Re: [rtcweb] SBC hardware and SHA1

Hadriel Kaplan <> Fri, 30 September 2011 16:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B5E6721F84B3 for <>; Fri, 30 Sep 2011 09:37:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.513
X-Spam-Status: No, score=-2.513 tagged_above=-999 required=5 tests=[AWL=0.085, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 7kvOUezZPT54 for <>; Fri, 30 Sep 2011 09:37:01 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id DE1B921F84B2 for <>; Fri, 30 Sep 2011 09:37:00 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Fri, 30 Sep 2011 12:39:53 -0400
Received: from ([]) by ([]) with mapi id 14.01.0270.001; Fri, 30 Sep 2011 12:39:54 -0400
From: Hadriel Kaplan <>
To: "Olle E. Johansson" <>
Thread-Topic: [rtcweb] SBC hardware and SHA1
Thread-Index: AQHMf4+T0nIfFzYNnUev/fZI+TeQ9w==
Date: Fri, 30 Sep 2011 16:39:51 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_C3C7D62E6BA843F4A29DFC9AF3BE689Facmepacketcom_"
MIME-Version: 1.0
X-Brightmail-Tracker: AAAAAQAAAWE=
Cc: "<>" <>
Subject: Re: [rtcweb] SBC hardware and SHA1
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 30 Sep 2011 16:37:01 -0000

On Sep 30, 2011, at 2:36 AM, Olle E. Johansson wrote:

While on the topic of the hardware, I would like to ask how these systems handle DTLS and SRTP.

Assuming you mean terminating the SRTP, I only know of one hardware-based SBC that claims support for terminating DTLS-SRTP, but I don't know if it's real or slideware.  I know of a couple software-based ones that do. (you can probably google it to find out who)

But in general the most popular support by far is for SDES-based keying.  There are a couple of off-the-shelf chip solutions for large-scale SRTP that handle it as a bump-in-the wire, but they need to be told the keys per stream and don't handle DTLS inline themselves to do so, so naturally SDES made it a lot easier to use them.  Having said that, I do believe that more SBC vendors in the US market will be supporting DTLS-SRTP in the future because the US government has it mandated in some agency or other I've been told.  Whether other governments will do the same I don't know. (then again the US government mandates a lot that never gets used in practice)

Also, someone asked on this list if SBC vendors support SRTP to begin with.  Almost every SBC vendor I know of does support SRTP (at least with SDES keying), but it usually costs more to do so, because it's done in dedicated hardware.  So most deployed SBC systems don't do SRTP, because the people buying/deploying them have decided they don't need it and don't want to pay for it.  It's more popular in specific vertical markets, but overall it's definitely a minority today.