Re: [rtcweb] SBC hardware and SHA1

Cameron Byrne <cb.list6@gmail.com> Fri, 30 September 2011 16:47 UTC

Return-Path: <cb.list6@gmail.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCB9221F8BF3 for <rtcweb@ietfa.amsl.com>; Fri, 30 Sep 2011 09:47:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.459
X-Spam-Level:
X-Spam-Status: No, score=-3.459 tagged_above=-999 required=5 tests=[AWL=0.140, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jrd6yOSo1TyU for <rtcweb@ietfa.amsl.com>; Fri, 30 Sep 2011 09:47:59 -0700 (PDT)
Received: from mail-qy0-f179.google.com (mail-qy0-f179.google.com [209.85.216.179]) by ietfa.amsl.com (Postfix) with ESMTP id 35BE721F8BEE for <rtcweb@ietf.org>; Fri, 30 Sep 2011 09:47:59 -0700 (PDT)
Received: by qyk33 with SMTP id 33so1866923qyk.10 for <rtcweb@ietf.org>; Fri, 30 Sep 2011 09:50:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=htrsnHvqGFK+zq9Z5IHb8bMUPRu2plr0eWV94A4UksE=; b=kI0JZkXEFzhyQabkFDnzQqjGvhYDu4GvkHootPGlToCdAnQ7T5PRsftkKM4JP+QYh0 1+xkX26c7JrvnkK1jLni1SVSVQqbN23/l3MtL6mlmCWic5i12tNq4Eh6fTdJf7vFpXG6 /9oR3/6RlP0mcrO5goXn9flnWhDN93K4uRsNw=
MIME-Version: 1.0
Received: by 10.68.36.166 with SMTP id r6mr59581415pbj.77.1317401452867; Fri, 30 Sep 2011 09:50:52 -0700 (PDT)
Received: by 10.143.2.8 with HTTP; Fri, 30 Sep 2011 09:50:52 -0700 (PDT)
In-Reply-To: <C3C7D62E-6BA8-43F4-A29D-FC9AF3BE689F@acmepacket.com>
References: <CAD5OKxtNjmWBz92bRuxka7e-BUpTPgVUvr3ahJGpmZ-U5nuPbQ@mail.gmail.com> <CAD6AjGSmz5T_F+SK2EoBQm6T-iRKp7dd4j8ZAF5JKdbbyomZQA@mail.gmail.com> <CALiegfmO54HC+g9L_DYn4jtXAAbLEvS++qxKa6TNrLDREs9SeA@mail.gmail.com> <4E80984A.903@skype.net> <CALiegfmyvTb57WVooKryS-ubfcg+w5gZ+zfO1zzBLn3609AzaA@mail.gmail.com> <4E809EE6.2050702@skype.net> <CAD5OKxvUOadaU0dnB7-Ho9cZ92VY+4Owuhj7oKPCx9Jy1iwT1Q@mail.gmail.com> <C2DF2C51-B3F7-443D-A047-7E6FB03E6D20@phonefromhere.com> <CAOJ7v-3AJJcdrCKcH4AJmv_016sZtcOPOo8yCv3Va65eJogAkQ@mail.gmail.com> <53C72381-DC23-4A6A-944C-B418791876B0@cisco.com> <CALiegf=nG+KXto9CXfn64CQSp3P5Lfm+S8c0xnA187Fhz=fcrQ@mail.gmail.com> <05B54E0C-B867-4D7F-825D-2E008E69B07F@acmepacket.com> <4E84F06B.7020705@skype.net> <2C381E05-59C5-4678-A431-CFDAC1098050@acmepacket.com> <CABcZeBMgFetriRkyvR_pOczWX6RCpMisjzjQeBsPYj9Zg3S0zQ@mail.gmail.com> <DF6B5635-BD84-4F87-9228-3EF3BBCC7129@acmepacket.com> <CD38B852-5FA5-4CFC-B941-9C4F97BED622@edvina.net> <C3C7D62E-6BA8-43F4-A29D-FC9AF3BE689F@acmepacket.com>
Date: Fri, 30 Sep 2011 09:50:52 -0700
Message-ID: <CAD6AjGSoBN7eig-RnLWJFj4q0QgS81gHwT5dqjzK-ivN9Ag5Ng@mail.gmail.com>
From: Cameron Byrne <cb.list6@gmail.com>
To: Hadriel Kaplan <HKaplan@acmepacket.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: Re: [rtcweb] SBC hardware and SHA1
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Sep 2011 16:47:59 -0000

On Fri, Sep 30, 2011 at 9:39 AM, Hadriel Kaplan <HKaplan@acmepacket.com> wrote:
>
> On Sep 30, 2011, at 2:36 AM, Olle E. Johansson wrote:
>
> Hadriel,
> While on the topic of the hardware, I would like to ask how these systems
> handle DTLS and SRTP.
>
> Assuming you mean terminating the SRTP, I only know of one hardware-based
> SBC that claims support for terminating DTLS-SRTP, but I don't know if it's
> real or slideware.  I know of a couple software-based ones that do. (you can
> probably google it to find out who)
> But in general the most popular support by far is for SDES-based keying.
>  There are a couple of off-the-shelf chip solutions for large-scale SRTP
> that handle it as a bump-in-the wire, but they need to be told the keys per
> stream and don't handle DTLS inline themselves to do so, so naturally SDES
> made it a lot easier to use them.  Having said that, I do believe that more
> SBC vendors in the US market will be supporting DTLS-SRTP in the future
> because the US government has it mandated in some agency or other I've been
> told.  Whether other governments will do the same I don't know. (then again
> the US government mandates a lot that never gets used in practice)
> Also, someone asked on this list if SBC vendors support SRTP to begin with.
>  Almost every SBC vendor I know of does support SRTP (at least with SDES
> keying), but it usually costs more to do so, because it's done in dedicated
> hardware.  So most deployed SBC systems don't do SRTP, because the people
> buying/deploying them have decided they don't need it and don't want to pay
> for it.  It's more popular in specific vertical markets, but overall it's
> definitely a minority today.
> -hadriel
>

As a service provider, i cannot imagine rolling out a solution that
lacks encryption.  Cost of bad press and unmet user expectations is
higher than a few extra boxes. If you choose not to encrypt, well...
that becomes a differentiation for those that do.

We have already bought and paid for SRTP in our existing IMS/SIP
applications that exist on the Internet and will mandate it for
anything we do with RTCWeb too, it's policy.

Cameron