Re: [AVTCORE] Notes from SRTP Header Encryption Side Meeting.
Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com> Thu, 30 July 2020 20:20 UTC
Return-Path: <sergio.garcia.murillo@gmail.com>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 93C243A0CCF for <avt@ietfa.amsl.com>; Thu, 30 Jul 2020 13:20:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nf5EqNiWfcpS for <avt@ietfa.amsl.com>; Thu, 30 Jul 2020 13:20:47 -0700 (PDT)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A27BD3A0CE4 for <avt@ietf.org>; Thu, 30 Jul 2020 13:20:46 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id f1so25492684wro.2 for <avt@ietf.org>; Thu, 30 Jul 2020 13:20:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language; bh=aZUiOXDoGRKBYvuldAL6gCnIb+ZISKByAy63V4VNh/A=; b=YwAjUpj1W4KSOp/MlzAaE4m2nZeYzgNo23f/EUvh2YXGxXVXUw5BCvOeNN82Mk50oq yf+uzVu50LG4rMN8NeJG1nJzSiLGmPQSN3ip/yP/XQwd5VJ2IYmV+/Bs6EUFh0qr5AQj 3BrmWdHqqGeQiXsj6AVpbu4YT38TdNcu7Zr5yQlRPAyp2wocfDEotPbYpmaVhYYoz8oz mKz25CJjyb88bVLfslA2nJQMqNOXWa4riwt4QDM/6yhyBYJU0bccv1MiOa5xx6Y/RQ2h gNn4ZP8X+R9nBLxDmc4SuvPAxh8MRrkr5ZzaTULvyb0LROZSAb/9h4BUEs7JgeYtD/er 4GPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=aZUiOXDoGRKBYvuldAL6gCnIb+ZISKByAy63V4VNh/A=; b=lcRVuwN6H7Hc6wa9S2XegAR/stogaGP/PGm9Rty5ZaM2A/rDz45coOpJcU6tjpdkU1 TKS9GKbwRyE8j685JNiRtlqknPjAhXX871lRoIiRodesoade/nFp4HXhO8TJOKrr77dU hJ1LTjClP1RQJWk6fg8IuO1FIdIvPC9Uz0wUbyWeHLDJybly7Dz1Dd5gSAiBHozwSN+h XCPRVoAuMzoYq34LFepyj1ajogAMpYfxDgwjqxA3tVwzSjd77CTCkivxCXGqMK60bhZy 8wWnfK9c+62id/g78e4K7ThIXQxt1B5k+cXULCKgCuu53FNgcbDnNzsyzEdtX+BJMihK Z6yg==
X-Gm-Message-State: AOAM5326dpM8XobMNLfXadtwuPX6ESq/syV5IGYhIA8hABchV4oim5G8 JWapRUARFZ/BkA9hqqKxCSYHOG7YVIE=
X-Google-Smtp-Source: ABdhPJwrFjh6i6WmERSmyhM+3VYICoKLARXr71GOlbOoj1u9DbjzvxoQKvSiiFaq2fW1CSheZx1Y2g==
X-Received: by 2002:adf:a11d:: with SMTP id o29mr350772wro.421.1596140444734; Thu, 30 Jul 2020 13:20:44 -0700 (PDT)
Received: from [192.168.1.36] (122.red-79-153-21.dynamicip.rima-tde.net. [79.153.21.122]) by smtp.googlemail.com with ESMTPSA id z12sm10272674wrp.20.2020.07.30.13.20.16 for <avt@ietf.org> (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 30 Jul 2020 13:20:17 -0700 (PDT)
To: avt@ietf.org
References: <5DA92063-55EF-4CB4-A299-2375575A7D11@iii.ca> <CAOJ7v-2DmQ+WvXw6L8XEhGUnp+fZ3XcjaECu-zd8nBaqA7gwvg@mail.gmail.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@gmail.com>
Message-ID: <821df6c6-7f99-98dc-b4d9-4e1eee0a644b@gmail.com>
Date: Thu, 30 Jul 2020 22:20:15 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.11.0
MIME-Version: 1.0
In-Reply-To: <CAOJ7v-2DmQ+WvXw6L8XEhGUnp+fZ3XcjaECu-zd8nBaqA7gwvg@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------82B5E06D98C37C461C5A7CC2"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/a-uf5ndiD1bnSPX9gR7ozbq9I2s>
Subject: Re: [AVTCORE] Notes from SRTP Header Encryption Side Meeting.
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jul 2020 20:20:55 -0000
What would be the best way of moving this forward, adding issues to the github repo or keep the discussion on the mailing list? I can volunteer to do the PR against libsrtp too, should we create an issue on libsrtp repo for discussing the implementation details? Best regards Sergio On 30/07/2020 19:51, Justin Uberti wrote: > Thanks Cullen for taking notes. I've created a repo for the SDP/SRTP > doc at https://github.com/juberti/cryptex. > > On Thu, Jul 30, 2020 at 10:44 AM Cullen Jennings <fluffy@iii.ca > <mailto:fluffy@iii.ca>> wrote: > > > Conclusion from the call: > ————————————— > > Option C1 from Justin's slides of encrypt CCRC plus stuff after > header extension length was the option people on call were leaning > towards. > > Prefer to negotiate turning this on and off with SDP. (could look > at negotiating in DTLS later ) > > For the WebRTC API could do on WebRTC RTCConfiguration API - or > WebRTC extension document HTA is writing. ( RTP Header Extension > Parameter ). Or it could be on Transceiver with a header policy. > > Next Steps: > ————————————— > > Justin and Cullen take stab at SDP / SRTP doc. > > Bernard & Sergio to help draft W3C doc. > > Someone to write a PR for libsrtp. ???? > > Need to improve testing on this. Need reference vectors in spec. > > Do on avtcore mailing list > > > > Notes from Discussion > --------------------------- > > > As part of general IETF move towards encryption, there are things > in RTP headers we would like to encrypt. > > RFC 6904 exists. Allows negotiation of each header separately. > Probably overkill. RFC 8285 makes it even more complicated. > > Implementors view this as complicated and have not spent time on > it. Recent bugs in webrtc / libsrp indicate this is not all easy > to do. > > That header IDs are sent as cleartext, it reveals what type of > headers you are exchanging, but not the info. > > Audio Level might want to encrypt over DTLS-SRTP particular in use > cases in SFrame. > > One proposal is start SRTP payload encryption earlier in packet. > Say, do all the headers (if it was negotated course ). > > That leads to encrypt CSRCs, everything from CSRC forward to end > of payload.. > > That leads to encrypt everything but v=2, seq num, and ssrc. > > > So the discussion was about how much of the packet do we encrypt? > > > Proposal: Encrypt everything from start of CSRC forward. > > Proposal: Encrypt everything but V=2, seq num, ssrc. > > Proposal: Encrypt from after the header extension length > > Mo points out people look at header extension length. > > Mo point out setting the x bit to zero for this so things don't > try to interpret it. > > > Questions about if changing some of fields would cause firewalls > to barf on the packets. > > We run into problem of how to send x bit when no header extension > in a given packet. > > A key issue with C is what to do if no header extension but do > have CSRC. Possible answer is have to add a null extention to > encrypt CCSRC. > > For WebRTC, would be on by default. > > > > > > > _______________________________________________ > Audio/Video Transport Core Maintenance > avt@ietf.org <mailto:avt@ietf.org> > https://www.ietf.org/mailman/listinfo/avt > > > _______________________________________________ > Audio/Video Transport Core Maintenance > avt@ietf.org > https://www.ietf.org/mailman/listinfo/avt
- [AVTCORE] Notes from SRTP Header Encryption Side … Cullen Jennings
- Re: [AVTCORE] Notes from SRTP Header Encryption S… Justin Uberti
- Re: [AVTCORE] Notes from SRTP Header Encryption S… Sergio Garcia Murillo
- Re: [AVTCORE] Notes from SRTP Header Encryption S… Justin Uberti