Re: [MMUSIC] Where to apply encryption?

"Dan Wing" <dwing@cisco.com> Thu, 28 February 2013 22:51 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: mmusic@ietfa.amsl.com
Delivered-To: mmusic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 614ED21F8858 for <mmusic@ietfa.amsl.com>; Thu, 28 Feb 2013 14:51:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.218
X-Spam-Level:
X-Spam-Status: No, score=-110.218 tagged_above=-999 required=5 tests=[AWL=0.381, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TO7WOoUGlu-Y for <mmusic@ietfa.amsl.com>; Thu, 28 Feb 2013 14:51:54 -0800 (PST)
Received: from mtv-iport-4.cisco.com (mtv-iport-4.cisco.com [173.36.130.15]) by ietfa.amsl.com (Postfix) with ESMTP id 751B521F884F for <mmusic@ietf.org>; Thu, 28 Feb 2013 14:51:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=1799; q=dns/txt; s=iport; t=1362091912; x=1363301512; h=from:to:references:in-reply-to:subject:date:message-id: mime-version:content-transfer-encoding; bh=eAt65xz6FdnKaQ8Jh4IT8cEmrxczrubbuxN9Tpg/oFo=; b=fnJ5aCswv4mXqUDOMoFA2ls5OzG5G0kCzAPhGbEL4xzTgFnywWLY5Lju wESlb8KQYsWyaib++/fJmJ9ZKJbaqzIDeTxvN+hbxjcneTeV0Hr4Ad7K3 VAlp0ZVH8sJda6wBiL27CECoK7KYleGbKE6KJ+SMW/hzOyMWwWt4DKYCi Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAOzdL1GrRDoH/2dsb2JhbABFwjN9FnOCHwEBAQMBAQEBBQIwLQcQBwEDAgkRBAEBKAcZDh8JCAIEARILBYd9BQ3BNASPCRIGgzoDiGqFLYgqkGqDKQ
X-IronPort-AV: E=Sophos;i="4.84,757,1355097600"; d="scan'208";a="73652360"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-4.cisco.com with ESMTP; 28 Feb 2013 22:51:52 +0000
Received: from DWINGWS01 ([10.156.16.168]) by mtv-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id r1SMpqCa016575; Thu, 28 Feb 2013 22:51:52 GMT
From: Dan Wing <dwing@cisco.com>
To: "'Dale R. Worley'" <worley@ariadne.com>, mmusic@ietf.org
References: <201302272158.r1RLw6t72679355@shell01.TheWorld.com>
In-Reply-To: <201302272158.r1RLw6t72679355@shell01.TheWorld.com>
Date: Thu, 28 Feb 2013 14:51:52 -0800
Message-ID: <0ed301ce1606$33062a60$99127f20$@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQH1cqWZvkvgjV7WYvae28mXmIpmPJhBJTxg
Content-Language: en-us
Subject: Re: [MMUSIC] Where to apply encryption?
X-BeenThere: mmusic@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Multiparty Multimedia Session Control Working Group <mmusic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mmusic>, <mailto:mmusic-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mmusic>
List-Post: <mailto:mmusic@ietf.org>
List-Help: <mailto:mmusic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mmusic>, <mailto:mmusic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Feb 2013 22:52:01 -0000

> -----Original Message-----
> From: mmusic-bounces@ietf.org [mailto:mmusic-bounces@ietf.org] On Behalf
> Of Dale R. Worley
> Sent: Wednesday, February 27, 2013 1:58 PM
> To: mmusic@ietf.org
> Subject: [MMUSIC] Where to apply encryption?
> 
> Current bundling proposals seem to expect that the packets on the wire
> will be either SRTP/SRTCP or SCTP-within-DTLS.  Of course, this provides
> encryption of the carried media.
> 
> But it seems to me that it would be more straightforward to multiplex
> RTP/RTCP and SCTP packets, and than as a lower layer, have one DTLS
> association that encrypts all of those packets indifferently.  It would
> also provide privacy regarding the number and types of the bundled media
> streams.

SRTP (RFC3711) was carefully and purposefully designed so the RTP header 
remains in the clear, and DTLS-SRTP was also purposefully designed so
after the DTLS-SRTP handshake establishes the SRTP keys, the SRTP packets
flow over the wire exactly like they would for any other keying 
mechanism (ZRTP, MIKEY-*, Security Descriptions).

By sending SRTP packets with their RTP header in the clear, it allows:
  * the RTP header to be compressed (cRTP [RFC2508], ECRTP [RFC3545])
  * analysis devices to see where, on a network path, SRTP packets 
    are lost, delayed, or get mis-ordered.
  * analysis devices to see SRTCP receiver reports and sender reports,
    which are typically authenticated but in the clear.

> But my knowledge of crypto is thin, and maybe there's a reason that
> using one DTLS association to encrypt the multiplexed packet stream
> wouldn't work as well.

-d

> Dale
> _______________________________________________
> mmusic mailing list
> mmusic@ietf.org
> https://www.ietf.org/mailman/listinfo/mmusic