Re: [Rum] Media security

Chris Wendt <> Fri, 04 October 2019 00:47 UTC

From: Chris Wendt <>
Date: Thu, 3 Oct 2019 20:47:30 -0400
Cc: Martin C Dolly <>, "" <>
To: Paul Kyzivat <>

I would express my agreement maybe a different way.  What doesn’t make complete sense to me is the specification of RUM/RUE devices that seem to try to live in two different worlds.  What maybe I could call a traditional SIP UE/terminal world, but also trying to stick on a vision of moving to webrtc media, etc. and modern video conferencing world.

While I understand this is all possible theoretically, I’m not sure it is reality for most current webrtc supporting eco-systems.  Most I’m familiar with are using different signaling protocols, support multiple participants, simulcast and multi-bitrate stream and modern communications practices/identities etc.  I think this is why we had such a hard time finding a direction for NAANC IVC and beyond just basic IR.94 a point to point SIP protocol based eco-system, other than the standard deployment in the VRS world, this barely exists elsewhere, and I would guess is trending smaller, not larger.

So, I think it would be nice to sort of come to a reality check on where this is all going.

If we are talking about putting SBC/gateways in front of RUM/RUE devices anyway, it might be better to envision gateways into webrtc devices that look/feel more like messaging and video apps and use gateways into SIP networks for standard NNI protocol but allow for what typically seems to be proprietary SIP to webrtc gateway + app or SIP to webrtc gateway + device style deployments.  I know maybe that’s not a great message for in the IETF and the work in this group, but I think it’s really reality for most of what I know is being deployed going forward in general.  For a lot of good reasons, point to point vs multi-point calling supporting devices/apps are what people like to use.  I feel like that is what I seem to be hearing from the communities that depend on these devices and services generally as well, but I won’t claim to be an authority for that opinion.


> On Oct 1, 2019, at 7:53 PM, Paul Kyzivat <> wrote:
> On 10/1/19 4:19 PM, DOLLY, MARTIN C wrote:
>> Agree w Paul
>> Martin C. Dolly
> Thanks Martin. Can you be more explicit about what you are agreeing with?
> 	Thanks,
> 	Paul
>> Lead Member of Technical Staff
>> Government & Services Standards
>> AT&T
>> Cell: +1.609.903.3360 <tel:+1.609.903.3360>
>> Email: <>
>> On Oct 1, 2019, at 4:14 PM, Paul Kyzivat < <>> wrote:
>>> I would like to revive the point raised in the attached message that had no followup discussion.
>>> The problem with calling for mandatory media security on the RUE is that current VRS calls use insecure media. The VRS Provider Profile currently does not specify the RUE interface. It is the responsibility of the provider to interface (using SDP rewriting or media bridging) the calling RUE to either the terminating RUE or the other provider where the terminating RUE is connected. But it would be inappropriate (deceptive) to interface secure media to insecure media.
>>> There are plans to upgrade media security over the VRS Provider Profile. The following is a likely path forward, though steps 3-5 are speculation on my part:
>>> 1) The current VRS Provider Profile (v1) specifies insecure media. That is what is currently deployed by VRS providers.
>>> 2) There is a revised VRS Provider Profile (v2) in development. It hopefully will be approved by the end of this year. It calls for opportunistic media security [RFC8643] between providers. The reason is to allow gradual migration of providers to the revised profile.
>>> 3) Based on past history it may well take a year or more to accomplish a complete migration of all providers to the new profile. At that time all calls will be using secure media.
>>> 4) Once that migration is complete it will be possible to make a further revision to the profile (v3) that mandates offering unprovisional media security while still allowing the acceptance of offers of provisional media security. Again this is to allow a phase-in period.
>>> 5) Once that is complete, a v4 of the profile could then mandate unprovisional media security.
>>> If the new RUE spec isn't introduced until step (5) then media security can be achieved without any bridging or SDP rewriting. But that will likely be multiple years in the future.
>>> To incorporate the new RUE spec earlier some compromises will be required.
>>> It would be easy to change the RUE spec to use opportunistic media security. This would still result in secure media if all entities on the signaling path support it. But that won't be assured until step (3). Getting this to work with a WebRTC-based RUE (that requires secure media) will require at least SDP rewriting.
>>> Thoughts?
>>>    Thanks,
>>>    Paul
>>> On 9/5/19 4:31 PM, Paul Kyzivat wrote:
>>>> On 9/4/19 10:37 AM, Brian Rosen wrote:
>>>>> Yes, for sure T.140 (RFC4103).
>>>>> The providers have SBCs that anchor media, so they can handle security on one side but not the other.  That’s not a great answer, but it’s an answer.  Transcoding video is not reasonable.
>>>> The soon to be released updated version of the Provider Profile specifies opportunistic media security [RFC8643].
>>>> Also, while providers use SBCs, some of them can set up e2e media for point to point calls, where the media won't be anchored and security can't be twiddled.
>>>> I think this can be a problem if RUM requires the RUE to signal mandatory media security, which (I think) WebRTC requires.
>>>>     Thanks,
>>>>     Paul
>>>>> Brian
>>>>>> On Sep 4, 2019, at 10:35 AM, Gunnar Hellström < <> <>> wrote:
>>>>>> Den 2019-09-04 kl. 15:54, skrev Brian Rosen:
>>>>>>> I think our consensus is MTI:
>>>>>>> Audio: G.711 and Opus
>>>>>>> Video: H.264
>>>>>>  Real-time text: T.140        (I think you said it is mandatory for clients, and optional for services.)
>>>>>> All these need then transport and security details specified to assure interop with RUM.
>>>>>> How can you hope for backward compatibility with legacy devices when it is said in RUM that the security requirements must be met?
>>>>>> Regards
>>>>>> Gunnar
>>>>>>> We need to get into the details of H.264 to maintain compatibility with the WebRTC specs and as much backwards compatibility as possible.
>>>>>>> Anyone object?
>>>>>>>> On Sep 3, 2019, at 10:48 AM, Paul Kyzivat < <> <>> wrote:
>>>>>>>> On 9/2/19 4:39 AM, James Hamlin wrote:
>>>>>>>>> Just to add: the VRS industry supports a variety of endpoints, many of which are hardware based and not built by VRS providers themselves. H.264 and G.711 therefore need to be in the MTI list.
>>>>>>>>> I believe the FCC order related to compensation by compliant providers, not that every call had to come from a compliant endpoint.
>>>>>>>> Sorry if I got that wrong. I wrote that from memory and perhaps my memory is faulty.
>>>>>>>> Thanks,
>>>>>>>> Paul
>>>>>>>>> Best Regards
>>>>>>>>> James
>>>>>>>>> ________________________________________
>>>>>>>>> From: Rum < <> <>> on behalf of Paul Kyzivat < <> <>>
>>>>>>>>> Sent: 28 August 2019 16:48
>>>>>>>>> To: <> <>
>>>>>>>>> Subject: Re: [Rum] Codec requirements in draft-rosen-rue-01
>>>>>>>>> On 8/28/19 11:25 AM, Eric Burger wrote:
>>>>>>>>>> I guess the question is whether we want today’s devices to have a chance of being RUM compatible. I don’t think anyone will be surprised if a five-year-old device is history. Is it realistic for current devices to get VP8 upgrade? [Would be nice for some manufacturers or others building such devices to pipe in here.]
>>>>>>>>> Lets be clear about what we mean by "RUM compatible".
>>>>>>>>> When Henning and I were working on this with the providers in 2014 and
>>>>>>>>> 2015 there was an expectation that the providers would be required to
>>>>>>>>> support the defined RUE devices, but they would also be permitted to
>>>>>>>>> support their existing proprietary devices. The RUE devices could have
>>>>>>>>> requirements that their existing devices don't meet. But calls between
>>>>>>>>> the two were expected to work.
>>>>>>>>> There was great consternation when subsequently the FCC issued a
>>>>>>>>> proposed order that said only VRS calls involving RUE-compatible devices
>>>>>>>>> would be compensated. (But that was in 2015. I presume it has not happened.)
>>>>>>>>> If there is an intent to exclude non-RUM-compliant devices from use in
>>>>>>>>> VRS calls then there needs to be a migration plan to get from here to there.
>>>>>>>>>         Thanks,
>>>>>>>>>         Paul
>>>>>>>>>>> On Aug 28, 2019, at 10:38 AM, Brian Rosen < <> <>> wrote:
>>>>>>>>>>> If we require OPUS and G.711 as MTI and we require both H.264 and VP8 as MTI, then we get backwards compatibility without transcoding and forwards compatibility with WebRTC.  Isn’t that what we want?
>>>>>>>>>>> Brian
>>>>>>>>>>>> On Aug 28, 2019, at 10:15 AM, Paul Kyzivat < <> <>> wrote:
>>>>>>>>>>>> Inline...
>>>>>>>>>>>> On 8/27/19 5:57 PM, Adam Roach wrote:
>>>>>>>>>>>>> I certainly have thoughts. The executive summary is that I personally believe RUM should specify Opus as the one audio codec MTI, and match RFC 7742's "Non-Browser" requirements for the video codec MTI. Rationale below.
>>>>>>>>>>>>> From an interop perspective, the important thing is that any given profile has (at least) one MTI video codec and (at least) one MTI audio codec. I know there is a strong desire -- one that I share -- that these endpoints can talk to/be implemented in web browsers without the need for media transcoding.
>>>>>>>>>>>>> For audio: WebRTC selected G.711 and Opus as both MTI; the former because it works without transcoding to landline PSTN destinations, and the latter because it sounds much, much better. RUM could make the same decision; or it could decide to move away from a codec that is as old as I am and opt to designate Opus as the only MTI. Given that RUM inherently needs to deploy into audio/video environments, backwards compatibility with the PSTN seems to be unnecessary baggage.
>>>>>>>>>>>> Please keep in mind where we are coming from. The RUM will be a new interface to the *existing* VRS infrastructure. That infrastructure currently has proprietary devices that serve the RUE function, deployed to VRS users and to Communications Assistants (CAs, Interpreters). These have G.711 MTI, and also *recommend* G.722.2.
>>>>>>>>>>>> Making OPUS the only MTI audio codec would be problematic.
>>>>>>>>>>>>> For video: While specifying either VP8 or H.264 would be sufficient for system interop, and for interop with compliant WebRTC endpoints, I'd really prefer not to re-live the WebRTC video codec wars. Concretely, what I would propose is that RUM indicate that the video codec requirements are defined to be identical to those defined for "WebRTC Non-Browsers" in Section 5 of RFC 7742. It should be made clear that RUM endpoints *are* *not* WebRTC Non-Browsers per se; merely that they comply with the same video codec requirements as WebRTC Non-Browsers.
>>>>>>>>>>>> Continuing my comment above, existing devices have H.264 Constrained Baseline Profile, Level 1.3, packetization mode 1 as the MTI codec. Odds are many of these devices aren't capable of VP8.
>>>>>>>>>>>> We can't realistically require a wholesale swap out of existing devices before the RUE defined by RUM can work. We can *discuss* whether forcing the providers to transcode is a practical way forward. I'm dubious.
>>>>>>>>>>>>     Thanks,
>>>>>>>>>>>>     Paul
>>>>>>>>>>>>> /a
>>>>>>>>>>>>> On 8/27/19 2:34 PM, Brian Rosen wrote:
>>>>>>>>>>>>>> Well, we certainly want interoperability, and I think we can only get that with MTI codecs.
>>>>>>>>>>>>>> I think we really are talking about a WebRTC-compatible endpoint, but we want interoperability with a WebRTC browser endpoint.
>>>>>>>>>>>>>> Not sure how to say this.  Maybe Adam can help.
>>>>>>>>>>>>>> Brian
>>>>>>>>>>>>>>> On Aug 12, 2019, at 4:20 PM, Paul Kyzivat < <> <>> wrote:
>>>>>>>>>>>>>>> draft-rosen-rue-01 changes the video codec requirements. It now simply references webrtc RFC7742.
>>>>>>>>>>>>>>> RFC7742 distinguishes three types of endpoints: "WebRTC browser", "WebRTC non-browser", and "WebRTC-compatible endpoint". AFAIK it assumes that each end is one of these.
>>>>>>>>>>>>>>> Is the expectation here that both the RUE and the provider comply with one of these? In particular, that the provider may simply be a "WebRTC-compatible endpoint"? Notably:
>>>>>>>>>>>>>>>    "WebRTC-compatible endpoints" are free to implement any video codecs
>>>>>>>>>>>>>>>    they see fit.  This follows logically from the definition of "WebRTC-
>>>>>>>>>>>>>>>    compatible endpoint".  It is, of course, advisable to implement at
>>>>>>>>>>>>>>>    least one of the video codecs that is mandated for WebRTC browsers,
>>>>>>>>>>>>>>>    and implementors are encouraged to do so.
>>>>>>>>>>>>>>> Similarly, the audio requirements have been changed to reference webrtc RFC7874. That one doesn't have the distinction between "WebRTC browser", "WebRTC non-browser", and "WebRTC-compatible endpoint". It applies the same requirements to all. In particular, it requires OPUS support. I don't know why it doesn't make the same endpoint distinctions as for video.
>>>>>>>>>>>>>>> I think simply referencing these documents isn't sufficient. Seems like we need a more nuanced specification of what is required, though we may still reference these docs with qualifications.
>>>>>>>>>>>>>>>     Thanks,
>>>>>>>>>>>>>>>     Paul
>>>>>>>>>>> -- 
>>>>>>>>>>> Rum mailing list
>>>>>>>>>>> <> <>
>>>>>> -- 
>>>>>> -----------------------------------------
>>>>>> Gunnar Hellström
>>>>>> Omnitor
>>>>>> <> <>
>>>>>> +46 708 204 288
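The thread above turns on three media-security states that a RUE or provider can signal in SDP and on what an anchoring SBC can honestly do between them: the v1 profile's plain RTP, the v2 profile's opportunistic SRTP [RFC8643] (RTP/AVP profile plus keying attributes), and WebRTC's mandatory DTLS-SRTP (secure profile). The script below is an added example, not code from this thread or from any VRS provider: it classifies constructed SDP offers into those three modes and then applies the decision logic Paul describes, namely that SDP rewriting needs anchored media, that unanchored end-to-end media cannot be "twiddled", and that a call terminated as SRTP on the SBC and carried as plain RTP beyond it must never be reported to the RUE as end-to-end secure. The profile and attribute rules follow RFC 8643 and the WebRTC SDP conventions as I understand them; the SDP bodies and fingerprint values are constructed placeholders.

```python
"""Classify the media-security mode of an SDP offer and decide what a
media-anchoring SBC can do between a RUE leg and a provider/NNI leg.
Added example; SDP bodies below are constructed and fingerprints are placeholders."""
from dataclasses import dataclass, field

# Profiles that make SRTP mandatory for the section (WebRTC offers use the
# UDP/TLS/RTP/SAVPF form with DTLS-SRTP keying).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
# Keying attributes which, on a plain RTP/AVP(F) section, mark an RFC 8643
# opportunistic offer: DTLS-SRTP, SDES and ZRTP respectively.
KEYING_PREFIXES = ("a=fingerprint:", "a=crypto:", "a=zrtp-hash:")


@dataclass
class MediaSection:
    media: str
    profile: str
    attrs: list = field(default_factory=list)


def parse_sdp(sdp: str) -> list:
    """Minimal SDP walk: record the transport profile and a= lines per m= section."""
    sections = []
    for raw in sdp.strip().splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()  # <media> <port> <proto> <fmt> ...
            sections.append(MediaSection(media=fields[0], profile=fields[2]))
        elif line.startswith("a=") and sections:  # session-level a= lines are ignored
            sections[-1].attrs.append(line)
    return sections


def security_mode(section: MediaSection) -> str:
    """'mandatory' (secure profile), 'opportunistic' (AVP + keying) or 'insecure'."""
    has_keying = any(a.startswith(p) for a in section.attrs for p in KEYING_PREFIXES)
    if section.profile in SECURE_PROFILES:
        return "mandatory"
    return "opportunistic" if has_keying else "insecure"


def session_mode(sdp: str) -> str:
    """Weakest mode across all m= sections: one insecure section makes the whole
    session insecure; only all-mandatory sections make it mandatory."""
    modes = {security_mode(s) for s in parse_sdp(sdp)}
    if not modes or "insecure" in modes:
        return "insecure"
    return "mandatory" if modes == {"mandatory"} else "opportunistic"


def bridge_decision(rue_mode: str, far_mode: str, media_anchored: bool):
    """Return (action, end_to_end_secure) for an SBC sitting between the legs.

    action: 'passthrough', 'rewrite' (SDP rewriting keeps SRTP on both legs),
    'terminate-at-sbc' (SRTP on the RUE leg only) or 'fail'.
    end_to_end_secure is True only when both legs carry SRTP; a terminate-at-sbc
    bridge must not be presented to the RUE as an end-to-end secure call."""
    secure = {"mandatory", "opportunistic"}
    if rue_mode in secure and far_mode in secure:
        if rue_mode == far_mode:
            return ("passthrough", True)
        # e.g. SAVPF offer from a WebRTC RUE toward an OSRTP-only provider:
        # only an anchoring SBC can rewrite profile and keying lines per leg.
        return ("rewrite", True) if media_anchored else ("fail", False)
    if rue_mode == "insecure" and far_mode == "insecure":
        return ("passthrough", False)
    if "opportunistic" in (rue_mode, far_mode):
        return ("passthrough", False)  # OSRTP quietly falls back to plain RTP
    if media_anchored:
        return ("terminate-at-sbc", False)  # mandatory-SRTP leg ends at the SBC
    return ("fail", False)  # unanchored e2e media: the mismatch cannot be fixed


# Constructed offers; the fingerprint is a placeholder value.
FP = "a=fingerprint:sha-256 " + ":".join(["00"] * 32)
WEBRTC_RUE_OFFER = f"""v=0\no=- 1 1 IN IP4 192.0.2.10\ns=-\nt=0 0
m=audio 49170 UDP/TLS/RTP/SAVPF 111 0\nc=IN IP4 192.0.2.10
a=rtpmap:111 opus/48000/2\na=rtpmap:0 PCMU/8000\n{FP}\na=setup:actpass
m=video 49172 UDP/TLS/RTP/SAVPF 96\na=rtpmap:96 H264/90000\n{FP}\na=setup:actpass"""
OSRTP_PROVIDER_OFFER = f"""v=0\no=- 2 2 IN IP4 192.0.2.20\ns=-\nt=0 0
m=audio 50000 RTP/AVP 0\nc=IN IP4 192.0.2.20\na=rtpmap:0 PCMU/8000\n{FP}\na=setup:actpass
m=video 50002 RTP/AVP 96\na=rtpmap:96 H264/90000\n{FP}\na=setup:actpass"""
V1_PROVIDER_OFFER = """v=0\no=- 3 3 IN IP4 192.0.2.30\ns=-\nt=0 0
m=audio 51000 RTP/AVP 0\nc=IN IP4 192.0.2.30\na=rtpmap:0 PCMU/8000
m=video 51002 RTP/AVP 96\na=rtpmap:96 H264/90000"""

if __name__ == "__main__":
    offers = [("WebRTC RUE", WEBRTC_RUE_OFFER), ("v2 provider", OSRTP_PROVIDER_OFFER),
              ("v1 provider", V1_PROVIDER_OFFER)]
    for name, sdp in offers:
        print(f"{name:12s} -> {session_mode(sdp)}")
    rue = session_mode(WEBRTC_RUE_OFFER)
    for far, anchored in [("insecure", True), ("insecure", False), ("opportunistic", True)]:
        print(f"RUE={rue} far={far} anchored={anchored}: {bridge_decision(rue, far, anchored)}")
```

Run as-is and the three offers classify as mandatory, opportunistic and insecure; a mandatory RUE against a v1 provider yields terminate-at-sbc with end_to_end_secure False when the SBC anchors media, and fail when it does not, which is the step (3)/(5) gap the thread is discussing.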