IETF Logo Mail Archive

Re: [rtcweb] Tunnelling DTLS in SDP

Eric Rescorla <ekr@rtfm.com> Tue, 05 April 2016 12:40 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 864C512D59D for <rtcweb@ietfa.amsl.com>; Tue, 5 Apr 2016 05:40:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8pQkSO9FXWnJ for <rtcweb@ietfa.amsl.com>; Tue, 5 Apr 2016 05:40:17 -0700 (PDT)
Received: from mail-yw0-x232.google.com (mail-yw0-x232.google.com [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C94F12D622 for <rtcweb@ietf.org>; Tue, 5 Apr 2016 05:40:17 -0700 (PDT)
Received: by mail-yw0-x232.google.com with SMTP id i84so8230711ywc.2 for <rtcweb@ietf.org>; Tue, 05 Apr 2016 05:40:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=q5hJyywT5DTFRjP8N79fAvnQ7ZcRoyAcLMtYlbAf0Vk=; b=bKXZR/G//3N8jB02T8Xb5sysOqVMbF7ZOv7wDR4bEErhF2sgETEavG+5x7HNGCncjK YLJNVEF3obv+e/yoS0MaA6UkEQt02JAnTBGR4lvfshpk2N6NGbz+CNGJo9Wf4sxxOibW VC54Q3ZQKHB/Dl08D+q1wrJ8QENzq2Xf5XS6uUZwN4mTDim2PwKVyOiMbx/RDpe8pxRw f6nlMufpPdRb/Bks4Fpi/8cinui9FRWOi8dAMW2nT5Ews/augQoIoM0Vc1wIOnwkyvHj QhVDEpEYBFaSYIDEVGffFro/renzPO7TS82riJ+NcEs4NPmpDKPHO+RVuxquUQqSYPl3 42ng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=q5hJyywT5DTFRjP8N79fAvnQ7ZcRoyAcLMtYlbAf0Vk=; b=Wg0FRCAO4E/1jGwhn0+ADFOtA6vFggAF4OjuUxFhrBErih9GrURCoEZ84jM7ex9tBd Eafz3iYX0Vez40xHNR3pqecqG9BVsyZk89tV07vlHJeqyJpLGWkfL0KCFCRtKjegrOkA zbKcH9YGN8nA6xYix2HyMlt3rvW3YyhhOkLpE8GSFMEhxDcjcc+DKPbI3sSTlWqvyUFh ZCjZ5YKUhJG5DyA4ap3YUjUoCdDW7WV8s1neiOuMwwUo0GcUO5vXtQ3ccAt9xcs0/qqN dqMUiQxqNKUGrpJEArmsOJ6sccMM2pzMsrwQ7vp8uQvHW/se4Eds20jARRSWCzDoYaC0 zTzg==
X-Gm-Message-State: AD7BkJJTL8l6E16fNNuy2mdHRuREr27jf591nRO++KbK6DVmAo9ZON8tDVthg/1N6jPODv7onkd2xodnPYT61w==
X-Received: by 10.37.231.9 with SMTP id e9mr3747816ybh.57.1459860016366; Tue, 05 Apr 2016 05:40:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Tue, 5 Apr 2016 05:39:36 -0700 (PDT)
In-Reply-To: <570390ED.8080109@alvestrand.no>
References: <CABcZeBOM1KoXpXFhvjS753EVpsMENWVen3CCdFj8ry36vPH0dg@mail.gmail.com> <57038B35.8040102@alvestrand.no> <BA5D10EA-D10D-4458-9FCB-272ECB7BFCB6@phonefromhere.com> <570390ED.8080109@alvestrand.no>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 05 Apr 2016 09:39:36 -0300
Message-ID: <CABcZeBPnrA-LDkkFY-w4Vq_q+vJkb6x8V3csRpofEOP=rTs3Fg@mail.gmail.com>
To: Harald Alvestrand <harald@alvestrand.no>
Content-Type: multipart/alternative; boundary="94eb2c0b14bcb2bd59052fbc2553"
Archived-At: <http://mailarchive.ietf.org/arch/msg/rtcweb/FW0Hxo6XJoxVAmUqRobu-f-Jurw>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Tunnelling DTLS in SDP
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtcweb/>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Apr 2016 12:40:19 -0000

On Tue, Apr 5, 2016 at 7:18 AM, Harald Alvestrand <harald@alvestrand.no>
wrote:

> On 04/05/2016 12:04 PM, Tim Panton wrote:
>
>
> On 5 Apr 2016, at 10:53, Harald Alvestrand < <harald@alvestrand.no>
> harald@alvestrand.no> wrote:
>
> On first read, this makes sense to me.
>
> I wonder if it could/should be made into a general concept, to fit with
> the tendency in WebRTC:NG to separate signalling format even more from
> operation?
>
> We could call it "out of band DTLS setup", say that in general, a DTLS
> session can be started in one medium (SDP signalling, in this case), and
> continued in another medium (the DTLS-protected media channel), and have a
> section describing the details of carrying DTLS-over-SDP.
>
> When viewing it in this way, using the same technique with Jabber or
> proprietary signalling becomes a reasonably obvious exercise. There are
> some other twists that seem obvious too - for instance, one could continue
> the setup over the SDP channel in subsequent offer/answers if the first
> exchange failed to set up a media channel. I'm not sure that makes sense,
> though.
>
> One SDP twist: If forking happens, it could be treated like any other
> attempt to generate multiple answers to a ClientHello, I think. I'm sure
> it's well defined how to respond to that - it's an obvious attack. Only one
> leg of the fork would ever succeed, I assume.
>
>
> Doesn’t passing the DTLS Hellos through javascript open us to a whole pile
> of bid-down attacks where
> the lists of supported crypto suites and extensions are manipulated in the
> js ? E.G It  might allow the javascript to insert
> the magic extension that says "this isn’t being recorded”  without the
> browser actually being in that mode.
> Or is there a way that DTLS can detect this ?
>
>
> It certainly reduces the setup security from one where only network
> on-path attackers can do MITM attacks on the handshake to one where
> everyone with access to the Javascript can do MITM attacks on the handshake.
>

Well, attackers who control the signaling can put themselves on the network
by manipulating the
ICE parameters.


>
> Given that DTLS is supposed to be a reasonable option when you have
> on-path attackers on the network path, I certainly hope the defenses are
> adequate in this case too, but I don't know DTLS well enough to be able to
> say what those defenses are.
>

However the messages are sent, the handshake is tied to the endpoint keys.

-Ekr


>
> T.
>
>
>
>
>
> On 04/04/2016 03:10 PM, Eric Rescorla wrote:
>
> Hi folks,
>
> I wanted to call your attention to a draft I just published with a
> possibly stupid
> idea.
>
> https://tools.ietf.org/html/draft-rescorla-dtls-in-sdp-00
>
> A nontrivial fraction of call setup time in WebRTC is the DTLS handshake.
> This document describes how to piggyback the first few handshake messages
> in the SDP offer/answer exchange, thus reducing latency.
>
> Comments welcome.
>
> -Ekr
>
>
>
>
>
> _______________________________________________
> rtcweb mailing listrtcweb@ietf.orghttps://www.ietf.org/mailman/listinfo/rtcweb
>
>
>
> --
> Surveillance is pervasive. Go Dark.
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>
>
> Tim Panton - Web/VoIP consultant and implementor
> www.westhawk.co.uk
>
>
>
>
>
> --
> Surveillance is pervasive. Go Dark.
>
>
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>
>

v2.23.0 | Report a Bug | By Email