Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]

Roman Shpount <roman@telurix.com> Sat, 10 September 2011 18:50 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7193521F8505 for <rtcweb@ietfa.amsl.com>; Sat, 10 Sep 2011 11:50:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.837
X-Spam-Level:
X-Spam-Status: No, score=-2.837 tagged_above=-999 required=5 tests=[AWL=0.139, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vKicp9MG+p1L for <rtcweb@ietfa.amsl.com>; Sat, 10 Sep 2011 11:50:27 -0700 (PDT)
Received: from mail-pz0-f45.google.com (mail-pz0-f45.google.com [209.85.210.45]) by ietfa.amsl.com (Postfix) with ESMTP id 9788E21F84F7 for <rtcweb@ietf.org>; Sat, 10 Sep 2011 11:50:26 -0700 (PDT)
Received: by pzk33 with SMTP id 33so15161646pzk.18 for <rtcweb@ietf.org>; Sat, 10 Sep 2011 11:52:25 -0700 (PDT)
Received: by 10.68.38.166 with SMTP id h6mr1866871pbk.466.1315680744902; Sat, 10 Sep 2011 11:52:24 -0700 (PDT)
Received: from mail-pz0-f45.google.com (mail-pz0-f45.google.com [209.85.210.45]) by mx.google.com with ESMTPS id f6sm29526415pbp.2.2011.09.10.11.52.20 (version=TLSv1/SSLv3 cipher=OTHER); Sat, 10 Sep 2011 11:52:20 -0700 (PDT)
Received: by pzk33 with SMTP id 33so15161386pzk.18 for <rtcweb@ietf.org>; Sat, 10 Sep 2011 11:52:19 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.12.103 with SMTP id x7mr2097843pbb.188.1315680739808; Sat, 10 Sep 2011 11:52:19 -0700 (PDT)
Received: by 10.68.43.136 with HTTP; Sat, 10 Sep 2011 11:52:19 -0700 (PDT)
In-Reply-To: <4E6B8ED1.6040601@skype.net>
References: <A444A0F8084434499206E78C106220CA0B00FDB08B@MCHP058A.global-ad.net> <4E666926.8050705@skype.net> <43A0D702-1D1F-4B4E-B8E6-C9F1A06E3F8A@edvina.net> <033458F56EC2A64E8D2D7B759FA3E7E7020E64DC@sonusmail04.sonusnet.com> <E4EC1B17-0CC4-4F79-96DD-84E589FCC4F0@edvina.net> <4E67C3F7.7020304@jesup.org> <BE60FA11-8FFF-48E5-9F83-4D84A7FBE2BE@vidyo.com> <4E67F003.6000108@jesup.org> <7F2072F1E0DE894DA4B517B93C6A05852233E8554C@ESESSCMS0356.eemea.ericsson.se> <C3759687E4991243A1A0BD44EAC8230339CA68F054@BE235.mail.lan> <CAOJ7v-2u0UuNXh7bzmZFwiSucbsh=Ps=C3ZM5M3cJrXRmZgODA@mail.gmail.com> <CAKhHsXHXCkNdjtpxCSCk+ABbtxY15GEgouE6X6-sn-LqhnidQw@mail.gmail.com> <CABcZeBOdP6cAqBoiSV-Vdv1_EK3DfgnMamT3t3ccjDOMfELfBw@mail.gmail.com> <CAKhHsXFdU1ZaKQF8hbsOxwTS-_RfmFqQhgzGe=K4mRp+wz+_nQ@mail.gmail.com> <CAD5OKxtCMXzWLg40wV3teyh0TdiD1Xv4taW+BSguoDpAE46oJA@mail.gmail.com> <1541FDA8-C3F6-4D24-BEC4-60EDACB6B582@edvina.net> <CAD5OKxsuONT_-ZWS43BX7H8dkGscz2aM62m0uDyJauVTaUMC4g@mail.gmail.com> <4E6B8ED1.6040601@skype.net>
Date: Sat, 10 Sep 2011 14:52:19 -0400
Message-ID: <CAD5OKxukC23Vabh=0qP_6o3x=oDLUX9t5_dLHk2McRweAxxpEg@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Matthew Kaufman <matthew.kaufman@skype.net>
Content-Type: multipart/alternative; boundary=bcaec5215f832256c604ac9acb14
Cc: Randell Jesup <randell-ietf@jesup.org>, Jonathan Lennox <jonathan@vidyo.com>, "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Sep 2011 18:50:29 -0000

Yes, I did simplify things quite a bit in regard to *RTP-over-DTLS*, but the
main point was that SRTP is not the only or the most secure media transport
out there.

As far as ICE is concerned, it is backwards compatible with non-ICE end
points. The worst you can end up with (and this is not mandated, but just
the recommended procedure for selecting the default flow in the standard) is
going through a TURN server (if one is available) every time you are talking
to a non-ICE end point. If in the API we provide a way to specify STUN/TURN
servers used for media, we can effectively turn ICE off for some calls.

On the related note, I do think that specifying and providing STUN and TURN
servers should be responsibility of the RTC application developer and not
the browser configuration. TURN server can consume quite a bit of bandwidth
and one can see that they will be provided as a paid service in combination
with RTC application itself.
_____________
Roman Shpount


On Sat, Sep 10, 2011 at 12:22 PM, Matthew Kaufman <matthew.kaufman@skype.net
> wrote:

> On 9/10/2011 4:47 AM, Roman Shpount wrote:
>
>> SRTP is a simple media encryption using signaling channel exchanged keys
>> and salt to do simple counter mode AES with content signing using HMAC-SHA1.
>> It also implements a dictionary based replay protection. DTLS offers wider
>> encryption and content signing algorithm selection, end-point handshake
>> based on certificates, certificate validation using certificate authority.
>> In general, DTLS offers same protection that TLS does, while SRTP is
>> simplified and optimized for media.
>>
>
> I think you left out a description of DTLS-SRTP and made other
> simplifications.
>
>
>
>> In regard to the overall discussion, if we want interop with existing VoIP
>> infrastructure, we need to support RTP with AVP. 99% of all SIP deployments
>> do not support and cannot support SRTP.
>>
>
> They also cannot complete the ICE STUN handshake that is required to prove
> to the browser that they are willing to accept media.
>
>
>  None of the wholesale VoIP telephony carriers support SRTP (some offer VPN
>> or direct interconnects if you care about privacy).
>>
>
> Likewise regarding ICE.
>
>
>  Consumer VoIP companies (like Vonage or Comcast) do not support or use
>> SRTP for any calls from their customer equipment.
>>
>
> And again regarding ICE.
>
>
>  In places were encryption is supported (like Skype) it is often either
>> something different from SRTP. In order to connect to all those environments
>> without media proxy we need plain RTP.
>>
>
> Even if we need plain RTP, that isn't an argument for SDES-keyed SRTP.
>
> Matthew Kaufman
>
>