[rtcweb] Mandating encryption of RTP header extensions for MID and RID SDES items
Magnus Westerlund <magnus.westerlund@ericsson.com> Thu, 06 October 2016 13:55 UTC
To: "rtcweb@ietf.org" <rtcweb@ietf.org>
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
Message-ID: <e536bad2-08b1-4f77-8c75-6bc3b639c398@ericsson.com>
Date: Thu, 06 Oct 2016 15:55:07 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtcweb/Xqxg_qcXW9fqj0-goWac9YSVFhw>
WG,

After discussion in AVTEXT and MMUSIC regarding the inclusion of MID and RID as SDES items that this does expose labels that previously only have existed in the signalling plane in the media plane. And especially in the RTP header extensions, where even if the media payload is encrypted the header extension is not encrypted. The risk with this is primarily a privacy and fingerprinting risk. And the proposed mitigation is encryption of the RTP header extensions in both the bundle and avtext-rid documents.

This leads to the conclusion that for RTCWeb, we must consider to act on these recommendations and decide on which implementation and usage requirement the protection of these fields should have.

My proposal is that implementation and use of RFC6904 encryption of the RTP header extensions are REQUIRED.

For RTCP it is actually unclear if it is mandatory to use encrypted SRTCP. I think it should be required and that can be clarified in Section 5.5 of draft-ietf-rtcweb-security-arch.

Opinions?

Cheers

Magnus Westerlund

----------------------------------------------------------------------
Services, Media and Network features, Ericsson Research EAB/TXM
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Färögatan 6                 | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
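The exposure described in the message above, as an added example that is not part of the original post: a parser for the one-byte RTP header extension form showing that MID and RID values sit outside the encrypted payload when RFC 6904 is not applied. The packet is constructed, and the extension IDs 3 and 4 are assumed extmap values; real IDs are negotiated per session in SDP.

```python
import struct

ONE_BYTE_PROFILE = 0xBEDE  # marker for the one-byte header extension form
# Assumed extmap for this example; real IDs come from the session's SDP.
EXTMAP = {3: "urn:ietf:params:rtp-hdrext:sdes:mid",
          4: "urn:ietf:params:rtp-hdrext:sdes:rtp-stream-id"}

def cleartext_extensions(packet: bytes) -> dict:
    """Return {ext_id: value} for one-byte header extension elements."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    if not packet[0] & 0x10:                  # X bit clear: no extension
        return {}
    offset = 12 + 4 * (packet[0] & 0x0F)      # fixed header plus CSRC list
    if len(packet) < offset + 4:
        raise ValueError("truncated extension header")
    profile, words = struct.unpack_from("!HH", packet, offset)
    body = packet[offset + 4: offset + 4 + 4 * words]
    if len(body) != 4 * words:
        raise ValueError("truncated extension body")
    if profile != ONE_BYTE_PROFILE:
        return {}
    found, i = {}, 0
    while i < len(body):
        ext_id, length = body[i] >> 4, (body[i] & 0x0F) + 1
        if ext_id == 0:                       # padding byte between elements
            i += 1
            continue
        if ext_id == 15 or i + 1 + length > len(body):
            break                             # reserved ID or overrun: stop
        found[ext_id] = body[i + 1: i + 1 + length]
        i += 1 + length
    return found

def observer_view(packet: bytes, extmap: dict = EXTMAP) -> dict:
    """Labels an on-path observer reads without any SRTP key."""
    return {extmap[k]: v.decode("ascii", "replace")
            for k, v in cleartext_extensions(packet).items() if k in extmap}

def build_sample() -> bytes:
    """Constructed packet: MID 'audio0', RID 'hi', opaque 32-byte payload."""
    elems = bytes([(3 << 4) | 5]) + b"audio0" + bytes([(4 << 4) | 1]) + b"hi"
    elems += b"\x00" * (-len(elems) % 4)      # pad to a 32-bit boundary
    header = struct.pack("!BBHII", 0x90, 111, 1, 160, 0x1234ABCD)
    ext = struct.pack("!HH", ONE_BYTE_PROFILE, len(elems) // 4) + elems
    return header + ext + bytes(range(32))    # stand-in for SRTP ciphertext

if __name__ == "__main__":
    print(observer_view(build_sample()))
```
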