Re: [AVTCORE] Review of draft-ietf-avtcore-rtp-security-options-04
Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 30 August 2013 05:53 UTC
Message-ID: <52203371.3050301@ericsson.com>
Date: Fri, 30 Aug 2013 07:53:53 +0200
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: Alan Johnston <alan.b.johnston@gmail.com>
References: <CAKhHsXGxXpjbdGk7otAqopm7ToPVf7U6X=xnAh-m2O6TdjMgRQ@mail.gmail.com> <A165299B-ECF8-42A9-A427-38B1283132C2@csperkins.org> <CAKhHsXGytyA9v-F6B6Gj8qVxNPH7i8e1QvU+cn-71T2qjqhGoA@mail.gmail.com>
In-Reply-To: <CAKhHsXGytyA9v-F6B6Gj8qVxNPH7i8e1QvU+cn-71T2qjqhGoA@mail.gmail.com>
Cc: Colin Perkins <csp@csperkins.org>, avt@ietf.org
Subject: Re: [AVTCORE] Review of draft-ietf-avtcore-rtp-security-options-04
Hi,

See below for a proposal regarding Section 3.1.1.

On 2013-08-29 15:47, Alan Johnston wrote:
> On Thu, Aug 29, 2013 at 7:57 AM, Colin Perkins <csp@csperkins.org
> <mailto:csp@csperkins.org>> wrote:
>
> > > Numbers refer to sections in the document.
> > >
> > > 3.1.1:
> > >
> > > It is surprising no mention is made of RFC 4474 in this section
> > > (or in the whole document) as DTLS-SRTP keying relies on an
> > > integrity protected signaling channel provided by RFC 4474. When
> > > mentioning RFC 4474, it needs to be pointed out that RFC 4474 is
> > > effectively being deprecated by the STIR work and has proved to be
> > > undeployable and also ineffective for E.164 identities.
> >
> > I have added a reference to RFC 4474 in Sections 4.1.3 and 4.1.4 as
> > a result of Dan Wing's comments. I'm not familiar with the STIR
> > work, or the other issues; can you suggest text for Section 3.1.1?
>
> Here's the proposed charter for STIR:
> http://datatracker.ietf.org/wg/stir/charter/
>
> draft-jennings-dispatch-rfc4474bis discusses the problems with RFC 4474
> and some proposed changes.
>
> I would suggest text in this section mention that DTLS-SRTP relies on an
> integrity protected signaling channel based on RFC 4474, but that there
> is a proposal underway in the IETF to try to make this workable.

I tried drafting some text for this. Feedback appreciated.

   DTLS-SRTP key management can use the signalling protocol in four
   ways. First, to agree on using DTLS-SRTP for media security.
   Secondly, to determine the network location (address and port)
   where each side is running a DTLS listener, to let the parties
   perform the key-management handshakes that generate the keys used
   by SRTP. Thirdly, to exchange hashes of each side's certificates to
   bind these to the signalling and ensure there is no
   man-in-the-middle attack. Finally, to provide an assertable
   identity, e.g. [RFC4474], that can be used to prevent modification
   of the signalling and the exchange of certificate hashes, that way
   enabling a binding between the key exchange and the signalling.
   This usage is well defined for SIP/SDP in [RFC5763], and in most
   cases can be adopted for use with other bi-directional signalling
   solutions. It should be noted that there is work underway
   revisiting the SIP Identity mechanism [RFC4474] in the STIR WG.

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
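As an added example (not text from this thread or from the draft), here is the third of the four uses in the proposed text, the certificate-hash check of RFC 5763 using the SDP a=fingerprint attribute of RFC 4572, in Python: the DTLS peer's certificate is accepted only if its hash matches a fingerprint received in the signalling. The certificate bytes and SDP fragment are constructed placeholders; as the thread notes, this check binds the handshake to the signalling only when the signalling itself is integrity-protected.

```python
import hashlib
import hmac
import re

# Hash functions acceptable in a=fingerprint; md5 is deliberately left out.
HASH_FUNCS = {
    "sha-1": hashlib.sha1,
    "sha-224": hashlib.sha224,
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}

# a=fingerprint:<hash-func> <upper-hex bytes separated by colons>
FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(?P<alg>[A-Za-z0-9-]+)\s+"
    r"(?P<fp>(?:[0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2})\s*$"
)


def parse_fingerprints(sdp: str) -> list[tuple[str, str]]:
    """Return (hash_func, fingerprint) pairs from every a=fingerprint line."""
    found = []
    for line in sdp.splitlines():
        m = FINGERPRINT_RE.match(line.strip())
        if m:
            found.append((m.group("alg").lower(), m.group("fp").upper()))
    return found


def certificate_fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Hash the DER-encoded certificate and format it as an SDP fingerprint."""
    digest = HASH_FUNCS[hash_name.lower()](cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def dtls_cert_matches_signalling(cert_der: bytes, sdp: str) -> bool:
    """True only if the certificate presented in the DTLS handshake matches a
    fingerprint carried in the signalling; unknown hash functions are skipped
    and, with no usable fingerprint, the check fails closed."""
    for alg, signalled in parse_fingerprints(sdp):
        if alg not in HASH_FUNCS:
            continue
        if hmac.compare_digest(certificate_fingerprint(cert_der, alg), signalled):
            return True
    return False


# Constructed stand-in for the peer's DER certificate (only its bytes matter here).
PEER_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))

# Constructed SDP fragment as the peer would signal it, carrying its fingerprint.
PEER_SDP = (
    "v=0\r\nm=audio 49170 UDP/TLS/RTP/SAVP 0\r\na=setup:passive\r\n"
    f"a=fingerprint:sha-256 {certificate_fingerprint(PEER_CERT_DER, 'sha-256')}\r\n"
)
```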