Re: [rtcweb] SRTP not mandatory-to-use
Xavier Marjou <xavier.marjou@gmail.com> Wed, 14 December 2011 14:41 UTC
Return-Path: <xavier.marjou@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83BC221F863E for <rtcweb@ietfa.amsl.com>; Wed, 14 Dec 2011 06:41:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[AWL=0.001, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xRHidfKh1hbV for <rtcweb@ietfa.amsl.com>; Wed, 14 Dec 2011 06:41:08 -0800 (PST)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 7682221F8551 for <rtcweb@ietf.org>; Wed, 14 Dec 2011 06:41:08 -0800 (PST)
Received: by yenm7 with SMTP id m7so785247yen.31 for <rtcweb@ietf.org>; Wed, 14 Dec 2011 06:41:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=7FaG+GzQZ9lT9kyssl4qFFK5uR3TaMXwcAcrcmZ6F2E=; b=J+km/iQjaT4dljI5ZCOC0ehE25yzXtwiDQatb5ulRKbamzxCfLgZCt6UnUNA0Ugpa7 KSYw2Gk7WoMk6WKwwXrRUQPwjgA89fNYJvF1hlzVijycRAxIieha1cJGElcnsRAakUJl F6kGYfSYklR9y33lIqEHOCTkFRsFoDl0B0kUg=
MIME-Version: 1.0
Received: by 10.236.155.74 with SMTP id i50mr12590943yhk.23.1323873666548; Wed, 14 Dec 2011 06:41:06 -0800 (PST)
Received: by 10.236.180.230 with HTTP; Wed, 14 Dec 2011 06:41:06 -0800 (PST)
In-Reply-To: <CABcZeBOeg-O+6===5tk0haxC8nLxUQyEUFRES2FAoFEf00fKng@mail.gmail.com>
References: <CAErhfrwu322=HTS0JZhum9EGfb73KmYS6CU_KMESyzEWhtvg2w@mail.gmail.com> <CABcZeBOeg-O+6===5tk0haxC8nLxUQyEUFRES2FAoFEf00fKng@mail.gmail.com>
Date: Wed, 14 Dec 2011 15:41:06 +0100
Message-ID: <CAErhfrxTKdo7Z+61x5ZcDt5ZM7C7ob5LNxMzwng_kk3Uqrp2_Q@mail.gmail.com>
From: Xavier Marjou <xavier.marjou@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] SRTP not mandatory-to-use
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Dec 2011 14:41:09 -0000
On Wed, Dec 14, 2011 at 11:32 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > On Wed, Dec 14, 2011 at 3:18 PM, Xavier Marjou <xavier.marjou@gmail.com> wrote: > > Hi, > > > > > > During the last IETF meeting, there seemed to be many people willing to have > > SRTP mandatory-to-use in the browser. However, I would like again to > > underline that in some contexts, it is rather desirable to deactivate, via > > the WebRTC API, the use of SRTP in order not to encrypt/decrypt at multiple > > layers. > > > > > > This may be the case in the following example: a company wants to use WebRTC > > for communications between its co-workers only; the web server and the > > script using WebRTC API are located on the VPN. In such a case, there is no > > need to use SRTP. The VPN already provides encryption when needed. If > > co-workers want to remotely access the VPN, an IPsec tool can already > > provide the encryption. Furthermore, if they want to remotely access the VPN > > via a 3G network, there will be encryption at layer 2 using AKA, then IPsec > > at layer 3, and again at SRTP level if mandatory-to-use. > > I don't understand why this makes SRTP undesirable. What scarce > resource are you conserving > here by not using SRTP? As has been noted a number of times, the cost > of the crypto on > the endpoints is generally not significant. Is there any scientific reference comparing the performances (cpu) of a SRTP communication vs an RTP communication on a smartphone device, or on an interworking network server? The feedback I have is that SRTP overhead is significant, at least on interworking network servers handling several calls in parallel. One example is http://trac.pjsip.org/repos/wiki/PJMEDIA-MIPS which gives figures, perhaps non-optimized, but figures anyway: 00:59:38.531 os_core_unix.c pjlib 0.9.0-trunk for POSIX initialized MIPS test, with CPU=180Mhz, 198.0 MIPS Clock Item Time CPU MIPS Rate (usec) (%) 8KHz codec encode/decode - L16/8000/1 1704 0.170 0.34 8KHz stream TX/RX - G.711 6786 0.679 1.34 8KHz stream TX/RX - G.711 SRTP 32bit 21688 2.169 4.29 8KHz stream TX/RX - G.711 SRTP 32bit +auth 33501 3.350 6.63 8KHz stream TX/RX - G.711 SRTP 80bit 21725 2.172 4.30 8KHz stream TX/RX - G.711 SRTP 80bit +auth 33551 3.355 6.64 > > Moreover, it's not obvious that even in this setting SRTP doesn't add security > benefit. Why are you assuming that I want everyone on the same LAN > as me to be able to listen to my calls, even if they are my co-workers? > Adding more security like SRTP certainly adds more confidence and probabilities that the call is more secure. However, as most of you know, there is no guarantee that nobody can listen to your calls even with SRTP. The web server is in the path of the webrtc media IP and port advertised by the browser of the users; It thus has the possibility to modify these parameters and direct a user's browser to communicate towards an SRTP-to-SRTP gateway instead of the remote called user. The communication between the two users is made of 2 SRTP links, with an unencrypted access possible at the SRTP gateway.
- Re: [rtcweb] SRTP not mandatory-to-use Xavier Marjou
- [rtcweb] SRTP not mandatory-to-use Xavier Marjou
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Iñaki Baz Castillo
- Re: [rtcweb] SRTP not mandatory-to-use Markus.Isomaki
- Re: [rtcweb] SRTP not mandatory-to-use Xavier Marjou
- Re: [rtcweb] SRTP not mandatory-to-use Igor Faynberg
- Re: [rtcweb] SRTP not mandatory-to-use Roy, Radhika R USA CIV (US)
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Harald Alvestrand
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Markus.Isomaki
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Alan Johnston
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Olle E. Johansson
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Stefan Hakansson LK
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Harald Alvestrand
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Cullen Jennings
- Re: [rtcweb] SRTP not mandatory-to-use Kevin P. Fleming
- Re: [rtcweb] SRTP not mandatory-to-use Alan Johnston
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Spencer Dawkins
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Muthu Arul Mozhi Perumal (mperumal)
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Iñaki Baz Castillo
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Iñaki Baz Castillo
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Bernard Aboba
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Justin Uberti
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- [rtcweb] JSEP draft query [was RE: SRTP not manda… Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Cullen Jennings
- [rtcweb] state of libsrtp maintenance? (Re: SRTP … Harald Alvestrand
- Re: [rtcweb] JSEP draft query [was RE: SRTP not m… Harald Alvestrand
- Re: [rtcweb] SRTP DTLS - SIPit Olle E. Johansson
- Re: [rtcweb] JSEP draft query [was RE: SRTP not m… Ravindran, Parthasarathi
- Re: [rtcweb] SRTP not mandatory-to-use Ravindran, Parthasarathi
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Roman Shpount
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Eric Rescorla
- Re: [rtcweb] SRTP DTLS - SIPit Eric Rescorla
- Re: [rtcweb] SRTP DTLS - SIPit Hannes Tschofenig
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Roman Shpount
- Re: [rtcweb] SRTP not mandatory-to-use Oscar Ohlsson
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Randell Jesup
- Re: [rtcweb] SRTP not mandatory-to-use Ted Hardie
- Re: [rtcweb] SRTP not mandatory-to-use Eric Rescorla
- Re: [rtcweb] SRTP not mandatory-to-use Harald Alvestrand
- Re: [rtcweb] SRTP not mandatory-to-use Oscar Ohlsson
- Re: [rtcweb] Security analysis of RTCWEB Bernard Aboba
- Re: [rtcweb] Security analysis of RTCWEB Eric Rescorla
- Re: [rtcweb] Security analysis of RTCWEB Igor Faynberg
- Re: [rtcweb] Security analysis of RTCWEB Bernard Aboba
- Re: [rtcweb] state of libsrtp maintenance? (Re: S… Cullen Jennings