Re: [rtcweb] SRTP not mandatory-to-use

Eric Rescorla <ekr@rtfm.com> Wed, 14 December 2011 10:33 UTC

From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 14 Dec 2011 16:02:46 +0530
To: Xavier Marjou <xavier.marjou@gmail.com>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] SRTP not mandatory-to-use

On Wed, Dec 14, 2011 at 3:18 PM, Xavier Marjou <xavier.marjou@gmail.com> wrote:
> Hi,
>
>
> During the last IETF meeting, there seemed to be many people willing to have
> SRTP mandatory-to-use in the browser. However, I would like again to
> underline that in some contexts, it is rather desirable to deactivate, via
> the WebRTC API, the use of SRTP in order not to encrypt/decrypt at multiple
> layers.
>
>
> This may be the case in the following example: a company wants to use WebRTC
> for communications between its co-workers only; the web server and the
> script using WebRTC API are located on the VPN. In such a case, there is no
> need to use SRTP. The VPN already provides encryption when needed. If
> co-workers want to remotely access the VPN, an IPsec tool can already
> provide the encryption. Furthermore, if they want to remotely access the VPN
> via a 3G network, there will be encryption at layer 2 using AKA, then IPsec
> at layer 3, and again at SRTP level if mandatory-to-use.

I don't understand why this makes SRTP undesirable. What scarce
resource are you conserving here by not using SRTP? As has been noted
a number of times, the cost of the crypto on the endpoints is
generally not significant.

Moreover, it's not obvious that even in this setting SRTP doesn't add security
benefit. Why are you assuming that I want everyone on the same LAN
as me to be able to listen to my calls, even if they are my co-workers?

-Ekr