Re: [dispatch] Fwd: I-D Action: draft-johnston-dispatch-osrtp-00.txt

Eric Rescorla <ekr@rtfm.com> Wed, 08 July 2015 18:01 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dispatch@ietfa.amsl.com
Delivered-To: dispatch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CB6B1A21A2 for <dispatch@ietfa.amsl.com>; Wed, 8 Jul 2015 11:01:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.377
X-Spam-Level:
X-Spam-Status: No, score=-1.377 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_16=0.6, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id maRDGgBMPA9X for <dispatch@ietfa.amsl.com>; Wed, 8 Jul 2015 11:01:35 -0700 (PDT)
Received: from mail-wi0-f182.google.com (mail-wi0-f182.google.com [209.85.212.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 714EF1A212D for <dispatch@ietf.org>; Wed, 8 Jul 2015 11:01:34 -0700 (PDT)
Received: by wifm2 with SMTP id m2so97057566wif.1 for <dispatch@ietf.org>; Wed, 08 Jul 2015 11:01:33 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=MVIJAVv7451HsoKFM9juPQFfZKRR55OvYx3g+4Z0w0w=; b=UmozpQ7irW8OiRZhcu7MixNQrD9SrmX9iyW7k3SxBXeaPUveaCymsjpDlPrQVxNa87 qpbz6aJe52E+ipq0ALikLckUvwj+cpRRB82yeVzVQOKWtE9Y1ouTfZFuwGffy2UNftuR UDnTYKGZK0tlFY9qKXoW7lUc4Ch9/BGNaAcLMBbIZCOIh0gMty2XIxzWi1imIXHhI8uQ /ek0ZKRdmWUTlMj0eMjgpgbF9lYXieVvv4+pwEStr2vUxTE0XaJCVzD8XmxstNQfbGUp 6xZ/aET6rcxgwL/Dx/zeNuL/2gAQVnEO24VyteQoq6e6tmqAn+6ZRzW6w7//cQuWYLJO tAeg==
X-Gm-Message-State: ALoCoQk30q7TlpUf93AiMWm3jOejwagfk51UaLBB+ayOUTJH+pBFPSBTQXU9qxwYiqJQzWMHNB0L
X-Received: by 10.180.72.179 with SMTP id e19mr117677926wiv.53.1436378493196; Wed, 08 Jul 2015 11:01:33 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.95.211 with HTTP; Wed, 8 Jul 2015 11:00:53 -0700 (PDT)
In-Reply-To: <CAKhHsXHK-ufE3_ZnC587e_xqdXor0mpSBANz-DmYecRSGq173w@mail.gmail.com>
References: <20150706184857.15450.31472.idtracker@ietfa.amsl.com> <CAKhHsXH73Uf7_dafmwwDk+CShHHfF7mMhsD1X1aVjXm7pjR8mg@mail.gmail.com> <CABkgnnX50CktRF=Xa9A6DeQWfN5Cmm4R3XkXwok4YQygJysg+g@mail.gmail.com> <CAKhHsXHK-ufE3_ZnC587e_xqdXor0mpSBANz-DmYecRSGq173w@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 08 Jul 2015 11:00:53 -0700
Message-ID: <CABcZeBP+0g++fZ+krwRNHsN4oQ4=ojN_uhK8B=wcUQurC4dzyw@mail.gmail.com>
To: Alan Johnston <alan.b.johnston@gmail.com>
Content-Type: multipart/alternative; boundary="f46d043c7ba2d9b3af051a60edea"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dispatch/Pc17cC4itfFjyZE0cIu9dNWeQIE>
Cc: DISPATCH <dispatch@ietf.org>
Subject: Re: [dispatch] Fwd: I-D Action: draft-johnston-dispatch-osrtp-00.txt
X-BeenThere: dispatch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DISPATCH Working Group Mail List <dispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dispatch>, <mailto:dispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dispatch/>
List-Post: <mailto:dispatch@ietf.org>
List-Help: <mailto:dispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dispatch>, <mailto:dispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Jul 2015 18:01:37 -0000

This seems like a good idea.

I have three comments:

1. You should forbid the answerer from sending back two types of
keying parameters (e.g., a=crypto and a=fingerprint) because that creates
confusion.

2. You probably shouldn't relax the need to send SDES over HTTPS because
the security properties there are still fairly bad.

3. I would suggest that failure to negotiate a secure channel (for DTLS-SRTP
and ZRTP) should lead to media failure not falling back. There's basically
no good reason for this to fail and it seems like it will make diagnosing
issues easier.

-Ekr


On Wed, Jul 8, 2015 at 9:17 AM, Alan Johnston <alan.b.johnston@gmail.com>
wrote:

> Hi Martin,
>
> It is the version of the draft that is actually implemented and used.
> There are also a few slight differences due to the way that Opportunistic
> Security is defined.
>
> - Alan -
>
> On Wed, Jul 8, 2015 at 11:14 AM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
>
>> How does this differ from:
>> https://tools.ietf.org/html/draft-kaplan-mmusic-best-effort-srtp-01
>>
>> On 8 July 2015 at 04:02, Alan Johnston <alan.b.johnston@gmail.com> wrote:
>> > All,
>> >
>> > Many of us have been talking about "Best Effort SRTP" for many years,
>> and
>> > there are a number of deployments.  In addition, the IMTC has
>> recommended
>> > it, and the SIP Forum would like to recommend it in SIPconnect 2.0
>> which for
>> > the first time includes SRTP media.  With the publication of RFC 7435
>> > (https://tools.ietf.org/html/rfc7435) the IETF has endorsed this
>> approach
>> > as Opportunistic Security (OS), so it would be nice to bring standards
>> in
>> > line with industry practice.
>> >
>> > Comments on the draft, "An Opportunistic Approach for Secure Real-time
>> > Transport Protocol (OSRTP)" and the best way forward are most welcome!
>> >
>> > - Alan -
>> >
>> > ---------- Forwarded message ----------
>> > From: <internet-drafts@ietf.org>
>> > Date: Mon, Jul 6, 2015 at 1:48 PM
>> > Subject: I-D Action: draft-johnston-dispatch-osrtp-00.txt
>> > To: i-d-announce@ietf.org
>> >
>> >
>> >
>> > A New Internet-Draft is available from the on-line Internet-Drafts
>> > directories.
>> >
>> >
>> >         Title           : An Opportunistic Approach for Secure Real-time
>> > Transport Protocol (OSRTP)
>> >         Authors         : Alan Johnston
>> >                           Bernard Aboba
>> >                           Andy Hutton
>> >                           Laura Liess
>> >                           Thomas Stach
>> >         Filename        : draft-johnston-dispatch-osrtp-00.txt
>> >         Pages           : 8
>> >         Date            : 2015-07-06
>> >
>> > Abstract:
>> >    Opportunistic Secure Real-time Transport Protocol (OSRTP) allows
>> >    encrypted media to be used in environments where support for
>> >    encryption is not known in advance, and not required.  OSRTP is an
>> >    implementation of Opportunistic Security, as defined in RFC 7435.
>> >    OSRTP does not require advanced SDP extensions or features and is
>> >    fully backwards compatible with existing secure and insecure
>> >    implementations.  OSRTP is not specific to any key management
>> >    technique for SRTP.
>> >
>> >
>> > The IETF datatracker status page for this draft is:
>> > https://datatracker.ietf.org/doc/draft-johnston-dispatch-osrtp/
>> >
>> > There's also a htmlized version available at:
>> > https://tools.ietf.org/html/draft-johnston-dispatch-osrtp-00
>> >
>> >
>> > Please note that it may take a couple of minutes from the time of
>> submission
>> > until the htmlized version and diff are available at tools.ietf.org.
>> >
>> > Internet-Drafts are also available by anonymous FTP at:
>> > ftp://ftp.ietf.org/internet-drafts/
>> >
>> > _______________________________________________
>> > I-D-Announce mailing list
>> > I-D-Announce@ietf.org
>> > https://www.ietf.org/mailman/listinfo/i-d-announce
>> > Internet-Draft directories: http://www.ietf.org/shadow.html
>> > or ftp://ftp.ietf.org/ietf/1shadow-sites.txt
>> >
>> >
>> > _______________________________________________
>> > dispatch mailing list
>> > dispatch@ietf.org
>> > https://www.ietf.org/mailman/listinfo/dispatch
>> >
>>
>
>
> _______________________________________________
> dispatch mailing list
> dispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/dispatch
>
>