Re: [rtcweb] DTLS-SRTP implementation diffusion: Why not SDES-SRTP?
Igor Faynberg <igor.faynberg@alcatel-lucent.com> Thu, 29 March 2012 12:06 UTC
Return-Path: <igor.faynberg@alcatel-lucent.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F29421F8A2B for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 05:06:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.401
X-Spam-Level:
X-Spam-Status: No, score=-7.401 tagged_above=-999 required=5 tests=[AWL=-0.802, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rLRPGdwvlA2o for <rtcweb@ietfa.amsl.com>; Thu, 29 Mar 2012 05:06:00 -0700 (PDT)
Received: from ihemail4.lucent.com (ihemail4.lucent.com [135.245.0.39]) by ietfa.amsl.com (Postfix) with ESMTP id 1935821F88C8 for <rtcweb@ietf.org>; Thu, 29 Mar 2012 05:06:00 -0700 (PDT)
Received: from usnavsmail3.ndc.alcatel-lucent.com (usnavsmail3.ndc.alcatel-lucent.com [135.3.39.11]) by ihemail4.lucent.com (8.13.8/IER-o) with ESMTP id q2TC5wot017584 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <rtcweb@ietf.org>; Thu, 29 Mar 2012 07:05:58 -0500 (CDT)
Received: from umail.lucent.com (umail-ce2.ndc.lucent.com [135.3.40.63]) by usnavsmail3.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id q2TC5vpZ004688 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT) for <rtcweb@ietf.org>; Thu, 29 Mar 2012 07:05:57 -0500
Received: from [135.244.32.64] (faynberg.lra.lucent.com [135.244.32.64]) by umail.lucent.com (8.13.8/TPES) with ESMTP id q2TC5uen005674; Thu, 29 Mar 2012 07:05:57 -0500 (CDT)
Message-ID: <4F745024.2010203@alcatel-lucent.com>
Date: Thu, 29 Mar 2012 08:05:56 -0400
From: Igor Faynberg <igor.faynberg@alcatel-lucent.com>
Organization: Alcatel-Lucent
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.18) Gecko/20110616 Thunderbird/3.1.11
MIME-Version: 1.0
To: rtcweb@ietf.org
References: <4F73697D.5080006@infosecurity.ch> <CALiegfnF-8TCzkE9NiDsWz8PVNXtCtmpDKPYz65YLfdGVPQTqQ@mail.gmail.com> <4F7409C4.407@infosecurity.ch> <CALiegf=czyTqs=PtkkEDWaEHLYju6K=hF35h00o6LzpqW2EM5A@mail.gmail.com>
In-Reply-To: <CALiegf=czyTqs=PtkkEDWaEHLYju6K=hF35h00o6LzpqW2EM5A@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.39
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.11
Subject: Re: [rtcweb] DTLS-SRTP implementation diffusion: Why not SDES-SRTP?
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: igor.faynberg@alcatel-lucent.com
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Mar 2012 12:06:01 -0000
+1 Igor On 3/29/2012 7:58 AM, Iñaki Baz Castillo wrote: > 2012/3/29 Fabio Pietrosanti (naif)<lists@infosecurity.ch>: > >> That's true, but it's also true that the "rtcweb world" will strictly >> inter-operate with the "sip world". >> >> It would be reasonable to expect that current existing PBX software >> would evolve also with support for Rtcweb, to provide Web phone systems. > Right, but it also reasonable to expect that those SIP PBX do > implement some security, at least SDES-SRTP. > > NOTE: I do know you are not talking about allowing plain RTP in WebRTC ;) > > > >> In particular all opensource software will setup the path for the >> adoption of the standard, as we know history will repeat. >> >> It appear me as natural behavior of diffusion of implementation, and for >> that reason i see the need to "easily" inter-operate with the SIP world >> is a key value point. >> >> Creating an incompatible "media format" would require a lot of more >> effort because the "amount of compatibility testing to be done with >> DTLS-SRTP will be significantly higher than SDES-SRTP" . > I agree. > > > >>> http://tools.ietf.org/agenda/83/slides/slides-83-rtcweb-3.pdf >> I would like to strongly argue against the SLIDE 3 statement that >> "DTLS-SRTP meets RTCWEB's technical requirements" . >> >> DTLS-SRTP doesn't meet the RTCWEB's technical requirements because: >> >> - It does NOT provide inter-operation with existing SIP endpoints >> >> This is confirmed by the October 2011 SIPit data, with 80% of >> participants supporting, with good interoperability, SDES but with 0% >> supporting DTLS-SRTP . >> >> In order to try to "try to improve it's non-interoperability issue" the >> DTLS-SRTP is re-proposing him-selves as DTLS-SRTP-EKT . >> >> To speaking about the fact that even EKT draft explain that: >> " Today, Security Descriptions [RFC4568] is used for distributing SRTP >> keys in several different IP PBX systems and is expected to be used >> by 3GPP's Long Term Evolution (LTE). " >> >> http://tools.ietf.org/html/draft-ietf-avt-srtp-ekt-01#section-6.1 >> >> So: >> - Internt is using SDES-SRTP >> - 3GPP LTE is using SDES-SRTP >> - WebRTC is going to use DTLS-SRTP >> >> I do not really see how we can rationally accept to follow this >> different direction. > Well, AFAIK the decision for WebRTC is one of the following options > (assuming that plain RTP is not allowed, for which there was consensus > yesterday in Paris): > > 1) Mandate DTLS-SRTP(-EKT?) implementation and dissalow SDES-SRTP. > > 2) Mandate DTLS-SRTP(-EKT?) implementation and allow SDES-SRTP (optional). > > 3) Mandate DTLS-SRTP(-EKT?) implementation and also SDES-SRTP. > > > I vote for option (3) so WebRTC can *already* interop with well tested > SDES-SRTP environments. Is option (3) good for you? > > > > >> The argument that DTLS is *more secure* must face the reality that >> no-one is using it and that SDES-SRTP is *widely diffused and >> interoperable*. >> >> All Internet operators will have to introduce Protocol Gateway. >> All mobile operators will have to introduce Protocol Gateway. > It's worse than that. If you read slides 34 and 35 in > http://tools.ietf.org/agenda/83/slides/slides-83-rtcweb-3.pdf, the > "Media Gateway" MUST be also a *signaling* B2BUA (cannot be a proxy) > since it needs to generate re-INVITE in one leg (for crypto key > updates) !! > > I hope I will not need that annoying stuff in order to make WebRTC to > interoperate with SIP networks (assuming SDES-SRTP in those SIP > networks, of course). > > > > >> So definitely the choice to go for DTLS-SRTP is imho a wrong choice, >> against any rationale for the diffusion of WebRTC standard, introducing >> artificially complexity where it may be possible to keep it simple. > Worse, it's not just choosing a non tested standard, but creating a > new specification. The slide 39 says: > > ------------------------ > Do part of DTLS handshake in ICE connectivity checks > – draft-thomson-rtcweb-ice-dtls > ----------------------- > > So if that *new* spec is mandatory for WebRTC, then forget > interoperability with any other network. > > > Regards. >
- [rtcweb] DTLS-SRTP implementation diffusion: Why … Fabio Pietrosanti (naif)
- Re: [rtcweb] DTLS-SRTP implementation diffusion: … Iñaki Baz Castillo
- Re: [rtcweb] DTLS-SRTP implementation diffusion: … Fabio Pietrosanti (naif)
- Re: [rtcweb] DTLS-SRTP implementation diffusion: … Iñaki Baz Castillo
- Re: [rtcweb] DTLS-SRTP implementation diffusion: … Igor Faynberg
- Re: [rtcweb] DTLS-SRTP implementation diffusion: … Randell Jesup