet-drafts/draft-fischl-sipping-media- > dtls-00.txt > http://www.ietf.org/internet-drafts/draft-tschofenig-avt-rtp- > dtls-00.txt > http://www.ietf.org/internet-drafts/draft-fischl-mmusic-sdp- > dtls-00.txt > http://www.ietf.org/internet-drafts/draft-modadugu-dtls-short-00.txt > http://www.ietf.org/internet-drafts/draft-rescorla-tls-partial-00.txt > http://www.ietf.org/internet-drafts/draft-ietf-tls-ctr-00.txt > > Why is this interesting? SIP does not have a scheme for key > negotiation > of media encryption that works with early media and forking. That's not really true. SDP security descriptions with SDP security preconditions solves these problems, but at the cost of an extra round trip in the signaling plane. As it has become evident that the preconditions approach isn't desirable, and number of other methods have been proposed. See for example draft-mcgrew-srtp-ekt-00.txt > This set of > drafts addresses these issues. Instead of inventing a new key > negotiation protocol, There's a lot of new text that you're referencing - wouldn't you consider DTLS in "SRTP Compatibility Mode" the equivalent of a new protocol? > it uses DTLS for key establishment and algorithm > negotiation while having the same on-the-wire packet format as SRTP. But unfortunately the format compatibility doesn't give us any interoperability with SRTP; please see comment number 12 below. > > HTML versions can be found at: > > http://scm.sipfoundry.org/rep/ietf-drafts/ekr/{draft}.html > > The draft of most interest to this WG is probably > draft-tschofenig-avt-rtp-dtls-00 but you may find it helpful to read > draft-fischl-sipping-media-dtls-00 first for background. > > -Ekr I've itemized my points below for convenience in discussion. Best regards, David -- 1. SRTP works in group scenarios (both multi-unicast and multicast), while RTP over DTLS only addresses point to point scenarios. 2. RTP over DTLS does not provide all of the security policy options that SRTP allows. For example, an SRTCP sender can selectively choose which SRTCP packets to encrypt, and SRTP can allow short authentication tags on conversational voice media, but long authentication tags on other data within the same session (e.g. DTMF digits). 3. RTP-over-DTLS appears not to work with Symmetric RTP [6]. That RTP method is commonly used in order to allow RTP sessions to traverse NAT and firewall devices. This facility relies on the fact that the media source behind the NAT sends data that triggers a NAT translation that allows inbound media. If the initiator of the DTLS handshake is outside of the NAT or firewall, then RTP-over-DTLS will fail. 4. The partial encryption extension [2] does not properly handle RTP header extensions. That extension negotiates some number of initial bytes that will be unencrypted in each packet. However, it is desirable to leave the RTP header extension unencrypted whenever it is present (not encrypting the header is the first goal named for "SRTP Compatibility Mode"), and this facility does not allow that. It would require the RTP application to choose in advance to use or not use an RTP header extension with some fixed length established prior to the start of the session. A security protocol for RTP should not constrain which RTP applications can be supported, but items 1,2,3 and 4 put significant constraints on the applications. SRTP is flexible enough to have been adopted for use with many diverse RTP applications, both inside and outside of the IETF; see http://srtp.sourceforge.net/spec.html#Uses for example. RTP-over-DTLS lacks the ability to work with many of these applications. 5. In Appendix A.3 of [3]. An "SRTP MKI" field is included in the DTLS packet. Is this intentional? If so, where is this field defined? 6. RTP over DTLS appears to rely on the DTLS "content type" field being distinct from the initial bits of the RTP header. Is this right? 7. The RTP over DTLS spec [3] says that "DTLS uses a 10 byte MAC and SRTP uses a 4 byte MAC". This is misleading; a ten-byte MAC is defined in the SRTP standard, and is the default and recommended value for the protocol, though a four-byte MAC has been defined and used elsewhere for use in the VoIP context. 8. The RTP over DTLS "SRTP Compatibility Mode" requires a large number of extensions to DTLS (which itself is a significant extension to TLS): The TLS partial encryption extension, with an InitialPlaintext value equal to the length of the RTP header [2], The DTLS implicit application data header [1], The TLS MAC truncation extension [4], The Counter Mode cipher [5] It is not clear whether or not the other extensions defined in [1] - sequence_number_length, no_version_field, no_length_field - are also required, or perhaps are implicitly required by the other extensions. The number and complexity of these options show that the claim "because RTP/DTLS runs over DTLS, which is based on TLS, which has seen extensive security analysis, we can have fairly high confidence in the security of the system" (Section 7 of [3]) is misleading. 9. TLS does decryption before a MAC check. When combined with partial decryption, this may be a potential security problem - at the very least, some analysis would need to be published showing that it is not. One point that needs to be considered is that a receiver that performs multiple guesses, each followed by an authentication check, is weakening the authentication in doing so. In SRTP, we very consciously did not recommend this method. [1] now says that "The "implicit_header" extension introduces some ambiguity in record receipt processing. This ambiguity can, however, be resolved by trial decryption." Shouldn't this state that the message authentication check is used to resolve the ambiguity, rather than an encryption? Or is there some redundancy check on the decrypted material, and if so, what is that check? 10. Does RTP/DTLS work with RTP Forward Error Correction [7], and if so, how? Is it capable of working with FEC with either order of processing? 11. The performance of RTP/DTLS will lag behind that of the SRTP alternatives. It will require two TLS handshakes - one for RTP, and one for RTCP - and at least one full handshake's worth of certificate validation as well as a public key encryption/decryption or a public key exchange. Another performance demerit is the fact that, because decryption precedes an authentication check, trial decryption must be done in RTP-over-DTLS, unlike SRTP. Also, self-signed certificates introduce costly additional and superfluous public key operations. 12. The "SRTP Compatibility Mode" of [3] is not really compatible with SRTP - it does not interoperate with SRTP in any way. Wouldn't it be preferable if it was compatible in an interoperable way? The advantage of RTP-over-DTLS is that it re-uses the TLS handshake, thus providing a built-in key management method. The way to achieve this advantage while retaining SRTP's advantages is to define a way to use that handshake to provide keying material to a media-protection method that is actually compatible with SRTP. This way, the advantages of the DTLS handshake could be used in scenarios in which it is useful, while other keying methods could be used in other scenarios, with only a single implementation of a media-security layer. This interface is already defined for SRTP in Section 8.2. of RFC 3711. This SRTP-interoperable method is better suited to constrained environments where SRTP is much easier to support because of its smaller code size. It also would enable significant code re-use, especially for all of the devices that already implement SRTP. There are many ways that a DTLS handshake could be used to establish SRTP keys. One simple method that is obviously secure is to pass SRTP keying material over a DTLS connection that has been established for that purpose. The following text expresses the SRTP key management interface in terms of the TLS presentation layer: enum { null_cipher, aes_128_icm, aes_128_f8 } srtp_cipher_type; enum { null_auth, hmac_sha1_80 } srtp_auth_type; enum { aes_cm } srtp_kdf_type; struct { uint32 ssrc; srtp_cipher_type cipher_type; srtp_auth_type auth_type; srtp_kdf_type kdf_type; uint8 cipher_key_size; uint8 auth_key_size; uint8 cipher_salt_size; opaque cipher_key[32]; opaque cipher_salt[32]; opaque auth_key[32]; } srtp_parameters; What disadvantage would an SRTP-interoperable method have relative to RTP-over-DTLS? References [1] Modadugu, N. and E. Rescorla, "Extensions for DTLS in Low Bandwidth Environments", draft-modadugu-dtls-short-00 (work in progress), October 2005. [2] Rescorla, E., "TLS Partial Encryption Mode", draft-rescorla-tls-partial-00 (work in progress), January 2006. [3] Tschofenig, H., Rescorla, E., "Real-Time Transport Protocol (RTP) over Datagram Transport Layer Security (DTLS)", February 25, 2006 [4] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., Wright, T., Transport Layer Security (TLS) Extensions, RFC 2246. [5] Modadugu, N. and E. Rescorla, "AES Counter Mode Cipher Suites for TLS and DTLS", draft-modadugu-tls-ctr-00 (work in progress), October 2005. [6] Wing, D., Common Local Transmit and Receive Ports (Symmetric RTP) draft-wing-behave-symmetric-rtprtcp-01 [7] J. Rosenberg, H. Schulzrinne, An RTP Payload Format for Generic Forward Error Correction, RFC 2733. _______________________________________________ Audio/Video Transport Working Group avt@ietf.org https://www1.ietf.org/mailman/listinfo/avt
- Re: [AVT] Media over DTLS Mark Baugher
- [AVT] Media over DTLS Eric Rescorla
- Re: [AVT] Media over DTLS Mark Baugher
- Re: [AVT] Media over DTLS Eric Rescorla
- Re: [AVT] Media over DTLS Mark Baugher
- Review of draft-tschofenig-avt-rtp-dtls-00 (Re: [… Lakshminath Dondeti
- Re: [AVT] Media over DTLS Eric Rescorla
- Re: [AVT] Media over DTLS Lakshminath Dondeti
- Re: [AVT] Media over DTLS David McGrew
- Re: [AVT] Media over DTLS Jonathan Rosenberg
- Re: [AVT] Media over DTLS Eric Rescorla
- Re: [AVT] Media over DTLS Eric Rescorla
- Re: [AVT] Media over DTLS Mark Baugher