IETF Logo Mail Archive

Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

"Ejzak, Richard P (Richard)" <richard.ejzak@alcatel-lucent.com> Tue, 30 April 2013 15:14 UTC

Return-Path: <richard.ejzak@alcatel-lucent.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3EF821F9AD4 for <rtcweb@ietfa.amsl.com>; Tue, 30 Apr 2013 08:14:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Level:
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g4wIHEKSVf+H for <rtcweb@ietfa.amsl.com>; Tue, 30 Apr 2013 08:14:16 -0700 (PDT)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id 6F6D221F9BE3 for <rtcweb@ietf.org>; Tue, 30 Apr 2013 08:14:16 -0700 (PDT)
Received: from us70tusmtp2.zam.alcatel-lucent.com (h135-5-2-64.lucent.com [135.5.2.64]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id r3UFECwq007628 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 30 Apr 2013 10:14:13 -0500 (CDT)
Received: from US70TWXCHHUB04.zam.alcatel-lucent.com (us70twxchhub04.zam.alcatel-lucent.com [135.5.2.36]) by us70tusmtp2.zam.alcatel-lucent.com (GMO) with ESMTP id r3UFEA1p030376 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 30 Apr 2013 11:14:12 -0400
Received: from US70UWXCHMBA05.zam.alcatel-lucent.com ([169.254.10.44]) by US70TWXCHHUB04.zam.alcatel-lucent.com ([135.5.2.36]) with mapi id 14.02.0247.003; Tue, 30 Apr 2013 11:14:08 -0400
From: "Ejzak, Richard P (Richard)" <richard.ejzak@alcatel-lucent.com>
To: Salvatore Loreto <salvatore.loreto@ericsson.com>
Thread-Topic: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
Thread-Index: AQHOQ19D/Cgh8/1Iw0eB7cqfjULVv5jtM2PAgAFh+gCAAEqnYA==
Date: Tue, 30 Apr 2013 15:14:07 +0000
Message-ID: <03FBA798AC24E3498B74F47FD082A92F3BB9D535@US70UWXCHMBA05.zam.alcatel-lucent.com>
References: <BLU402-EAS17255F45B0904B070F0D43093B00@phx.gbl> <03FBA798AC24E3498B74F47FD082A92F3BB9C0F6@US70UWXCHMBA05.zam.alcatel-lucent.com> <517F658E.8010204@ericsson.com>
In-Reply-To: <517F658E.8010204@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.5.27.16]
Content-Type: multipart/alternative; boundary="_000_03FBA798AC24E3498B74F47FD082A92F3BB9D535US70UWXCHMBA05z_"
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2013 15:14:24 -0000

Hi Salvatore,
“are you proposing that when/if we will eventually use SDES we have to assure that the key exchanged
is the same key used by the DTLS session, on top of which runs Datachannel?” is a reasonable interpretation of what I am proposing, although I would have described this as my “preference” rather than a concrete proposal.  We could mix SDES for voice/video with DTLS for DataChannels in these scenarios, but an all-SDES approach (for keying) would be more efficient.

I know that this option is not currently defined, although it does seem technically feasible (which is why I asked to ekr to comment).

BR, Richard

From: Salvatore Loreto [mailto:salvatore.loreto@ericsson.com]
Sent: Tuesday, April 30, 2013 1:33 AM
To: Ejzak, Richard P (Richard)
Cc: Bernard Aboba; rtcweb@ietf.org
Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

Hi Richard

I think that we have two aspects here that we have to consider and see what the working group opinion is about them:
the first is related to the use cases you are describing below in your mail..
the second is related to what means or should mean "to have an SDES option for DataChannel"

here I am considering only the latter trying to understand if

as you know the DataChannels run directly on top of the DTLS stack, so it is the DTLS sessios as such
that provides security, confidentiality etc etc..
SRTP relies on an external key management protocol to set up the key necessary to perform the job,
and SDES is just a possible exchange method.

so when you propose "to have an SDES option for DataChannel"
are you proposing that when/if we will eventually use SDES we have to assure that the key exchanged
is the same key used by the DTLS session, on top of which runs Datachannel?
or is something different ? if this is the case can you explain it?

br

/Sal



On 4/29/13 4:40 PM, Ejzak, Richard P (Richard) wrote:
I responded to this question earlier so didn’t want to repeat myself, but see now that it was either missed or otherwise not accepted.

Quoting my earlier email from 4/25:


“Legacy devices support more than just audio and video media.  We will need to occasionally transport protocols like T.140, MSRP, BFCP, and/or RTSP in some cases, and the primary options are to transport them over DataChannels or WebSockets.  A network server will be needed to do transport level interworking, of course.  It would be useful in these cases to have an SDES option for DataChannels.  Not essential, but useful.  End-to-end security is not even an issue in this case due to the need for transport level interworking.”

After further consideration, I don’t currently see a use case for RTSP, but I still do for the others.  If we have a legacy endpoint doing T.140 and audio, for example, it would be useful to be able to multiplex the audio together with T.140/DC at the browser, and to put a box in the network to adapt them as necessary for the legacy endpoint (decode, demux, DC-to-RTP i/w for T.140, possibly transcoding).  SDES for DC just makes this easier to do.

From: rtcweb-bounces@ietf.org<mailto:rtcweb-bounces@ietf.org> [mailto:rtcweb-bounces@ietf.org] On Behalf Of Bernard Aboba
Sent: Saturday, April 27, 2013 10:53 AM
To: Salvatore Loreto
Cc: rtcweb@ietf.org<mailto:rtcweb@ietf.org>
Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb

I don't understand it either.

Salvatore Loreto <salvatore.loreto@ericsson.com<mailto:salvatore.loreto@ericsson.com>> wrote:

I am also puzzled about the request for SDES also in DataChannel.

/Salvatore

On 4/26/13 2:35 PM, Iñaki Baz Castillo wrote:

SDES is obviously requested for legacy interop at RTP layer. Why do we need SDES in DataChannel if this is a complete new technology?

--
Iñaki Baz Castillo
<ibc@aliax.net<mailto:ibc@aliax.net>>
El 25/04/2013 23:55, "Ejzak, Richard P (Richard)" <richard.ejzak@alcatel-lucent.com<mailto:richard.ejzak@alcatel-lucent.com>> escribió:
I also agree that we should support SDES in addition to DTLS-SRTP.

This raises a further question about SCTP/DTLS for DataChannels.  It seems that if we support SDES-SRTP, don't we also need to provide an SDES keying mechanism for DataChannels?  Ekr: What is needed to realize this?

Richard Ejzak

> -----Original Message-----
> From: rtcweb-bounces@ietf.org<mailto:rtcweb-bounces@ietf.org> [mailto:rtcweb-bounces@ietf.org<mailto:rtcweb-bounces@ietf.org>] On
> Behalf Of Matthew Kaufman (SKYPE)
> Sent: Thursday, April 25, 2013 3:28 PM
> To: Bogineni, Kalyani; 'Cullen Jennings'; rtcweb@ietf.org<mailto:rtcweb@ietf.org>
> Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
>
> I agree. The ability to set the cipher suite and keys from JavaScript
> is critical for certain applications. SDES is the best we'll get with
> SDP as the API. DTLS-SRTP-only would be unacceptably limiting.
>
> Matthew Kaufman
>
> > -----Original Message-----
> > From: rtcweb-bounces@ietf.org<mailto:rtcweb-bounces@ietf.org> [mailto:rtcweb-bounces@ietf.org<mailto:rtcweb-bounces@ietf.org>] On
> > Behalf Of Bogineni, Kalyani
> > Sent: Thursday, April 25, 2013 1:21 PM
> > To: 'Cullen Jennings'; rtcweb@ietf.org<mailto:rtcweb@ietf.org>
> > Subject: Re: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
> >
> > We would like to support the use of SDES as a keying method for
> WebRTC.
> >
> > Kalyani Bogineni
> > Verizon
> >
> > -----Original Message-----
> > From: rtcweb-bounces@ietf.org<mailto:rtcweb-bounces@ietf.org> [mailto:rtcweb-bounces@ietf.org<mailto:rtcweb-bounces@ietf.org>] On
> > Behalf Of Cullen Jennings
> > Sent: Thursday, April 25, 2013 11:57 AM
> > To: rtcweb@ietf.org<mailto:rtcweb@ietf.org>
> > Subject: [rtcweb] SDP Security Descriptions (RFC 4568) and RTCWeb
> >
> >
> > The working groups committed some time ago to have a further
> > discussion on whether SDP Security Descriptions (RFC 4568 aka SDES)
> > would be usable as a keying method for WebRTC.  As we prepare for
> that
> > discussion, we'd like to have expressions of interest or support for
> > that approach which indicate the general outlines of support
> proposed.
> > If you wish to make such an expression of support, please send it to
> the chairs or the list.
> >
> > Cullen, Magnus, & Ted <The Chairs>
> >
> >

v2.23.0 | Report a Bug | By Email