IETF Logo Mail Archive

Re: [AVTCORE] Registering AVP Profiles for RTP over QUIC

Martin Thomson <mt@lowentropy.net> Thu, 12 May 2022 01:19 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: avt@ietfa.amsl.com
Delivered-To: avt@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F384C15E6E2 for <avt@ietfa.amsl.com>; Wed, 11 May 2022 18:19:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=smy5Zd5Z; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=axMgdnbI
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kv-xPds8kWmL for <avt@ietfa.amsl.com>; Wed, 11 May 2022 18:18:57 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 912A3C159484 for <avt@ietf.org>; Wed, 11 May 2022 18:18:57 -0700 (PDT)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailout.nyi.internal (Postfix) with ESMTP id AF9225C0091 for <avt@ietf.org>; Wed, 11 May 2022 21:18:56 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute3.internal (MEProxy); Wed, 11 May 2022 21:18:56 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-type:date:date:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:sender:subject :subject:to:to; s=fm2; t=1652318336; x=1652404736; bh=2pDkORJZ0x T/SeNENPW4wwuP6+o+TLoy0LH3upQqBkY=; b=smy5Zd5Z8mm8dh3i2p1WbPHmI5 b3VidaT3Pv3LPs28Cb2OP2TKfVItVv6wQQ/tTYvE7gzbLVxr3iFINVRPzy+lLqil h2KXl7KhlVTIP2Duaxm0RPF3C7Z8FMsLO6w6dRHLTRMK8mQpTvadfYVA2mxuZgck 6/2Z68n5vk1q21bMjDHSjbko7jz5pY360G2U1VERKR8+NuKjD9RxJBeGjBpg9Kfw JXDNWVwxEFeSGUwDLH7JZfNbnvgzPm+vzTqMluBKBs3G1LnqGtbeoSPPVLGkg9fs QzzOzSS3b9jKkuuDhuy8SlRFm19XeXz/KHiPhnhzpSgWnqHs0vIv74tgQvuw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm1; t=1652318336; x= 1652404736; bh=2pDkORJZ0xT/SeNENPW4wwuP6+o+TLoy0LH3upQqBkY=; b=a xMgdnbIN6luUOa1cWUWE1mjDb6hE1M/CpDz9LS/x9TZi+KJc3E3GlROUjbpyLtI0 liJ1E3V0urSaUurm3EJACtcZXsyHITWSdrXV/5yg/uoeHknJFZlxeGzxLoDakdho FY/ynSppDiw/tXfY8JuwaLJe2fWjBYtQcGVMTwG+mP+MWGjJTgCeqh7TvltO1aXi 2VhAjUwwCBs1z73j6yYWdwQs5xQtr/jH7X/CZ9QhsTmzt4JwweiX8XYnV+ubKFXn nM98iJWIWCZjZoJJjx+X4G0VravJWUWj9MAgOGlqZssEn4M/kjbyir+d6XgPJFYn zvw/Ssqd4A1/iaVTeuIbg==
X-ME-Sender: <xms:gGB8YmuGkx6Oaf9_nHdB4fb79szy0fRXWPMW3nkmqpJqT956SUVQJQ> <xme:gGB8Yrd5LozJ0_omn9DWcN4b94yVEnN0LUrzVXOFqpOdlIyZb1TjiGODKwEWOpiiR h1YncQPY2fdq_mjalQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrgeeigdeggecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehlohif vghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnheptdeiiedtieelfeeguedvte egveevueejfefhfeejffduiefgkeevjeefkeevkeelnecuffhomhgrihhnpehgihhthhhu sgdrtghomhdprhhftgdqvgguihhtohhrrdhorhhgpdhivghtfhdrohhrghenucevlhhush htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmtheslhhofigvnhht rhhophihrdhnvght
X-ME-Proxy: <xmx:gGB8YhyVOE9DtdwTSBOBHJnQ9_5FIbm9424BD9TKwCLb3od3bTSo0w> <xmx:gGB8YhMRwpNFN94JbGvR4YePvjoia1FSnDSj05AWQWpECi6wHo8VjQ> <xmx:gGB8Ym8bwLg6Fa6WAZTlvrwG0wDif3EbT5CDxKgSrx9ThxcrCAPKAg> <xmx:gGB8YpIzSABpVzfTx4Gx6H77ax4BG4Wq4ptkaau5idKX3wNIpGZ2rg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 8F7582340067; Wed, 11 May 2022 21:18:56 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.7.0-alpha0-591-gfe6c3a2700-fm-20220427.001-gfe6c3a27
Mime-Version: 1.0
Message-Id: <8d20301c-f227-4c0b-aaec-4f1ddf22f782@beta.fastmail.com>
In-Reply-To: <CAD5OKxsPd8w=geXBjJwFSSNUhFQ3sc-MMvte3EG6w24=tMvVPQ@mail.gmail.com>
References: <CAKKJt-dvotzuaK66T8WQd7YgNLNr_6vqa4W8-z=5FvujpGWA=A@mail.gmail.com> <CAD5OKxvuQ+ng4YUbKE2Do5aB3pOpTs24Y59G1-2QAwSSX6HYkw@mail.gmail.com> <CAKKJt-cXMa8bW7HhwrkzX2-O=kYK2GRNwtB+cHRB-zWn+f0f+g@mail.gmail.com> <CAD5OKxsPd8w=geXBjJwFSSNUhFQ3sc-MMvte3EG6w24=tMvVPQ@mail.gmail.com>
Date: Thu, 12 May 2022 11:18:36 +1000
From: Martin Thomson <mt@lowentropy.net>
To: avt@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/avt/e-i5Qryz5Lp-KUe8HnXdjta7lCY>
Subject: Re: [AVTCORE] Registering AVP Profiles for RTP over QUIC
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Audio/Video Transport Core Maintenance <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/avt/>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2022 01:19:02 -0000

Hi Roman,

I've always considered QUIC-SRTP to be a viable alternative to DTLS-SRTP.  The challenge there is that it is not specified as possible.

I think that people here are looking to pick up more of the advantages of QUIC though.  That is, even if that means losing some of the advantages of existing stuff as SCTP <-> QUIC is not a seamless transition and SRTP/QUIC has some interesting properties.

On Thu, May 12, 2022, at 11:15, Roman Shpount wrote:
> Hi Spencer,
>
> I was thinking not about using QUIC to transport RTP, just to negotiate 
> the encryption keys and protocol. Once keys and protocol are 
> negotiated, SRTP-over-UDP sends the packets. SRTP/SRTCP packets are 
> demultiplexed from QUIC, and both protocols run side-by-side. This 
> means none of the QUIC encryption, NACK, congestion control, etc., is 
> used for media. It is an exact equivalent of DTLS-SRTP with QUIC being 
> used instead of DTLS to negotiate keys.
>
> Even if this draft does not cover such a set-up, I think it is a viable 
> network configuration. Whatever protocol name you will come up with, it 
> should be possible to differentiate media over QUIC vs. key negotiation 
> over QUIC.
> _____________
> Roman Shpount
>
>
> On Wed, May 11, 2022 at 6:41 PM Spencer Dawkins at IETF 
> <spencerdawkins.ietf@gmail.com> wrote:
>> Hi, Roman, 
>> 
>> On Wed, May 11, 2022 at 4:12 PM Roman Shpount <roman@telurix.com> wrote:
>>> What about using QUIC for encryption session setup and SRTP for sending media, similar to DTLS-SRTP? This can be the easiest option to implement.
>> 
>> I'm not aware of a way to stop encryption in RFC 9000 QUIC, which is using RFC 9001 TLS for key exchange, etc, in favor of an application-level encryption mechanism. This has come up a number of times in conversations with 3GPP, who also wanted to avoid duplicate encryption (details don't matter, at this point), and the IETF has always said they wouldn't provide that. 
>> 
>> But maybe something has changed?
>> 
>> Best,
>> 
>> Spencer
>>  
>>> Best,
>>> _____________
>>> Roman Shpount
>>> 
>>> 
>>> On Wed, May 11, 2022 at 4:47 PM Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> wrote:
>>>> Dear AVTCORE, 
>>>> 
>>>> I've had an open PR in https://github.com/SpencerDawkins/sdp-rtp-quic/pull/9 for a while,so I could get a sense of how AVT profiles are supposed to work, and I'd like to push on that now (with a virtual interim meeting coming up next week).. 
>>>> 
>>>> The high-level summary of discussion in https://github.com/SpencerDawkins/sdp-rtp-quic-issues/issues/5 (note that this discussion is in a different repo, because reasons) has been roughly,"what's the difference between QUIC/RTP/AVPF and QUIC/RTP/SAVPF"?
>>>> 
>>>> The arguments about not registering secure AVP profiles involve 
>>>>  *  the computational overhead of double encryption for all packets, plus
>>>>  * the payload overhead of 10 bytes per packet since you have 2 HMACs.
>>>> The arguments about registering secure AVP profiles seem to revolve around 
>>>>  * Minimizing the impact of added QUIC support in existing implementations that are using /RTP/SAVPF now.
>>>>  * QUIC encryption protects payloads between QUIC endpoints, but there are many multi-endpoint RTP topologies (https://www.rfc-editor.org/rfc/rfc7667 has about 50 pages of them), and when a middlebox receives  QUIC/RTP/AVPF, it's not obvious whether the middlebox should
>>>>    * forward the RTP payload using  RTP/AVPF (where the outgoing AVPF matches the incoming AVPF), or 
>>>>    * forward the RTP payload using RTP/SAVPF, where the outgoing SRTP encryption matches the incoming QUIC 
>>>> It seems to me that there are three choices:
>>>>  * Use only QUIC/RTP/AVPF, and and require middleboxes receiving  QUIC/RTP/AVPF traffic to always forward that traffic over RTP/SAVPF
>>>>  * Use only QUIC/RTP/AVPF, and and require senders to signal middleboxes whether they should forward that traffic over RTP/AVPF or RTP/SAVPF
>>>>  * Register both QUIC/RTP/AVPF and QUIC/RTP/SAVPF, and if you have to do double encryption on the QUIC/RTP paths to get RTP/SAVPF on the other side of a middlebox, too bad
>>>> So, my questions are, 
>>>>  * What am I missing here?
>>>>  * Are any of the choices I'm listing obviously the *BEST* choice?
>>>> Best,
>>>> 
>>>> Spencer
>>>> _______________________________________________
>>>> Audio/Video Transport Core Maintenance
>>>> avt@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/avt
> _______________________________________________
> Audio/Video Transport Core Maintenance
> avt@ietf.org
> https://www.ietf.org/mailman/listinfo/avt

v2.23.0 | Report a Bug | By Email