IETF Logo Mail Archive

Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

Tim Panton <tim@phonefromhere.com> Fri, 26 April 2013 18:42 UTC

Return-Path: <tim@phonefromhere.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1908F21F985F for <rtcweb@ietfa.amsl.com>; Fri, 26 Apr 2013 11:42:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.299
X-Spam-Level:
X-Spam-Status: No, score=-1.299 tagged_above=-999 required=5 tests=[AWL=-1.256, BAYES_00=-2.599, HTML_MESSAGE=0.001, SARE_OBFU_AMP2B=2.555]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7iH+GssaMkc3 for <rtcweb@ietfa.amsl.com>; Fri, 26 Apr 2013 11:42:42 -0700 (PDT)
Received: from smtp004.apm-internet.net (smtp004.apm-internet.net [85.119.248.54]) by ietfa.amsl.com (Postfix) with ESMTP id 597AE21F9897 for <rtcweb@ietf.org>; Fri, 26 Apr 2013 11:42:41 -0700 (PDT)
Received: (qmail 14646 invoked from network); 26 Apr 2013 18:42:33 -0000
X-AV-Scan: clean
Received: from unknown (HELO zimbra003.verygoodemail.com) (85.119.248.218) by smtp004.apm-internet.net with SMTP; 26 Apr 2013 18:42:33 -0000
Received: from zimbra003.verygoodemail.com (localhost [127.0.0.1]) by zimbra003.verygoodemail.com (Postfix) with ESMTP id 58C1518A0339; Fri, 26 Apr 2013 19:42:33 +0100 (BST)
Received: from [192.67.4.33] (unknown [192.67.4.33]) by zimbra003.verygoodemail.com (Postfix) with ESMTPSA id 32D3918A0410; Fri, 26 Apr 2013 19:42:33 +0100 (BST)
Mime-Version: 1.0 (Apple Message framework v1283)
Content-Type: multipart/alternative; boundary="Apple-Mail=_1311BC98-87F7-4533-8790-449A64CAC7C1"
From: Tim Panton <tim@phonefromhere.com>
In-Reply-To: <CAD5OKxv2d2DemnjHQdB8XU8NKfK-Uu913DLPq9JUT4z9kvFfTQ@mail.gmail.com>
Date: Fri, 26 Apr 2013 19:42:32 +0100
Message-Id: <829F9A35-5F23-4A0F-9831-80478F70965E@phonefromhere.com>
References: <3FA2E46D-C98E-4FC0-9F1D-AD595A861CE1@iii.ca> <20130425202238.74EF321F96A5@ietfa.amsl.com> <AE1A6B5FD507DC4FB3C5166F3A05A48416281FDB@tk5ex14mbxc272.redmond.corp.microsoft.com> <03FBA798AC24E3498B74F47FD082A92F3BB8FAF7@US70UWXCHMBA04.zam.alcatel-lucent.com> <9F33F40F6F2CD847824537F3C4E37DDF0E6C04AF@MCHP04MSX.global-ad.net> <CAErhfrx6xi7rNmc6CZc5iyKiYv+oZbi3sBa5QywB7dUKtms2Aw@mail.gmail.com> <C643F355C8D33C48B983F1C1EA702A450B49EA@ESESSMB301.ericsson.se> <4AA3A95D6033ED488F8AE4E45F47448742B13620@WABOTH9MSGUSR8B.ITServices.sbc.com> <CALiegfmpZZigigQtaadsXup6VfWgJAF8--TJpbUwSJMmar7fRA@mail.gmail.com> <CAD5OKxv2d2DemnjHQdB8XU8NKfK-Uu913DLPq9JUT4z9kvFfTQ@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
X-Mailer: Apple Mail (2.1283)
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2013 18:42:43 -0000

On 26 Apr 2013, at 18:59, Roman Shpount wrote:
> 
> The arguments why SDES is required in some cases instead of DTLS are:
> 
> 1. Additional call setup delay caused by DTLS

This is a serious problem - made worse by the O/A semantics - I think we will find that in real usage
sites will pre-warm a DTLS connection so it is ready to go when the user clicks connect.

> 
> 2. High computational load on each call setup. This can be significant with high number of short calls being setup. This would be especially significant for any sort of server interfacing WebRTC or WebRTC to SIP gateway.

I would dispute this - remember exactly the same users have almost certainly logged into an https:// portal - indeed only a small 
percentage of them will start a DTLS session for during any given web session. The web seems to still be working.

> 
> 3. High complexity -- you are doubling or tripling amount of code you need in your SRTP stack to support DTLS negotiations. Most of the code in readily available libraries is not needed and represents no functional value (certificate support, unneeded encryption methods, compression, streaming, etc), but will require a significant amount of support effort and can be a security risk (I am talking about something like OpenSSL or GnuTLS which ends up in the media processing stack).

That's true to an extent, but it only applies to devices that don't already do TLS for something else. 
Webservers, web browsers, Sip/xmpp engines, anything offering an https management interface, will already have that code
in use for other purposes. The DTLS specific code is quite small. 

> 
> As it stands right now, I would prefer never to use DTLS-SRTP with any client to server communication applications, since it has no security value in such scenarios (server can access media anyway) and will cause significant usability, performance, and support issues.

There I also disagree. The ability to offer a DTLS connection that presents a browser checkable x509 certificate for yourbank.com over the
media path in a call to a bank's authorized call center agents might be a significant advantage.

T.
 

> _____________
> Roman Shpount
>  
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb

v2.23.0 | Report a Bug | By Email