[Sip] media-security-requirements and lawful intercept

"Dan Wing" <dwing@cisco.com> Tue, 06 November 2007 17:50 UTC

From: Dan Wing <dwing@cisco.com>
To: 'IETF SIP List' <sip@ietf.org>
Date: Tue, 06 Nov 2007 09:50:42 -0800
Message-ID: <06c101c8209d$8d543700$c4f0200a@cisco.com>
Subject: [Sip] media-security-requirements and lawful intercept

Other SDOs have lawful intercept requirements, which are currently
captured in requirement R24 in 
draft-ietf-sip-media-security-requirements-00:

   "R24:   The media security key management protocol SHOULD 
           NOT allow end users to determine whether their 
           end-to-end interaction is subject to lawful 
           interception."

DTLS-SRTP was selected by IETF as the IETF's preferred mechanism
to establish SRTP keys for unicast, point-to-point SRTP sessions.

There appear to be two methods to meet R24 with DTLS-SRTP.  They
are:

   a. provide a network element on every SRTP call which relays
      media, performs a DTLS handshake, and decrypts and re-encrypts
      SRTP, or;

   b. have endpoints perform key disclosure for every call (using a 
      technique similar to draft-wing-sipping-srtp-key), and perform
      validation of that disclosed key on every call.

If these methods to meet R24 are deemed acceptable to other SDOs,
we don't find any reason for those SDOs to reject IETF's decision
to use DTLS-SRTP as the preferred mechanism to establish SRTP
keys for unicast, point-to-point SRTP sessions.

Comments welcome.
-d
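Method (b) above only works if the network can actually check, on every call, that the key an endpoint discloses is the key protecting the media it sees. The following is an added worked example of that check, written for this page; it is not code from the message above, from draft-wing-sipping-srtp-key, or from any IETF implementation. It assumes the RFC 3711 default transforms (AES-CM, HMAC-SHA1 with an 80-bit tag, key derivation rate 0, no MKI), a plain 12-byte RTP header with no CSRCs or extension, and that the validator knows the rollover counter (0 early in a stream). The master key and salt are the published RFC 3711 Appendix B.3 key-derivation test vectors; the RTP packet is constructed for the example; the function names (validateDisclosedKey, protect, sampleRTP, sessionKeys) are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Assumed RFC 3711 defaults: AES-CM, HMAC-SHA1 with an 80-bit tag, key
// derivation rate 0, no MKI, and a 12-byte RTP header (no CSRC/extension).
const tagLen = 10

// aesCM XORs AES counter-mode keystream under key/iv into src (RFC 3711 4.1.1).
func aesCM(key, iv, src []byte) []byte {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(src))
	cipher.NewCTR(b, iv).XORKeyStream(out, src)
	return out
}

// kdf is the RFC 3711 section 4.3 derivation with kdr = 0: x = (label || 0)
// XOR master_salt, right-aligned (label lands in salt byte 7); IV = x * 2^16.
func kdf(masterKey, masterSalt []byte, label byte, n int) []byte {
	iv := make([]byte, 16)
	copy(iv, masterSalt)
	iv[7] ^= label
	return aesCM(masterKey, iv, make([]byte, n))
}

// sessionKeys derives the session encryption key, authentication key and
// salt (labels 0x00, 0x01, 0x02) from a disclosed master key and master salt.
func sessionKeys(mk, ms []byte) (enc, auth, salt []byte) {
	return kdf(mk, ms, 0x00, 16), kdf(mk, ms, 0x01, 20), kdf(mk, ms, 0x02, 14)
}

// payloadIV is RFC 3711 section 4.1.1: (k_s*2^16) XOR (SSRC*2^64) XOR (i*2^16),
// with i = 2^16*ROC + SEQ taken from the 12-byte RTP header.
func payloadIV(salt, hdr []byte, roc uint32) []byte {
	iv := make([]byte, 16)
	copy(iv, salt)
	for k := 0; k < 4; k++ {
		iv[4+k] ^= hdr[8+k] // SSRC
	}
	var ix [8]byte
	binary.BigEndian.PutUint64(ix[:], uint64(roc)<<16|uint64(binary.BigEndian.Uint16(hdr[2:4])))
	for k := 0; k < 6; k++ {
		iv[8+k] ^= ix[2+k] // 48-bit packet index
	}
	return iv
}

// authTag is HMAC-SHA1(auth_key, authenticated portion || ROC), truncated.
func authTag(authKey, body []byte, roc uint32) []byte {
	mac := hmac.New(sha1.New, authKey)
	mac.Write(body)
	var r [4]byte
	binary.BigEndian.PutUint32(r[:], roc)
	mac.Write(r[:])
	return mac.Sum(nil)[:tagLen]
}

// protect does what the sending endpoint does; it only builds the sample input.
func protect(mk, ms, rtp []byte, roc uint32) []byte {
	enc, auth, salt := sessionKeys(mk, ms)
	body := append(append([]byte{}, rtp[:12]...), aesCM(enc, payloadIV(salt, rtp, roc), rtp[12:])...)
	return append(body, authTag(auth, body, roc)...)
}

// validateDisclosedKey is the per-call check method (b) needs: derive session
// keys from the disclosed master key/salt, verify the tag of a captured packet
// in constant time, and only then decrypt. The ROC must be known to the caller.
func validateDisclosedKey(mk, ms, srtp []byte, roc uint32) ([]byte, bool) {
	if len(srtp) < 12+tagLen {
		return nil, false
	}
	enc, auth, salt := sessionKeys(mk, ms)
	body, tag := srtp[:len(srtp)-tagLen], srtp[len(srtp)-tagLen:]
	if !hmac.Equal(tag, authTag(auth, body, roc)) {
		return nil, false // disclosed key, salt or ROC does not match the media
	}
	return aesCM(enc, payloadIV(salt, body, roc), body[12:]), true
}

// sampleRTP is a constructed packet: V=2, PT=0, seq 0x1234, ts 1, SSRC 0xCAFEBABE.
func sampleRTP() []byte {
	hdr := []byte{0x80, 0x00, 0x12, 0x34, 0, 0, 0, 1, 0xCA, 0xFE, 0xBA, 0xBE}
	return append(hdr, "constructed sample payload"...)
}

func main() {
	// Master key and salt are the published RFC 3711 Appendix B.3 test vectors.
	mk, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	ms, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	srtp := protect(mk, ms, sampleRTP(), 0)
	plain, ok := validateDisclosedKey(mk, ms, srtp, 0)
	fmt.Printf("disclosed key valid: %v, payload %q\n", ok, plain)
	bad := append([]byte{}, mk...)
	bad[0] ^= 1
	_, ok = validateDisclosedKey(bad, ms, srtp, 0)
	fmt.Printf("tampered key valid: %v\n", ok)
}
```

The check verifies the authentication tag before touching the payload, so an endpoint that discloses a plausible-looking but wrong key (or a key for a different stream) is rejected without the network ever attempting decryption. A deployed validator would additionally have to track the ROC per SSRC, skip any CSRCs, extension header and MKI when locating the authenticated portion, and repeat the check whenever the endpoints rekey, which is why the message above describes it as a per-call cost.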


_______________________________________________
Sip mailing list  https://www1.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sipping@ietf.org for new developments on the application of sip