Re: [rtcweb] use cases, F20 and encryption, SCTP - comments on draft-ietf-rtcweb-use-cases-and-requirements-07
Stefan Hakansson LK <stefan.lk.hakansson@ericsson.com> Wed, 02 May 2012 08:47 UTC

On 04/30/2012 09:16 AM, Magnus Westerlund wrote:
> Hi,
>
> My suggestion is that the use case document should be clarified. And I
> think the starting point is that the data channel must have the same
> security requirements as RTP media, both are media from the point of the
> application.

(speaking as use case doc editor): makes a lot of sense to me.

>
> Cheers
>
> Magnus
>
>
> On 2012-04-27 18:48, Dan Wing wrote:
>>> The chairs would like to ask the working group to focus on the use
>>> case draft. If you have use cases that need to be added to the
>>> document or text changes you'd like to suggest, please send them in
>>> for discussion before May 15th. After this round, we will look
>>> toward having a working group last call on the document (hopefully
>>> before the interim meeting).
>>
>> A few comments on draft-ietf-rtcweb-use-cases-and-requirements-07:
>>
>>
>> 1. Requirement F20 states:
>>
>>    F20 It MUST be possible to protect streams from eavesdropping.
>>
>> Consensus in the room during my presentation to RTCWEB at IETF83 was that we
>> don't need to support un-encrypted media (RTP) at all, and that all media
>> would be SRTP. Can that be captured in F20 by re-wording, or perhaps in a
>> new requirement if we can't reword F20? If there is a need or desire to
>> validate that consensus on list, let's please ask the chairs to do that.
>>
>>
>> 2. I noticed there is no requirement that we have a baseline for how SRTP
>> media is keyed (although there is a baseline requirement for codecs). This
>> is a critical requirement. I suggest adding "The browser MUST support a
>> baseline SRTP keying mechanism." We have not reached consensus on that
>> keying mechanism, but the requirement is real.
>>
>>
>> 3. I see the document restricts its scope to media streams in the
>> Introduction with:
>>
>>    "The document focuses on requirements related to real-time media
>>    streams. Requirements related to privacy, signalling between the
>>    browser and web server etc. are currently not considered."
>>
>> However, RTCWEB also supports a data communication between browsers. I
>> am worried if we do not specify requirements for the data communication we
>> will have problems. I believe the expectation is that if the audio/video
>> stream works, that the data communication stream also works. We need to
>> capture requirements for the data communication stream somewhere:
>>
>> - a requirement to support data communication
>> - that the chosen data communication protocol supports multiple streams
>>   (which is why SCTP was chosen over TCP)
>> - for NAT/firewall traversal of the data communication protocol (which is
>>   why SCTP-over-UDP was chosen and another reason TCP was not chosen)
>> - for encrypting that data communication session
>> - a requirement for SCTP-over-UDP to work when UDP is blocked (aligning
>>   with the existing F29 for audio/video)
>> - a requirement to do ICE connectivity checks prior to bringing up DTLS (I
>>   don't know if that is really a requirement, but I recall it mentioned at the
>>   RTCWEB interim in Mountain View).
>>
>> Based on the scoping of the draft-ietf-rtcweb-use-cases-and-requirements,
>> the omission of the data communication stream is intentional. If not in
>> draft-ietf-rtcweb-use-cases-and-requirements, where can we capture the
>> requirements for the data communication stream?
>>
>> -d