Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]

Matthew Kaufman <matthew.kaufman@skype.net> Sat, 10 September 2011 16:21 UTC


On 9/10/2011 4:47 AM, Roman Shpount wrote:
> SRTP is a simple media encryption using signaling channel exchanged 
> keys and salt to do simple counter mode AES with content signing using 
> HMAC-SHA1. It also implements a dictionary based replay protection. 
> DTLS offers wider encryption and content signing algorithm selection, 
> end-point handshake based on certificates, certificate validation 
> using certificate authority. In general, DTLS offers the same protection 
> that TLS does, while SRTP is simplified and optimized for media.

I think you left out a description of DTLS-SRTP and made other 
simplifications.

>
> In regard to the overall discussion, if we want interop with existing 
> VoIP infrastructure, we need to support RTP with AVP. 99% of all SIP 
> deployments do not support and cannot support SRTP. 

They also cannot complete the ICE STUN handshake that is required to 
prove to the browser that they are willing to accept media.

> None of the wholesale VoIP telephony carriers support SRTP (some offer 
> VPN or direct interconnects if you care about privacy). 

Likewise regarding ICE.

> Consumer VoIP companies (like Vonage or Comcast) do not support or use 
> SRTP for any calls from their customer equipment. 

And again regarding ICE.

> In places where encryption is supported (like Skype) it is often 
> something different from SRTP. In order to connect to all those 
> environments without media proxy we need plain RTP. 

Even if we need plain RTP, that isn't an argument for SDES-keyed SRTP.

Matthew Kaufman
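
The consent check discussed above, as an added example that is not part of the original message or of any browser's code: a sender treats a peer as willing to receive media only after an authenticated STUN Binding success response (RFC 5389 MESSAGE-INTEGRITY keyed with the ICE password from signaling). The message layout is simplified to the attributes needed for authentication, and the password, username fragments and sample replies are constructed.

```python
import hashlib, hmac, struct

MAGIC = 0x2112A442                      # STUN magic cookie (RFC 5389)
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
USERNAME, MESSAGE_INTEGRITY = 0x0006, 0x0008

def _attr(atype, value):
    # Type-length-value attribute, padded to a 4-byte boundary.
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)

def build(msg_type, txid, password, username=b""):
    """STUN message protected by MESSAGE-INTEGRITY (short-term credential)."""
    body = _attr(USERNAME, username) if username else b""
    # The length field must already count the 24-byte MESSAGE-INTEGRITY attribute.
    header = struct.pack("!HHI", msg_type, len(body) + 24, MAGIC) + txid
    mac = hmac.new(password, header + body, hashlib.sha1).digest()
    return header + body + _attr(MESSAGE_INTEGRITY, mac)

def consent_granted(reply, txid, password):
    """True only for an authenticated Binding success response to our request."""
    if len(reply) < 20:
        return False                    # nothing came back, or not STUN
    msg_type, length, magic = struct.unpack("!HHI", reply[:8])
    if (msg_type, magic, reply[8:20]) != (BINDING_SUCCESS, MAGIC, txid):
        return False
    if length != len(reply) - 20:
        return False
    pos = 20
    while pos + 4 <= len(reply):
        atype, alen = struct.unpack("!HH", reply[pos:pos + 4])
        if atype == MESSAGE_INTEGRITY and alen == 20 and pos + 24 <= len(reply):
            # Recompute the HMAC over everything before this attribute, with
            # the header length adjusted to end at this attribute.
            header = reply[:2] + struct.pack("!H", pos + 4) + reply[4:20]
            want = hmac.new(password, header + reply[20:pos], hashlib.sha1).digest()
            return hmac.compare_digest(want, reply[pos + 4:pos + 24])
        pos += 4 + alen + (-alen % 4)
    return False

def demo():
    txid, pwd = bytes(range(12)), b"constructed-remote-ice-pwd"  # constructed values
    request = build(BINDING_REQUEST, txid, pwd, b"remotefrag:localfrag")
    replies = {
        "ice_peer": build(BINDING_SUCCESS, txid, pwd),     # knows the ICE password
        "forged": build(BINDING_SUCCESS, txid, b"guess"),  # wrong key
        "legacy_rtp": b"\x80\x00" + bytes(170),            # plain RTP, no STUN
        "silent": b"",                                     # no reply at all
    }
    return len(request), {k: consent_granted(v, txid, pwd) for k, v in replies.items()}
```

Real ICE connectivity checks also carry PRIORITY, ICE-CONTROLLING or ICE-CONTROLLED, FINGERPRINT and, in the response, XOR-MAPPED-ADDRESS; those are omitted here.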