Re: [rtcweb] Preserving stream isolation when traversing the network

Tim Panton <tim@phonefromhere.com> Fri, 07 March 2014 10:23 UTC

From: Tim Panton <tim@phonefromhere.com>
In-Reply-To: <CABkgnnX3vnGRacpDcnhhb8MhTWRgJTZSLT7E9duG-yV7oSbtEw@mail.gmail.com>
Date: Fri, 7 Mar 2014 10:23:30 +0000
Message-Id: <96BB79F5-4548-4E0F-BF37-E886D09A18A2@phonefromhere.com>
References: <CABkgnnVZpOJU=2ip88jF=sa2a7K=jBhZA0zkovPo_vvTBwA-GQ@mail.gmail.com> <CABkgnnX3vnGRacpDcnhhb8MhTWRgJTZSLT7E9duG-yV7oSbtEw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/FnTr8uUUlu5Wk8WyyTr926oyvQI
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Preserving stream isolation when traversing the network

On 7 Mar 2014, at 09:59, Martin Thomson <martin.thomson@gmail.com> wrote:

> On 6 March 2014 14:21, Martin Thomson <martin.thomson@gmail.com> wrote:
>> There is another option I really just thought of, and that is to add
>> an authenticated parameter to RTP for this purpose.  Probably as an
>> RTP header extension.  This has different properties, mostly which
>> apply to the scope question.
> 
> Having thought about this, I think that we can discount it.  A
> security property of this sort needs to be reliably attached to the
> stream.  That means an extension in every SRTP packet if we do it that
> way.  In the (D)TLS handshake, it costs much less.

Where in the DTLS handshake? There is a risk that if it is too early, 
then we are raising an unencrypted flag saying to the DPI crowd 
"look at me, I'm interesting".

The whole thrust of the IETF's 'encrypt all the things' is to make encryption
default and therefore unexceptional; we shouldn't do anything that makes
isolated calls visibly 'special'.

T.


> 
> If we wanted isolation on a much more granular level, then this would
> be OK, but I don't think that we should be making it that granular.
> 
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb

Tim Panton - Web/VoIP consultant and implementor
www.westhawk.co.uk
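The point Tim raises above is that in DTLS 1.2 (what WebRTC used at the time) the whole ClientHello, extension list included, is sent in the clear, so a marker carried as a hello extension is readable by any passive observer on the path, whereas anything sent after the handshake completes is not. The following is an added example, not code from the thread or from any WebRTC implementation: it builds a DTLS 1.2 ClientHello record with an ordinary use_srtp extension, then builds one that also carries a hypothetical "isolation" extension (type 0xFF00, chosen from the private-use range; no such extension is registered), and runs a DPI-style parser over both to show which extension types a middlebox can read. The third record is a constructed epoch-1 application-data record standing in for post-handshake traffic, which the same parser cannot see into.

```python
import struct

# Hypothetical extension type for an "isolated stream" marker, used only to
# illustrate the point. It is NOT a registered TLS extension; 0xFF00 lies in
# the range the TLS ExtensionType registry reserves for private use.
ISOLATION_EXT_TYPE = 0xFF00
USE_SRTP_EXT_TYPE = 0x000E          # RFC 5764 use_srtp, registered
SIGNATURE_ALGORITHMS_EXT_TYPE = 0x000D


def build_extensions(exts):
    """Encode [(type, data), ...] as a TLS extension list with its 2-byte length."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(body)) + body


def build_dtls12_client_hello(extensions, cookie=b""):
    """Build one DTLS 1.2 record carrying a complete (unfragmented) ClientHello.
    Nothing in this record is encrypted: there is no key yet."""
    random = b"\x00" * 32                      # constructed; real clients use 32 random bytes
    session_id = b""
    cipher_suites = struct.pack("!HH", 2, 0xC02B)   # one suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    compression = b"\x01\x00"                  # one method: null
    hello = (
        b"\xfe\xfd"                            # client_version: DTLS 1.2 is {254, 253}
        + random
        + bytes([len(session_id)]) + session_id
        + bytes([len(cookie)]) + cookie        # DTLS-only cookie field (HelloVerifyRequest)
        + cipher_suites
        + compression
        + build_extensions(extensions)
    )
    # DTLS handshake header: msg_type(1) length(3) message_seq(2) fragment_offset(3) fragment_length(3)
    hs = (b"\x01" + len(hello).to_bytes(3, "big") + b"\x00\x00"
          + (0).to_bytes(3, "big") + len(hello).to_bytes(3, "big") + hello)
    # DTLS record header: content_type(1)=handshake, version(2), epoch(2), sequence(6), length(2)
    return (b"\x16\xfe\xfd" + b"\x00\x00" + (0).to_bytes(6, "big")
            + struct.pack("!H", len(hs)) + hs)


def dpi_visible_extensions(record):
    """What a passive middlebox can read: the extension types advertised in a
    cleartext ClientHello. Returns [] for anything that is not a plaintext
    ClientHello, including encrypted application-data records."""
    if len(record) < 13 or record[0] != 0x16:          # not a handshake record
        return []
    length = struct.unpack("!H", record[11:13])[0]
    hs = record[13:13 + length]
    if len(hs) < 12 or hs[0] != 0x01:                  # not a ClientHello
        return []
    body = hs[12:]
    off = 2 + 32                                       # client_version + random
    sid_len = body[off]; off += 1 + sid_len
    cookie_len = body[off]; off += 1 + cookie_len
    cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2 + cs_len
    comp_len = body[off]; off += 1 + comp_len
    if off + 2 > len(body):                            # no extension block
        return []
    ext_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    end = off + ext_len
    types = []
    while off + 4 <= end:
        t, l = struct.unpack("!HH", body[off:off + 4])
        types.append(t)
        off += 4 + l
    return types


def flags_isolation(record):
    """True if the hypothetical isolation marker is readable on the wire."""
    return ISOLATION_EXT_TYPE in dpi_visible_extensions(record)


# Constructed records. use_srtp data: profile list length 2, one profile
# (0x0001 = SRTP_AES128_CM_HMAC_SHA1_80), empty MKI.
USE_SRTP_DATA = b"\x00\x02\x00\x01\x00"
SIG_ALGS_DATA = b"\x00\x02\x04\x03"               # one pair: sha256 + ecdsa

ORDINARY = build_dtls12_client_hello(
    [(USE_SRTP_EXT_TYPE, USE_SRTP_DATA), (SIGNATURE_ALGORITHMS_EXT_TYPE, SIG_ALGS_DATA)])
MARKED = build_dtls12_client_hello(
    [(USE_SRTP_EXT_TYPE, USE_SRTP_DATA), (ISOLATION_EXT_TYPE, b"\x01")])
# Epoch-1 application-data record with an opaque (constructed) ciphertext body:
# anything signalled at this stage is invisible to the parser above.
ENCRYPTED = (b"\x17\xfe\xfd" + b"\x00\x01" + (1).to_bytes(6, "big")
             + struct.pack("!H", 8) + b"\xde\xad\xbe\xef\x01\x02\x03\x04")

if __name__ == "__main__":
    for name, rec in (("ordinary", ORDINARY), ("marked", MARKED), ("encrypted", ENCRYPTED)):
        print(name, [hex(t) for t in dpi_visible_extensions(rec)], "isolation visible:", flags_isolation(rec))
```

Running it shows the marked ClientHello advertising 0xff00 alongside use_srtp, while the ordinary hello and the encrypted record give the observer nothing to key on; that visible difference is exactly the "look at me" signal the message warns about, and it exists regardless of whether the extension's contents are themselves authenticated later in the handshake.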