Re: [Rum] Media security

Eric Burger <> Fri, 04 October 2019 14:03 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id E15A51200A3 for <>; Fri, 4 Oct 2019 07:03:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.69
X-Spam-Status: No, score=-1.69 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=neutral reason="invalid (public key: not available)"
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DzsgABvCZr5O for <>; Fri, 4 Oct 2019 07:03:48 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 65CA3120071 for <>; Fri, 4 Oct 2019 07:03:48 -0700 (PDT)
Received: from ([]) by with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from <>) id 1iGOB5-000wvX-NJ for; Fri, 04 Oct 2019 10:03:48 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=default; h=Message-Id:In-Reply-To:To:References:Date: Subject:Mime-Version:Content-Type:From:Sender:Reply-To:Cc: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=8EVD3X0Blo2heFwcUJt92eJTJthgm0nKbXPX+IssQkA=; b=mdLsnzoBvwmsZoFN5994D00Gy ZnqQlFwI8BVN35gkx2hu/F0LpLvfwHszEjXqgcQylm2tnUZOwAV0M9qJ5Z7pKugGWzJeubkAnHmDi aGo1JJ9Krsso6G64Z5rclmSh55MI96VQfFC8XJAqujTXm+q4Dng+4pkvWbXHoPy+LhihI=;
Received: from [] (port=9318 helo=[]) by with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.92) (envelope-from <>) id 1iGOAo-007FWE-U8 for; Fri, 04 Oct 2019 07:03:18 -0700
From: Eric Burger <>
Content-Type: multipart/signed; boundary="Apple-Mail=_572ABE8A-4AD1-466C-BF4D-3108DAD08039"; protocol="application/pgp-signature"; micalg=pgp-sha256
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 4 Oct 2019 10:03:08 -0400
References: <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <> <>
To: "" <>
In-Reply-To: <>
Message-Id: <>
X-Mailer: Apple Mail (2.3445.104.11)
X-OutGoing-Spam-Status: No, score=-0.2
X-Get-Message-Sender-Via: authenticated_id: user confirmed/virtual account not confirmed
Authentication-Results:; auth=pass
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.31)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0dWQ8c9lblW44odAlK6ziUapSDasLI4SayDByyq9LIhVlueqnRQlcnPA ZGhFy6RcuUTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDwzmmD1lPZONmDbVrCI7lkOfH zJ6mVE7ewsipSVIfs4Yc/kxLVEzUfT4GEKd5QUMNgyWFxOA5dILPypvKxNVhWW9iu9q1oNVH8nhC o/XpZxc/iXnuUw31frArk475PTzt0p8T4Nd45j4kJRgJ8MJ6+Md4EfSeS8yJNluG6jX3DLoRxK5O dUqDGvgvOW0ZV5+ajPA51CucGfCwfE7cCW8pKMnZ2EaDA1PmQopv7SCYWfjpxOsB8gG0slV7ra6j I4BSinhxldfhg28HAKUUgnPcbwGLnc+yV7lxSY64lkQzDsaYVVWBZ0FcqQQfT778mFH9Br4UQT5O ZMr/oeXfpj/bf7wqyT5p50x81ZKcmzCu2U3UDXCzB2RvHsONj9xE9zz/uLl5G81TJjfecGPYmAYi sSCv9TR+UxzLZWL8hwGBjhoI3W+YcuHfP5PkZb5A+wE5qGdpH54Oa3V8I76VOEvlwLZ8DTogwQ+H /c7sp+LxSn8PVEt4gmaG2RjwYKjjPoxP4nuZrRf7bMi0WRR6pZ+nWQE+L26KIUIpqMXu7LLX/Pa1 iWtCOy8M+6OCBxZTXpHJW5KaEOQNGmvIwzdiYUcqNlp7/Kmr4kFmhc2FzNwaRbfpsjwkpA5KFRsg cb2fEpSR7+os1iUt1gaukab36nH0kgG7Eq6LSIf7Fi4kMqfo4VeReoFxWEGsi1V1FGos/w8r+Omg Y9x9gmn57R8zjzBPVyG7X+t1TW39Ja77LGPpOwBxiOahCAHxu+EG+tWGsedsdzYrUh8gH+Su3lfX 3GGqPPMzfUNUUo/smy/GT3Vsn3D71WYfjIt2Mg/U0mvo5fsx/73cIb08xkVb3ZKCv/rl/p4LmTGI +05EviYz0ob+L9BHzq3YSILobAzCzsa++jPAA9a5xIXWLWP5TEF+bN/aB965dj1POfQw0ScCQmri GAT9v9INL9TP6gaX4C90lPb59jihx+Za/cV70jOJzN2r4A==
Archived-At: <>
Subject: Re: [Rum] Media security
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Relay User Machine <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 04 Oct 2019 14:03:51 -0000

Said a different way, since we know it takes a while for implementors to build to specifications once the specifications are complete, why not specify what we need, and leave transition to industry organizations?

Using Paul’s terminology, we would specify V3 here, and in the VRS case V2 could be negotiated by industry and, in the U.S. case, perhaps the FCC?

The point being that since it takes years to get a standard done, and year (singular) to release product, we set the target and let the laggards in industry (because there will always be a vendor or two and open source that will have it done before the document pops out of the RFC Editor queue) catch up?

> On Oct 3, 2019, at 8:47 PM, Chris Wendt <>; wrote:
> I would express my agreement maybe a different way.  What doesn’t make complete sense to me is the specification of RUM/RUE devices that seem to try to live in two different worlds.  What maybe i could call a traditional SIP UE/terminal world, but also trying to stick on a vision of moving to webrtc media, etc. and modern video conferencing world.
> While i understand this is all possible theoretically, I’m not sure it is reality for most current webrtc supporting eco-systems.  Most i’m familiar with are using different signaling protocols, support multiple participants, simulcast and multi-bitrate stream and modern communications practices/identities etc.  I think this is why we had such a hard time finding a direction for NAANC IVC and beyond just basic IR.94 a point to point SIP protocol based eco-system, other than the standard deployment in the VRS world, this barely exists elsewhere, and I would guess is trending smaller, not larger.
> So, i think it would be nice to sort of come to a reality check on where this is all going.
> If we are talking about putting SBC/gateways in front of RUM/RUE devices anyway, it might be better to envision gateways into webrtc devices that look/feel more like messaging and video apps and use gateways into SIP networks for standard NNI protocol but allow for what typically seems to be proprietary SIP to webrtc gateway + app or SIP to webrtc gateway + device style deployments.  I know maybe that’s not a great message for in the IETF and the work in this group, but i think it’s really reality for most of what i know is being deployed going forward in general.  For a lot of good reasons, point to point vs multi-point calling supporting devices/apps are what people like to use.  I feel like that is what i seem to be hearing from the communities that depend on these devices and services generally as well, but i won’t claim to be an authority for that opinion.
> -Chris
>> On Oct 1, 2019, at 7:53 PM, Paul Kyzivat <>; wrote:
>> On 10/1/19 4:19 PM, DOLLY, MARTIN C wrote:
>>> Agree w Paul
>>> Martin C. Dolly
>> Thanks Martin. Can you be more explicit about what you are agreeing with?
>> 	Thanks,
>> 	Paul
>>> Lead Member of Technical Staff
>>> Government & Services Standards
>>> AT&T
>>> Cell: +1.609.903.3360 <tel:+1.609.903.3360>
>>> Email: <>
>>> On Oct 1, 2019, at 4:14 PM, Paul Kyzivat < <>> wrote:
>>>> I would like to revive the point raised in the attached message that had no followup discussion.
>>>> The problem with calling for mandatory media security on the RUE is that current VRS calls use insecure media. The VRS Provider Profile currently does not specify the RUE interface. It is the responsibility of the provider to interface (using SDP rewriting or media bridging) the calling RUE to either the terminating RUE or the other provider where the terminating RUE is connected. But it would be inappropriate (deceptive) to interface secure media to insecure media.
>>>> There are plans to upgrade media security over the VRS Provider Profile. The following is a likely path forward, though steps 3-5 are speculation on my part:
>>>> 1) The current VRS Provider Profile (v1) specifies insecure media. That is what is currently deployed by VRS providers.
>>>> 2) There is a revised VRS Provider Profile (v2) in development. It hopefully will be approved by the end of this year. It calls for opportunistic media security [RFC8643] between providers. The reason is to allow gradual migration of providers to the revised profile.
>>>> 3) Based on past history it may well take a year or more to accomplish a complete migration of all providers to the new profile. At that time all calls will be using secure media.
>>>> 4) Once that migration is complete it will be possible to make a further revision to the profile (v3) that mandates offering unprovisional media security while still allowing the acceptance of offers of provisional media security. Again this is to allow a phase-in period.
>>>> 5) Once that is complete, a v4 of the profile could then mandate unprovisional media security.
>>>> If the new RUE spec isn't introduced until step (5) then media security can be achieved without any bridging or SDP rewriting. But that will likely be multiple years in the future.
>>>> To incorporate the new RUE spec earlier some compromises will be required.
>>>> It would be easy to change the RUE spec to use opportunistic media security. This would still result in secure media if all entities on the signaling path support it. It that won't be assured until step (3). Getting this to work with a WebRTC-based RUE (that requires secure media) will require at least SDP rewriting.
>>>> Thoughts?
>>>>   Thanks,
>>>>   Paul
>>>> On 9/5/19 4:31 PM, Paul Kyzivat wrote:
>>>>> On 9/4/19 10:37 AM, Brian Rosen wrote:
>>>>>> Yes, for sure T.140 (RFC4103).
>>>>>> The providers have SBCs that anchor media, so they can handle security on one side but not the other.  That’s not a great answer, but it’s an answer.  Transcoding video is not reasonable.
>>>>> The soon to be released updated version of the Provider Profile specifies opportunistic media security [RFC8643].
>>>>> Also, while providers use SBCs, some of them can set up e2e media for point to point calls, where the media won't be anchored and security can't be twiddled.
>>>>> I think this can be a problem if RUM requires the RUE to signal mandatory media security, which (I think) WebRTC requires.
>>>>>    Thanks,
>>>>>    Paul
>>>>>> Brian
>>>>>>> On Sep 4, 2019, at 10:35 AM, Gunnar Hellström < <> <>> wrote:
>>>>>>> Den 2019-09-04 kl. 15:54, skrev Brian Rosen:
>>>>>>>> I think our consensus is MTI:
>>>>>>>> Audio: G.711 and Opus
>>>>>>>> Video: H.264
>>>>>>> Real-time text: T.140        (I think you said it is mandatory for clients, and optional for services.)
>>>>>>> All these need then transport and security details specified to assure interop with RUM.
>>>>>>> How can you hope for backward compatibility with legacy devices when it is said in RUM that the security requirements must be met?
>>>>>>> Regards
>>>>>>> Gunnar
>>>>>>>> We need to get into the details of H.264 to maintain compatibility with the WebRTC specs and as much backwards compatibility as possible.
>>>>>>>> Anyone object?
>>>>>>>>> On Sep 3, 2019, at 10:48 AM, Paul Kyzivat < <> <>> wrote:
>>>>>>>>> On 9/2/19 4:39 AM, James Hamlin wrote:
>>>>>>>>>> Just to add: the VRS industry supports a variety of endpoints, many of which are hardware based and not built by VRS providers themselves. H.264 and G..711 therefore need to be in the MTI list.
>>>>>>>>>> I believe the FCC order related to compensation by compliant providers not that every call had to come from a compliant endpoint.
>>>>>>>>> Sorry if I got that wrong. I wrote that from memory and perhaps my memory is faulty.
>>>>>>>>> Thanks,
>>>>>>>>> Paul
>>>>>>>>>> Best Regards
>>>>>>>>>> James
>>>>>>>>>> ________________________________________
>>>>>>>>>> From: Rum < <> <>> on behalf of Paul Kyzivat < <> <>>
>>>>>>>>>> Sent: 28 August 2019 16:48
>>>>>>>>>> To: <> <>
>>>>>>>>>> Subject: Re: [Rum] Codec requirements in draft-rosen-rue-01
>>>>>>>>>> On 8/28/19 11:25 AM, Eric Burger wrote:
>>>>>>>>>>> I guess the question is whether we want today’s devices to have a chance of being RUM compatible. I don’t think anyone will be surprised if a five-year-old device is history. Is it realistic for current devices to get VP8 upgrade? [Would be nice for some manufacturers or others building such devices to pipe in here.]
>>>>>>>>>> Lets be clear about what we mean by "RUM compatible".
>>>>>>>>>> When Henning and I were working on this with the providers in 2014 and
>>>>>>>>>> 2015 there was an expectation that the providers would be required to
>>>>>>>>>> support the defined RUE devices, but they would also be permitted to
>>>>>>>>>> support their existing proprietary devices. The RUE devices could have
>>>>>>>>>> requirements that their existing devices don't meet. But calls between
>>>>>>>>>> the two were expected to work.
>>>>>>>>>> There was great consternation when subsequently the FCC issued a
>>>>>>>>>> proposed order that said only VRS calls involving RUE-compatible devices
>>>>>>>>>> would be compensated. (But that was in 2015. I presume it has not happened.)
>>>>>>>>>> If there is an intent to exclude non-RUM-compliant devices from use in
>>>>>>>>>> VRS calls then there needs to be a migration plan to get from here to there.
>>>>>>>>>>        Thanks,
>>>>>>>>>>        Paul
>>>>>>>>>>>> On Aug 28, 2019, at 10:38 AM, Brian Rosen < <> <>> wrote:
>>>>>>>>>>>> If we require OPUS and G.711 as MTI and we require both H.264 and VP8 as MTI, then we get backwards compatibility without transcoding and forwards compatibility with WebRTC.  Isn’t that what we want?
>>>>>>>>>>>> Brian
>>>>>>>>>>>>> On Aug 28, 2019, at 10:15 AM, Paul Kyzivat < <> <>> wrote:
>>>>>>>>>>>>> Inline...
>>>>>>>>>>>>> On 8/27/19 5:57 PM, Adam Roach wrote:
>>>>>>>>>>>>>> I certainly have thoughts. The executive summary is that I personally believe RUM should specify Opus as the one audio codec MTI, and match RFC 7742's "Non-Browser" requirements for the video codec MTI. Rationale below.
>>>>>>>>>>>>>> From an interop perspective, the important thing is that any given profile has (at least) one MTI video codec and (at least) one MTI audio codec.. I know there is a strong desire -- one that I share -- that these endpoints can talk to/be implemented in web browsers without the need for media transcoding.
>>>>>>>>>>>>>> For audio: WebRTC selected G.711 and Opus as both MTI; the former because it works without transcoding to landline PSTN destinations, and the latter because it sounds much, much better. RUM could make the same decision; or it could decide to move away from a codec that is as old as I am and opt to designate Opus as the only MTI. Given that RUM inherently needs to deploy into audio/video environments, backwards compatibility with the PSTN seems to be unnecessary baggage.
>>>>>>>>>>>>> Please keep in mind where we are coming from. The RUM will be a new interface to the *existing* VRS infrastructure. That infrastructure currently has proprietary devices that serve the RUE function, deployed to VRS users and to Communications Assistants (CAs, Interpreters). These have G.711 MTI, and also *recommend* G.722.2.
>>>>>>>>>>>>> Making OPUS the only MTI audio codec would be problematic.
>>>>>>>>>>>>>> For video: While specifying either VP8 or H.264 would be sufficient for system interop, and for interop with compliant WebRTC endpoints, I'd really prefer not to re-live the WebRTC video codec wars. Concretely, what I would propose is that RUM indicate that the video codec requirements are defined to be identical to those defined for "WebRTC Non-Browsers" in Section 5 of RFC 7742. It should be made clear that RUM endpoints *are* *not* WebRTC Non-Browsers per se; merely that they comply with the same video codec requirements as WebRTC Non-Browsers.
>>>>>>>>>>>>> Continuing my comment above, existing devices have H.264 Constrained Baseline Profile, Level 1.3, packetization mode 1 as the MTI codec. Odds are many of these devices aren't capable of VP8.
>>>>>>>>>>>>> We can't realistically require a wholesale swap out of existing devices before the RUE defined by RUM can work. We can *discuss* whether forcing the providers to transcode is a practical way forward. I'm dubious.
>>>>>>>>>>>>>    Thanks,
>>>>>>>>>>>>>    Paul
>>>>>>>>>>>>>> /a
>>>>>>>>>>>>>> On 8/27/19 2:34 PM, Brian Rosen wrote:
>>>>>>>>>>>>>>> Well, we certainly want interoperability, and I think we can only get that with MTI codecs.
>>>>>>>>>>>>>>> I think we really are talking about a WebRTC-compatible endpoint, but we want interoperability with a WebRTC browser endpoint.
>>>>>>>>>>>>>>> Not sure how to say this.  Maybe Adam can help.
>>>>>>>>>>>>>>> Brian
>>>>>>>>>>>>>>>> On Aug 12, 2019, at 4:20 PM, Paul Kyzivat < <> <>> wrote:
>>>>>>>>>>>>>>>> draft-rosen-rue-01 changes the video codec requirements. It now simply references webrtc RFC7742.
>>>>>>>>>>>>>>>> RFC7742 distinguishes three types of endpoints: "WebRTC browser", "WebRTC non-browser", and "WebRTC-compatible endpoint". AFAIK it assumes that each end is one of these.
>>>>>>>>>>>>>>>> Is the expectation here that both the RUE and the provider comply with one of these? In particular, that the provider may simply be a "WebRTC-compatible endpoint? Notably:
>>>>>>>>>>>>>>>>   "WebRTC-compatible endpoints" are free to implement any video codecs
>>>>>>>>>>>>>>>>   they see fit.  This follows logically from the definition of "WebRTC-
>>>>>>>>>>>>>>>>   compatible endpoint".  It is, of course, advisable to implement at
>>>>>>>>>>>>>>>>   least one of the video codecs that is mandated for WebRTC browsers,
>>>>>>>>>>>>>>>>   and implementors are encouraged to do so.
>>>>>>>>>>>>>>>> Similarly, the audio requirements have been changed to reference webrtc RFC7874. That one doesn't have the distinction between "WebRTC browser", "WebRTC non-browser", and "WebRTC-compatible endpoint". It applies the same requirements to all. In particular, it requires OPUS support. I don't know why it doesn't make the same endpoint distinctions as for video.
>>>>>>>>>>>>>>>> I think simply referencing these documents isn't sufficient. Seems like we need a more nuanced specification of what is required, though we may still reference these docs with qualifications.
>>>>>>>>>>>>>>>>    Thanks,
>>>>>>>>>>>>>>>>    Paul
>>>>>>>>>>>> --
>>>>>>>>>>>> Rum mailing list
>>>>>>>>>>>> <> <>
>>>>>>>>>> --
>>>>>>>>>> Rum mailing list
>>>>>>>>>> <> <>
>>>>>>>>> --
>>>>>>>>> Rum mailing list
>>>>>>>>> <> <>
>>>>>>> --
>>>>>>> -----------------------------------------
>>>>>>> Gunnar Hellström
>>>>>>> Omnitor
>>>>>>> <> <>
>>>>>>> +46 708 204 288
>>>> --
>>>> Rum mailing list
>>>> <>
>> --
>> Rum mailing list
> --
> Rum mailing list