[rtcweb] SRTP requirement - wiretapping (Re: Let's define the purpose of WebRTC)

Harald Alvestrand <harald@alvestrand.no> Tue, 08 November 2011 22:28 UTC

Return-Path: <harald@alvestrand.no>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B474F21F85BB for <rtcweb@ietfa.amsl.com>; Tue, 8 Nov 2011 14:28:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id peeEOEqti48j for <rtcweb@ietfa.amsl.com>; Tue, 8 Nov 2011 14:28:23 -0800 (PST)
Received: from eikenes.alvestrand.no (eikenes.alvestrand.no [158.38.152.233]) by ietfa.amsl.com (Postfix) with ESMTP id 1184521F85AE for <rtcweb@ietf.org>; Tue, 8 Nov 2011 14:28:07 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by eikenes.alvestrand.no (Postfix) with ESMTP id 60CEA39E0F3; Tue, 8 Nov 2011 23:28:06 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at eikenes.alvestrand.no
Received: from eikenes.alvestrand.no ([127.0.0.1]) by localhost (eikenes.alvestrand.no [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mTgp+BR4WrZe; Tue, 8 Nov 2011 23:28:05 +0100 (CET)
Received: from [192.168.0.14] (c213-89-141-213.bredband.comhem.se [213.89.141.213]) by eikenes.alvestrand.no (Postfix) with ESMTPS id 586DC39E072; Tue, 8 Nov 2011 23:28:05 +0100 (CET)
Message-ID: <4EB9ACF5.80805@alvestrand.no>
Date: Tue, 08 Nov 2011 23:28:05 +0100
From: Harald Alvestrand <harald@alvestrand.no>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Ravindran Parthasarathi <pravindran@sonusnet.com>
References: <CALiegfkVNVAs_MyU_-4koA4zRwSn1-FwLjY9g_oZVkhi9rSK5Q@mail.gmail.com> <8A61D801-D14D-408B-9875-63C37D0CC166@acmepacket.com> <CABw3bnPE=OY_h5bM7GA6wgrXiOBL8P4J0kw1jLv-GSpHAbg=Cg@mail.gmail.com> <CABcZeBNqdkh8u=gwOvKfDCQA7rXdAyQkfaM1r2Sx10787btP6A@mail.gmail.com> <B10FEFF6-0ADC-4DB1-83BB-50A11C65EC35@acmepacket.com> <CABcZeBNSXtim_VqzqAd8Z-u4zWSjaYmsVZPN=7sDYkJsgtRAHA@mail.gmail.com> <4EB7E6A5.70209@alvestrand.no> <F8003BA9-BCD8-4F02-B514-8B883FF90F91@acmepacket.com> <387F9047F55E8C42850AD6B3A7A03C6C01349D81@inba-mail01.sonusnet.com>
In-Reply-To: <387F9047F55E8C42850AD6B3A7A03C6C01349D81@inba-mail01.sonusnet.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "<rtcweb@ietf.org>" <rtcweb@ietf.org>
Subject: [rtcweb] SRTP requirement - wiretapping (Re: Let's define the purpose of WebRTC)
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2011 22:28:23 -0000

Changing the subject again to mention SRTP....

On 11/08/2011 03:30 PM, Ravindran Parthasarathi wrote:
> I agree with Hadriel that it is not required to mandate SRTP for WebRTC. My reasoning are as follows:
>
> 1) Security could be in the lower layer itself (IPsec, VPN, private MPLS cloud). For Enterprise-only-WebRTC application (no federation&  no interop), there is no need of security by specific application like WebRTC as it is ensured in the infrastructure. WebRTC security will be duplicated for these infrastructure and may leads double encryption unnecessarily.
This argument makes some sense.
>
> 2) Being in India, I'm interested in avoiding Government restriction on WebRTC proposal (Thanks to Tim for pointing this). I may not surprise to see that WebRTC mechanism is banned in India because intelligent agency struggles to break the key in each terrorist WebRTC site. (http://www.pcworld.com/businesscenter/article/235639/india_wants_to_intercept_skype_google_communications.html)
This argument is contrary to stated IETF policy (RFC 2804).

I recommend the RFC for background reading.
>
> In case there is no use case to illustrate in RTCWeb draft, let us discuss in detail.
>
>> -----Original Message-----
>> From: rtcweb-bounces@ietf.org [mailto:rtcweb-bounces@ietf.org] On Behalf
>> Of Hadriel Kaplan
>> Sent: Monday, November 07, 2011 9:12 PM
>> To: Eric Rescorla
>> Cc:<rtcweb@ietf.org>
>> Subject: Re: [rtcweb] Let's define the purpose of WebRTC
>>
>>
>> On 11/07/2011 02:50 PM, Eric Rescorla wrote:
>>> On Sun, Nov 6, 2011 at 7:20 PM, Hadriel Kaplan<HKaplan@acmepacket.com>
>> wrote:
>>>> Who said "too slow"?  There *is* an extra round-trip or two involved
>> I presume, if we're talking DTLS-SRTP, but no I didn't mean that as a
>> "hit".  I just meant the extra computing cycles for SRTP being a "hit".
>> For WebRTC-to-WebRTC I don't think that matters at all.  For WebRTC-to-
>> media-server it might, for a free game app or greeting card app that
>> don't care about it to begin with, and which use plaintext HTTP to begin
>> with.
>>> Sorry, I didn't mean to put words in your mouth. Performance
>> measurements
>>> of HTTP versus HTTPS in modern Web environments suggest that the
>> additional
>>> load for HTTPS is not significant. Do you have evidence that the
>> situation is
>>> different for SRTP versus RTP?
>> Only from the DSP guys, and those would be hardware DSPs not softDSPs.
>> It runs them anywhere from 10-25% overhead, they say, depending on the
>> vendor and what else their DSPs are doing at the time.
>>
>> But ultimately even in software I assume it's all relative to what other
>> work you're doing.  If you have to render a video stream on a screen and
>> encode camera input into a codec being sent out, then my guess is SRTP
>> overhead is a tiny factor not worth talking about.  If you're mixing
>> multiple RTP streams as a conference server, then I assume doing SRTP
>> for thousands of simultaneous audio RTP streams for multiple
>> simultaneous conferences becomes noticeable.  Or at least so they seem
>> to claim - I don't know since I don't build a media server (hardware
>> SBCs often offload SRTP onto dedicated hardware).  One large software
>> company even created their own proprietary packet format for SRTP that
>> they claimed was done for improving performance/scalability, so I assume
>> it has some impact they don't want their customers to incur.
>>
>> -hadriel
>>
>> _______________________________________________
>> rtcweb mailing list
>> rtcweb@ietf.org
>> https://www.ietf.org/mailman/listinfo/rtcweb
> _______________________________________________
> rtcweb mailing list
> rtcweb@ietf.org
> https://www.ietf.org/mailman/listinfo/rtcweb
>