Re: [rtcweb] SBC hardware and SHA1

Eric Rescorla <> Fri, 30 September 2011 19:08 UTC

From: Eric Rescorla <>
Date: Fri, 30 Sep 2011 12:11:00 -0700
To: Hadriel Kaplan <>
Subject: Re: [rtcweb] SBC hardware and SHA1

On Fri, Sep 30, 2011 at 9:39 AM, Hadriel Kaplan <> wrote:

> On Sep 30, 2011, at 2:36 AM, Olle E. Johansson wrote:
>
>> Hadriel,
>> While on the topic of the hardware, I would like to ask how these systems
>> handle DTLS and SRTP.
>
> Assuming you mean terminating the SRTP, I only know of one hardware-based
> SBC that claims support for terminating DTLS-SRTP, but I don't know if it's
> real or slideware. I know of a couple software-based ones that do. (you can
> probably google it to find out who)

I don't know a huge amount about how hardware-based SBCs are constructed,
but it's important to remember that DTLS-SRTP is DTLS key management but
SRTP data transport, so the naive way to build the system would be to do
the DTLS in software and then push the keys onto SRTP, thus using all the
normal SRTP packet processing.

Obviously, there will be some performance cost associated with this (as
there is for any asymmetric key exchange). The typical acceleration
strategy for TLS is to have hardware acceleration for the asymmetric
operations but have the actual TLS stack in for the obvious reasons of
flexibility and upgradeability. Don't know how much that

> But in general the most popular support by far is for SDES-based keying.
>  There are a couple of off-the-shelf chip solutions for large-scale SRTP
> that handle it as a bump-in-the-wire, but they need to be told the keys per
> stream and don't handle DTLS inline themselves to do so, so naturally SDES
> made it a lot easier to use them.  Having said that, I do believe that more
> SBC vendors in the US market will be supporting DTLS-SRTP in the future
> because the US government has it mandated in some agency or other I've been
> told.  Whether other governments will do the same I don't know. (then again
> the US government mandates a lot that never gets used in practice)
>  Also, someone asked on this list if SBC vendors support SRTP to begin
> with.  Almost every SBC vendor I know of does support SRTP (at least with
> SDES keying), but it usually costs more to do so, because it's done in
> dedicated hardware.  So most deployed SBC systems don't do SRTP, because the
> people buying/deploying them have decided they don't need it and don't want
> to pay for it.  It's more popular in specific vertical markets, but overall
> it's definitely a minority today.
>  -hadriel