IETF Logo Mail Archive

Re: [rtcweb] SRTP not mandatory-to-use

"Olle E. Johansson" <oej@edvina.net> Thu, 05 January 2012 20:35 UTC

Return-Path: <oej@edvina.net>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAEF121F8870 for <rtcweb@ietfa.amsl.com>; Thu, 5 Jan 2012 12:35:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.007
X-Spam-Level:
X-Spam-Status: No, score=-1.007 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992, J_CHICKENPOX_16=0.6]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QPZdqZEd6cm2 for <rtcweb@ietfa.amsl.com>; Thu, 5 Jan 2012 12:35:00 -0800 (PST)
Received: from smtp7.webway.se (smtp7.webway.se [IPv6:2a02:920:212e::205]) by ietfa.amsl.com (Postfix) with ESMTP id D7A5421F85D0 for <rtcweb@ietf.org>; Thu, 5 Jan 2012 12:34:58 -0800 (PST)
Received: from [192.168.40.4] (unknown [87.96.134.129]) by smtp7.webway.se (Postfix) with ESMTPA id C83DD754A8A3; Thu, 5 Jan 2012 20:34:56 +0000 (UTC)
Mime-Version: 1.0 (Apple Message framework v1251.1)
Content-Type: text/plain; charset="iso-8859-1"
From: "Olle E. Johansson" <oej@edvina.net>
In-Reply-To: <BLU152-W533F1DA98B3F04C5EC142E93970@phx.gbl>
Date: Thu, 05 Jan 2012 08:54:56 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <FCADD9FB-D187-421D-B203-934DD456369E@edvina.net>
References: <CAErhfrwu322=HTS0JZhum9EGfb73KmYS6CU_KMESyzEWhtvg2w@mail.gmail.com>, <CABcZeBOeg-O+6===5tk0haxC8nLxUQyEUFRES2FAoFEf00fKng@mail.gmail.com>, <CAErhfrxTKdo7Z+61x5ZcDt5ZM7C7ob5LNxMzwng_kk3Uqrp2_Q@mail.gmail.com>, <4F01A790.4060704@alvestrand.no>, <4F02A061.60905@jesup.org>, <E44893DD4E290745BB608EB23FDDB762141EF8@008-AM1MPN1-042.mgdnok.nokia.com>, <4F035DD5.3050305@jesup.org>, <CAOJ7v-1dziaA_ePCuMxjn6uhBgOH=ZVybUmLBwQi5qiuyOzDMA@mail.gmail.com>, <BLU152-W469B2EB104C104547FC42393960@phx.gbl>, <CA+9kkMBwyUMAdDyQaYZBx0NYvoe3RV+VVKxzqNCC5Ui6xNdsOA@mail.gmail.com> <BLU152-W533F1DA98B3F04C5EC142E93970@phx.gbl>
To: Bernard Aboba <bernard_aboba@hotmail.com>
X-Mailer: Apple Mail (2.1251.1)
Cc: randell-ietf@jesup.org, rtcweb@ietf.org
Subject: Re: [rtcweb] SRTP not mandatory-to-use
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Jan 2012 20:35:00 -0000

4 jan 2012 kl. 01:28 skrev Bernard Aboba:

> 
> Ted Hardie said: 
> 
> > I'm a little lost. In a gateway implemented in a back-to-back user
> > agent, won't you end up with the same illusion?
> > 
> > The case I think you're talking about is this:
> > 
> > UA--1<-Connection1->B2BUA/Gateway<-Connection-2->UA-2
> > 
> > Do you expect that the gateway would be refuse to use SRTP on one side
> > if it intended not to use it on the other? 
> 
> 
> [BA] If the SBC needed to enable communication with a legacy endpoint, then it
> might want to negotiate security compatible with that endpoint. 
> 
> Today there are PSTN gateways that support SRTP with SDES, but interop is 
> frequently an issue (I've had to debug interop issues countless times), so 
> I've often had to advise customers to turn SRTP off until an issue was resolved. 

Interoperability with SRTP has been an issue at several SIPits. But we do see a change,
we see huge improvements in the number of successful interoperability tests.

From the summary of the latest SIPit:

"** SRTP

All implementations supported SDES for SRTP key exchange.

Good interop with many different combinations of endpoints.

Some calls were left up for an extended period so that sequence number wrapping and roc increments were tested. Once the roc had changed the call was put on hold and resumed with success. In this situation new RTP streams with different SSRCs were created and the sequence number/roc combination re-generated thus proving that support for multiple SRTP contexts exists.

Debate surrounding how to signal 'best-effort crypto' continues. Some implementations choose to advertise RTP/AVP with a=crypto attributes and then go crypto if answer also has them and non-crypto if they do not. RTP/SAVP is used to signal the desire for mandatory crypto. Another approach observed was to repeat the same media line twice, once for crypto and once for non-crypto and rely on the receiving end to only accept one of them and port reject the other. In this case both m-lines had the same port number and payload number descriptions so if a receiving end accepted both then the originator would have no clue as to whether it was receiving crypto or non-crypto traffic."

https://www.sipit.net/SIPit29_summary

The first time I personally tested SRTP at SIpit we couldn't get any calls through across vendor boundaries...

We will have to bring Webrtc to SIPit for testing :-)

/O

v2.23.0 | Report a Bug | By Email