Re: [rtcweb] use cases, F20 and encryption, SCTP - comments on draft-ietf-rtcweb-use-cases-and-requirements-07

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 30 April 2012 07:16 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
Date: Mon, 30 Apr 2012 09:16:27 +0200
To: Dan Wing <dwing@cisco.com>
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>, "draft-ietf-rtcweb-use-cases-and-requirements@tools.ietf.org" <draft-ietf-rtcweb-use-cases-and-requirements@tools.ietf.org>
Message-ID: <4F9E3C4B.9050904@ericsson.com>
In-Reply-To: <0fc001cd2495$a3985950$eac90bf0$@com>

Hi,

My suggestion is that the use case document should be clarified. And I
think the starting point is that the data channel must have the same
security requirements as RTP media; both are media from the point of
view of the application.

Cheers

Magnus


On 2012-04-27 18:48, Dan Wing wrote:
>> The chairs would like to ask the working group to focus on the use
>> case draft.  If you have use cases that need to be added to the
>> document or text changes you'd like to suggest, please send them in
>> for discussion before May 15th.  After this round, we will look
>> toward having a working group last call on the document (hopefully
>> before the interim meeting).
> 
> A few comments on draft-ietf-rtcweb-use-cases-and-requirements-07:
> 
> 
> 1. Requirement F20 states:
> 
>    F20  It MUST be possible to protect streams from eavesdropping.
> 
> Consensus in the room during my presentation to RTCWEB at IETF83 was that we
> don't need to support un-encrypted media (RTP) at all, and that all media
> would be SRTP.  Can that be captured in F20 by re-wording, or perhaps in a
> new requirement if we can't reword F20?  If there is a need or desire to
> validate that consensus on list, let's please ask the chairs to do that.
> 
> 
> 2. I noticed there is no requirement that we have a baseline for how SRTP
> media is keyed (although there is a baseline requirement for codecs).  This
> is a critical requirement.  I suggest adding "The browser MUST support a
> baseline SRTP keying mechanism."  We have not reached consensus on that
> keying mechanism, but the requirement is real.
> 
> 
> 3. I see the document restricts its scope to media streams in the
> Introduction with:
> 
>   "The document focuses on requirements related to real-time media
>    streams.  Requirements related to privacy, signalling between the
>    browser and web server etc. are currently not considered."
> 
> However, RTCWEB also supports data communication between browsers.  I
> am worried that if we do not specify requirements for the data communication
> we will have problems.  I believe the expectation is that if the audio/video
> stream works, the data communication stream also works.  We need to
> capture requirements for the data communication stream somewhere:
> 
>   - a requirement to support data communication
>   - that the chosen data communication protocol supports multiple streams
> (which is why SCTP was chosen over TCP)
>   - for NAT/firewall traversal of the data communication protocol (which is
> why SCTP-over-UDP was chosen and another reason TCP was not chosen)
>   - for encrypting that data communication session
>   - a requirement for SCTP-over-UDP to work when UDP is blocked (aligning
> with the existing F29 for audio/video)
>   - a requirement to do ICE connectivity checks prior to bringing up DTLS (I
> don't know if that is really a requirement, but I recall it mentioned at the
> RTCWEB interim in Mountain View).  
> 
> Based on the scoping of the draft-ietf-rtcweb-use-cases-and-requirements,
> the omission of the data communication stream is intentional.  If not in
> draft-ietf-rtcweb-use-cases-and-requirements, where can we capture the
> requirements for the data communication stream?
> 
> -d
> 
> 


-- 

Magnus Westerlund

----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVM
----------------------------------------------------------------------
Ericsson AB                | Phone  +46 10 7148287
Färögatan 6                | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden| mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------