Re: [MMUSIC] Where to apply encryption?

Martin Thomson <martin.thomson@gmail.com> Wed, 27 February 2013 22:11 UTC

In-Reply-To: <201302272158.r1RLw6t72679355@shell01.TheWorld.com>
References: <201302272158.r1RLw6t72679355@shell01.TheWorld.com>
Date: Wed, 27 Feb 2013 14:11:21 -0800
Message-ID: <CABkgnnVsHifGvpoucOvKKtp8ZC3Jsr=pheLhyMRbU_LiDQSuMQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "Dale R. Worley" <worley@ariadne.com>
Content-Type: text/plain; charset="UTF-8"
Cc: "mmusic@ietf.org" <mmusic@ietf.org>
Subject: Re: [MMUSIC] Where to apply encryption?

There are no security reasons why this wouldn't work.  Some
applications already do this.

The actual problems are manifold:

 - SRTP was designed to have a low per-packet overhead.  The DTLS
record layer has a larger per-packet overhead.
 - SRTP exposes certain attributes in clear text for intermediaries to
use.  Intentionally.  Using DTLS would lose this.
 - SRTP enjoys wide support.  This would harm interoperability with
existing communication devices, forcing the use of more complex
gateways.

--Martin

On 27 February 2013 13:58, Dale R. Worley <worley@ariadne.com> wrote:
> Current bundling proposals seem to expect that the packets on the wire
> will be either SRTP/SRTCP or SCTP-within-DTLS.  Of course, this
> provides encryption of the carried media.
>
> But it seems to me that it would be more straightforward to multiplex
> RTP/RTCP and SCTP packets, and then as a lower layer, have one DTLS
> association that encrypts all of those packets indifferently.  It
> would also provide privacy regarding the number and types of the
> bundled media streams.
>
> But my knowledge of crypto is thin, and maybe there's a reason that
> using one DTLS association to encrypt the multiplexed packet stream
> wouldn't work as well.
>
> Dale
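The two framings being compared in this thread can be put side by side concretely. The following is an added example written for this archive page, not code from either poster: it parses the fixed RTP header (RFC 3550) that SRTP (RFC 3711) leaves in clear text, parses the DTLS 1.2 record header (RFC 6347) that is all an observer sees of a DTLS-wrapped packet, and computes the per-packet overhead of each framing. It assumes the default SRTP profile (AES_CM_128_HMAC_SHA1_80: 10-byte tag, no MKI, payload length unchanged by the counter-mode cipher) and DTLS 1.2 with AES-128-GCM (13-byte record header, 8-byte explicit nonce, 16-byte tag). The sample RTP packet is constructed for illustration.

```python
"""Layout comparison: the same RTP packet carried as SRTP versus inside a
DTLS 1.2 record.  Added example; packet layouts follow RFC 3550 (RTP),
RFC 3711 (SRTP) and RFC 6347 (DTLS 1.2).  No encryption is performed here:
the point is what stays visible on the wire and how many bytes each framing
adds per packet."""
import struct

RTP_FIXED_HEADER_LEN = 12          # V/P/X/CC, M/PT, seq, timestamp, SSRC
DTLS12_RECORD_HEADER_LEN = 13      # type(1) version(2) epoch(2) seq(6) length(2)
DTLS_APPLICATION_DATA = 23         # ContentType for application_data


def parse_rtp_header(pkt: bytes) -> dict:
    """Parse the fixed RTP header.  SRTP authenticates this header but does
    not encrypt it, so every field returned here is visible to an on-path
    intermediary (which is what Martin refers to as intentional exposure)."""
    if len(pkt) < RTP_FIXED_HEADER_LEN:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:RTP_FIXED_HEADER_LEN])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unexpected RTP version {version}")
    cc = b0 & 0x0F
    hdr_len = RTP_FIXED_HEADER_LEN + 4 * cc
    if len(pkt) < hdr_len:
        raise ValueError("truncated CSRC list")
    csrcs = list(struct.unpack(f"!{cc}I", pkt[RTP_FIXED_HEADER_LEN:hdr_len])) if cc else []
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "csrc_count": cc,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "sequence_number": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "csrcs": csrcs,
        "header_length": hdr_len,
    }


def parse_dtls12_record_header(rec: bytes) -> dict:
    """Parse a DTLS 1.2 record header.  With RTP/RTCP/SCTP multiplexed under
    one DTLS association this is the only cleartext an observer gets: the
    inner protocol and all RTP header fields sit inside the encrypted
    fragment (Dale's privacy point, and the loss Martin describes)."""
    if len(rec) < DTLS12_RECORD_HEADER_LEN:
        raise ValueError("short DTLS record")
    ctype, ver_major, ver_minor, epoch = struct.unpack("!BBBH", rec[:5])
    seq = int.from_bytes(rec[5:11], "big")           # 48-bit sequence number
    (length,) = struct.unpack("!H", rec[11:13])
    return {"content_type": ctype, "version": (ver_major, ver_minor),
            "epoch": epoch, "sequence_number": seq, "length": length}


def srtp_overhead(auth_tag_len: int = 10, mki_len: int = 0) -> int:
    """Bytes SRTP adds to an RTP packet: auth tag plus optional MKI.  The
    default AES_CM_128_HMAC_SHA1_80 profile uses an 80-bit (10-byte) tag and
    a stream cipher, so the encrypted payload keeps its length."""
    return auth_tag_len + mki_len


def dtls12_record_overhead(explicit_nonce_len: int = 8, tag_len: int = 16) -> int:
    """Bytes a DTLS 1.2 AEAD record adds around its plaintext.  Defaults are
    for AES-128-GCM (assumed cipher suite): header + explicit nonce + tag."""
    return DTLS12_RECORD_HEADER_LEN + explicit_nonce_len + tag_len


SRTP_CLEARTEXT_FIELDS = ("version", "padding", "extension", "csrc_count", "marker",
                         "payload_type", "sequence_number", "timestamp", "ssrc", "csrcs")
DTLS_CLEARTEXT_FIELDS = ("content_type", "version", "epoch", "sequence_number", "length")


def compare_framings(rtp_pkt: bytes) -> dict:
    """Wire length and visible fields for one RTP packet under each framing."""
    hdr = parse_rtp_header(rtp_pkt)
    return {
        "srtp": {"added_bytes": srtp_overhead(),
                 "wire_length": len(rtp_pkt) + srtp_overhead(),
                 "cleartext": {k: hdr[k] for k in SRTP_CLEARTEXT_FIELDS}},
        "dtls12_gcm": {"added_bytes": dtls12_record_overhead(),
                       "wire_length": len(rtp_pkt) + dtls12_record_overhead(),
                       "cleartext": list(DTLS_CLEARTEXT_FIELDS)},
    }


# Constructed sample: V=2, PT 0 (PCMU), seq 1234, ts 160, SSRC 0xDEADBEEF,
# followed by 160 payload bytes (one 20 ms G.711 frame).  Total 172 bytes.
SAMPLE_RTP = struct.pack("!BBHII", 0x80, 0x00, 1234, 160, 0xDEADBEEF) + bytes(160)

if __name__ == "__main__":
    result = compare_framings(SAMPLE_RTP)
    for framing, info in result.items():
        print(f"{framing}: +{info['added_bytes']} bytes, "
              f"{info['wire_length']} on the wire, visible: {info['cleartext']}")
```

Running it on the 172-byte sample gives 182 bytes on the wire for SRTP (payload type, sequence number, timestamp and SSRC all readable) against 209 bytes for the DTLS 1.2 GCM record (only content type, version, epoch, record sequence number and length readable). The 27-byte difference per packet is the overhead point; the shorter cleartext list is the privacy gain and, equally, the information intermediaries lose.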