IETF Logo Mail Archive

Re: [rtcweb] Resolving RTP/SDES question in Paris

"Dan Wing" <dwing@cisco.com> Fri, 23 March 2012 15:02 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2076C21F857F for <rtcweb@ietfa.amsl.com>; Fri, 23 Mar 2012 08:02:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.407
X-Spam-Level:
X-Spam-Status: No, score=-109.407 tagged_above=-999 required=5 tests=[AWL=1.192, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RthhL8-XQ7N4 for <rtcweb@ietfa.amsl.com>; Fri, 23 Mar 2012 08:01:59 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id CB74D21F8572 for <rtcweb@ietf.org>; Fri, 23 Mar 2012 08:01:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=dwing@cisco.com; l=5600; q=dns/txt; s=iport; t=1332514919; x=1333724519; h=from:to:cc:references:in-reply-to:subject:date: message-id:mime-version:content-transfer-encoding; bh=fbPp4rlyGPC7jUufDOzIMpeePiEM9zZnsKV5Prw2eKE=; b=jliJ5ujvEPoJcXPMUHCTayEBhofR3x6VeGFCgBl9OdYsZnH3Kq6EXF72 qH2Oz80K6yc6yAaqNRFsOPzH5Jrmxb72Eo66OeU4HIzQO7fxvWYW1mX0V KmyqkRV3NOKtlRDGTP/UnBrfYJBSZnoFLpwZqOrBAkZA7mzgsDrfEORGQ M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFADCQbE+rRDoI/2dsb2JhbAA7Cqgjj2WBB4IJAQEBAwEBAQEFCgEXEC4GCwUHAQMCCQ8CBAEBKAcZDhUKAwEFCAIEARILEAeHYwQMmgGNUZE2ilqGKwSIV4UTljqBaIMH
X-IronPort-AV: E=Sophos;i="4.73,636,1325462400"; d="scan'208";a="34807195"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-3.cisco.com with ESMTP; 23 Mar 2012 15:01:58 +0000
Received: from dwingWS ([10.32.240.196]) by mtv-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id q2NF1vKO025683; Fri, 23 Mar 2012 15:01:57 GMT
From: Dan Wing <dwing@cisco.com>
To: "'Ravindran, Parthasarathi'" <pravindran@sonusnet.com>, 'Roman Shpount' <roman@telurix.com>, 'Harald Alvestrand' <harald@alvestrand.no>, 'Ted Hardie' <ted.ietf@gmail.com>
References: <4F4759DC.7060303@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com> <CALiegfnkYVEpmPV-zSL_4wOY-HiFZN-qJCQCiioaS=5NaqhLZw@mail.gmail.com> <CAD5OKxvtOAxMBx6xDnyfTnEq76oDEm6uj1xL6wGjjrtKUAHy3g@mail.gmail.com> <CABcZeBNZiotPmCfT53uEo+O0xw4xv6tXW1M_G-3A5BHuncsduA@mail.gmail.com> <CAD5OKxvYOY5JZ2mYNGiH1poUBQkyOOycePFijH5H+SxtcdqujQ@mail.gmail.com> <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com> <4F64FE98.3070605@alcatel-lucent.com> <4F685ED9.2050109@alvestrand.no> <CAD5OKxsVp7px9bHAgxgdqPMxRgppcVUDKt8JHBhyq9qqW3pAMg@mail.gmail.com> <4F68A4CC.9090306@alvestrand.no> <CAD5OKxuiApLKRASc2YuBfkM_8h8wGDPPQ3TdOYGum2yauidA5A@mail.gmail.com> <4F6AECC6.8020004@alvestrand.no> <CAD5OKxsSUeMFYXZMZVqQFWdeEB=30HJuJ=mP9GaYkksBmp1mOA@mail.gmail.com> <03fa01cd087d$57899120$069cb360$@com> <387F9047F55E8C42850AD6B3A7A03C6C0E21E8F5@inba-mail01.sonusnet.com>
In-Reply-To: <387F9047F55E8C42850AD6B3A7A03C6C0E21E8F5@inba-mail01.sonusnet.com>
Date: Fri, 23 Mar 2012 08:01:57 -0700
Message-ID: <062901cd0905$e48bb520$ada31f60$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AQHM8te6ZBG/XYsMg0C4SE+GOqsWNpZtZpyg///nIgCAAAs3AIAASYaAgADU1wCAAESDgIAACAYAgAQGRYCAADINgIAAIVYAgAAIfACAAq+sAIAAVeAAgACNQICAANeboIAAkS2w
Content-Language: en-us
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Mar 2012 15:02:04 -0000

> -----Original Message-----
> From: Ravindran, Parthasarathi [mailto:pravindran@sonusnet.com]
> Sent: Thursday, March 22, 2012 11:40 PM
> To: Dan Wing; 'Roman Shpount'; 'Harald Alvestrand'; 'Ted Hardie'
> Cc: rtcweb@ietf.org
> Subject: RE: [rtcweb] Resolving RTP/SDES question in Paris
> 
> Even in case disabling encryption is not the desired behavior, I don't
> see the problem in using RTP-IPSec instead of SRTP-DTLS.

Several.

IPsec ESP tunnel or transport mode?  With NAT-T support?  Is there
an API for applications to determine if the underlying OS provides
IPsec ESP for that flow (I know for Cisco IOS, the answer to that
API question is 'no'.  And that was my understanding in the version 
of Windows Server that we used to use for our call control system,
although of course that could have changed with Windows 7 or 8).
RTP over IPsec breaks link header compression (cRTP and ROHC),
which are used by some networks.

> I understand
> that web-browser has no standard way to identify whether plain IP or
> IPsec in Layer 3. So, it shall be configured by browser-user and it
> shall be considered as user consent. This approach helps in case in
> avoiding double encryption technically wherein IPSec is mandated. I
> know the argument that double encryption is not problem in the endpoint
> as it has huge CPU and memory resources but in case web-browser as part
> of access devices, it will have impact on performance. My issue is with
> mandating to use SRTP-DTLS in WebRTC and not with mandate to implement
> SRTP-DTLS.

'Double encryption' is done because it's the only way to achieve
security at various layers.

Let's take a simple example:  someone is using their PC at a coffee
shop or a conference, and (because the person is using a possibly-hostile
network, and the person is ostensibly working) they bring up a VPN.  All 
of the person's traffic goes into their VPN.  The person then accesses
paypal (or gmail, or hundreds of other example sites), which forces them 
to use HTTPS.  They are now "double encrypted".  

Can you see the difficulty in removing the HTTPS connection to Paypal
(or gmail, etc.).  Can you see the difficulty in the PC determining
the HTTPS connection is "good enough" and routing that outside the 
VPN -- it can't be done simply by port number or else someone could
accidentally run un-encrypted traffic on port 443.

And this person may well even be triple encryption, if the WiFi access 
point uses wireless encryption.  Taking your argument further, if we 
are running IPsec we should have a way to disable the WiFi encryption?
But the WiFi encryption is being used to protect that layer -- just
like the IPsec is used in the VPN to protect that layer and the HTTPS
to PayPal is used to protect that layer.

> Also, AFAIK HTTPS certificate is not free of cost. Whereever the cost
> matters like social welfare site, educational site and some free blogs,
> the tendency will be towards HTTP

Ok.  (Separate problem.)

> and user of those sites will have the
> consent to use RTP.

I don't see why those sites cannot use SRTP.

-d


> Thanks
> Partha
> 
> >-----Original Message-----
> >From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On
> Behalf
> >Of Dan Wing
> >Sent: Friday, March 23, 2012 4:14 AM
> >To: 'Roman Shpount'; 'Harald Alvestrand'; 'Ted Hardie'
> >Cc: rtcweb@ietf.org
> >Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
> >
> >> -----Original Message-----
> >> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On
> >> Behalf Of Roman Shpount
> >> Sent: Thursday, March 22, 2012 7:19 AM
> >> To: Harald Alvestrand
> >> Cc: rtcweb@ietf.org
> >> Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
> >...
> >> Yes, I was worried about supporting the interceptor. This is all
> >> related to my question of support of WebRTC applications in
> military,
> >> prisons, or financial organizations. I think WebRTC would be
> >> completely disabled in such locations unless web browser can be
> >> configured to confirm to some sort of communications and monitoring
> >> policy. I do not think enabling only certain applications is a
> >> sustainable solution, since application can only be enabled based on
> >> its URL, but this in no way implies that the actual protocol used
> for
> >> signaling exchange by this application will stay the same. In the
> best
> >> case this will result in tens of specialized monitoring rules that
> >> will need to be maintained. In the worst case, WebRTC would be
> simply
> >> disabled. At this point the only workable solution that I see is
> some
> >> sort of media proxy protocol.
> >
> >The SIPREC working group, formed in March 2010, has solutions for this
> >problem.  The problem is not created by RTCWEB.  Disabling encryption
> is
> >not necessary -- nor desirable.  "Jails" get brought up in this
> context
> >often, so using that same example, consider a prisoner at a jail
> >communicating with their lawyer.  The prisoner needs secure
> >communications with their lawyer without the risk of the
> communications
> >being leaked to the press by anyone along the media path.  For details
> >see http://tools.ietf.org/wg/siprec/
> >
> >We will have a brietf presentation on SIPREC during my session at
> >RTCWEB, explaining how it can work with RTCWEB.
> >
> >-d
> >
> >
> >
> >_______________________________________________
> >rtcweb mailing list
> >rtcweb@ietf.org
> >https://www.ietf.org/mailman/listinfo/rtcweb

v2.23.0 | Report a Bug | By Email