IETF Logo Mail Archive

Re: [rtcweb] Consensus call regarding media security

"Dan Wing" <dwing@cisco.com> Wed, 28 March 2012 16:54 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 536E421E8270 for <rtcweb@ietfa.amsl.com>; Wed, 28 Mar 2012 09:54:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.432
X-Spam-Level:
X-Spam-Status: No, score=-109.432 tagged_above=-999 required=5 tests=[AWL=1.167, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cx2fRV-Ro3VS for <rtcweb@ietfa.amsl.com>; Wed, 28 Mar 2012 09:54:51 -0700 (PDT)
Received: from mtv-iport-4.cisco.com (mtv-iport-4.cisco.com [173.36.130.15]) by ietfa.amsl.com (Postfix) with ESMTP id 8B10821E8091 for <rtcweb@ietf.org>; Wed, 28 Mar 2012 09:54:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=4644; q=dns/txt; s=iport; t=1332953691; x=1334163291; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=+rvEdGC1Hla1/Qsmu5N0HXl/MfQibA9BnyNl40+QZug=; b=RMf4ns0c8Lh7zDfhYQxo10ENNfJ52NvwhqsQ8KD00fzQ+G9JcKX4AecR qp34jIGvo66gA3kvmXUheIDJ/qhIvkV5WxjpD+UKI47BYJ/5GKu5UZ49P b1/T3PKsLVCaq9X8WBTvGp6ywP2SXb7q8Qe2hTDMAfqg1rHS1FFomouH1 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhoFAFJBc0+rRDoI/2dsb2JhbAA8CakKj2KBB4IJAQEBAwEBAQEFCgEXEDQBCgUHAQMCCQ8CBAEBAScHGQ4VCgkIAQEEARILF4djBAybdZ8jim+GIwSNa4kHjTSBaIJp
X-IronPort-AV: E=Sophos;i="4.73,662,1325462400"; d="scan'208";a="37962171"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-4.cisco.com with ESMTP; 28 Mar 2012 16:54:51 +0000
Received: from dwingWS (sjc-vpn2-273.cisco.com [10.21.113.17]) by mtv-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id q2SGsn0Z012785; Wed, 28 Mar 2012 16:54:50 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Roman Shpount' <roman@telurix.com>, igor.faynberg@alcatel-lucent.com
References: <4F732531.2030208@ericsson.com> <CAD5OKxs6NHha2egNSTumEaHYJ0bB6qu_nfshmBM6dntx2n49HQ@mail.gmail.com> <4F733492.9040601@alcatel-lucent.com> <CAD5OKxv8PhhwmjaDHqet1NBmJ+8ndKBc7p7fjC2vogE1wXT=sg@mail.gmail.com>
In-Reply-To: <CAD5OKxv8PhhwmjaDHqet1NBmJ+8ndKBc7p7fjC2vogE1wXT=sg@mail.gmail.com>
Date: Wed, 28 Mar 2012 18:54:49 +0200
Message-ID: <0bf201cd0d03$7dabb380$79031a80$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Ac0M/fnAmFS1m3uzQZyAZ+llZHxXPQABG/GA
Content-Language: en-us
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Consensus call regarding media security
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Mar 2012 16:54:52 -0000

> -----Original Message-----
> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On
> Behalf Of Roman Shpount
> Sent: Wednesday, March 28, 2012 6:15 PM
> To: igor.faynberg@alcatel-lucent.com
> Cc: rtcweb@ietf.org
> Subject: Re: [rtcweb] Consensus call regarding media security
> 
> Igor,
> 
> I could not attend the meeting today, but I am responding to the call
> of consent on the list, that did not mention that or any other
> conditions on SRTP encryption support. Does it also mean that the call
> can be established using plain RTP, or is DTLS handshake, even in order
> to setup NULL encruption, is still a requirement? If DTLS handshake is
> a requirement, I still would object to it, since this will require an
> extra implementation and interop step in anything communicating with
> WebRTC.

The opposite it also true.

Specifically, if Security Descriptions is required for RTCWEB endpoints,
it requires extra implementation and interop for all RTCWEB endpoints.

> On the related note, where is SRTP profile with NULL encoding defined?
> I have seen quite a few SRTP implementations but not a single one of
> them supported NULL codec in any of its profiles.  Also, we should be
> very careful not to support NULL encoding unless it is specifically
> enabled in API. Even though I do want to support unencrypted media, I
> do not want anything that allows to bid down from encrypted to
> unencrypted connection, for instance during DTLS negotiation, unless
> specifically enabled.

During their (D)TLS handshake, the (D)TLS client and server exchange
a list of cipher suites they support, and use the strongest supported
by both the client and server.  To negotiate Null, the ClientHello needs
to include the Null cipher suite and the (D)TLS server needs to choose 
Null -- if its policy allows choosing Null.  A (D)TLS server will 
usually not allow negotiating Null, and a (D)TLS client will usually 
not include Null in its list of cipher suites.

-d

> _____________
> Roman Shpount
> 
> 
> 
> On Wed, Mar 28, 2012 at 11:56 AM, Igor Faynberg <igor.faynberg@alcatel-
> lucent.com> wrote:
> 
> 
> 
> 	Roman,
> 
> 	I think there is a misunderstanding (I assume you did not attend
> the meeting today).  It has been clarified that SRTP allows the NULL
> encryption algorithm, and that this option will be available.
> 
> 	Igor
> 
> 
> 	On 3/28/2012 11:49 AM, Roman Shpount wrote:
> 
> 		As I have mentioned before on this list I am strongly
> against making SRTP protection for RTP a requirement. I think this is
> an unnecessary requirement that serves little real purpose except
> feeding into some marketing message that most of the WebRTC users would
> not care about. Unless use of identity is also a requirement, requiring
> SRTP will provide security only in a very narrow sense of the word. At
> the same time I do believe that extra standard requirements will stifle
> innovation and  will complicate new service or application creation.
> 
> 		I have no objection to making DTLS-SRTP a required to
> implement protocol.
> 		_____________
> 		Roman Shpount
> 
> 
> 
> 		On Wed, Mar 28, 2012 at 10:50 AM, Magnus Westerlund
> <magnus.westerlund@ericsson.com> wrote:
> 
> 
> 			WG,
> 
> 			In todays RTCWEB WG meeting there was discussion
> around media security
> 			mechanism. In this meeting there was some clear
> consensus in the
> 			meeting which we would like to confirm on the list.
> 
> 			The first was that there was overwhelming consensus
> that all RTP
> 			packets SHALL be protected by SRTP.
> 
> 			Secondly that no one objected against making DTLS-
> SRTP a mandatory to
> 			implement and the default keying mechanism.
> Additional mechanisms are
> 			not precluded.
> 
> 			WG participants may state their position regarding
> these consensus calls
> 			until 12th of April when the chairs will declare the
> final consensus. If
> 			you where present in the meeting room and comment on
> this, please
> 			indicate that.
> 
> 			Best Regards
> 
> 			Magnus Westerlund
> 			For the WG chairs
> 
> 			_______________________________________________
> 			rtcweb mailing list
> 			rtcweb@ietf.org
> 			https://www.ietf.org/mailman/listinfo/rtcweb
> 
> 
> 
> 
> 		_______________________________________________
> 		rtcweb mailing list
> 		rtcweb@ietf.org
> 		https://www.ietf.org/mailman/listinfo/rtcweb
> 
> 
> 	_______________________________________________
> 	rtcweb mailing list
> 	rtcweb@ietf.org
> 	https://www.ietf.org/mailman/listinfo/rtcweb
> 
> 
>

v2.23.0 | Report a Bug | By Email