Re: [rtcweb] Resolving RTP/SDES question in Paris

Eric Rescorla <ekr@rtfm.com> Tue, 20 March 2012 15:02 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9143D21F85ED for <rtcweb@ietfa.amsl.com>; Tue, 20 Mar 2012 08:02:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.889
X-Spam-Level:
X-Spam-Status: No, score=-102.889 tagged_above=-999 required=5 tests=[AWL=-0.212, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4jyEzfQKsWRW for <rtcweb@ietfa.amsl.com>; Tue, 20 Mar 2012 08:02:28 -0700 (PDT)
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id D79D521F85DB for <rtcweb@ietf.org>; Tue, 20 Mar 2012 08:02:27 -0700 (PDT)
Received: by vcbfk13 with SMTP id fk13so140137vcb.31 for <rtcweb@ietf.org>; Tue, 20 Mar 2012 08:02:27 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:from:date :message-id:subject:to:cc:content-type:content-transfer-encoding :x-gm-message-state; bh=ygv21MzQr7XCvNFSSaZIlFBuxQNYbmPDb/gAQKqMSzo=; b=IwDTaWG8Pkzl1t/Gy+jaiqsSVNVT19mw+yD6EMBDKV4NskjYol/ERZ2qw7kq2i3Fhj wqNfseIq9TD7dnU6GUc8JCgQjNeNYONc7bdBLr4NHgc8ePsv8uT4ZXqkVPRjQXXvMsLP oVPa5CmeXq709cqzKFcfs3TOb7mm0wp2HU94yZ4Fib4Qxm10y58cWXijNzVY8imiJhj7 e2nYaTjEFD24YCh2ijFWtfoDodhpss/hR0A454Wrxxz6fDGpSen2FV/74lN1C2bvjSRR FBtgmbnWv82Lt8gfzt0ZIhrgjcDu4jKgjiOEzaS4S4KxeEoWgWz5uWQCws3poEH8vo2h D3dw==
Received: by 10.220.151.67 with SMTP id b3mr54926vcw.51.1332255747294; Tue, 20 Mar 2012 08:02:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.22.195 with HTTP; Tue, 20 Mar 2012 08:01:43 -0700 (PDT)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <CALiegfkfLchSosSwZ+J-zc355fjBuRi5X-Z+fMznzCZjs8f=bw@mail.gmail.com>
References: <4F4759DC.7060303@ericsson.com> <387F9047F55E8C42850AD6B3A7A03C6C0E1FEB69@inba-mail01.sonusnet.com> <CALiegfnkYVEpmPV-zSL_4wOY-HiFZN-qJCQCiioaS=5NaqhLZw@mail.gmail.com> <CAD5OKxvtOAxMBx6xDnyfTnEq76oDEm6uj1xL6wGjjrtKUAHy3g@mail.gmail.com> <CABcZeBNZiotPmCfT53uEo+O0xw4xv6tXW1M_G-3A5BHuncsduA@mail.gmail.com> <CAD5OKxvYOY5JZ2mYNGiH1poUBQkyOOycePFijH5H+SxtcdqujQ@mail.gmail.com> <CABkgnnVe-b6Sv=R67bMJk_NQqQwdrRUn6rBm7Gu_CMcfPQwtEg@mail.gmail.com> <CAD5OKxvZbEJ7sV4WPAYoQapzMR_QwAftj-oKg=ioMKHNT792wQ@mail.gmail.com> <6F428EFD2B8C2F49A2FB1317291A76C113563C5A92@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <CALiegf=jtkDCS_D0ZFe9UpbiadQ0vsJ+4MppQSbLr-wbaXNrfQ@mail.gmail.com> <BLU169-W29E5B86F9E2C6F3126961C93420@phx.gbl> <CALiegfk2aT+6Psr4nT-hG1G7eYRBfFCcT+25On2O4HfUXJ6-ng@mail.gmail.com> <CAD6AjGSmi9j+sdGWPts20-iwGvGij05ek0OKYEPULC6B=aFpQg@mail.gmail.com> <6F428EFD2B8C2F49A2FB1317291A76C113564482A7@USNAVSXCHMBSA1.ndc.alcatel-lucent.com> <ADBB75F3-E20C-4EC4-B9C3-EF2E4BFF409C@phonefromhere.com> <CAD5OKxvuEV8Vbq3h7=ZgcKmREjmguvz5n-SpXr2n-EY7a_ddxg@mail.gmail.com> <CALiegfk1ozOKPcDjbd3H_z2Edzh4RcZpYyJSWdw_1DJ04muQXA@mail.gmail.com> <CAD5OKxu8-+0O0=eE7mD1hi=nPUpEXczGj=bRNQCQL1BW8c-c-Q@mail.gmail.com> <D75A384B-0F38-4E30-8C03-12E903A69B64@acmepacket.com> <CAD5OKxustPmGJRMKoUU4kXosALpG8RzHC50-sjb5KKUPq3L3XA@mail.gmail.com> <CABcZeBNHY8k5YNiZt2=wqKo1Bkecxvyw4kyGi9W235fmdhwjGw@mail.gmail.com> <CAD5OKxujAoGaqpAG62X6EQVu5bS5m2a+9DYBP=LYjo1qGtQS6w@mail.gmail.com> <CALiegfkd5q2OzDTddQX2emhycVkwpnAD1SrF-iofVe6wVJD1pw@mail.gmail.com> <CAD5OKxv9_k6CU-_UC_pm+tx9aGJ3SEiB_amzKbgp9UKuJb4MwQ@mail.gmail.com> <CALiegfkfLchSosSwZ+J-zc355fjBuRi5X-Z+fMznzCZjs8f=bw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 20 Mar 2012 08:01:43 -0700
Message-ID: <CABcZeBNKJ=v-nMQ70EEzh1gCuHGBmxrPrpw-uRsrPYnZznVZTA@mail.gmail.com>
To: Iñaki Baz Castillo <ibc@aliax.net>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQms8JCcf4Y4rtb1btxZNgP2CPqL4FUfkhEz64d/mwQ1WObjoog5Tu4dj/C8Xj+cuAd0a/qd
Cc: "rtcweb@ietf.org" <rtcweb@ietf.org>
Subject: Re: [rtcweb] Resolving RTP/SDES question in Paris
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2012 15:02:28 -0000

On Tue, Mar 20, 2012 at 7:16 AM, Iñaki Baz Castillo <ibc@aliax.net> wrote:
> 2012/3/20 Roman Shpount <roman@telurix.com>:
>> The other proposal was not to use DTLS at all, since it is an overkill both
>> complexity and feature wise. DTLS is designed the way it is primarily to
>> extend TLS to UDP. DTLS-SRTP is a bolt on of SRTP into DTLS. So we actually
>> got a protocol twice reused with design goals changing dramatically in the
>> process. The desired attribute of DTLS-SRTP is that encryption keys are not
>> transmitted in clear text. The rest (security handshake separated from
>> signaling and ICE handshake, support for data encryption schemes other then
>> SRTP, support for certificate validation, etc) is actually just a liability.
>> All of those things imply slower setup and interop problems. So, my second
>> proposal was not to use DTLS at all, just include the public keys for
>> supported key exchange protocols in the SDP and send the encrypted SRTP
>> private key in the ICE message. Or something similar to that. This will
>> definitely not interop with DTLS, but will make implementation of encryption
>> very simple.
>
> So that proposal would modify even ICE protocol, am I right? Too much
> dramatic IMHO :)
>
> Ok, given the fact that DTLS is still an utopia (all the people know
> about it but it seems that nobody has seen it in action),

This is not true for DTLS in general. It's been in stacks for
a while now and is widely used in VPNs.

There certainly is rather less use of DTLS-SRTP, but it isn't unknown
either, as I believe Cullen has mentioned on the list before.

-Ekr