[AVTCORE] EKT update, draft-ietf-avtcore-srtp-ekt-02
Dan Wing <dwing@cisco.com> Sat, 15 February 2014 00:30 UTC
Return-Path: <dwing@cisco.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 026911A00A5 for <avt@ietfa.amsl.com>; Fri, 14 Feb 2014 16:30:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.049
X-Spam-Level:
X-Spam-Status: No, score=-15.049 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ueYjKKxXluXM for <avt@ietfa.amsl.com>; Fri, 14 Feb 2014 16:30:16 -0800 (PST)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 2A5991A00DE for <avt@ietf.org>; Fri, 14 Feb 2014 16:30:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6858; q=dns/txt; s=iport; t=1392424215; x=1393633815; h=from:content-transfer-encoding:subject:date:message-id: cc:to:mime-version; bh=VbfMkAjHdxLZhuM/LOikWbRoPrOr0VHOKBsvLFNHSAA=; b=R1GbfunNHwOjT3JcVP+Ox4OR9UkqnZS8qtVM3BPhuKpQt9mOrMf4dNz7 Gpdcaty5a0IEBoC4W43wTcqHIRg2cLcgQDwAQquMdGCnjUC3fOzdLegFG LydWaW/W+ly+nbXyTVwu2JmuQWPXo2mFh1l/DyWLYXhOhDzsGE06jUC7p U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhEFAOuz/lKrRDoI/2dsb2JhbABZgwY4wAmBFxZ0giUBAQEDOzoFBYE5HBKHYgcOyGoXjigBAU+CNnWBFASJSIp7g2mBMpBxg04bgSwHAhc
X-IronPort-AV: E=Sophos;i="4.95,848,1384300800"; d="scan'208";a="103210099"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-3.cisco.com with ESMTP; 15 Feb 2014 00:30:14 +0000
Received: from sjc-vpn7-1605.cisco.com (sjc-vpn7-1605.cisco.com [10.21.150.69]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id s1F0U2lq026271; Sat, 15 Feb 2014 00:30:11 GMT
From: Dan Wing <dwing@cisco.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Fri, 14 Feb 2014 16:30:02 -0800
Message-Id: <CB90C3F5-2F0D-4FD2-847E-E403CC45C790@cisco.com>
To: "avt@ietf.org WG" <avt@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
X-Mailer: Apple Mail (2.1510)
Archived-At: http://mailarchive.ietf.org/arch/msg/avt/BapjJkWbaRJpAEQC4GLxh4Ph7Us
Cc: "<draft-ietf-avtcore-srtp-ekt@tools.ietf.org>" <draft-ietf-avtcore-srtp-ekt@tools.ietf.org>
Subject: [AVTCORE] EKT update, draft-ietf-avtcore-srtp-ekt-02
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 15 Feb 2014 00:30:19 -0000
We just posted draft-ietf-avtcore-srtp-ekt-02, http://tools.ietf.org/html/draft-ietf-avtcore-srtp-ekt-02. It contains a brief summary of changes, http://tools.ietf.org/html/draft-ietf-avtcore-srtp-ekt-02#section-1.1, In draft-ietf-avtcore-srtp-ekt-02 (this document), SRTP master keys have to be always generated randomly and never shared, MKI is no longer allowed with EKT (as MKI duplicates some of EKT's functions), and text clarifies that EKT must be negotiated during call setup. Some text was consolidated and re-written, notably Section 2.6 ("Timing and Reliability"). Additionally, -02 removed the ability to re-direct DTLS-SRTP handshake to another host ("Scaling to Large Groups" which introduced the SDP attribute dtls-srtp-host). This was removed because the only interested person never responded to my emails, and because proper support really needs ICE- or ICE-like handling for NAT traversal. If interest grows, this can be done in a separate draft, and may have value even without EKT. As you may recall, there were a bunch of great comments from Magnus, Michael, and John. Almost all of those were integrated into -02, with the exception of those I was hoping to get feedback from the working group, which I had discussed in [1], "changes planned for EKT" where I summarized some planned changes. In that post, I had written: > 1. Only use EKT over SRTP, and remove the ability to send EKT over SRTCP. As you may recall, EKT originally worked only over SRTCP, then added support for both SRTP and SRTCP. Our desire to abandon SRTCP is because of several deficiencies with carrying EKT over SRTCP compared to carrying EKT over SRTP, specifically: > - SRTCP compound packet problem described in Magnus' review (his point "G2"). See URL to his review below. > - lack of fate sharing between SRTCP (signaling the new SRTP master key) and SRTP (using the new SRTP master key). > - RTCP rate limits for AVP and AVPF profiles, which prevent sending EKT in SRTCP as aggressively as one might like when rekeying or when joining a session as a new sender. > - unsure how we might handle ISN (initial sequence number) for the key protecting SRTCP (immediately or later), because RTCP does not have a sequence number. > - implementations would have to support EKT over RTP and RTCP. Due to unidirectional audio (recvonly, sendonly), limiting EKT to only RTP means we need to send an RTP packet. While my confidence was high that we would never need or want to change the SRTCP key when using EKT (and hence not need to ever send an RTP packet with EKT), I admit this does not seem to be consensus. The authors were unable to resolve the SRTCP compound packet issue noticed by Magnus. Details of the issue are in Magnus' review, see URL below. I believe the best we can do is document this problem in the specification, and provide an additional encouragement to use EKT-over-SRTP. Comments or feedback or better ideas? I have some candidate text pointing out the problem and providing further encouragement to use EKT-over-SRTP (rather than EKT-over-SRTCP), but I am not yet happy with the text (see [2], below). The other points in the bulleted list (fate sharing, RTCP rate limits, ISN) were added to draft-ietf-avtcore-srtp-ekt-02. > 2. require SRTP master keys to always be randomly generated and never shared between sessions, ever. New text in draft-ietf-avtcore-srtp-ekt-02, All SRTP master keys MUST NOT be re-used, MUST be randomly generated according to [RFC4086], [and] MUST NOT be equal to or derived from other SRTP master keys. > 3. Remove MKI support from EKT, as they are duplicative functions. As a reminder, MKI (master key index) is defined in SRTP (RFC3711) and allows to pre-stage a key using call setup key signaling (e.g., Security Descriptions, MIKEY, DTLS-SRTP, etc.), whereas EKT has its own mechanism to perform a similar function (ISN, initial sequence number, which is when a pre-staged key will be used). Currently the EKT draft has a weak discussion of how these interact, and instead of improving this text and imposing the implementation burden for MKI support on EKT endpoints, we would like to declare MKI with EKT as unsupported and out of scope. MKI is now prohibited with EKT in draft-ietf-avtcore-srtp-ekt-02. > 4. Require EKT to be negotiated during call setup, and require endpoints to wait until receiving the EKT Full Field packet (containing the decryption key) before attempting to authenticate packets (to avoid doubling authentication effort). This avoids new joiners attempting to authenticate two packets when they join an EKT session (the first attempt using the SRTP master key from normal key-management (MIKEY, SDESC, DTLS-SRTP, whatever) and if that fails the second attempt from the EKT-provided SRTP master key). EKT is now required to be negotiated during call set-up in draft-ietf-avtcore-srtp-ekt-02. > > Review URLs: > Magnus Westerlund review, http://www.ietf.org/mail-archive/web/avt/current/msg16109.html > Michael Peck review, http://www.ietf.org/mail-archive/web/avt/current/msg16107.html > John Mattsson review, http://www.ietf.org/mail-archive/web/avt/current/msg16095.html > > [1] http://www.ietf.org/mail-archive/web/avt/current/msg16129.html [2] candidate text providing further incentive for EKT-over-SRTCP: 2.5. Transport EKT SHOULD be used over SRTP, and MAY be used over SRTCP. SRTP is preferred because it shares fate with transmitted media, because SRTP rekeying can occur without concern for RTCP transmission limits, and | because of SRTCP compound packets with RTP translators and mixers. | This specification requires the EKT SSRC match the SSRC in the RTCP | header, but Section 6.1 of [RFC3550] encourages creating SRTCP | compound packets: | | It is RECOMMENDED that translators and mixers combine individual | RTCP packets from the multiple sources they are forwarding into | one compound packet whenever feasible in order to amortize the | packet overhead (see Section 7). | | These compound SRTCP packets might have an SSRC that does not match | the EKT SSRC. There is no good solution to handling these SRTCP | compound packets, except hoping the mixer or translator round robin | between the SSRCs, but this would require several SRTCP packets, | further delaying receipt of EKT over RTCP. This impact of RTP | translators and mixers, and the inability to realibly determine an | RTP translator or mixer might be involved in an RTP session, provides | further incentive to send EKT over RTP. -d
- [AVTCORE] EKT update, draft-ietf-avtcore-srtp-ekt… Dan Wing
- Re: [AVTCORE] EKT update, draft-ietf-avtcore-srtp… John Mattsson
- Re: [AVTCORE] EKT update, draft-ietf-avtcore-srtp… Martin Thomson