Re: [rtcweb] Resolving RTP/SDES question in Paris

Iñaki Baz Castillo <ibc@aliax.net> Mon, 19 March 2012 19:48 UTC

In-Reply-To: <CAD5OKxtVtzahgk5xniXNvt-WvwNXZwcLau3PuKi1jnHrq4aZAA@mail.gmail.com>
References: <4F4759DC.7060303@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com> <CALiegfnkYVEpmPV-zSL_4wOY-HiFZN-qJCQCiioaS=5NaqhLZw@mail.gmail.com> <CAD5OKxvtOAxMBx6xDnyfTnEq76oDEm6uj1xL6wGjjrtKUAHy3g@mail.gmail.com> <CABcZeBNZiotPmCfT53uEo+O0xw4xv6tXW1M_G-3A5BHuncsduA@mail.gmail.com> <CAD5OKxvYOY5JZ2mYNGiH1poUBQkyOOycePFijH5H+SxtcdqujQ@mail.gmail.com> <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com> <CAD5OKxvZbEJ7sV4WPAYoQapzMR_QwAftj-oKg=ioMKHNT792wQ@mail.gmail.com> <6F428EFD2B8C2F49A2FB1317291A76C113563C5A92@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <CALiegf=jtkDCS_D0ZFe9UpbiadQ0vsJ+4MppQSbLr-wbaXNrfQ@mail.gmail.com> <BLU169-W29E5B86F9E2C6F3126961C93420@phx.gbl> <CALiegfk2aT+6Psr4nT-hG1G7eYRBfFCcT+25On2O4HfUXJ6-ng@mail.gmail.com> <CAD6AjGSmi9j+sdGWPts20-iwGvGij05ek0OKYEPULC6B=aFpQg@mail.gmail.com> <6F428EFD2B8C2F49A2FB1317291A76C113564482A7@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <CAD5OKxvuEV8Vbq3h7=ZgcKmREjmguvz5n-SpXr2n-EY7a_ddxg@mail.gmail.com> <CALiegfk1ozOKPcDjbd3H_z2Edzh4RcZpYyJSWdw_1DJ04muQXA@mail.gmail.com> <CAD5OKxu8-+0O0=eE7mD1hi=nPUpEXczGj=bRNQCQL1BW8c-c-Q@mail.gmail.com> <52789D17-F7C7-401B-B2E8-6FE3BC5D7CB7@phonefromhere.com> <CAD5OKxtVtzahgk5xniXNvt-WvwNXZwcLau3PuKi1jnHrq4aZAA@mail.gmail.com>
From: Iñaki Baz Castillo <ibc@aliax.net>
Date: Mon, 19 Mar 2012 20:47:41 +0100
Message-ID: <CALiegf=xt1wAx8eid1M=wY0-wetmi9FOX+PoRF3iFd5UXmRgSA@mail.gmail.com>
To: Roman Shpount <roman@telurix.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>

2012/3/19 Roman Shpount <roman@telurix.com>:
> Once again, my point was that the application developer would need to properly
> develop the signaling application (i.e. deliver it over HTTPS; don't put
> encryption keys into something that is easily accessible, etc). Unless a
> lot of care is taken, SDES-SRTP is not secure.

Again, in the airport with open WiFi:

- If you use SDES-SRTP and HTTPS (or secure WebSocket), so that the SDES
keys are not interceptable on the WiFi network, you can be sure that no one
in the airport can monitor your media (I assume the server is not
hacked by a person in the same airport!).

- If you use plain RTP you know that everyone in the airport can
monitor your media (regardless of whether there is TLS in the signaling
path or not).



> Why do we need to support SDES-SRTP at all?

In conjunction with a secure signaling path (HTTPS or secure
WebSocket), IMHO it provides a reasonable security level for avoiding
media interception.



> I do not understand the
> arguments that say RTP is bad, but SDES-SRTP is ok.

Replied above.



> If you need interop, RTP
> is your best option. If you need security DTLS-SRTP is your answer.
> SDES-SRTP does not serve either purpose well.

I'm not a fan of SDES-SRTP, I just say that IMHO it can provide a good
security level.

The only thing I say is that there is no reason for allowing plain RTP other
than interop with old/legacy SIP devices (those whose vendors have
decided not to implement SRTP, a spec from 2004). Is there any other
case in which using plain RTP within the WebRTC context is better than
using SRTP?


Regards.


-- 
Iñaki Baz Castillo
<ibc@aliax.net>
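The three cases argued over in this thread differ in what an observer of the signaling channel learns from the SDP offer: with plain RTP the media is in the clear regardless of signaling; with SDES-SRTP (RFC 4568 a=crypto) the SRTP master key and salt travel inside the SDP, so a plaintext signaling path hands them to anyone on the WiFi; with DTLS-SRTP the SDP carries only a certificate fingerprint and the key is derived in the DTLS handshake on the media path. The script below is an added example, not code from the mailing-list post or from any WebRTC implementation: it parses constructed SDP offers for each case, extracts any inline SDES key material, and classifies the offer. The SDP text, the toy key (bytes 0..29) and the fingerprint are all constructed for illustration and are not real session material.

```python
"""Added example: what an SDP offer exposes to whoever can read the signaling.
Recognises plain RTP, SDES-SRTP (RFC 4568 a=crypto) and DTLS-SRTP (a=fingerprint).
All SDP, keys and fingerprints below are constructed for illustration."""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Master key / master salt sizes in bytes. RFC 4568 defines the AES_CM_128
# suites; RFC 6188 adds the AES_256 ones. Key||salt is base64-encoded inline.
SUITE_KEY_SIZES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "AES_256_CM_HMAC_SHA1_80": (32, 14),
    "AES_256_CM_HMAC_SHA1_32": (32, 14),
}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)")
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+)\s+(\S+)")
MEDIA_RE = re.compile(r"^m=\S+\s+\d+\s+(\S+)")


@dataclass
class SdesKey:
    tag: int
    suite: str
    master_key: bytes
    master_salt: bytes
    lifetime: Optional[str] = None
    mki: Optional[str] = None


@dataclass
class SignalingView:
    """What a reader of the SDP (e.g. on an unencrypted signaling path) obtains."""
    profile: str
    sdes_keys: List[SdesKey] = field(default_factory=list)
    fingerprint: Optional[str] = None

    def media_key_in_signaling(self) -> bool:
        return bool(self.sdes_keys)

    def classify(self) -> str:
        if self.profile in ("RTP/AVP", "RTP/AVPF"):
            return "plain-rtp"   # media itself is unencrypted
        if self.sdes_keys:
            return "sdes-srtp"   # media encrypted, but the key rides in signaling
        if "SAVP" in self.profile and self.fingerprint:
            return "dtls-srtp"   # SDP holds only a cert fingerprint; key comes from DTLS
        return "unknown"


def parse_sdes_key(line: str) -> SdesKey:
    """Parse one 'a=crypto:<tag> <suite> inline:<b64>[|lifetime][|MKI:len]' line."""
    m = CRYPTO_RE.match(line)
    if not m:
        raise ValueError(f"not an inline a=crypto line: {line!r}")
    tag, suite, key_params = int(m.group(1)), m.group(2), m.group(3)
    if suite not in SUITE_KEY_SIZES:
        raise ValueError(f"unsupported crypto-suite {suite}")
    parts = key_params.split("|")
    blob = base64.b64decode(parts[0])
    key_len, salt_len = SUITE_KEY_SIZES[suite]
    if len(blob) != key_len + salt_len:
        raise ValueError(f"{suite}: expected {key_len + salt_len} bytes, got {len(blob)}")
    lifetime = mki = None
    for p in parts[1:]:          # MKI is 'value:length'; lifetime has no colon
        if ":" in p:
            mki = p
        else:
            lifetime = p
    return SdesKey(tag, suite, blob[:key_len], blob[key_len:], lifetime, mki)


def inspect_offer(sdp: str) -> SignalingView:
    profile, keys, fingerprint = "unknown", [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if (m := MEDIA_RE.match(line)):
            profile = m.group(1)
        elif line.startswith("a=crypto:"):
            keys.append(parse_sdes_key(line))
        elif (m := FINGERPRINT_RE.match(line)):
            fingerprint = f"{m.group(1)} {m.group(2)}"
    return SignalingView(profile, keys, fingerprint)


# Constructed offers. The toy key is bytes 0..29 (16-byte key || 14-byte salt);
# the fingerprint is a made-up hex string of the right length.
_TOY_KEY_B64 = base64.b64encode(bytes(range(30))).decode()
_TOY_FP = ":".join(f"{b:02X}" for b in range(32))
_HEAD = "v=0\no=- 1 1 IN IP4 192.0.2.10\ns=-\nt=0 0\n"
PLAIN_RTP_OFFER = _HEAD + "m=audio 49170 RTP/AVP 0\nc=IN IP4 192.0.2.10\na=rtpmap:0 PCMU/8000\n"
SDES_OFFER = _HEAD + ("m=audio 49170 RTP/SAVP 0\nc=IN IP4 192.0.2.10\n"
                      f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{_TOY_KEY_B64}|2^20|1:32\n"
                      "a=rtpmap:0 PCMU/8000\n")
DTLS_OFFER = _HEAD + ("m=audio 49170 UDP/TLS/RTP/SAVP 0\nc=IN IP4 192.0.2.10\n"
                      f"a=setup:actpass\na=fingerprint:sha-256 {_TOY_FP}\na=rtpmap:0 PCMU/8000\n")

if __name__ == "__main__":
    for name, sdp in (("plain RTP", PLAIN_RTP_OFFER), ("SDES-SRTP", SDES_OFFER), ("DTLS-SRTP", DTLS_OFFER)):
        v = inspect_offer(sdp)
        print(f"{name:10} -> {v.classify():10} key in signaling: {v.media_key_in_signaling()}")
        for k in v.sdes_keys:
            print(f"  plaintext-signaling observer gets key={k.master_key.hex()} salt={k.master_salt.hex()}")
```

Run stand-alone it prints one line per offer; only the SDES-SRTP offer yields a master key and salt, which is exactly why the thread ties SDES-SRTP's security to HTTPS or secure WebSocket on the signaling path, while for DTLS-SRTP the same observer sees nothing that decrypts media.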