Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]

Roman Shpount <roman@telurix.com> Sat, 10 September 2011 11:45 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7E2D21F851A for <rtcweb@ietfa.amsl.com>; Sat, 10 Sep 2011 04:45:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.809
X-Spam-Level:
X-Spam-Status: No, score=-2.809 tagged_above=-999 required=5 tests=[AWL=0.167, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id afVD+3SdicnF for <rtcweb@ietfa.amsl.com>; Sat, 10 Sep 2011 04:45:52 -0700 (PDT)
Received: from mail-yi0-f44.google.com (mail-yi0-f44.google.com [209.85.218.44]) by ietfa.amsl.com (Postfix) with ESMTP id 0F00321F8515 for <rtcweb@ietf.org>; Sat, 10 Sep 2011 04:45:51 -0700 (PDT)
Received: by yie12 with SMTP id 12so1032741yie.31 for <rtcweb@ietf.org>; Sat, 10 Sep 2011 04:47:49 -0700 (PDT)
Received: by 10.68.0.104 with SMTP id 8mr1009524pbd.381.1315655269021; Sat, 10 Sep 2011 04:47:49 -0700 (PDT)
Received: from mail-pz0-f45.google.com (mail-pz0-f45.google.com [209.85.210.45]) by mx.google.com with ESMTPS id i3sm19223196pbg.10.2011.09.10.04.47.46 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 10 Sep 2011 04:47:47 -0700 (PDT)
Received: by pzk33 with SMTP id 33so13680014pzk.18 for <rtcweb@ietf.org>; Sat, 10 Sep 2011 04:47:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.43.8 with SMTP id s8mr2297224pbl.389.1315655266516; Sat, 10 Sep 2011 04:47:46 -0700 (PDT)
Received: by 10.68.43.136 with HTTP; Sat, 10 Sep 2011 04:47:46 -0700 (PDT)
In-Reply-To: <1541FDA8-C3F6-4D24-BEC4-60EDACB6B582@edvina.net>
References: <A444A0F8084434499206E78C106220CA0B00FDB08B@MCHP058A.global-ad.net> <101C6067BEC68246B0C3F6843BCCC1E31018BF6BE2@MCHP058A.global-ad.net> <4E540FE2.7020605@alcatel-lucent.com> <2E239D6FCD033C4BAF15F386A979BF5106423F@sonusinmail02.sonusnet.com> <4E6595E7.7060503@skype.net> <4E661C83.5000103@alcatel-lucent.com> <2E239D6FCD033C4BAF15F386A979BF510F086B@sonusinmail02.sonusnet.com> <4E666926.8050705@skype.net> <43A0D702-1D1F-4B4E-B8E6-C9F1A06E3F8A@edvina.net> <033458F56EC2A64E8D2D7B759FA3E7E7020E64DC@sonusmail04.sonusnet.com> <E4EC1B17-0CC4-4F79-96DD-84E589FCC4F0@edvina.net> <4E67C3F7.7020304@jesup.org> <BE60FA11-8FFF-48E5-9F83-4D84A7FBE2BE@vidyo.com> <4E67F003.6000108@jesup.org> <7F2072F1E0DE894DA4B517B93C6A05852233E8554C@ESESSCMS0356.eemea.ericsson.se> <C3759687E4991243A1A0BD44EAC8230339CA68F054@BE235.mail.lan> <CAOJ7v-2u0UuNXh7bzmZFwiSucbsh=Ps=C3ZM5M3cJrXRmZgODA@mail.gmail.com> <CAKhHsXHXCkNdjtpxCSCk+ABbtxY15GEgouE6X6-sn-LqhnidQw@mail.gmail.com> <CABcZeBOdP6cAqBoiSV-Vdv1_EK3DfgnMamT3t3ccjDOMfELfBw@mail.gmail.com> <CAKhHsXFdU1ZaKQF8hbsOxwTS-_RfmFqQhgzGe=K4mRp+wz+_nQ@mail.gmail.com> <CAD5OKxtCMXzWLg40wV3teyh0TdiD1Xv4taW+BSguoDpAE46oJA@mail.gmail.com> <1541FDA8-C3F6-4D24-BEC4-60EDACB6B582@edvina.net>
Date: Sat, 10 Sep 2011 07:47:46 -0400
Message-ID: <CAD5OKxsuONT_-ZWS43BX7H8dkGscz2aM62m0uDyJauVTaUMC4g@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: "Olle E. Johansson" <oej@edvina.net>
Content-Type: multipart/alternative; boundary=bcaec5395f24cebec204ac94dc27
Cc: Randell Jesup <randell-ietf@jesup.org>, Jonathan Lennox <jonathan@vidyo.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Sep 2011 11:45:53 -0000

SRTP is a simple media encryption using signaling channel exchanged keys and
salt to do simple counter mode AES with content signing using HMAC-SHA1. It
also implements a dictionary based replay protection. DTLS offers wider
encryption and content signing algorithm selection, end-point handshake
based on certificates, certificate validation using certificate authority.
In general, DTLS offers same protection that TLS does, while SRTP is
simplified and optimized for media.

In regard to the overall discussion, if we want interop with existing VoIP
infrastructure, we need to support RTP with AVP. 99% of all SIP deployments
do not support and cannot support SRTP. None of the wholesale VoIP telephony
carriers support SRTP (some offer VPN or direct interconnects if you care
about privacy). Consumer VoIP companies (like Vonage or Comcast) do not
support or use SRTP for any calls from their customer equipment. In places
were encryption is supported (like Skype) it is often either something
different from SRTP. In order to connect to all those environments without
media proxy we need plain RTP. Otherwise we will need to put a media proxy
(SBC) to connect to them.

Finally, there is a reasonably low expectation of privacy as far as voice
calls are concerned. Most of the PSTN phone calls go over the wire connected
to an unlocked box outside your house. Anybody (and by this I mean anybody
walking down the street) can listen to your calls including emergency ones.
People like to raise security as concern but for 99% of the calls, as well
as for 99% of the web traffic which goes over HTTP vs HTTPS, nobody cares.
_____________
Roman Shpount


On Sat, Sep 10, 2011 at 3:54 AM, Olle E. Johansson <oej@edvina.net> wrote:

>
> 9 sep 2011 kl. 21:39 skrev Roman Shpount:
>
>  Please keep in mind that secure media is not limited to SRTP. RTP over
> DTLS is as or more secure then SRTP
>
>
> Interesting. Can you please elaborate? I haven't heard that being stated
> before and it made me curious.
>
> Thanks,
> /O
>