Re: [rtcweb] AVPF [was: Encryption mandate (and offer/answer)]

[Roman Shpount <roman@telurix.com>]

Yes, I did simplify things quite a bit in regard to *RTP-over-DTLS*, but the
main point was that SRTP is not the only or the most secure media transport
out there.

As far as ICE is concerned, it is backwards compatible with non-ICE end
points. The worst you can end up with (and this is not mandated, but just
the recommended procedure for selecting the default flow in the standard) is
going through a TURN server (if one is available) every time you are talking
to a non-ICE end point. If in the API we provide a way to specify STUN/TURN
servers used for media, we can effectively turn ICE off for some calls.

On the related note, I do think that specifying and providing STUN and TURN
servers should be responsibility of the RTC application developer and not
the browser configuration. TURN server can consume quite a bit of bandwidth
and one can see that they will be provided as a paid service in combination
with RTC application itself.
_____________
Roman Shpount


On Sat, Sep 10, 2011 at 12:22 PM, Matthew Kaufman <matthew.kaufman@skype.net
> wrote:

> On 9/10/2011 4:47 AM, Roman Shpount wrote:
>
>> SRTP is a simple media encryption using signaling channel exchanged keys
>> and salt to do simple counter mode AES with content signing using HMAC-SHA1.
>> It also implements a dictionary based replay protection. DTLS offers wider
>> encryption and content signing algorithm selection, end-point handshake
>> based on certificates, certificate validation using certificate authority.
>> In general, DTLS offers same protection that TLS does, while SRTP is
>> simplified and optimized for media.
>>
>
> I think you left out a description of DTLS-SRTP and made other
> simplifications.
>
>
>
>> In regard to the overall discussion, if we want interop with existing VoIP
>> infrastructure, we need to support RTP with AVP. 99% of all SIP deployments
>> do not support and cannot support SRTP.
>>
>
> They also cannot complete the ICE STUN handshake that is required to prove
> to the browser that they are willing to accept media.
>
>
>  None of the wholesale VoIP telephony carriers support SRTP (some offer VPN
>> or direct interconnects if you care about privacy).
>>
>
> Likewise regarding ICE.
>
>
>  Consumer VoIP companies (like Vonage or Comcast) do not support or use
>> SRTP for any calls from their customer equipment.
>>
>
> And again regarding ICE.
>
>
>  In places were encryption is supported (like Skype) it is often either
>> something different from SRTP. In order to connect to all those environments
>> without media proxy we need plain RTP.
>>
>
> Even if we need plain RTP, that isn't an argument for SDES-keyed SRTP.
>
> Matthew Kaufman
>
>