Re: [rtcweb] Security Architecture: SDES support is a MUST

Roman Shpount <roman@telurix.com> Thu, 19 July 2012 20:18 UTC

Return-Path: <roman@telurix.com>
X-Original-To: rtcweb@ietfa.amsl.com
Delivered-To: rtcweb@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDBBF21F85D2 for <rtcweb@ietfa.amsl.com>; Thu, 19 Jul 2012 13:18:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.951
X-Spam-Level:
X-Spam-Status: No, score=-2.951 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Jav0f0dDKRa for <rtcweb@ietfa.amsl.com>; Thu, 19 Jul 2012 13:18:14 -0700 (PDT)
Received: from mail-yw0-f44.google.com (mail-yw0-f44.google.com [209.85.213.44]) by ietfa.amsl.com (Postfix) with ESMTP id 003B021F8652 for <rtcweb@ietf.org>; Thu, 19 Jul 2012 13:18:13 -0700 (PDT)
Received: by yhq56 with SMTP id 56so3554645yhq.31 for <rtcweb@ietf.org>; Thu, 19 Jul 2012 13:19:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:x-gm-message-state; bh=wUjuFe9ipKjHAjs2K2RC8XXeQFwnmCzKaPm6oY1aC2M=; b=d33vbKZRDF8u3q/o7drs9pzFCL1YYdbR7Bfs5B29uYDz3oVjvm03mOQ9YbZwaka0ob 2k9W1+AEb3J6wY/Injsm3aE2dtGrsl8gk70Jw6ZJWGlm6fAlPO5azzHyk+xj2vST/+fq Fx71Q+VziAZ9VysjwicbQ89jLR7C5HScPT9RMuSP9ssjFBTnaDlcH7jk2SqBGHQWa66j 5GbK2LEQphK/lgm+EsIBIeerFypfPuN2ahWaISUn2ThBzMmuVoOWuaLu3u1RUbf3Nxb8 uJF7Ugl5pU1Vwq7Krw9U2zdHQ+qMwaxdEz4L8c224UOcqgDwYbkGfYekpKLTeeC0oDPq 2xiA==
Received: by 10.236.200.167 with SMTP id z27mr3085305yhn.131.1342729147757; Thu, 19 Jul 2012 13:19:07 -0700 (PDT)
Received: from mail-gg0-f172.google.com (mail-gg0-f172.google.com [209.85.161.172]) by mx.google.com with ESMTPS id x4sm5540429yhh.2.2012.07.19.13.19.05 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 19 Jul 2012 13:19:06 -0700 (PDT)
Received: by ggnc4 with SMTP id c4so3551191ggn.31 for <rtcweb@ietf.org>; Thu, 19 Jul 2012 13:19:04 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.221.70 with SMTP id qc6mr8103463pbc.92.1342729144392; Thu, 19 Jul 2012 13:19:04 -0700 (PDT)
Received: by 10.68.194.202 with HTTP; Thu, 19 Jul 2012 13:19:04 -0700 (PDT)
In-Reply-To: <075201cd65d8$db37a210$91a6e630$@com>
References: <201207190742.q6J7glf6008744@vivaldi29.register.it> <075201cd65d8$db37a210$91a6e630$@com>
Date: Thu, 19 Jul 2012 16:19:04 -0400
Message-ID: <CAD5OKxu1RojKD0rB01M1QocAdvAuXaNz8aywatJk6DPJSeK9Gw@mail.gmail.com>
From: Roman Shpount <roman@telurix.com>
To: Dan Wing <dwing@cisco.com>
Content-Type: multipart/alternative; boundary=047d7b2edb81ae5a2d04c5347d63
X-Gm-Message-State: ALoCoQmkkftxqF/VZv2L1OIjE3i1sO/cD4bYdNBvFUVl6Zkri2n3OqxF6S2+6ob2QcGblRFk07r+
Cc: daniele.filippi@ctiplanet.it, rtcweb@ietf.org
Subject: Re: [rtcweb] Security Architecture: SDES support is a MUST
X-BeenThere: rtcweb@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Real-Time Communication in WEB-browsers working group list <rtcweb.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/rtcweb>
List-Post: <mailto:rtcweb@ietf.org>
List-Help: <mailto:rtcweb-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtcweb>, <mailto:rtcweb-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2012 20:18:14 -0000

On Thu, Jul 19, 2012 at 2:03 PM, Dan Wing <dwing@cisco.com> wrote:

>
> As I explained at IETF83 in Paris at the RTCWEB, interworking
> between DTLS-SRTP keying and SDESC keying can be done without
> expensive CPU operations.  Reference
> http://www.ietf.org/proceedings/83/slides/slides-83-rtcweb-3.pdf
> http://tools.ietf.org/html/draft-ietf-avtcore-srtp-ekt
>
>
Even though I understand how you can bridge DTLS-SRTP with SRTP-EKV without
re-encryption, I do not think it is possible to bridge SDES-SRTP with
DTLS-SRTP the same way. Bridging DTLS-SRTP with SRTP-EKV is completely
useless for legacy interop since old equipment is more likely to support
DTLS-SRTP then EKV, which is not even standardized yet.

This being said, I am strongly against supporting SDES-SRTP. Re-encoding is
cheap and you can do nearly 10GB/s of AES encoding on a fairly modest
modern server. Having more protocols to test and support is a much higher
cost.
_____________
Roman Shpount