| < draft-ietf-straw-b2bua-dtls-srtp-11.txt | draft-ietf-straw-b2bua-dtls-srtp-12.txt > | |||
|---|---|---|---|---|
| STRAW R. Ravindranath | STRAW R. Ravindranath | |||
| Internet-Draft T. Reddy | Internet-Draft T. Reddy | |||
| Intended status: Standards Track G. Salgueiro | Intended status: Standards Track G. Salgueiro | |||
| Expires: September 8, 2016 Cisco | Expires: October 1, 2016 Cisco | |||
| V. Pascual | V. Pascual | |||
| Quobis | Oracle | |||
| Parthasarathi. Ravindran | Parthasarathi. Ravindran | |||
| Nokia Networks | Nokia Networks | |||
| March 7, 2016 | March 30, 2016 | |||
| DTLS-SRTP Handling in Session Initiation Protocol (SIP) Back-to-Back | DTLS-SRTP Handling in Session Initiation Protocol (SIP) Back-to-Back | |||
| User Agents (B2BUAs) | User Agents (B2BUAs) | |||
| draft-ietf-straw-b2bua-dtls-srtp-11 | draft-ietf-straw-b2bua-dtls-srtp-12 | |||
| Abstract | Abstract | |||
| Session Initiation Protocol (SIP) Back-to-Back User Agents (B2BUA) | Session Initiation Protocol (SIP) Back-to-Back User Agents (B2BUA) | |||
| exist on the signaling and media paths between the endpoints. This | exist on the signaling and media paths between the endpoints. This | |||
| document describes the behavior of B2BUAs when Secure Real-time | document describes the behavior of B2BUAs when Secure Real-time | |||
| Transport (SRTP) security context is set up with the Datagram | Transport (SRTP) security context is set up with the Datagram | |||
| Transport Layer Security (DTLS) protocol. | Transport Layer Security (DTLS) protocol. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 40 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 8, 2016. | This Internet-Draft will expire on October 1, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 3, line 25 ¶ | skipping to change at page 3, line 25 ¶ | |||
| referred to as media plane B2BUAs. [RFC7092] describes two different | referred to as media plane B2BUAs. [RFC7092] describes two different | |||
| categories of media plane B2BUAs, according to the level of | categories of media plane B2BUAs, according to the level of | |||
| activities performed on the media plane. | activities performed on the media plane. | |||
| When B2BUAs are present in a call between two SIP User Agents (UAs) | When B2BUAs are present in a call between two SIP User Agents (UAs) | |||
| they often make end-to-end DTLS-SRTP sessions impossible. End-to-end | they often make end-to-end DTLS-SRTP sessions impossible. End-to-end | |||
| DTLS-SRTP session means that man-in-middle devices cannot break the | DTLS-SRTP session means that man-in-middle devices cannot break the | |||
| DTLS-SRTP session between the endpoints. In other words, the man-in- | DTLS-SRTP session between the endpoints. In other words, the man-in- | |||
| middle device cannot create a separate DTLS-SRTP session between the | middle device cannot create a separate DTLS-SRTP session between the | |||
| client and the middle device, on one side, and the middle device and | client and the middle device, on one side, and the middle device and | |||
| the remote peer on the other side. However, there are certain B2BUAs | the remote peer on the other side. B2BUAs may be deployed for | |||
| that are typically deployed for address hiding or media latching, as | address hiding or media latching [RFC7362], although TURN (and ICE) | |||
| described in [RFC7362], and such B2BUAs are able to perform their | is expected to be used more often for this purpose as it provides | |||
| better security properties. Such B2BUAs are able to perform their | ||||
| functions without requiring termination of DTLS-SRTP sessions i.e. | functions without requiring termination of DTLS-SRTP sessions i.e. | |||
| these B2BUAs need not act as DTLS proxy and decrypt the RTP payload. | these B2BUAs need not act as DTLS proxy and decrypt the RTP payload. | |||
| 1.2. Goals and Scope of this Document | 1.2. Goals and Scope of this Document | |||
| A B2BUA could be deployed for address hiding or media latching, as | A B2BUA could be deployed for address hiding or media latching, as | |||
| described in [RFC7362]. Such B2BUAs only terminate the media plane | described in [RFC7362]. Such B2BUAs only terminate the media plane | |||
| at the IP and transport (UDP/TCP) layers and may inspect the RTP | at the IP and transport (UDP/TCP) layers and may inspect the RTP | |||
| headers or RTP Control Protocol (RTCP) packets. The goal of this | headers or RTP Control Protocol (RTCP) packets. The goal of this | |||
| specification is to provide guidance on how such B2BUAs function | specification is to provide guidance on how such B2BUAs function | |||
| without breaking the end-to-end DTLS-SRTP session. A B2BUA could | without breaking the end-to-end DTLS-SRTP session. A B2BUA could | |||
| also terminate the media or modify the RTP headers or RTP Control | also terminate the media or modify the RTP headers or RTP Control | |||
| Protocol (RTCP) packets. Such B2BUAs will not allow end-to-end DTLS- | Protocol (RTCP) packets. Such B2BUAs will not allow end-to-end DTLS- | |||
| SRTP. Those B2BUAs terminating DTLS-SRTP sessions are outside the | SRTP. The recommendations made in this document are not expected to | |||
| scope of this document. | be applied by B2BUAs terminating DTLS-SRTP sessions given deployment | |||
| reality. | ||||
| This specification assumes that a B2BUA is not providing identity | This specification assumes that a B2BUA is not providing identity | |||
| assurance and is not authorized to terminate the DTLS-SRTP session. | assurance and is not authorized to terminate the DTLS-SRTP session. | |||
| A B2BUA that provides identity assurance on behalf of endpoints | A B2BUA that provides identity assurance on behalf of endpoints | |||
| behind it can modify any portion of SIP and SDP before it generates | behind it can modify any portion of SIP and SDP before it generates | |||
| the identity signature. As the B2BUA is generating the identity | the identity signature. As the B2BUA is generating the identity | |||
| signature it is not possible to detect if a B2BUA has terminated the | signature it is not possible to detect if a B2BUA has terminated the | |||
| DTLS-SRTP session. B2BUAs providing identity assurance and | DTLS-SRTP session. B2BUAs providing identity assurance and | |||
| terminating DTLS-SRTP session are out of scope of this document. | terminating DTLS-SRTP session are out of scope of this document. | |||
| skipping to change at page 5, line 27 ¶ | skipping to change at page 5, line 29 ¶ | |||
| that it does not modify any of the headers used to construct the | that it does not modify any of the headers used to construct the | |||
| identity signature. | identity signature. | |||
| 4. Both media relays and media-aware relays MUST NOT modify the | 4. Both media relays and media-aware relays MUST NOT modify the | |||
| authenticated portion of RTP and RTCP packets, and MUST NOT | authenticated portion of RTP and RTCP packets, and MUST NOT | |||
| modify the authentication tag in the RTP and RTCP packets. | modify the authentication tag in the RTP and RTCP packets. | |||
| 4. Signaling Plane B2BUA Handling of DTLS-SRTP | 4. Signaling Plane B2BUA Handling of DTLS-SRTP | |||
| Section 3.1 of [RFC7092] describes different categories of signaling | Section 3.1 of [RFC7092] describes different categories of signaling | |||
| plane B2BUAs. This section explains the impact these B2BUAs can have | plane B2BUAs. This section explains how these B2BUAs are expected to | |||
| on end-to-end DTLS-SRTP sessions. | comply with the recommendations in Section 3. | |||
| 4.1. Proxy-B2BUAs | 4.1. Proxy-B2BUAs | |||
| Proxy-B2BUAs, as defined in Section 3.1.1 of [RFC7092], modify only | Proxy-B2BUAs, as defined in Section 3.1.1 of [RFC7092], modify only | |||
| the Via and Record-Route SIP headers. These B2BUAs can continue to | the Via and Record-Route SIP headers. These B2BUAs can continue to | |||
| perform their function and still allow end-to-end DTLS-SRTP sessions | perform their function and still allow end-to-end DTLS-SRTP sessions | |||
| since it does not modify any of the headers used to construct the | since it does not modify any of the headers used to construct the | |||
| identity signature. | identity signature. | |||
| 4.2. Signaling-only and SDP-modifying Signaling-only B2BUAs | 4.2. Signaling-only and SDP-modifying Signaling-only B2BUAs | |||
| skipping to change at page 6, line 9 ¶ | skipping to change at page 6, line 9 ¶ | |||
| B2BUA can modify the Contact URI. Such B2BUAs are likely to violate | B2BUA can modify the Contact URI. Such B2BUAs are likely to violate | |||
| rule 2 or rule 3 in Section 3. Depending upon the application | rule 2 or rule 3 in Section 3. Depending upon the application | |||
| requirements, such a B2BUA may be able to limit modification of | requirements, such a B2BUA may be able to limit modification of | |||
| header fields to those allowed to be modified by [RFC4474] or | header fields to those allowed to be modified by [RFC4474] or | |||
| [I-D.ietf-stir-rfc4474bis]. | [I-D.ietf-stir-rfc4474bis]. | |||
| 5. Media Plane B2BUA Handling of DTLS-SRTP | 5. Media Plane B2BUA Handling of DTLS-SRTP | |||
| 5.1. General | 5.1. General | |||
| This section describes the DTLS-SRTP handling by the different types | This section describes how the different types of media plane B2BUAs | |||
| of media plane B2BUAs defined in [RFC7092]. | defined in [RFC7092] are expected to comply with the recommendations | |||
| in Section 3. | ||||
| 5.1.1. Media Relay | 5.1.1. Media Relay | |||
| A media relay, as defined in Section 3.2.1 of [RFC7092], from an | A media relay, as defined in Section 3.2.1 of [RFC7092], from an | |||
| application layer point-of-view, forwards all packets it receives on | application layer point-of-view, forwards all packets it receives on | |||
| a negotiated connection, without inspecting or modifying the packet | a negotiated connection, without inspecting or modifying the packet | |||
| contents. A media relay only modifies the transport layer (UDP/TCP) | contents. A media relay only modifies the transport layer (UDP/TCP) | |||
| and IP headers. | and IP headers. | |||
| A media relay B2BUA, as described in Section 3, forwards the | A media relay B2BUA follows the rule 1 mentioned in Section 3 and | |||
| certificate fingerprint and SDP setup attribute it receives from one | forwards the certificate fingerprint and SDP setup attribute it | |||
| endpoint unmodified towards the other endpoint and vice-versa. The | receives from one endpoint unmodified towards the other endpoint and | |||
| example below shows a SIP call establishment flow, with both SIP | vice-versa. The example below shows a SIP call establishment flow, | |||
| endpoints (user agents) using DTLS-SRTP, and a media relay B2BUA. | with both SIP endpoints (user agents) using DTLS-SRTP, and a media | |||
| relay B2BUA. | ||||
| +-------+ +------------------+ +-----+ | +-------+ +------------------+ +-----+ | |||
| | Alice | | MediaRelay B2BUA | | Bob | | | Alice | | MediaRelay B2BUA | | Bob | | |||
| +-------+ +------------------+ +-----+ | +-------+ +------------------+ +-----+ | |||
| |(1) INVITE | (3)INVITE | | |(1) INVITE | (3)INVITE | | |||
| | a=setup:actpass | a=setup:actpass | | | a=setup:actpass | a=setup:actpass | | |||
| | a=fingerprint1 | a=fingerprint1 | | | a=fingerprint1 | a=fingerprint1 | | |||
| | (alice's IP/port) | (B2BUAs IP/port) | | | (alice's IP/port) | (B2BUAs IP/port) | | |||
| |------------------------>|-------------------------->| | |------------------------>|-------------------------->| | |||
| | | | | | | | | |||
| skipping to change at page 11, line 49 ¶ | skipping to change at page 11, line 49 ¶ | |||
| [I-D.ietf-avtext-rtp-grouping-taxonomy] | [I-D.ietf-avtext-rtp-grouping-taxonomy] | |||
| Lennox, J., Gross, K., Nandakumar, S., Salgueiro, G., and | Lennox, J., Gross, K., Nandakumar, S., Salgueiro, G., and | |||
| B. Burman, "A Taxonomy of Semantics and Mechanisms for | B. Burman, "A Taxonomy of Semantics and Mechanisms for | |||
| Real-Time Transport Protocol (RTP) Sources", draft-ietf- | Real-Time Transport Protocol (RTP) Sources", draft-ietf- | |||
| avtext-rtp-grouping-taxonomy-08 (work in progress), July | avtext-rtp-grouping-taxonomy-08 (work in progress), July | |||
| 2015. | 2015. | |||
| [I-D.ietf-stir-rfc4474bis] | [I-D.ietf-stir-rfc4474bis] | |||
| Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, | Peterson, J., Jennings, C., Rescorla, E., and C. Wendt, | |||
| "Authenticated Identity Management in the Session | "Authenticated Identity Management in the Session | |||
| Initiation Protocol (SIP)", draft-ietf-stir-rfc4474bis-07 | Initiation Protocol (SIP)", draft-ietf-stir-rfc4474bis-08 | |||
| (work in progress), February 2016. | (work in progress), March 2016. | |||
| [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, | [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, | |||
| A., Peterson, J., Sparks, R., Handley, M., and E. | A., Peterson, J., Sparks, R., Handley, M., and E. | |||
| Schooler, "SIP: Session Initiation Protocol", RFC 3261, | Schooler, "SIP: Session Initiation Protocol", RFC 3261, | |||
| DOI 10.17487/RFC3261, June 2002, | DOI 10.17487/RFC3261, June 2002, | |||
| <http://www.rfc-editor.org/info/rfc3261>. | <http://www.rfc-editor.org/info/rfc3261>. | |||
| [RFC4474] Peterson, J. and C. Jennings, "Enhancements for | [RFC4474] Peterson, J. and C. Jennings, "Enhancements for | |||
| Authenticated Identity Management in the Session | Authenticated Identity Management in the Session | |||
| Initiation Protocol (SIP)", RFC 4474, | Initiation Protocol (SIP)", RFC 4474, | |||
| skipping to change at page 13, line 22 ¶ | skipping to change at page 13, line 22 ¶ | |||
| Gonzalo Salgueiro | Gonzalo Salgueiro | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| 7200-12 Kit Creek Road | 7200-12 Kit Creek Road | |||
| Research Triangle Park, NC 27709 | Research Triangle Park, NC 27709 | |||
| US | US | |||
| Email: gsalguei@cisco.com | Email: gsalguei@cisco.com | |||
| Victor Pascual | Victor Pascual | |||
| Quobis | Oracle | |||
| Barcelona, Spain | ||||
| Email: victor.pascual.avila@gmail.com | Email: victor.pascual.avila@oracle.com | |||
| Parthasarathi Ravindran | Parthasarathi Ravindran | |||
| Nokia Networks | Nokia Networks | |||
| Bangalore, Karnataka | Bangalore, Karnataka | |||
| India | India | |||
| Email: partha@parthasarathi.co.in | Email: partha@parthasarathi.co.in | |||
| End of changes. 13 change blocks. | ||||
| 23 lines changed or deleted | 28 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||