Re: [rtcweb] Security Architecture: IdP for RTP and RTCP

Dan Wing <dwing@cisco.com> Tue, 08 July 2014 23:31 UTC

To: Bernard Aboba <bernard.aboba@gmail.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/rtcweb/_LYNYdKfVCB4DmMj7vCyZXlCAaM
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>

On Jul 8, 2014, at 11:56 AM, Bernard Aboba <bernard.aboba@gmail.com> wrote:

> Martin said: 
> 
> "I think that the way that we manage identity in a multi-party
> situation probably needs something different to that.  I don't see any
> particular value in terminating RTCP when you aren't also terminating
> RTP, the two are far too tightly coupled.  They shouldn't really have
> been given different names in the first place."
> 
> [BA] You might want to take a look at the following drafts which will be discussed in AVTCORE: 
> http://tools.ietf.org/html/draft-mattsson-avtvore-cloud-conferencing-use-case
> http://tools.ietf.org/html/draft-cheng-srtp-cloud

Related, "Requirements for Secure RTP Media Switching", http://tools.ietf.org/html/draft-ismail-avtcore-media-req

-d


> 
> On Tue, Jul 8, 2014 at 11:09 AM, Martin Thomson <martin.thomson@gmail.com> wrote:
> On 8 July 2014 10:54, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> > In the situation where RTP and RTCP are not multiplexed, distinct DTLS
> > transports and DTLS/SRTP key exchanges would occur for RTP and RTCP.
> >
> > In looking for guidance within the security architecture document, some
> > questions came to mind:
> >
> > a. Are the certificates used for RTP and RTCP DTLS Transports necessarily
> > the same on both the local and remote side? If they are supposed to be the
> > same, what happens if they aren't?
> 
> The certificates can be different.  As you might recall, one of the
> issues that we discussed was the possibility of having different
> a=fingerprint attributes on different m-lines, as well as having
> alternative a=fingerprint lines on the same m-lines.
> 
> The current draft handles this by covering multiple fingerprints by
> the identity assertion.
> 
> > b. Can different identities be asserted for the RTP and RTCP DTLS
> > Transports? Does this make sense in some circumstances? If so, when?
> 
> a=identity is a session-level attribute and there should (MUST?) only
> be one.  So no.  And I can think of any case where this makes sense in
> much the same way that having unmultiplexed RTP/RTCP doesn't make
> sense any more (if it ever did).
> 
> > The WebRTC 1.0 API Section 8.3 seems to indicate that this should always be
> > the case:
> >
> > "It is possible that different values for the "a=identity" attribute is
> > provided at a media level in SDP. A browser may either choose to treat this
> > as an error or ignore the attribute. If multiple different assertions are
> > validated, then they must produce identical identity values."
> 
> This is out of date.  I've sent the editors a pull request to have that fixed.
> 
> > However, I am wondering whether there can be legitimate cases where a
> > browser communicating with a gateway or SFU might encounter distinct
> > identities or certificates for RTP and RTCP.  For example, could an SFU
> > potentially terminate RTCP but not RTP, in which case the certificates and
> > asserted identities might be different between RTP and RTCP?
> 
> I think that the way that we manage identity in a multi-party
> situation probably needs something different to that.  I don't see any
> particular value in terminating RTCP when you aren't also terminating
> RTP, the two are far too tightly coupled.  They shouldn't really have
> been given different names in the first place.
> 
> > The WebRTC 1.0 spec seems to indicate that this should be treated as a fatal
> > error, but I'm wondering whether the browser shouldn't be "strict in what it
> > sends but liberal in handling what it receives" by just using the identity
> > and certificates for RTP, and ignoring the RTCP identities.  Trying to
> > inform the user about different asserted identities for RTP and RTCP seems
> > way too complicated to even be worth considering.
> 
> BTW, I wish that "liberal in what you permit" meme would go away.  I
> haven't found it to be particularly useful, except as a fatalistic
> acknowledgement of the messy end state that is the Internet.
> 
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
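
An added example, not part of the original thread or of any draft text: a Python check that every a=fingerprint in an SDP, at session or media level, is covered by the single session-level a=identity assertion, which is the arrangement Martin Thomson describes in the quoted reply. The SDP, the shortened digests and the `ASSERTED` set (standing in for what an IdP returns after validating the assertion) are constructed, and reporting a media-level a=identity as a problem is an assumed policy.

```python
# Added example. The SDP and digests are constructed (shortened, not real hashes).
SAMPLE_SDP = """\
v=0
o=- 1 1 IN IP4 192.0.2.1
s=-
t=0 0
a=identity:CONSTRUCTED-ASSERTION
m=audio 9 UDP/TLS/RTP/SAVPF 0
a=fingerprint:sha-256 AA:01:02:03
m=video 9 UDP/TLS/RTP/SAVPF 96
a=fingerprint:sha-256 BB:04:05:06
a=fingerprint:sha-1 cc:07:08:09
"""

def parse_sdp(sdp):
    """Collect (section, value) for a=identity and (section, alg, digest) for a=fingerprint."""
    section, m_index = "session", -1
    identities, fingerprints = [], []
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):          # a new media section begins
            m_index += 1
            section = f"m{m_index}"
        elif line.startswith("a=identity:"):
            identities.append((section, line.split(":", 1)[1]))
        elif line.startswith("a=fingerprint:"):
            alg, _, digest = line.split(":", 1)[1].partition(" ")
            fingerprints.append((section, alg.lower(), digest.strip().upper()))
    return identities, fingerprints

def check_identity_binding(sdp, asserted):
    """Return a list of problems; an empty list means every fingerprint is covered.

    `asserted` is the set of (alg, digest) pairs the validated assertion covers;
    it is supplied directly here, standing in for the IdP's validation result.
    """
    identities, fingerprints = parse_sdp(sdp)
    problems = []
    session_level = [v for s, v in identities if s == "session"]
    if len(session_level) != 1:
        problems.append(f"expected one session-level a=identity, found {len(session_level)}")
    # Assumed policy: a=identity below session level is reported, not silently ignored.
    problems += [f"{s}: a=identity at media level" for s, _ in identities if s != "session"]
    covered = {(a.lower(), d.upper()) for a, d in asserted}
    for s, alg, digest in fingerprints:
        if (alg, digest) not in covered:
            problems.append(f"{s}: {alg} {digest} not covered by the assertion")
    return problems

ASSERTED = {("sha-256", "AA:01:02:03"), ("sha-256", "BB:04:05:06"), ("sha-1", "CC:07:08:09")}
```

A transport that presents a certificate outside the asserted set, such as a separately terminated RTCP leg, shows up as an uncovered fingerprint in the returned list.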