IETF Logo Mail Archive

Re: [AVTCORE] Registering AVP Profiles for RTP over QUIC

Roman Shpount <roman@telurix.com> Thu, 12 May 2022 01:16 UTC

Return-Path: <roman@telurix.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8890C15E6EF for <avt@ietfa.amsl.com>; Wed, 11 May 2022 18:16:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=telurix.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dmDk4NR_7Onb for <avt@ietfa.amsl.com>; Wed, 11 May 2022 18:16:07 -0700 (PDT)
Received: from mail-qk1-x729.google.com (mail-qk1-x729.google.com [IPv6:2607:f8b0:4864:20::729]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83B69C159484 for <avt@ietf.org>; Wed, 11 May 2022 18:16:07 -0700 (PDT)
Received: by mail-qk1-x729.google.com with SMTP id c1so3590814qkf.13 for <avt@ietf.org>; Wed, 11 May 2022 18:16:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telurix.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=JO7e35yDk0hkfjqNHuBnaiD/b6GDvno1oNz39rAAtyQ=; b=PsA/ZLHn3Mc2pe/0XgpxI7LUNqDph0yG4Knnhwl6Lb0fjJOFzxhXrd+DS5u/D1ipvj EC0pEqnW+xcvXKfvin6bLuIiXTW/l8DpneR/NJD9/rl9QOfjOWQMkdekk8m9GlRfuz00 zTj2CVzctRq5ZxKL6NDMbiI3I1p/B9DJrVrm8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=JO7e35yDk0hkfjqNHuBnaiD/b6GDvno1oNz39rAAtyQ=; b=1oRxvrBZi0iJhnfQL5KTD0K3rYpAU8OpwmpSP1qpZ04PzL5dRZ1/n5xYPX+rrfF0bP iJPUiNvW+rlur+dtXOZEnfGVtUN+WWuxtk7+6qTR4L8vTZkH22iWImLTEau4S1ayLHYk VMtMYmWjQrB0bKXWM2R6Knz5oC4EFFF1K6zYXQYMdL8CYSlGBaUyLBZRHqGcbPI6fUY0 VcdeAVD419OHvgmZEQzrxclbpqb1T08710D/eaK8pH7gu0xzhcs/KT/7K/jxsC3Lk3rM d9ZcXe1cTkinFVKRM7KutKO0beA2n3roXnQQruqQgLxmmWmJk1runPNM+4lNCPdYAtFD 82sA==
X-Gm-Message-State: AOAM532ZvsX636PG5kPkEudCZv2WpjG3aaLG3NmVEt5G4UrPLu4aKiuo a0tHwDzudHqQPLeBW4xDpzUU0zyyx+ezdA==
X-Google-Smtp-Source: ABdhPJxXw1MTcgiSfK3mlnd3WkLD+hNVCazi5lfMvF4AJ3PN2hGh0//lSQItyfhgmVU+QqM8X8Owqg==
X-Received: by 2002:ae9:df46:0:b0:69f:b616:762b with SMTP id t67-20020ae9df46000000b0069fb616762bmr21639849qkf.600.1652318166159; Wed, 11 May 2022 18:16:06 -0700 (PDT)
Received: from mail-yw1-f172.google.com (mail-yw1-f172.google.com. [209.85.128.172]) by smtp.gmail.com with ESMTPSA id a1-20020a05620a16c100b0069fc13ce23dsm2117144qkn.110.2022.05.11.18.16.05 for <avt@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 11 May 2022 18:16:05 -0700 (PDT)
Received: by mail-yw1-f172.google.com with SMTP id 00721157ae682-2f7d621d1caso39888177b3.11 for <avt@ietf.org>; Wed, 11 May 2022 18:16:05 -0700 (PDT)
X-Received: by 2002:a05:690c:16:b0:2db:cfed:de0e with SMTP id bc22-20020a05690c001600b002dbcfedde0emr29133229ywb.271.1652318165500; Wed, 11 May 2022 18:16:05 -0700 (PDT)
MIME-Version: 1.0
References: <CAKKJt-dvotzuaK66T8WQd7YgNLNr_6vqa4W8-z=5FvujpGWA=A@mail.gmail.com> <CAD5OKxvuQ+ng4YUbKE2Do5aB3pOpTs24Y59G1-2QAwSSX6HYkw@mail.gmail.com> <CAKKJt-cXMa8bW7HhwrkzX2-O=kYK2GRNwtB+cHRB-zWn+f0f+g@mail.gmail.com>
In-Reply-To: <CAKKJt-cXMa8bW7HhwrkzX2-O=kYK2GRNwtB+cHRB-zWn+f0f+g@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
Date: Wed, 11 May 2022 21:15:53 -0400
X-Gmail-Original-Message-ID: <CAD5OKxsPd8w=geXBjJwFSSNUhFQ3sc-MMvte3EG6w24=tMvVPQ@mail.gmail.com>
Message-ID: <CAD5OKxsPd8w=geXBjJwFSSNUhFQ3sc-MMvte3EG6w24=tMvVPQ@mail.gmail.com>
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: IETF AVTCore WG <avt@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004f8e0f05dec64dbd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/4qIpVqf4UdP-sG0jwWXOjIbocRo>
Subject: Re: [AVTCORE] Registering AVP Profiles for RTP over QUIC
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2022 01:16:11 -0000

Hi Spencer,

I was thinking not about using QUIC to transport RTP, just to negotiate the
encryption keys and protocol. Once keys and protocol are negotiated,
SRTP-over-UDP sends the packets. SRTP/SRTCP packets are demultiplexed from
QUIC, and both protocols run side-by-side. This means none of the QUIC
encryption, NACK, congestion control, etc., is used for media. It is an
exact equivalent of DTLS-SRTP with QUIC being used instead of DTLS to
negotiate keys.

Even if this draft does not cover such a set-up, I think it is a viable
network configuration. Whatever protocol name you will come up with, it
should be possible to differentiate media over QUIC vs. key negotiation
over QUIC.
_____________
Roman Shpount


On Wed, May 11, 2022 at 6:41 PM Spencer Dawkins at IETF <
spencerdawkins.ietf@gmail.com> wrote:

> Hi, Roman,
>
> On Wed, May 11, 2022 at 4:12 PM Roman Shpount <roman@telurix.com> wrote:
>
>> What about using QUIC for encryption session setup and SRTP for sending
>> media, similar to DTLS-SRTP? This can be the easiest option to implement.
>>
>
> I'm not aware of a way to stop encryption in RFC 9000 QUIC, which is using
> RFC 9001 TLS for key exchange, etc, in favor of an application-level
> encryption mechanism. This has come up a number of times in conversations
> with 3GPP, who also wanted to avoid duplicate encryption (details don't
> matter, at this point), and the IETF has always said they wouldn't provide
> that.
>
> But maybe something has changed?
>
> Best,
>
> Spencer
>
>
>> Best,
>> _____________
>> Roman Shpount
>>
>>
>> On Wed, May 11, 2022 at 4:47 PM Spencer Dawkins at IETF <
>> spencerdawkins.ietf@gmail.com> wrote:
>>
>>> Dear AVTCORE,
>>>
>>> I've had an open PR in
>>> https://github.com/SpencerDawkins/sdp-rtp-quic/pull/9 for a while,so I
>>> could get a sense of how AVT profiles are supposed to work, and I'd like to
>>> push on that now (with a virtual interim meeting coming up next week)..
>>>
>>> The high-level summary of discussion in
>>> https://github.com/SpencerDawkins/sdp-rtp-quic-issues/issues/5 (note
>>> that this discussion is in a different repo, because reasons) has been
>>> roughly,"what's the difference between QUIC/RTP/AVPF and QUIC/RTP/SAVPF"?
>>>
>>> The arguments about not registering secure AVP profiles involve
>>>
>>>    -  the computational overhead of double encryption for all packets,
>>>    plus
>>>    - the payload overhead of 10 bytes per packet since you have 2 HMACs.
>>>
>>> The arguments about registering secure AVP profiles seem to revolve
>>> around
>>>
>>>    - Minimizing the impact of added QUIC support in existing
>>>    implementations that are using /RTP/SAVPF now.
>>>    - QUIC encryption protects payloads between QUIC endpoints, but
>>>    there are many multi-endpoint RTP topologies (
>>>    https://www.rfc-editor.org/rfc/rfc7667 has about 50 pages of them),
>>>    and when a middlebox receives  QUIC/RTP/AVPF, it's not obvious whether the
>>>    middlebox should
>>>       - forward the RTP payload using  RTP/AVPF (where the outgoing
>>>       AVPF matches the incoming AVPF), or
>>>       - forward the RTP payload using RTP/SAVPF, where the outgoing
>>>       SRTP encryption matches the incoming QUIC
>>>
>>> It seems to me that there are three choices:
>>>
>>>    - Use only QUIC/RTP/AVPF, and and require middleboxes receiving
>>>    QUIC/RTP/AVPF traffic to always forward that traffic over RTP/SAVPF
>>>    - Use only QUIC/RTP/AVPF, and and require senders to signal
>>>    middleboxes whether they should forward that traffic over RTP/AVPF or
>>>    RTP/SAVPF
>>>    - Register both QUIC/RTP/AVPF and QUIC/RTP/SAVPF, and if you have to
>>>    do double encryption on the QUIC/RTP paths to get RTP/SAVPF on the other
>>>    side of a middlebox, too bad
>>>
>>> So, my questions are,
>>>
>>>    - What am I missing here?
>>>    - Are any of the choices I'm listing obviously the *BEST* choice?
>>>
>>> Best,
>>>
>>> Spencer
>>> _______________________________________________
>>> Audio/Video Transport Core Maintenance
>>> avt@ietf.org
>>> https://www.ietf.org/mailman/listinfo/avt
>>>
>>

v2.23.0 | Report a Bug | By Email