[Sframe] Implementation report: SPacket in Webex
Richard Barnes <rlb@ipv.sx> Thu, 02 September 2021 20:19 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: sframe@ietfa.amsl.com
Delivered-To: sframe@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47F0C3A0A42 for <sframe@ietfa.amsl.com>; Thu, 2 Sep 2021 13:19:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UuZiYG3BTiBU for <sframe@ietfa.amsl.com>; Thu, 2 Sep 2021 13:19:33 -0700 (PDT)
Received: from mail-qv1-xf2a.google.com (mail-qv1-xf2a.google.com [IPv6:2607:f8b0:4864:20::f2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63DF83A0A33 for <sframe@ietf.org>; Thu, 2 Sep 2021 13:19:33 -0700 (PDT)
Received: by mail-qv1-xf2a.google.com with SMTP id eh1so1936731qvb.11 for <sframe@ietf.org>; Thu, 02 Sep 2021 13:19:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=NXIbeu4H+W8KsZUgXfJmzcClbdCAyHwsZYsOKR2w9GI=; b=gk2zmSS6C8/orljYETn0JwR2CqR8YyrceZHpsh7Fn5ryP0VOZyIc4ksQ6PCI13JgFt UzoQRrVYzF3L2V9V2MrOnrQYjmB2oAa4g+jdIqSIKibjHm44YSEWsCvTqn4M3th77/nI KQ+ZeksN2iM2qbF5QE1wJoLSLxOq1KHF9sN3ag2z6URRv3iWENCQaaVOw8CLL3apz1kX pLM7cvybpMN0LJJq/VEei/prcKvvBUlS6kzcZ9CpR2xhZpDu9LYmdpjMEeDejoW9c0Iz QKMNuY2f2rBdLPj7rh7QEssNAkOSorcjvWNcJA+4LvKfB616hbpJ8i7USEeDXltNF8la HwqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=NXIbeu4H+W8KsZUgXfJmzcClbdCAyHwsZYsOKR2w9GI=; b=DS+dlyTpxmrNL7d3Z9d76yema7iwnPI7TIvIt+/xnSNTYa8DCVhIjcz9qd5+4Lq7T/ PJXroWn4XhuBOA5MtBpjdVTckfDDdnz2NH3Ixsx0Qpce82ZkjqZh+z3YUWUYHFIg+CjN 8wiMGkMcWpBs/UyXIY+aesD4x2nJwBmUwJzzUhqhO4aW3+2cEOAKjxJx7VhUzTPrtHEJ Kg7OHEtzXiVxn65ACJ2ow95/dh7W7NKrvy9iGszTGA/MXL9NiHbEXYeJfqFfDNceIc4n YmyrLmyyPjCsT8krl5ES59izqVZbVIVpaJjQs6zWsecEeQJWBzUcTODdSXgcWs3pOeSC zaUw==
X-Gm-Message-State: AOAM5307+W+fuHyYjK6mvRqkwYGtmdwj03ttBXrK+5XGHb426pJeR9kq Xi7ZfnPopzjf5v2C9S69qc3bnq/KPP6RS1k6E47bPW1URkpzTA==
X-Google-Smtp-Source: ABdhPJzNkdmerPZtIyZ1Xag30Th8wS5Oj/y3OaogmlX6Dj+sSOlfJXpq4F8Z8YcJ9f7uQsL8cIel6rUodbmBRwmU0HM=
X-Received: by 2002:a0c:8029:: with SMTP id 38mr52214qva.31.1630613971159; Thu, 02 Sep 2021 13:19:31 -0700 (PDT)
MIME-Version: 1.0
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 02 Sep 2021 16:19:19 -0400
Message-ID: <CAL02cgT+xr3DBJo8xsdeY2+uS+6SQxQYWAFz72DL_mW=hngLrw@mail.gmail.com>
To: sframe@ietf.org
Content-Type: multipart/alternative; boundary="000000000000845c8b05cb08e6d3"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sframe/0ADJxBNYnwR_8mcyhWjVIiF5aQQ>
Subject: [Sframe] Implementation report: SPacket in Webex
X-BeenThere: sframe@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Media Frames <sframe.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sframe>, <mailto:sframe-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sframe/>
List-Post: <mailto:sframe@ietf.org>
List-Help: <mailto:sframe-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sframe>, <mailto:sframe-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Sep 2021 20:19:39 -0000
Hi folks, I wanted to share some implementation news: Webex has shipped SFrame as part of its new end-to-end encrypted meetings feature [1], using an open-source SFrame stack in C++ [2]. It is now being used for several thousand meetings per day. A few findings: 1. Keys for SFrame are provided from an MLS group associated to the meeting. In particular, this means that the SFrame keys change whenever someone joins or leaves the meeting. This works smoothly as long as the key roll-over is coordinated so that senders don't encrypt with the new key before receivers have it to decrypt with. 2. The SFrame encryption framing is applied to individual RTP media payloads, as opposed to full frames (i.e., this is "SPacket".) This approach made integration very simple; you simply add an SFrame protect/unprotect whenever you do an SRTP protect/unprotect. Everything else, including things like recovery, works as before. 3. With the algorithms and parameters we are using (AES-GCM, E=4), the overall bandwidth overhead from SFrame in a typical meeting with voice, video, and content share is around 80kbps. Applying SFrame per-frame in this setting would reduce this to about 45kbps. With a base bandwidth of around 3Mbps, this puts SFrame at around 3% overhead per-packet / 1.5% per-frame. 4. SFrame usage is not signaled in SDP, much like the WebRTC uses of SFrame based on Insertable Streams. Overall, SFrame seems to be working well for this use case. We should carry on getting it an RFC number :) --Richard [1] https://www.cisco.com/c/en/us/solutions/collateral/collaboration/white-paper-c11-744553.html [2] https://github.com/cisco/sframe
- [Sframe] Implementation report: SPacket in Webex Richard Barnes