IETF Logo Mail Archive

Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

Dan Wing <dwing@cisco.com> Mon, 06 May 2013 15:38 UTC

Return-Path: <dwing@cisco.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 354CF21F89DE for <rtcweb@ietfa.amsl.com>; Mon, 6 May 2013 08:38:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id teyc248sOiOo for <rtcweb@ietfa.amsl.com>; Mon, 6 May 2013 08:38:52 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id 3EB3C21F8596 for <rtcweb@ietf.org>; Mon, 6 May 2013 08:38:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4364; q=dns/txt; s=iport; t=1367854732; x=1369064332; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=M4YgIXXScMsMzKGE5u8iBjlTZCIWn3lQdRbYDmlBu1Q=; b=G7VHISeYxNxWzjXXdpIIQTVpasGcXgmjZydb2HcbW6oJ3PgbrT//H7gB gZBTyEc5OrHrwD27O0F8LG5Fba9sJKvX61577RhoXqDpGYDmD5IEveNq5 8SZKovRB7EKuTX2D99sxu+V02s/weUUvfw8AT8b/aduALFPP04U27V+V3 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ag4FACzNh1GrRDoI/2dsb2JhbAA6DQmDBze+fIECFnSCHwEBAQIBAQEBAWsLBQcECxEEAQEBExQHJx8JCAYTCRKHawUNv2KNZw+BCDMHBoJsYQOJGopFg0+GF4sdgy0c
X-IronPort-AV: E=Sophos;i="4.87,622,1363132800"; d="scan'208";a="77859507"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-3.cisco.com with ESMTP; 06 May 2013 15:38:49 +0000
Received: from [10.32.240.194] ([10.32.240.194]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id r46FclKD004605; Mon, 6 May 2013 15:38:48 GMT
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 6.3 \(1503\))
From: Dan Wing <dwing@cisco.com>
In-Reply-To: <F3005B7CDE1DA5498B794C655CE1641E0885DB@GENSJZMBX03.msg.int.genesyslab.com>
Date: Mon, 06 May 2013 08:38:47 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <0AE0AD36-C111-4582-A0C3-0BB4045C168D@cisco.com>
References: <3FA2E46D-C98E-4FC0-9F1D-AD595A861CE1@iii.ca> <74300615-2293-4DCE-82A7-475F1A5A8256@gmail.com> <91B4F744-2201-4361-A8D8-7D36F47B865C@cisco.com> <CALiegfnqW26gEMYNpjJyzu=Nd6z9wCjvZbuY1N2tYvbfQiHyPA@mail.gmail.com> <95219856-8365-4A7E-BD0B-4EECE8868498@phonefromhere.com> <517A820F.9050807@alvestrand.no> <22E6A779-1573-4EDE-82D6-B1A831CE4833@cisco.com> <F3005B7CDE1DA5498B794C655CE1641E088481@GENSJZMBX03.msg.int.genesyslab.com> <9D36A7FF-DFF0-4CDC-A4D2-01159FA246AA@cisco.com> <F3005B7CDE1DA5498B794C655CE1641E0885DB@GENSJZMBX03.msg.int.genesyslab.com>
To: Henry Lum <Henry.Lum@genesyslab.com>
X-Mailer: Apple Mail (2.1503)
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 May 2013 15:38:58 -0000

On May 6, 2013, at 8:28 AM, Henry Lum <Henry.Lum@genesyslab.com> wrote:

> To clarify, the case where contact center does not control an endpoint recording a call, recording would happen on a media bridge (a SIP B2BUA) in the contact center. Using DTLS-SRTP can prove that it is a media bridge from the contact center while SDES does not as you pointed out. 
> 
> Does EKT provide any benefit in this case?

No, EKT doesn't provide strong identity unless the SRTP keying provides strong identity (e.g., MIKEY-RSA, DTLS-SRTP).

-d


> 
> Henry
> 
> -----Original Message-----
> From: Dan Wing [mailto:dwing@cisco.com] 
> Sent: May-06-13 10:57 AM
> To: Henry Lum
> Cc: Harald Alvestrand; rtcweb@ietf.org
> Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
> 
> 
> On May 6, 2013, at 7:30 AM, Henry Lum <Henry.Lum@genesyslab.com> wrote:
> 
>> Chiming in late.
>> 
>> Speaking from a contact center perspective, a lot of calls are required to be recorded. In order to allow active recording (such as SIPREC), the contact center has to provide a media endpoint for bridging media so that a copy of the media can be created. The users will have to trust the contact center to handle the media anyways, and the media must be decrypted and re-encrypted by some media element within the contact center to perform recording. To me DTLS-SRTP-EKT does not provide any additional benefit over SDES for this type of use case.
> 
> Only DTLS-SRTP proves the call is actually to the call center (bank, stock broker, reservation company).  Security Descriptions cannot prove the call is actually to the call center.  That's a big difference in security to know the call is terminated at the call center (which does call recording or whatever it needs to do), versus trusting every SIP hop along the path to not record the media, not inject audio ("buy 100 shares" turned into "buy 100 thousand shares"), and to not lie about where media terminates.  Both can be recorded by the call center, which is one of the parties involved with the call.
> 
> -d
> 
> 
> 
>> 
>> Regards,
>> Henry 
>> 
>> -----Original Message-----
>> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf Of Dan Wing
>> Sent: April-26-13 9:57 AM
>> To: Harald Alvestrand
>> Cc: rtcweb@ietf.org
>> Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
>> 
>> 
>> On Apr 26, 2013, at 6:33 AM, Harald Alvestrand <harald@alvestrand.no> wrote:
>> 
>>> On 04/26/2013 03:16 PM, Tim Panton wrote:
>>>> 
>>>> On 26 Apr 2013, at 12:37, Iñaki Baz Castillo wrote:
>>>> 
>>>>> Such a solution requires a very expensive gateway. Good for vendors but bad for all the rest.
>>>>> 
>>>> 
>>>> I don't understand why the DTLS gateway would be so expensive. It is _exactly_ the same
>>>> (conceptually) as the ICE processing - you filter off a few UDP packets from the stream, do some
>>>> stuff, send replies then once you are happy you punt some dynamic settings back up to the (s)rtp
>>>> layer.
>>> 
>>> So you're saying that the gateway doesn't have to decrypt and re-encrypt the packets?
>> 
>> Correct - the gateway does not have to decrypt and re-encrypt the SRTP packets.  The gateway only has to interwork the signaling between SDES and DTLS-SRTP-EKT.  Such signaling interworking is necessary when the call is initially set up and when the SRTP key is changed (e.g., a new person joins a call using their own key, or the SRTP key is exhausted [pretty unlikely, even with video]).  This was summarized in http://www.ietf.org/proceedings/83/slides/slides-83-rtcweb-3.pdf
>> 
>> 
>>> 
>>> I think EKT may be a problem, as Inaki pointed out, but I have less qualms about supporting DTLS and making it optional to use EKT on some calls than I have about mandating support for SDES.
>> 
>> -d
>> 
>> 
>>> _______________________________________________
>>> rtcweb mailing list
>>> rtcweb@ietf.org
>>> https://www.ietf.org/mailman/listinfo/rtcweb
>> 
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb
>> 
> 
>

v2.23.0 | Report a Bug | By Email