IETF Logo Mail Archive

Re: [Sframe] Negotiating SFrame/RTP in SDP

Sergio Garcia Murillo <sergio.garcia.murillo@cosmosoftware.io> Mon, 06 September 2021 19:14 UTC

Return-Path: <sergio.garcia.murillo@cosmosoftware.io>
X-Original-To: sframe@ietfa.amsl.com
Delivered-To: sframe@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 70F1E3A1ACF for <sframe@ietfa.amsl.com>; Mon, 6 Sep 2021 12:14:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cosmosoftware-io.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6O86XTVmrrO2 for <sframe@ietfa.amsl.com>; Mon, 6 Sep 2021 12:14:17 -0700 (PDT)
Received: from mail-pg1-x535.google.com (mail-pg1-x535.google.com [IPv6:2607:f8b0:4864:20::535]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0559E3A15C9 for <sframe@ietf.org>; Mon, 6 Sep 2021 12:14:12 -0700 (PDT)
Received: by mail-pg1-x535.google.com with SMTP id e7so7638866pgk.2 for <sframe@ietf.org>; Mon, 06 Sep 2021 12:14:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cosmosoftware-io.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=rJPFDKU6zjox7LvgiAmAQgXB90Qj4u1BPoeirhmwOCI=; b=iRkpgqOjQEecI70Y+5qEmo5wUI8Kqi5GuIDbpIYWXTQ18OBqYB5kERv36+yjtNO/AQ AOVkpEyiG9VJdI5DmRNCNUa1QrQmHejxASLFv5K/aPthBqIG7zLMRaAGvN0DpWsGv6I8 mxPNFN0POwmZXozaiurNvovvQ7r7eOA9io/dIARaTZBRAlLZ+WzOEiAQzUW/+8M35+qT VRCV8UuECJLGMtx3f1n63c23cRddYUrgECztGNbn9JubpQE6hGQTsGJeeU7nYFnm+VCL VKbRaTpE3ZR6msKGphdG1Ni/Z7Ti+K5nFjbPPHwxJF2rNiqiqYfQ8+FG42UUOcMRftHw D++Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=rJPFDKU6zjox7LvgiAmAQgXB90Qj4u1BPoeirhmwOCI=; b=ZM/5/te2l0HVD5OVV+1nSav7XpVCcOK8doaXB1f9Gjk2dieWad0T7WJrYmVJAqitAu lu/8EkRDISIr008V2SL+NmrOQgx25YzdskVXnryvkAYHN2G+HZoQ0Js5EXr6GFpKu4EX CYdNVogjHBG5qYsXttPsn0cDMh1UGwJm32AbO8pN5fKV2+jEosVarWwjOMn1FA6Hua6i 6iBejzAqh9HdmW37vmxkCRRJwye0VlgSQRbh0EQ9YnGE4w2c9CHSc4bZdtPlzf+REO7B c1vsUbtAmHehqlEldeH54zYgGUI9EeQScT6Nvw1mErbH/FqjGVVKF790dg5oxbRc5Zli v9PQ==
X-Gm-Message-State: AOAM5330xZ34WcWo1XidBekTSn7CW06dVU+FxduLTaVYXgrif60A9R76 8leQ5ls2G0KAArTBBRb3lwj7Ow6J76M1onBt+dzMSrXLCRo=
X-Google-Smtp-Source: ABdhPJwCVdihgLJIJ+s+ZKZ2Kouy3wFrboA/VgTMU2T9fgvYo6I3Xrt5PZ/I+3ZhWafpCL8NtNzscsXQSpCgTnBRmgw=
X-Received: by 2002:a63:6e02:: with SMTP id j2mr13547279pgc.157.1630955651375; Mon, 06 Sep 2021 12:14:11 -0700 (PDT)
MIME-Version: 1.0
References: <CAL02cgRw3OASDfqcywU1b=S+K9QDA=iJ-Pa+4uTUE--Cui5m6g@mail.gmail.com>
In-Reply-To: <CAL02cgRw3OASDfqcywU1b=S+K9QDA=iJ-Pa+4uTUE--Cui5m6g@mail.gmail.com>
From: Sergio Garcia Murillo <sergio.garcia.murillo@cosmosoftware.io>
Date: Mon, 06 Sep 2021 21:14:00 +0200
Message-ID: <CANRTqcMFUo7BY_8JA3mBMcYYLHDOgSVsEPA_kmQGw2PxkkTuqQ@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: sframe@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003eb3cf05cb587402"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sframe/KY4romrCUbHgKNSDUPMzu0QNW4k>
Subject: Re: [Sframe] Negotiating SFrame/RTP in SDP
X-BeenThere: sframe@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Secure Media Frames <sframe.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sframe>, <mailto:sframe-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sframe/>
List-Post: <mailto:sframe@ietf.org>
List-Help: <mailto:sframe-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sframe>, <mailto:sframe-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Sep 2021 19:14:23 -0000

>From my point of view, all the mechanisms described on the multi codec
payload format are required:

The ability to differentiate a RTP packet encrypted end to end (either by
SFrame or SPacket) is a must, both from a formal point of view about how
RTP works, but also to ensure that the media servers does not perform any
payload inspection that will cause malfunction (metadata gathering, layer
switching, recording..)

The optionality of the encryption also comes from various factors. First,
end to end encryption is an "endpoint" decision, the SDP negotiation with
the media server should not be the place to enforce it or not. Also, not
always the media server and the endpoints are provided by the same company
(i.e. CPaaS) and they will have to support both end to end encryption and
non end to end encryption calls. Note that it is quite a common practice in
SFUs to send an SDP offer from the media server to the endpoint, in which
case, the media server will have to offer e2e encryption as optional.

As an example, in Millicast we support both e2ee and non-e2ee streams today
(with the insertable stream per codec hacks), it is a completely optional
feature up to each customer to implement and to decide when and if it is
used. We are just carriers, and we do not want the customer to have to
configure if the stream is e2ee or not. We are not (and must not be)
involved in enforcing e2ee in any way.

Best regards
Sergio

On Thu, Sep 2, 2021 at 10:23 PM Richard Barnes <rlb@ipv.sx> wrote:

> Hi folks,
>
> One of the major work items left around SFrame is the work to specify how
> SFrame-encrypted media are carried in RTP, and how that is signaled in
> SDP.  The finer points might need to be worked out in AVTCORE / MMUSIC, but
> since this group knows the intricacies better, it seems like having some
> agreement here on general approach would be good.
>
> Sergio put together a first stab at this in
> draft-murillo-avtcore-multi-codec-payload-format [1].  He presented this at
> AVTCORE @ IETF 111 [2].  Unfortunately, the discussion there doesn't seem
> to have provided a clear path forward, thus this thread.
>
> Personally, I think the proposal in Sergio's draft is a little wide of the
> mark.  ISTM that specifying a "generic" media format and recovering the
> specificity in an RTP header is more complex than is needed. Worse, it sets
> up implementations to send the same media both encrypted and unencrypted --
> obviously not great for security.
>
> I'd like to propose a simpler approach, drawing inspiration from cryptex
> [3]:
>
> a=sframe:<frame|packet> [<keying>]
>
> Basically, just a new SDP attribute per m-line, that specifies that SFrame
> encryption is being done and how.  The desired semantic is clear for
> SPacket: Just add an SFrame protect/unprotect before you do other
> processing on the media payload.  Then you will have a payload that is as
> described in the SDP.
>
> You can *almost* describe SFrame in this way as well.  Assemble all the
> RTP packets in a frame, then do SFrame across all of their payloads (in
> particular, adding the header to the first packet and the tag to the
> last).  If you constrained the sender to construct pre-SFrame packets  that
> were properly packetized according to the rest of the SDP, then this would
> integrate cleanly with the rest of the SDP/RTP model.  The problem is that
> that constraint is incompatible with Insertable Streams.  So we need to
> decide how much we care about compatibility with IS as it is.  Personally,
> it seems like WebRTC stacks and web apps are going to have to upgrade
> *anyway* if they're going to support SDP-based negotiation of SFrame, so if
> they have to make this one extra change, it shouldn't be a big deal.
>
> How does this approach strike folks?
>
> --Richard
>
> [1]
> https://www.ietf.org/archive/id/draft-murillo-avtcore-multi-codec-payload-format-01.html
> [2] https://youtu.be/S-JR4Fa8VFY?t=3510
> [3]
> https://www.ietf.org/archive/id/draft-ietf-avtcore-cryptex-02.html#name-signaling
> --
> Sframe mailing list
> Sframe@ietf.org
> https://www.ietf.org/mailman/listinfo/sframe
>

v2.23.0 | Report a Bug | By Email