Re: [rtcweb] Resolving RTP/SDES question in Paris

Roman Shpount <roman@telurix.com> Mon, 19 March 2012 18:44 UTC

In-Reply-To: <52789D17-F7C7-401B-B2E8-6FE3BC5D7CB7@phonefromhere.com>
References: <4F4759DC.7060303@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com> <CALiegfnkYVEpmPV-zSL_4wOY-HiFZN-qJCQCiioaS=5NaqhLZw@mail.gmail.com> <CAD5OKxvtOAxMBx6xDnyfTnEq76oDEm6uj1xL6wGjjrtKUAHy3g@mail.gmail.com> <CABcZeBNZiotPmCfT53uEo+O0xw4xv6tXW1M_G-3A5BHuncsduA@mail.gmail.com> <CAD5OKxvYOY5JZ2mYNGiH1poUBQkyOOycePFijH5H+SxtcdqujQ@mail.gmail.com> <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com> <CAD5OKxvZbEJ7sV4WPAYoQapzMR_QwAftj-oKg=ioMKHNT792wQ@mail.gmail.com> <6F428EFD2B8C2F49A2FB1317291A76C113563C5A92@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <CALiegf=jtkDCS_D0ZFe9UpbiadQ0vsJ+4MppQSbLr-wbaXNrfQ@mail.gmail.com> <BLU169-W29E5B86F9E2C6F3126961C93420@phx.gbl> <CALiegfk2aT+6Psr4nT-hG1G7eYRBfFCcT+25On2O4HfUXJ6-ng@mail.gmail.com> <CAD6AjGSmi9j+sdGWPts20-iwGvGij05ek0OKYEPULC6B=aFpQg@mail.gmail.com> <6F428EFD2B8C2F49A2FB1317291A76C113564482A7@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <CAD5OKxvuEV8Vbq3h7=ZgcKmREjmguvz5n-SpXr2n-EY7a_ddxg@mail.gmail.com> <CALiegfk1ozOKPcDjbd3H_z2Edzh4RcZpYyJSWdw_1DJ04muQXA@mail.gmail.com> <CAD5OKxu8-+0O0=eE7mD1hi=nPUpEXczGj=bRNQCQL1BW8c-c-Q@mail.gmail.com> <52789D17-F7C7-401B-B2E8-6FE3BC5D7CB7@phonefromhere.com>
Date: Mon, 19 Mar 2012 14:44:17 -0400
Message-ID: <CAD5OKxtVtzahgk5xniXNvt-WvwNXZwcLau3PuKi1jnHrq4aZAA@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Tim Panton <tim@phonefromhere.com>
Cc: rtcweb@ietf.org
Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris

On Mon, Mar 19, 2012 at 2:35 PM, Tim Panton <tim@phonefromhere.com> wrote:

> How many of these plain RTP only legacy devices support password verified
> ICE correctly? - I'd be shocked if you found _any_.
>
>
And how many of the SDES-SRTP devices support password verified ICE? I
doubt you would find any of them either. So, why is SDES-SRTP OK and RTP
is not?

> With JSEP there is nothing to stop the application from encrypting the SDP
> blob in javascript before forwarding it to the far end
> over HTTP - not my preferred option, but technically possible, and it
> would definitely make a firesheep style attack a bit harder to pull off.
>
>
Once again, my point was that the application developer would need to properly
develop the signaling application (i.e. deliver it over HTTPS; don't put
encryption keys into something that can be easily accessible, etc.). Unless
a lot of care is taken, SDES-SRTP is not secure.

Why do we need to support SDES-SRTP at all? I do not understand the
arguments that say RTP is bad, but SDES-SRTP is OK. If you need interop,
RTP is your best option. If you need security, DTLS-SRTP is your answer.
SDES-SRTP does not serve either purpose well.
_____________
Roman Shpount
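The point Roman makes above, that with SDES-SRTP the media keys travel inside the signaling blob, can be turned into a concrete audit check. The script below is an added example written for this archive page, not code from anyone on the thread: it parses an SDP offer and reports, per media section, whether the SRTP master key is carried in cleartext in an a=crypto line (SDES, RFC 4568 syntax), whether only a DTLS certificate fingerprint is present (a=fingerprint, RFC 4572/8122 syntax), or whether the media is plain RTP. The sample offers are constructed for the example; the inline key is the illustrative value from RFC 4568 and the fingerprint is made up. The "SAVP profile with no keying" case is flagged too, since such an offer cannot be keyed at all.

```python
"""Audit an SDP offer: which media sections expose SRTP keys in the signaling
(SDES, a=crypto) and which carry only a DTLS fingerprint (DTLS-SRTP)."""
import base64
import re
from dataclasses import dataclass, field

# a=crypto:<tag> <crypto-suite> inline:<key||salt>[|lifetime][|MKI:len]   (RFC 4568 syntax)
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")
# a=fingerprint:<hash-func> <colon-separated hex digest>   (RFC 4572 / RFC 8122 syntax)
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+)\s+([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)$")
# master key || master salt size in octets for the RFC 4568 suites (128-bit key + 112-bit salt)
EXPECTED_KEY_SALT_BYTES = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "F8_128_HMAC_SHA1_80": 30,
}

# Constructed sample offers (not taken from the thread). The SDES key is the
# illustrative value printed in RFC 4568; the sha-256 fingerprint is made up.
SDES_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.1
s=-
c=IN IP4 192.0.2.1
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4
"""
DTLS_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.1
s=-
c=IN IP4 192.0.2.1
a=fingerprint:sha-256 AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67:89
m=audio 49170 UDP/TLS/RTP/SAVPF 0
a=setup:actpass
"""
PLAIN_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.1
s=-
c=IN IP4 192.0.2.1
m=audio 49170 RTP/AVP 0
"""
BROKEN_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.1
s=-
c=IN IP4 192.0.2.1
m=audio 49170 RTP/SAVP 0
"""


@dataclass
class MediaSection:
    media: str                  # "audio", "video", ...
    proto: str                  # "RTP/AVP", "RTP/SAVP", "UDP/TLS/RTP/SAVPF", ...
    keying: str = "none"        # "sdes", "dtls-srtp" or "none"
    suites: list = field(default_factory=list)          # crypto-suite of each a=crypto line
    key_salt_bytes: list = field(default_factory=list)  # decoded size of each inline key||salt
    findings: list = field(default_factory=list)


def assess(section: MediaSection) -> list:
    """Audit findings for one media section, from the defender's point of view."""
    findings = []
    secure_profile = "SAVP" in section.proto
    if section.keying == "sdes":
        findings.append("SRTP master key is carried in cleartext inside the SDP; media "
                        "confidentiality depends entirely on the signaling path and on "
                        "how the application stores and forwards the blob")
        for suite, size in zip(section.suites, section.key_salt_bytes):
            expected = EXPECTED_KEY_SALT_BYTES.get(suite)
            if expected is not None and size != expected:
                findings.append(f"{suite}: key||salt is {size} octets, expected {expected}")
    elif section.keying == "none" and secure_profile:
        findings.append("secure profile declared but no keying attribute; media cannot be keyed")
    elif section.keying == "none":
        findings.append("plain RTP: no media encryption at all")
    return findings


def parse_sdp(sdp: str) -> list:
    """Split an SDP blob into media sections and classify each one's keying."""
    sections, current, session_fingerprint = [], None, False
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            current = MediaSection(media=fields[0], proto=fields[2])
            sections.append(current)
            continue
        if FINGERPRINT_RE.match(line):
            if current is None:
                session_fingerprint = True  # session-level fingerprint covers every m= section
            elif current.keying == "none":
                current.keying = "dtls-srtp"
            continue
        m = CRYPTO_RE.match(line)
        if m and current is not None:
            current.keying = "sdes"  # key material is exposed even if a fingerprint is also present
            current.suites.append(m.group(2))
            current.key_salt_bytes.append(len(base64.b64decode(m.group(3))))
    for s in sections:
        if s.keying == "none" and session_fingerprint:
            s.keying = "dtls-srtp"
        s.findings = assess(s)
    return sections


def summarize(sdp: str) -> dict:
    """Media type -> keying mechanism, for a quick yes/no on key exposure."""
    return {s.media: s.keying for s in parse_sdp(sdp)}


if __name__ == "__main__":
    for name, offer in [("sdes", SDES_OFFER), ("dtls", DTLS_OFFER),
                        ("plain", PLAIN_OFFER), ("broken", BROKEN_OFFER)]:
        for s in parse_sdp(offer):
            print(f"{name}: {s.media} {s.proto} keying={s.keying}")
            for f in s.findings:
                print("   -", f)
```

Run against a real offer, any section reported as "sdes" means the signaling channel (and every server, log and JavaScript variable the blob passes through) must be treated as holding the SRTP key, which is exactly the extra care the message above says SDES-SRTP requires; a "dtls-srtp" section exposes only a certificate hash in the SDP.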