Re: [rtcweb] SBC hardware and SHA1

"Ravindran Parthasarathi" <> Mon, 03 October 2011 06:10 UTC

Date: Mon, 03 Oct 2011 11:43:41 +0530
From: Ravindran Parthasarathi <>
To: Eric Rescorla <>, Hadriel Kaplan <>
Subject: Re: [rtcweb] SBC hardware and SHA1

It is possible in SBC hardware to provide DTLS-SRTP in case the customer
asks for it. IMO, the performance impact is based on the individual SBC
hardware architecture.


From: [] On Behalf Of Eric Rescorla
Sent: Saturday, October 01, 2011 12:41 AM
To: Hadriel Kaplan
Cc: <>
Subject: Re: [rtcweb] SBC hardware and SHA1

On Fri, Sep 30, 2011 at 9:39 AM, Hadriel Kaplan <>

On Sep 30, 2011, at 2:36 AM, Olle E. Johansson wrote:

While on the topic of the hardware, I would like to ask how these
systems handle DTLS and SRTP.


Assuming you mean terminating the SRTP, I only know of one
hardware-based SBC that claims support for terminating DTLS-SRTP, but I
don't know if it's real or slideware.  I know of a couple software-based
ones that do. (you can probably google it to find out who)


I don't know a huge amount about how hardware-based SBCs are
constructed, but it's important to remember that DTLS-SRTP is DTLS key
management but SRTP data transport, so the naive way to build the system
would be to do the DTLS in software and then push the keys onto SRTP,
thus using all the normal SRTP packet processing.

Obviously, there will be some performance cost associated with this (as
there is for any asymmetric key exchange). The typical acceleration
strategy for TLS is to have hardware acceleration for the asymmetric
operations but have the actual TLS stack in software, for the obvious
reasons of flexibility and upgradeability. Don't know how much that

But in general the most popular support by far is for SDES-based
keying.  There are a couple of off-the-shelf chip solutions for
large-scale SRTP that handle it as a bump-in-the-wire, but they need to
be told the keys per stream and don't handle DTLS inline themselves to
do so, so naturally SDES made it a lot easier to use them.  Having said
that, I do believe that more SBC vendors in the US market will be
supporting DTLS-SRTP in the future because the US government has it
mandated in some agency or other I've been told.  Whether other
governments will do the same I don't know. (then again the US government
mandates a lot that never gets used in practice)


	Also, someone asked on this list if SBC vendors support SRTP to
begin with.  Almost every SBC vendor I know of does support SRTP (at
least with SDES keying), but it usually costs more to do so, because
it's done in dedicated hardware.  So most deployed SBC systems don't do
SRTP, because the people buying/deploying them have decided they don't
need it and don't want to pay for it.  It's more popular in specific
vertical markets, but overall it's definitely a minority today.

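As an added example (not from any of the messages in this thread), here is the hand-off Eric describes: DTLS runs in software, and once the handshake completes its exported keying material is split into the SRTP master keys and salts (RFC 5764 section 4.2) that get pushed onto the SRTP packet-processing path. The second half shows the per-packet HMAC-SHA1 authentication tag check from RFC 3711 that the subject line's "SHA1" refers to, which is the work an SBC's SRTP hardware or bump-in-the-wire chip does once it has been told the keys. The exported keying material, session authentication key and packet bytes are constructed sample values; in a real implementation the exporter output comes from the DTLS stack and the session keys come from the RFC 3711 key-derivation function (AES-CM based, not implemented here).

```python
import hashlib
import hmac
import struct

# RFC 5764 section 4.1.2: SRTP protection profiles negotiated in the DTLS
# handshake, with (master key length, master salt length) in bytes.
PROFILES = {
    "SRTP_AES128_CM_HMAC_SHA1_80": (16, 14),
    "SRTP_AES128_CM_HMAC_SHA1_32": (16, 14),
}

# RFC 5764 section 4.2: label passed to the TLS keying-material exporter
# (RFC 5705) once the DTLS handshake has completed.
EXPORTER_LABEL = b"EXTRACTOR-dtls_srtp"


def split_srtp_keying_material(exported, profile):
    """Split DTLS exporter output into SRTP master keys and salts.

    RFC 5764 section 4.2 lays the exporter output out as
    client_write_SRTP_master_key || server_write_SRTP_master_key ||
    client_write_SRTP_master_salt || server_write_SRTP_master_salt.
    The DTLS client protects the media it sends with the client_write
    values; the DTLS server uses the server_write values.
    """
    key_len, salt_len = PROFILES[profile]
    needed = 2 * (key_len + salt_len)
    if len(exported) != needed:
        raise ValueError(
            f"{profile} needs {needed} bytes of exported keying material, "
            f"got {len(exported)}")
    off = 0
    client_key, off = exported[off:off + key_len], off + key_len
    server_key, off = exported[off:off + key_len], off + key_len
    client_salt, off = exported[off:off + salt_len], off + salt_len
    server_salt = exported[off:off + salt_len]
    return {
        "client_master_key": client_key,
        "server_master_key": server_key,
        "client_master_salt": client_salt,
        "server_master_salt": server_salt,
    }


def srtp_auth_tag(session_auth_key, authenticated_portion, roc, tag_len=10):
    """RFC 3711 section 4.2: HMAC-SHA1 over (RTP header || encrypted payload
    || 32-bit rollover counter), truncated to tag_len bytes (10 for the
    _80 profiles, 4 for the _32 profiles)."""
    mac = hmac.new(session_auth_key,
                   authenticated_portion + struct.pack("!I", roc),
                   hashlib.sha1).digest()
    return mac[:tag_len]


def protect_packet(session_auth_key, rtp_header, encrypted_payload, roc, tag_len=10):
    """Append the authentication tag to an already-encrypted packet (no MKI)."""
    body = rtp_header + encrypted_payload
    return body + srtp_auth_tag(session_auth_key, body, roc, tag_len)


def verify_packet(session_auth_key, packet, roc, tag_len=10):
    """Check a received SRTP packet's tag in constant time.  A failure means
    the packet was forged, modified in transit, or authenticated under a
    different key or ROC, and it must be dropped before decryption."""
    if len(packet) < 12 + tag_len:          # fixed RTP header is 12 bytes
        return False
    body, tag = packet[:-tag_len], packet[-tag_len:]
    expected = srtp_auth_tag(session_auth_key, body, roc, tag_len)
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    # Constructed sample values; a real stack takes `exported` from the DTLS
    # exporter and runs the RFC 3711 KDF before the keys reach the data path.
    exported = bytes(range(60))
    keys = split_srtp_keying_material(exported, "SRTP_AES128_CM_HMAC_SHA1_80")
    session_auth_key = b"\x5a" * 20        # 160-bit session auth key, constructed
    header = bytes([0x80, 0x00]) + struct.pack("!HII", 1, 160, 0xDEADBEEF)
    payload = b"\xaa" * 40                 # stands in for ciphertext
    pkt = protect_packet(session_auth_key, header, payload, roc=0)
    print(keys["client_master_key"].hex(), verify_packet(session_auth_key, pkt, roc=0))
```

The split and the tag check are cheap; the expensive part of the hand-off is the DTLS handshake itself, which is why the thread's discussion centres on where the asymmetric operations run rather than on the SRTP side.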