Re: [rtcweb] SRTP requirement - wiretapping (Re: Let's define the purpose of WebRTC)

"Ravindran, Parthasarathi" <pravindran@sonusnet.com> Wed, 09 November 2011 12:13 UTC

From: "Ravindran, Parthasarathi" <pravindran@sonusnet.com>
To: Cameron Byrne <cb.list6@gmail.com>
Thread-Topic: [rtcweb] SRTP requirement - wiretapping (Re: Let's define the purpose of WebRTC)
Date: Wed, 9 Nov 2011 12:13:04 +0000
Message-ID: <387F9047F55E8C42850AD6B3A7A03C6C0134A379@inba-mail01.sonusnet.com>
References: <CALiegfkVNVAs_MyU_-4koA4zRwSn1-FwLjY9g_oZVkhi9rSK5Q@mail.gmail.com> <8A61D801-D14D-408B-9875-63C37D0CC166@acmepacket.com> <CABw3bnPE=OY_h5bM7GA6wgrXiOBL8P4J0kw1jLv-GSpHAbg=Cg@mail.gmail.com> <CABcZeBNqdkh8u=gwOvKfDCQA7rXdAyQkfaM1r2Sx10787btP6A@mail.gmail.com> <B10FEFF6-0ADC-4DB1-83BB-50A11C65EC35@acmepacket.com> <CABcZeBNSXtim_VqzqAd8Z-u4zWSjaYmsVZPN=7sDYkJsgtRAHA@mail.gmail.com> <4EB7E6A5.70209@alvestrand.no> <F8003BA9-BCD8-4F02-B514-8B883FF90F91@acmepacket.com> <387F9047F55E8C42850AD6B3A7A03C6C01349D81@inba-mail01.sonusnet.com> <4EB9ACF5.80805@alvestrand.no> <387F9047F55E8C42850AD6B3A7A03C6C01349F60@inba-mail01.sonusnet.com> <CAD6AjGTn2WPaVQh01y-PVYZtpVYKopocqzQBSEMQadozjEd-Tw@mail.gmail.com> <387F9047F55E8C42850AD6B3A7A03C6C01349FE6@inba-mail01.sonusnet.com> <CAD6AjGSWESndhzbtXc71Rb=GwFejnk2_YiSo57kjeTjfp0_2vg@mail.gmail.com>
In-Reply-To: <CAD6AjGSWESndhzbtXc71Rb=GwFejnk2_YiSo57kjeTjfp0_2vg@mail.gmail.com>
Cc: <rtcweb@ietf.org>
Subject: Re: [rtcweb] SRTP requirement - wiretapping (Re: Let's define the purpose of WebRTC)

Cb,

Please read inline.

Thanks
Partha

From: Cameron Byrne [mailto:cb.list6@gmail.com]
Sent: Wednesday, November 09, 2011 8:58 AM
To: Ravindran Parthasarathi
Cc: <rtcweb@ietf.org>
Subject: RE: [rtcweb] SRTP requirement - wiretapping (Re: Let's define the purpose of WebRTC)


On Nov 8, 2011 6:50 PM, "Ravindran Parthasarathi" <pravindran@sonusnet.com> wrote:
>
> Cameron,
>
>
>
> I guess that we are on the same page w.r.t. the IETF privacy policy, and that is the main reason I take back my comment #2. But please look into comment #1 for the Enterprise WebRTC application, wherein SRTP is not required to be mandated.
>
>
>
> > >> 1) Security could be in the lower layer itself (IPsec, VPN, private MPLS cloud). For an Enterprise-only WebRTC application (no federation & no interop), there is no need for security by a specific application like WebRTC, as it is ensured in the infrastructure. WebRTC security will be duplicated for this infrastructure and may lead to double encryption unnecessarily.
>
> Thanks
>
> Partha
>

I don't believe we can assume other crypto measures are in place

Bob and Alice work for Toobigtofail Inc. They are on the same LAN segment and using WebRTC to communicate about making a large investment. On that same LAN segment there is a compromised host intercepting all traffic (it did some ARP spoofing or something like that).

No problem here, since Bob and Alice are using SRTP.

If they did not, the financial info would have been exposed.

<partha> I guess that your argument is not specific to WebRTC but includes all real-time communication in the enterprise. My point is that this security concern is not generic enough, as mentioned in the other mail thread. </partha>

Cb
>
>
> From: Cameron Byrne [mailto:cb.list6@gmail.com]
> Sent: Wednesday, November 09, 2011 8:07 AM
> To: Ravindran Parthasarathi
> Cc: <rtcweb@ietf.org>
> Subject: Re: [rtcweb] SRTP requirement - wiretapping (Re: Let's define the purpose of WebRTC)
>
>
>
>
> On Nov 8, 2011 5:21 PM, "Ravindran Parthasarathi" <pravindran@sonusnet.com> wrote:
> >
> > Thanks to Harald/Cullen for pointing out RFC 2804. I take back my #2 comment based on RFC 2804 wiretapping policy.
> >
> > I wish to clarify why I gave this comment before closing on #2:
> >
> > It is common practice in India to buy a computer to talk/chat with relatives who are outside India by using Skype/Gtalk/Yahoo (avoiding international subscriber dialing charges). Of course, the cell phone is more popular than the computer, and cheap (~$100) Wi-Fi enabled (Android) smartphones are available in the market. WebRTC will bring a new, innovative way of communicating using a smartphone (like a free WebRTC session to the street provision store). The browser in the smartphone is the platform for making an outgoing session towards the provision store. I really don't want these kinds of WebRTC services to be forbidden by Government laws unnecessarily due to security (SRTP) reasons.
> >
> >
>
> Getting into murky waters here.
>
> I believe the ietf values privacy and I would like srtp to be mandatory since I value privacy.
>
> If not supporting privacy is a requirement for your government, then perhaps webrtc is not for you.
>
> Cb
>
> > >-----Original Message-----
> > >From: Harald Alvestrand [mailto:harald@alvestrand.no]
> > >Sent: Wednesday, November 09, 2011 3:58 AM
> > >To: Ravindran Parthasarathi
> > >Cc: Hadriel Kaplan; Eric Rescorla; <rtcweb@ietf.org>
> > >Subject: SRTP requirement - wiretapping (Re: [rtcweb] Let's define the purpose of WebRTC)
> > >
> > >Changing the subject again to mention SRTP....
> > >
> > >On 11/08/2011 03:30 PM, Ravindran Parthasarathi wrote:
> > >> I agree with Hadriel that it is not required to mandate SRTP for WebRTC. My reasoning is as follows:
> > >>
> > >> 1) Security could be in the lower layer itself (IPsec, VPN, private MPLS cloud). For an Enterprise-only WebRTC application (no federation & no interop), there is no need for security by a specific application like WebRTC, as it is ensured in the infrastructure. WebRTC security will be duplicated for this infrastructure and may lead to double encryption unnecessarily.
> > >This argument makes some sense.
> > >>
> > >> 2) Being in India, I'm interested in avoiding Government restriction on the WebRTC proposal (thanks to Tim for pointing this out). I may not be surprised to see the WebRTC mechanism banned in India because the intelligence agency struggles to break the key in each terrorist WebRTC site.
> > >> (http://www.pcworld.com/businesscenter/article/235639/india_wants_to_intercept_skype_google_communications.html)
> > >This argument is contrary to stated IETF policy (RFC 2804).
> > >
> > >I recommend the RFC for background reading.
> > >>
> > >> In case there is no use case to illustrate in the RTCWeb draft, let us discuss in detail.
> > >>
> > >>> -----Original Message-----
> > >>> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf Of Hadriel Kaplan
> > >>> Sent: Monday, November 07, 2011 9:12 PM
> > >>> To: Eric Rescorla
> > >>> Cc: <rtcweb@ietf.org>
> > >>> Subject: Re: [rtcweb] Let's define the purpose of WebRTC
> > >>>
> > >>>
> > >>> On 11/07/2011 02:50 PM, Eric Rescorla wrote:
> > >>>> On Sun, Nov 6, 2011 at 7:20 PM, Hadriel Kaplan <HKaplan@acmepacket.com> wrote:
> > >>>>> Who said "too slow"?  There *is* an extra round-trip or two involved I presume, if we're talking DTLS-SRTP, but no I didn't mean that as a "hit".  I just meant the extra computing cycles for SRTP being a "hit".  For WebRTC-to-WebRTC I don't think that matters at all.  For WebRTC-to-media-server it might, for a free game app or greeting card app that doesn't care about it to begin with, and which uses plaintext HTTP to begin with.
> > >>>> Sorry, I didn't mean to put words in your mouth. Performance measurements of HTTP versus HTTPS in modern Web environments suggest that the additional load for HTTPS is not significant. Do you have evidence that the situation is different for SRTP versus RTP?
> > >>> Only from the DSP guys, and those would be hardware DSPs, not soft DSPs.  It runs them anywhere from 10-25% overhead, they say, depending on the vendor and what else their DSPs are doing at the time.
> > >>>
> > >>> But ultimately even in software I assume it's all relative to what other work you're doing.  If you have to render a video stream on a screen and encode camera input into a codec being sent out, then my guess is SRTP overhead is a tiny factor not worth talking about.  If you're mixing multiple RTP streams as a conference server, then I assume doing SRTP for thousands of simultaneous audio RTP streams for multiple simultaneous conferences becomes noticeable.  Or at least so they seem to claim - I don't know since I don't build a media server (hardware SBCs often offload SRTP onto dedicated hardware).  One large software company even created their own proprietary packet format for SRTP that they claimed was done for improving performance/scalability, so I assume it has some impact they don't want their customers to incur.
> > >>>
> > >>> -hadriel
> > >>>
> > >>>
> > >>> _______________________________________________
> > >>> rtcweb mailing list
> > >>> rtcweb@ietf.org
> > >>> https://www.ietf.org/mailman/listinfo/rtcweb
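The scenario Cameron describes (a compromised host on the same LAN segment ARP-spoofing itself into the media path) is exactly what SRTP's two per-packet protections address, and it is also where the lower-layer argument in comment #1 is weakest: IPsec or a private MPLS cloud protects the WAN hop, not the switch port next to Alice. The Go program below is an added example, not code from this thread or from any WebRTC implementation. It applies the RFC 3711 default transform to one packet (AES-CM encryption of the payload, HMAC-SHA1 truncated to 80 bits over header and ciphertext) with session keys assumed to be already derived; WebRTC gets them from DTLS-SRTP, and the key derivation, ROC tracking and replay window are deliberately left out. The keys, SSRC, sequence number and payload are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
)

const (
	hdrLen = 12 // fixed RTP header; CSRC lists and extensions are not handled here
	tagLen = 10 // SRTP default auth tag: HMAC-SHA1 truncated to 80 bits
)

// srtpSession holds session keys as an endpoint has them after RFC 3711 key
// derivation (fed by DTLS-SRTP in WebRTC); derivation is not shown and the keys
// are assumed present. ROC stays 0 and no replay window is kept (a real receiver
// must track both per SSRC).
type srtpSession struct {
	block   cipher.Block // AES-128 under the session encryption key
	salt    []byte       // 112-bit session salt
	authKey []byte       // 160-bit HMAC-SHA1 session authentication key
	roc     uint32       // rollover counter
}

// xorPayload applies the AES-CM keystream of RFC 3711 4.1.1 in place:
// IV = (salt<<16) XOR (SSRC<<64) XOR (index<<16), low 16 bits = block
// counter, index = 2^16*ROC + SEQ. Encrypt and decrypt are the same step.
func (s *srtpSession) xorPayload(pkt []byte) {
	iv := make([]byte, 16)
	copy(iv, s.salt) // the 14 salt bytes land in iv[0:14]
	for j := 0; j < 4; j++ {
		iv[4+j] ^= pkt[8+j] // SSRC, taken straight from the header
	}
	var idx [8]byte
	seq := uint64(binary.BigEndian.Uint16(pkt[2:4]))
	binary.BigEndian.PutUint64(idx[:], uint64(s.roc)<<16|seq)
	for j := 0; j < 6; j++ {
		iv[8+j] ^= idx[2+j] // the 48-bit packet index
	}
	cipher.NewCTR(s.block, iv).XORKeyStream(pkt[hdrLen:], pkt[hdrLen:])
}

// authTag is HMAC-SHA1 over header || encrypted payload || ROC, truncated (RFC 3711 4.2).
func (s *srtpSession) authTag(authenticated []byte) []byte {
	mac := hmac.New(sha1.New, s.authKey)
	mac.Write(authenticated)
	var rocB [4]byte
	binary.BigEndian.PutUint32(rocB[:], s.roc)
	mac.Write(rocB[:])
	return mac.Sum(nil)[:tagLen]
}

// Protect encrypts the payload, leaves the header in the clear and appends the tag.
func (s *srtpSession) Protect(rtp []byte) ([]byte, error) {
	if len(rtp) < hdrLen || rtp[0] != 0x80 {
		return nil, errors.New("not a plain 12-byte RTP v2 header")
	}
	out := append(make([]byte, 0, len(rtp)+tagLen), rtp...)
	s.xorPayload(out)
	return append(out, s.authTag(out)...), nil
}

// Unprotect verifies the tag (constant-time) before decrypting, so a packet
// modified or forged by an on-path host is dropped before it reaches the decoder.
func (s *srtpSession) Unprotect(srtp []byte) ([]byte, error) {
	if len(srtp) < hdrLen+tagLen || srtp[0] != 0x80 {
		return nil, errors.New("not a plain 12-byte RTP v2 header")
	}
	body, tag := srtp[:len(srtp)-tagLen], srtp[len(srtp)-tagLen:]
	if !hmac.Equal(tag, s.authTag(body)) {
		return nil, errors.New("SRTP authentication failed")
	}
	out := append([]byte(nil), body...)
	s.xorPayload(out)
	return out, nil
}

// buildRTP constructs a minimal RTP packet (V=2, CC=0, PT=0) around a payload.
func buildRTP(seq uint16, ssrc uint32, payload []byte) []byte {
	pkt := make([]byte, hdrLen+len(payload))
	pkt[0] = 0x80
	binary.BigEndian.PutUint16(pkt[2:], seq)
	binary.BigEndian.PutUint32(pkt[4:], 160*uint32(seq)) // 20 ms of PCMU per packet
	binary.BigEndian.PutUint32(pkt[8:], ssrc)
	copy(pkt[hdrLen:], payload)
	return pkt
}

// demoSession uses constructed fixed keys; real ones come from DTLS-SRTP.
func demoSession() (*srtpSession, error) {
	block, err := aes.NewCipher(bytes.Repeat([]byte{0x11}, 16))
	if err != nil {
		return nil, err
	}
	return &srtpSession{block: block, salt: bytes.Repeat([]byte{0x22}, 14), authKey: bytes.Repeat([]byte{0x33}, 20)}, nil
}
```

Two things are worth observing when you run Protect over a packet and look at the result the way the sniffing host would. First, only the payload changes: the SSRC, sequence number, timestamp and payload type stay in the clear, so SRTP hides what Bob and Alice say but not that they are talking, when, or for how long; anyone who needs the metadata hidden as well needs a tunnel (IPsec, VPN) on top, which is the one place where the "double encryption" of comment #1 is not duplication. Second, flipping a single payload bit makes Unprotect fail on the tag before any decryption happens, which is what stops the compromised host from injecting or altering media rather than just reading it.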