IETF Logo Mail Archive

Re: [rtcweb] Resolving RTP/SDES question in Paris

Iñaki Baz Castillo <ibc@aliax.net> Tue, 20 March 2012 14:16 UTC

Return-Path: <ibc@aliax.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EFEBD21F8702 for <rtcweb@ietfa.amsl.com>; Tue, 20 Mar 2012 07:16:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.309
X-Spam-Level:
X-Spam-Status: No, score=-2.309 tagged_above=-999 required=5 tests=[AWL=-0.232, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, J_CHICKENPOX_44=0.6, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y3hQo1AZZsyr for <rtcweb@ietfa.amsl.com>; Tue, 20 Mar 2012 07:16:32 -0700 (PDT)
Received: from mail-vb0-f44.google.com (mail-vb0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 0EACE21F8720 for <rtcweb@ietf.org>; Tue, 20 Mar 2012 07:16:31 -0700 (PDT)
Received: by vbbez10 with SMTP id ez10so34312vbb.31 for <rtcweb@ietf.org>; Tue, 20 Mar 2012 07:16:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type:content-transfer-encoding:x-gm-message-state; bh=FuuNtKPmbHX66/3djahVglPM9v/HSVEWpAvAnyX+vX8=; b=M82iqKsP2vOX0yyWMVpIJbelj7480p3mTnlm2++fbaz/JUM9Tx6axkat0H4OaIUoId wB1xqQiYFMP8IIKXeJrOyDIlUKyZ/wpcrmIDOv9d2po7VXhC5zhQcZlLc4Cli62LP4sz R/OAg3iF8yR0J8SLBQ6o/T6lnt0a82pBWN0hH1GC02g+a0aiCA8kK1w3YnDCAjzWIt50 ycNIP7GQw2kyl2I+VtiVO3nxxvz/f980rNpxRqDioqC7g/o7I1B2viHfhwVCiKCNuUeZ tnuoDPplg8yA+zphcSV6+yYiPcUu9Yv9CQtrYyWcGH0W8YO2tp3gXWqQPCo9cBB6xmfw moDg==
Received: by 10.220.152.205 with SMTP id h13mr36722vcw.12.1332252991488; Tue, 20 Mar 2012 07:16:31 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.170.165 with HTTP; Tue, 20 Mar 2012 07:16:11 -0700 (PDT)
In-Reply-To: <CAD5OKxv9_k6CU-_UC_pm+tx9aGJ3SEiB_amzKbgp9UKuJb4MwQ@mail.gmail.com>
References: <4F4759DC.7060303@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com> <CALiegfnkYVEpmPV-zSL_4wOY-HiFZN-qJCQCiioaS=5NaqhLZw@mail.gmail.com> <CAD5OKxvtOAxMBx6xDnyfTnEq76oDEm6uj1xL6wGjjrtKUAHy3g@mail.gmail.com> <CABcZeBNZiotPmCfT53uEo+O0xw4xv6tXW1M_G-3A5BHuncsduA@mail.gmail.com> <CAD5OKxvYOY5JZ2mYNGiH1poUBQkyOOycePFijH5H+SxtcdqujQ@mail.gmail.com> <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com> <CAD5OKxvZbEJ7sV4WPAYoQapzMR_QwAftj-oKg=ioMKHNT792wQ@mail.gmail.com> <6F428EFD2B8C2F49A2FB1317291A76C113563C5A92@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <CALiegf=jtkDCS_D0ZFe9UpbiadQ0vsJ+4MppQSbLr-wbaXNrfQ@mail.gmail.com> <BLU169-W29E5B86F9E2C6F3126961C93420@phx.gbl> <CALiegfk2aT+6Psr4nT-hG1G7eYRBfFCcT+25On2O4HfUXJ6-ng@mail.gmail.com> <CAD6AjGSmi9j+sdGWPts20-iwGvGij05ek0OKYEPULC6B=aFpQg@mail.gmail.com> <6F428EFD2B8C2F49A2FB1317291A76C113564482A7@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <ADBB75F3-E20C-4EC4-B9C3-EF2E4BFF409C@phonefromhere.com> <CAD5OKxvuEV8Vbq3h7=ZgcKmREjmguvz5n-SpXr2n-EY7a_ddxg@mail.gmail.com> <CALiegfk1ozOKPcDjbd3H_z2Edzh4RcZpYyJSWdw_1DJ04muQXA@mail.gmail.com> <CAD5OKxu8-+0O0=eE7mD1hi=nPUpEXczGj=bRNQCQL1BW8c-c-Q@mail.gmail.com> <D75A384B-0F38-4E30-8C03-12E903A69B64@acmepacket.com> <CAD5OKxustPmGJRMKoUU4kXosALpG8RzHC50-sjb5KKUPq3L3XA@mail.gmail.com> <CABcZeBNHY8k5YNiZt2=wqKo1Bkecxvyw4kyGi9W235fmdhwjGw@mail.gmail.com> <CAD5OKxujAoGaqpAG62X6EQVu5bS5m2a+9DYBP=LYjo1qGtQS6w@mail.gmail.com> <CALiegfkd5q2OzDTddQX2emhycVkwpnAD1SrF-iofVe6wVJD1pw@mail.gmail.com> <CAD5OKxv9_k6CU-_UC_pm+tx9aGJ3SEiB_amzKbgp9UKuJb4MwQ@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
Date: Tue, 20 Mar 2012 15:16:11 +0100
Message-ID: <CALiegfkfLchSosSwZ+J-zc355fjBuRi5X-Z+fMznzCZjs8f=bw@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQkVjc+9S2B8TD/NiuQSOUnTi2zF/MMfj2B6eegB/7K9ztYCQPlJTZ6oHoZ/hY1uLZSBbHDM
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2012 14:16:33 -0000

2012/3/20 Roman Shpount <roman@telurix.com>:
> The other proposal was not to use DTLS at all, since it is an overkill both
> complexity and feature wise. DTLS is designed the way it is primarily to
> extend TLS to UDP. DTLS-SRTP is a bolt on of SRTP into DTLS. So we actually
> got a protocol twice reused with design goals changing dramatically in the
> process. The desired attribute of DTLS-SRTP is that encryption keys are not
> transmitted in clear text. The rest (security handshake separated from
> signaling and ICE handshake, support for data encryption schemes other then
> SRTP, support for certificate validation, etc) is actually just a liability.
> All of those things imply slower setup and interop problems. So, my second
> proposal was not to use DTLS at all, just include the public keys for
> supported key exchange protocols in the SDP and send the encrypted SRTP
> private key in the ICE message. Or something similar to that. This will
> definitely not interop with DTLS, but will make implementation of encryption
> very simple.

So that proposal would modify even ICE protocol, am I right? Too much
dramatic IMHO :)

Ok, given the fact that DTLS is still an utopia (all the people know
about it but it seems that nobody has seen it in action), why not to
leave it for a future version of WebRTC and go now with SDES +
encrypted signaling path? In this way:

- We get interoperability with other technologies *already*
implementing SDES+SRTP (so ***tested***).

- DTLS can be added once it's mature/tested/widely-implemented and we
can learn from other implementations (what do they implement, interop
problems, bugs...?).

- Adding DTLS later to WebRTC does not break nothing since its usage
would be still negotiable during the session initiation.


Yes, I do know that SDES+SRTP is not the best solution, but I've never
seen a scenario in which all the cool and fantastic features of DTLS
are required. Given the comments about DTLS in this long thread it
seems that choosing DTLS would be a risk (WebRTC would become a DTLS
beta-tester...).


Regards.

-- 
Iñaki Baz Castillo
<ibc@aliax.net>

v2.23.0 | Report a Bug | By Email