[Sipping] RE: DTLS-SRTP / ICE and gating/latching policy controls

["Brian Stucker" <bstucker@nortel.com>]

That seems to be the case, but from my reading of the DTLS-SRTP draft,
it's not clear if the requirement to use RFC 4474 is in all cases or
only if a self-signed certificate is used. 

For instance, if you were to use RFC-3325 to make an anonymous call, you
know certain headers (and perhaps even portions of the SDP body if
you're to do media privacy) will be changed by a middlebox (i.e. the
proxy) such that the signature calculated by the endpoint may not be
correct in that case either.

Eric?

Regards,
Brian

> -----Original Message-----
> From: Fischer, Kai [mailto:kai.fischer@siemens.com] 
> Sent: Monday, November 12, 2007 4:31 AM
> To: Stucker, Brian (RICH1:AR00); Eric Rescorla; Hannes 
> Tschofenig; Dan Wing; Audet, Francois (SC100:3055); Fries, 
> Steffen; Barnes, Mary (RICH2:AR00); Elwell, John
> Cc: sipping@ietf.org
> Subject: RE: DTLS-SRTP / ICE and gating/latching policy controls
> 
> Hi Brian,
> thanks for discussing this problem in your draft.
> By reading the text I have missed some discussions about the 
> problems and requirements to the signaling channel  part of 
> media based key management resp. DTLS-SRTP. 
> Draft-fischl-sipping-media-dtls-03 proposes to transport the 
> certificate fingerprint as attribute in SDP to identify the 
> key that will be presented during the DTLS handshake. 
> Integrity protection of the signaling channel is achieved by 
> RFC 4474, i.e. a signature is formed about some SIP header 
> fields and the complete body.
> Since middle boxes acting as NAT entities manipulate the m 
> and c lines within SDP, a signature created on the path 
> before the middle box will be broken. Consequently, this 
> would lead to the requirement, that the middle box acting as 
> outbound proxy is capable to act as Authentication Service a 
> la RFC 4474.
> 
> In Figure 4 Step 4 I think that the port in the m-line should 
> be 50000 since the inbound port in the relay is also 50000.
> 
> Kai
> 
> > -----Original Message-----
> > From: Brian Stucker [mailto:bstucker@nortel.com]
> > Sent: Montag, 12. November 2007 07:06
> > To: Eric Rescorla; Hannes Tschofenig; Dan Wing; Francois 
> Audet; Fries, 
> > Steffen; Mary Barnes; Fischer, Kai; Elwell, John
> > Cc: sipping@ietf.org
> > Subject: DTLS-SRTP / ICE and gating/latching policy controls
> > 
> > There was some discussion about this over on the SIP list, 
> but since 
> > this is going to be submitted to SIPPING I'll start the discussion 
> > over here.
> > 
> > The draft explains a couple of mechanisms (gating/latching) 
> that can 
> > complicate establishing an end-to-end media path, and hence has 
> > interactions with media path signaling protocols like ICE or 
> > DTLS-SRTP. It further goes into giving examples of such 
> complications 
> > and gives a few preliminary recommendations to dealing with these 
> > interactions.
> > 
> > If you're following the DTLS-SRTP threads, you'll want to 
> give this a 
> > look.
> > 
> > http://www.ietf.org/internet-drafts/draft-sipping-stucker-medi
> a-path-middleboxes-00.txt <http://www.ietf.org/internet-> 
> drafts/draft-sipping-stucker-media-path-middleboxes-00.txt>  
> > 
> > Regards,
> > Brian
> > 
> > 
> 


_______________________________________________
Sipping mailing list  https://www1.ietf.org/mailman/listinfo/sipping
This list is for NEW development of the application of SIP
Use sip-implementors@cs.columbia.edu for questions on current sip
Use sip@ietf.org for new developments of core SIP