Re: [rtcweb] SBC hardware and SHA1

["Ravindran Parthasarathi" <pravindran@sonusnet.com>]

It is possible in SBC Hardware to provide DTLS-SRTP in case customer
asks for it. IMO, The performance impacts is based on individual SBC
Hardware architecture. 

 

Thanks

Partha

 

From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf
Of Eric Rescorla
Sent: Saturday, October 01, 2011 12:41 AM
To: Hadriel Kaplan
Cc: <rtcweb@ietf.org>
Subject: Re: [rtcweb] SBC hardware and SHA1

 

 

On Fri, Sep 30, 2011 at 9:39 AM, Hadriel Kaplan <HKaplan@acmepacket.com>
wrote:

 

On Sep 30, 2011, at 2:36 AM, Olle E. Johansson wrote:





Hadriel,

While on the topic of the hardware, I would like to ask how these
systems handle DTLS and SRTP.

 

Assuming you mean terminating the SRTP, I only know of one
hardware-based SBC that claims support for terminating DTLS-SRTP, but I
don't know if it's real or slideware.  I know of a couple software-based
ones that do. (you can probably google it to find out who)

 

I don't know a huge amount about how hardware-based SBCs are
constructed, but it's important

to remember that DTLS-SRTP is DTLS key management but SRTP data
transport, so the naive

way to build the system would be to do the DTLS in software and then
push the keys onto

SRTP, thus using all the normal SRTP packet processing.

 

Obviously, there will be some performance cost associated with this (as
there is for any

asymmetric key exchange). The typical acceleration strategy for TLS is
to have hardware

acceleration for the asymmetric operations but have the actual TLS stack
in software,

for the obvious reasons of flexibility and upgradeability. Don't know
how much that

helps.

 

-Ekr

 

 

	But in general the most popular support by far is for SDES-based
keying.  There are a couple of off-the-shelf chip solutions for
large-scale SRTP that handle it as a bump-in-the wire, but they need to
be told the keys per stream and don't handle DTLS inline themselves to
do so, so naturally SDES made it a lot easier to use them.  Having said
that, I do believe that more SBC vendors in the US market will be
supporting DTLS-SRTP in the future because the US government has it
mandated in some agency or other I've been told.  Whether other
governments will do the same I don't know. (then again the US government
mandates a lot that never gets used in practice)

	 

	Also, someone asked on this list if SBC vendors support SRTP to
begin with.  Almost every SBC vendor I know of does support SRTP (at
least with SDES keying), but it usually costs more to do so, because
it's done in dedicated hardware.  So most deployed SBC systems don't do
SRTP, because the people buying/deploying them have decided they don't
need it and don't want to pay for it.  It's more popular in specific
vertical markets, but overall it's definitely a minority today.

	 

	-hadriel

	 

	 

	
	_______________________________________________
	rtcweb mailing list
	rtcweb@ietf.org
	https://www.ietf.org/mailman/listinfo/rtcweb