Re: [Rum] Media security

"DOLLY, MARTIN C" Tue, 01 October 2019 20:19 UTC

From: "DOLLY, MARTIN C"
To: Paul Kyzivat
Thread-Topic: [Rum] Media security
Date: Tue, 1 Oct 2019 20:19:33 +0000

Agree w Paul

Martin C. Dolly
Lead Member of Technical Staff
Government & Services Standards
Cell: +1.609.903.3360

On Oct 1, 2019, at 4:14 PM, Paul Kyzivat wrote:

I would like to revive the point raised in the attached message that had no followup discussion.

The problem with calling for mandatory media security on the RUE is that current VRS calls use insecure media. The VRS Provider Profile currently does not specify the RUE interface. It is the responsibility of the provider to interface (using SDP rewriting or media bridging) the calling RUE to either the terminating RUE or the other provider where the terminating RUE is connected. But it would be inappropriate (deceptive) to interface secure media to insecure media.

There are plans to upgrade media security over the VRS Provider Profile. The following is a likely path forward, though steps 3-5 are speculation on my part:

1) The current VRS Provider Profile (v1) specifies insecure media. That is what is currently deployed by VRS providers.

2) There is a revised VRS Provider Profile (v2) in development. It hopefully will be approved by the end of this year. It calls for opportunistic media security [RFC8643] between providers. The reason is to allow gradual migration of providers to the revised profile.

3) Based on past history it may well take a year or more to accomplish a complete migration of all providers to the new profile. At that time all calls will be using secure media.

4) Once that migration is complete it will be possible to make a further revision to the profile (v3) that mandates offering unprovisional media security while still allowing the acceptance of offers of provisional media security. Again this is to allow a phase-in period.

5) Once that is complete, a v4 of the profile could then mandate unprovisional media security.

If the new RUE spec isn't introduced until step (5) then media security can be achieved without any bridging or SDP rewriting. But that will likely be multiple years in the future.

To incorporate the new RUE spec earlier some compromises will be required.

It would be easy to change the RUE spec to use opportunistic media security. This would still result in secure media if all entities on the signaling path support it. But that won't be assured until step (3). Getting this to work with a WebRTC-based RUE (that requires secure media) will require at least SDP rewriting.



On 9/5/19 4:31 PM, Paul Kyzivat wrote:
On 9/4/19 10:37 AM, Brian Rosen wrote:
Yes, for sure T.140 (RFC4103).
The providers have SBCs that anchor media, so they can handle security on one side but not the other.  That’s not a great answer, but it’s an answer.  Transcoding video is not reasonable.
The soon to be released updated version of the Provider Profile specifies opportunistic media security [RFC8643].
Also, while providers use SBCs, some of them can set up e2e media for point to point calls, where the media won't be anchored and security can't be twiddled.
I think this can be a problem if RUM requires the RUE to signal mandatory media security, which (I think) WebRTC requires.

On Sep 4, 2019, at 10:35 AM, Gunnar Hellström wrote:

On 2019-09-04 at 15:54, Brian Rosen wrote:
I think our consensus is MTI:
Audio: G.711 and Opus
Video: H.264

 Real-time text: T.140        (I think you said it is mandatory for clients, and optional for services.)

All these need then transport and security details specified to assure interop with RUM.

How can you hope for backward compatibility with legacy devices when it is said in RUM that the security requirements must be met?



We need to get into the details of H.264 to maintain compatibility with the WebRTC specs and as much backwards compatibility as possible.

Anyone object?

On Sep 3, 2019, at 10:48 AM, Paul Kyzivat wrote:

On 9/2/19 4:39 AM, James Hamlin wrote:
Just to add: the VRS industry supports a variety of endpoints, many of which are hardware based and not built by VRS providers themselves. H.264 and G.711 therefore need to be in the MTI list.
I believe the FCC order related to compensation by compliant providers, not that every call had to come from a compliant endpoint.
Sorry if I got that wrong. I wrote that from memory and perhaps my memory is faulty.


Best Regards
From: Rum on behalf of Paul Kyzivat
Sent: 28 August 2019 16:48
Subject: Re: [Rum] Codec requirements in draft-rosen-rue-01
On 8/28/19 11:25 AM, Eric Burger wrote:
I guess the question is whether we want today’s devices to have a chance of being RUM compatible. I don’t think anyone will be surprised if a five-year-old device is history. Is it realistic for current devices to get VP8 upgrade? [Would be nice for some manufacturers or others building such devices to pipe in here.]
Let's be clear about what we mean by "RUM compatible".

When Henning and I were working on this with the providers in 2014 and 2015 there was an expectation that the providers would be required to support the defined RUE devices, but they would also be permitted to support their existing proprietary devices. The RUE devices could have requirements that their existing devices don't meet. But calls between the two were expected to work.

There was great consternation when subsequently the FCC issued a proposed order that said only VRS calls involving RUE-compatible devices would be compensated. (But that was in 2015. I presume it has not happened.)

If there is an intent to exclude non-RUM-compliant devices from use in VRS calls then there needs to be a migration plan to get from here to there.
On Aug 28, 2019, at 10:38 AM, Brian Rosen wrote:

If we require OPUS and G.711 as MTI and we require both H.264 and VP8 as MTI, then we get backwards compatibility without transcoding and forwards compatibility with WebRTC.  Isn’t that what we want?


On Aug 28, 2019, at 10:15 AM, Paul Kyzivat wrote:


On 8/27/19 5:57 PM, Adam Roach wrote:
I certainly have thoughts. The executive summary is that I personally believe RUM should specify Opus as the one audio codec MTI, and match RFC 7742's "Non-Browser" requirements for the video codec MTI. Rationale below.
From an interop perspective, the important thing is that any given profile has (at least) one MTI video codec and (at least) one MTI audio codec. I know there is a strong desire -- one that I share -- that these endpoints can talk to/be implemented in web browsers without the need for media transcoding.
For audio: WebRTC selected G.711 and Opus as both MTI; the former because it works without transcoding to landline PSTN destinations, and the latter because it sounds much, much better. RUM could make the same decision; or it could decide to move away from a codec that is as old as I am and opt to designate Opus as the only MTI. Given that RUM inherently needs to deploy into audio/video environments, backwards compatibility with the PSTN seems to be unnecessary baggage.
Please keep in mind where we are coming from. The RUM will be a new interface to the *existing* VRS infrastructure. That infrastructure currently has proprietary devices that serve the RUE function, deployed to VRS users and to Communications Assistants (CAs, Interpreters). These have G.711 MTI, and also *recommend* G.722.2.

Making OPUS the only MTI audio codec would be problematic.

For video: While specifying either VP8 or H.264 would be sufficient for system interop, and for interop with compliant WebRTC endpoints, I'd really prefer not to re-live the WebRTC video codec wars. Concretely, what I would propose is that RUM indicate that the video codec requirements are defined to be identical to those defined for "WebRTC Non-Browsers" in Section 5 of RFC 7742. It should be made clear that RUM endpoints *are* *not* WebRTC Non-Browsers per se; merely that they comply with the same video codec requirements as WebRTC Non-Browsers.
Continuing my comment above, existing devices have H.264 Constrained Baseline Profile, Level 1.3, packetization mode 1 as the MTI codec. Odds are many of these devices aren't capable of VP8.

We can't realistically require a wholesale swap out of existing devices before the RUE defined by RUM can work. We can *discuss* whether forcing the providers to transcode is a practical way forward. I'm dubious.


On 8/27/19 2:34 PM, Brian Rosen wrote:
Well, we certainly want interoperability, and I think we can only get that with MTI codecs.

I think we really are talking about a WebRTC-compatible endpoint, but we want interoperability with a WebRTC browser endpoint.

Not sure how to say this.  Maybe Adam can help.


On Aug 12, 2019, at 4:20 PM, Paul Kyzivat wrote:

draft-rosen-rue-01 changes the video codec requirements. It now simply references webrtc RFC7742.

RFC7742 distinguishes three types of endpoints: "WebRTC browser", "WebRTC non-browser", and "WebRTC-compatible endpoint". AFAIK it assumes that each end is one of these.

Is the expectation here that both the RUE and the provider comply with one of these? In particular, that the provider may simply be a "WebRTC-compatible endpoint"? Notably:

   "WebRTC-compatible endpoints" are free to implement any video codecs
   they see fit.  This follows logically from the definition of "WebRTC-
   compatible endpoint".  It is, of course, advisable to implement at
   least one of the video codecs that is mandated for WebRTC browsers,
   and implementors are encouraged to do so.

Similarly, the audio requirements have been changed to reference webrtc RFC7874. That one doesn't have the distinction between "WebRTC browser", "WebRTC non-browser", and "WebRTC-compatible endpoint". It applies the same requirements to all. In particular, it requires OPUS support. I don't know why it doesn't make the same endpoint distinctions as for video.

I think simply referencing these documents isn't sufficient. Seems like we need a more nuanced specification of what is required, though we may still reference these docs with qualifications.



Gunnar Hellström
Omnitor
+46 708 204 288

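Editor's added example for Paul Kyzivat's media-security message above. This is not code from the RUM thread, draft-rosen-rue, the VRS Provider Profile or any provider; it is a small model of the three modes his migration path moves between (insecure RTP/AVP in profile v1, opportunistic SRTP per RFC 8643 in v2, mandated SRTP later), of the SDP-rewriting step a WebRTC RUE needs, and of the secure-onto-insecure bridge he calls deceptive. Assumptions that are mine rather than the thread's: an RFC 8643 offer keeps the RTP/AVP(F) profile and carries an SRTP keying attribute (a=crypto, a=fingerprint with a=setup, or a=zrtp-hash); a v2 answerer keeps the same profile and echoes a keying attribute, while a v1 answerer ignores it and the leg silently becomes cleartext; a WebRTC offer uses UDP/TLS/RTP/SAVPF. All SDP bodies are constructed, the fingerprints are placeholders, and every function name is hypothetical. It goes slightly beyond the message by running the same RUE offer against both a v1 and a v2 provider so the difference is visible.

```python
# Added example, not code from the RUM thread, draft-rosen-rue or any VRS
# provider.  Models the media-security modes in Paul's migration path and the
# secure-onto-insecure bridge he calls deceptive.  SDP bodies are constructed;
# fingerprints are placeholders.  Function names are hypothetical.

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
PLAIN_PROFILES = {"RTP/AVP", "RTP/AVPF"}
# SRTP keying attributes an RFC 8643 offer may carry on an RTP/AVP m= line
# (my reading of the RFC; see lead-in).
KEYING_ATTRS = {"crypto", "fingerprint", "zrtp-hash"}


def media_sections(sdp):
    """Minimal SDP split: one dict per m= line with port, profile and a= names."""
    sections = []
    for line in sdp.strip().splitlines():
        line = line.strip()
        if line.startswith("m="):
            media, port, profile = line[2:].split()[:3]
            sections.append({"media": media, "port": port, "profile": profile, "attrs": set()})
        elif sections and line.startswith("a="):
            sections[-1]["attrs"].add(line[2:].split(":", 1)[0])
    return sections


def mode(section):
    """'insecure' (profile v1), 'opportunistic' (RFC 8643) or 'mandatory' (SAVP / DTLS-SRTP)."""
    keyed = bool(section["attrs"] & KEYING_ATTRS)
    if section["profile"] in SECURE_PROFILES:
        return "mandatory"
    if section["profile"] in PLAIN_PROFILES:
        return "opportunistic" if keyed else "insecure"
    raise ValueError("unrecognised transport profile: " + section["profile"])


def negotiated(offer_sdp, answer_sdp):
    """What the first media line of one leg ends up carrying: 'srtp', 'rtp' or 'rejected'."""
    offer, answer = media_sections(offer_sdp)[0], media_sections(answer_sdp)[0]
    if answer["port"] == "0":
        return "rejected"
    o, a = mode(offer), mode(answer)
    if o == "mandatory":
        # The answer must keep the offered secure profile and supply keying
        # material; anything else leaves the leg without usable media.
        return "srtp" if a == "mandatory" else "rejected"
    if o == "opportunistic":
        # The answerer either echoes keying material (SRTP) or ignores it and
        # answers plain RTP/AVP: a silent fallback to cleartext, not an error.
        return "srtp" if a != "insecure" else "rtp"
    return "rtp"  # a plain RTP/AVP offer can only produce plain RTP


def bridge_verdict(rue_leg, far_leg):
    """An anchoring SBC must not give the RUE SRTP while the far leg is cleartext."""
    if "rejected" in (rue_leg, far_leg):
        return "failed"
    return "ok" if rue_leg == far_leg else "deceptive"


def webrtc_to_osrtp(sdp):
    """The SDP-rewriting step a provider needs for a WebRTC RUE: downgrade the
    mandated DTLS-SRTP profile to RTP/AVP(F) but keep a=fingerprint/a=setup, so a
    v2 provider can still choose SRTP while a v1 provider answers plain RTP.
    ICE, BUNDLE and rtcp-mux rewriting are deliberately left out."""
    out = []
    for line in sdp.strip().splitlines():
        if line.startswith("m="):
            fields = line.split()
            if fields[2] in SECURE_PROFILES:
                fields[2] = "RTP/AVPF" if fields[2].endswith("F") else "RTP/AVP"
            line = " ".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed sample SDP (placeholder fingerprint, documentation addresses).
FP = "a=fingerprint:sha-256 " + ":".join(["AB"] * 32) + "\n"
WEBRTC_OFFER = (
    "v=0\no=- 1 1 IN IP4 192.0.2.10\ns=-\nt=0 0\n"
    "m=video 9 UDP/TLS/RTP/SAVPF 96\nc=IN IP4 192.0.2.10\n"
    "a=rtpmap:96 H264/90000\n"
    "a=fmtp:96 profile-level-id=42e00d;packetization-mode=1\n"  # CBP level 1.3, as deployed
    + FP + "a=setup:actpass\n"
)
V1_ANSWER = (  # current Provider Profile: RTP/AVP, no keying material at all
    "v=0\no=- 2 2 IN IP4 198.51.100.5\ns=-\nt=0 0\n"
    "m=video 5004 RTP/AVP 96\nc=IN IP4 198.51.100.5\na=rtpmap:96 H264/90000\n"
)
V2_ANSWER = V1_ANSWER + FP + "a=setup:active\n"  # RFC 8643 provider: same profile, keys echoed
SBC_ANSWER_TO_RUE = V2_ANSWER.replace("RTP/AVP ", "UDP/TLS/RTP/SAVPF ")


def call_through_provider(far_end_answer):
    """One VRS call: WebRTC RUE -> anchoring SBC -> far-end provider.
    Returns (rue_leg, far_leg, verdict)."""
    rue_leg = negotiated(WEBRTC_OFFER, SBC_ANSWER_TO_RUE)
    far_leg = negotiated(webrtc_to_osrtp(WEBRTC_OFFER), far_end_answer)
    return rue_leg, far_leg, bridge_verdict(rue_leg, far_leg)


if __name__ == "__main__":
    for name, answer in (("v1 provider", V1_ANSWER), ("v2 provider", V2_ANSWER)):
        print(name, call_through_provider(answer))
```

Running it shows the two outcomes the message describes: against a v1 provider the RUE leg is SRTP but the far leg is cleartext (the "deceptive" case), while against a v2 provider both legs are SRTP. Sending the unmodified WebRTC offer to a v1 provider does not even get that far, which is why at least the profile rewrite is needed before step (3) of the migration.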