Re: [rtcweb] Resolving RTP/SDES question in Paris

Bernard Aboba <bernard_aboba@hotmail.com> Sat, 17 March 2012 21:17 UTC

From: Bernard Aboba <bernard_aboba@hotmail.com>
To: ekr@rtfm.com
Date: Sat, 17 Mar 2012 14:17:16 -0700
Cc: rtcweb@ietf.org

EKR said: 

> Partha,
> 
> I don't find the scenario you suggest particularly compelling.
> 
> Yes, it's true that it's more secure to run your communications over
> a VPN than not, but it's not obviously the case that you necessarily
> trust everyone who is on the VPN (after all, this is why companies
> with VPNs run internal access controls on their systems). 

[BA] The NSA has made exactly this point: it is not sufficient to run
unencrypted RTP over a VPN; the signaling MUST be secured
(e.g. via TLS) and SRTP MUST also be used.

I would also note that NSA allows use of SDES/SRTP over a VPN, since
this is widely supported, even though this was not their originally favored solution.

For details, see:
http://www.theverge.com/2012/3/2/2838729/nsa-project-fishbowl-secure-android-devices-network
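A policy check matching the requirement stated in this message (media must be SRTP, not plain RTP, even over a VPN), added here as an example and not code from the thread or from any endpoint: it inspects an SDP offer and flags media sections that negotiate RTP/AVP, that use an SRTP profile without SDES keying, or whose a=crypto line switches encryption back off via the UNENCRYPTED_SRTP session parameter. The offer it runs on is constructed.

```python
"""Policy check for an SDP offer: every media section must negotiate SRTP
(RTP/SAVP or RTP/SAVPF) keyed by an SDES a=crypto line (RFC 4568), not
plain RTP/AVP.  Added example; the SDP below is constructed."""
import re

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}
# RFC 4568 SDES attribute: a=crypto:<tag> <suite> inline:<key>[|...] [params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)(.*)$")

def media_sections(sdp):
    """Return [(m-line, [lines belonging to that media section])]."""
    sections = []
    for line in sdp.strip().splitlines():
        if line.startswith("m="):
            sections.append((line, []))
        elif sections:  # session-level lines before the first m= are skipped
            sections[-1][1].append(line)
    return sections

def check_srtp_policy(sdp):
    """Return findings (one string per violation); [] means compliant."""
    findings = []
    for mline, lines in media_sections(sdp):
        media, _port, profile = mline[2:].split()[:3]
        if profile not in SRTP_PROFILES:
            findings.append(f"{media}: profile {profile} is unencrypted RTP")
            continue
        keys = [m for m in map(CRYPTO_RE.match, lines) if m]
        if not keys:
            findings.append(f"{media}: SRTP profile but no a=crypto keying")
        for m in keys:
            # Session parameters can turn encryption off again (RFC 4568 6.3.1).
            if "UNENCRYPTED_SRTP" in m.group(4).split():
                findings.append(f"{media}: crypto tag {m.group(1)} "
                                f"negotiates UNENCRYPTED_SRTP")
    return findings

# Constructed offer: audio is properly keyed, video asks for plain RTP.
OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:4
m=video 51372 RTP/AVP 96
a=rtpmap:96 VP8/90000
"""

if __name__ == "__main__":
    for finding in check_srtp_policy(OFFER) or ["offer is compliant"]:
        print(finding)
```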