[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Some views on Secure RTP

To: Craig Southeren <craigs@xxxxxxxxxxxxxxxxx>
Subject: Re: Some views on Secure RTP
From: David McGrew <mcgrew@xxxxxxxxx>
Date: Tue, 13 Mar 2007 18:06:07 -0700
Authentication-results: sj-dkim-2; header.From=mcgrew@xxxxxxxxx; dkim=pass ( sig from cisco.com/sjdkim2002 verified; );
Cc: ietf-rtpsec@xxxxxxx
Dkim-signature: v=0.5; a=rsa-sha256; q=dns/txt; l=4986; t=1173834371; x=1174698371; c=relaxed/simple; s=sjdkim2002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=mcgrew@xxxxxxxxx; z=From:=20David=20McGrew=20<mcgrew@xxxxxxxxx> |Subject:=20Re=3A=20Some=20views=20on=20Secure=20RTP |Sender:=20; bh=iWUCXvGKnNDY4mzC9wAja8qY1miGjx4AQN4f5J51g+s=; b=YsIuTR9sw5U18wYGIJ6Nj506gD61LYTynGAPBenztTaW1xekLgVelbF90CI0jgICfc4v4nNw GZPiWS17AsCL75aBzScigwiAajzfWgjTcNQldJ4neZb1A0uazS+6JMXx;
In-reply-to: <20070314011904.EAE4.CRAIGS@xxxxxxxxxxxxxxxxx>
List-archive: <http://www.imc.org/ietf-rtpsec/mail-archive/>
List-id: <ietf-rtpsec.imc.org>
List-unsubscribe: <mailto:ietf-rtpsec-request@imc.org?body=unsubscribe>
References: <20070314011904.EAE4.CRAIGS@xxxxxxxxxxxxxxxxx>
Sender: owner-ietf-rtpsec@xxxxxxxxxxxx


Hi Craig,

as one of the authors of DTLS-SRTP, I would be grateful to you if youcould help me understand your thinking here; I also have a comment onZRTP.


On Mar 13, 2007, at 7:54 AM, Craig Southeren wrote:

To all,
I've been following the progress of secure RTP for some time,becauseI am interested in the technology and because my customers demandit. I
thought I'd share my views now before the Prague IETF meeting in the
hope that perhaps they may be interest to those who make thedecisions.
I'm seeing the same reasons over and over for why my customersprefer
ZRTP.

I'm curious: who are your customers? Are they from a particularmarket segment?

Frankly, I'm hard pressed to see why I should disagree.

1) ZRTP allows ad-hoc authentication without the need for a PKI. This

reduces the risk for enterprises as it does not require theinstallation

of a time intensive and expensive PKI.

True enough for enterprises that feel that reading the short authstring (SAS) provides a satisfactory level of security. Would it beacceptable in the scenarios that you're addressing to use DTLS-SRTPand rely on reading the fingerprint to provide security? The oneoperational difference would be that the fingerprint is longer. (Itis possible to add an SAS facility to TLS; Eric Rescorla and I havestarted that work and can bring it to the IETF if the consensus isthat it is needed in DTLS-SRTP, so your opinion counts here :-)

But, it can be upgraded easily to
use a PKI when and if required.

I respectfully disagree that it would be easy. Sure, the IETFunderstands certificates pretty well, but at present the draft onlymentions signatures ("key types and signature algorithms are forfuture study") and has not considered certificates or any of theassociated issues (for example, there are no identifiers in ZRTP thatwould naturally be used as the names in certificates and inauthorizations associated with those certs).

2) Because it is contained completely within the RTP media channel,ZRTPcan cross signalling protocol boundaries with no changes to thesignalling
infrastructure. Making a ZRTP call from a SIP endpoint to a H.323
endpoint is trivial even when the signalling entities do not have any
facility for including the additional messaging

I guess that this is one of the benefits of doing things in the mediaplane :-)

Is there a reason why this can't be done with DTLS-SRTP, assumingthat the implementation negotiates RTP via signaling, but thenattempts SRTP and falls back if the other side sends RTP? I believethat this will work (if not, I'd like to know what breaks), and Ericand I wrote our draft with that in mind. The reason that we didn'texplicitly describe this in the draft was because it is not exactlyclear that this behavior is considered desirable from a securityviewpoint. If we can get buy-off from the responsible Security Areafolks, I'm fine with adding it.

3) The alternatives to ZRTP all seem to specify a dizzying array of
keying options that require changes to signalling channel which are
mostly "yet to be defined". As an example, the capabilities for H.235.SRTPare nonsensically complex, and I'm still waiting for a clear leaderfor
SIP keying.
I'm in the process of adding support for ZRTP into the OPAL opensource
infrastructure, where it will be available for SIP and H.323 calls. In
fact, as most of the changes are only in the RTP stack only, there are
applications that will get ZRTP support simply because the use theOPAL
RTP stack, even though they use other signalling protocols.

Do you think that code re-use of TLS would be useful? Thosesignaling protocols use [D]TLS to provide their security, and Ibelieve that openh323 uses openssl. There is a DTLS-SRTPimplementation in a contrib branch of openssl (it compiles withlibsrtp); I'd be happy to point it out to you if you want to checkout it.


best regards,

David

The integration using Phils SDK has been mostly smooth sailing so far.
The only limiting factor so far as been my available time :)

   Craig
-----------------------------------------------------------------------Craig Southeren Post Increment – VoIP Consulting andSoftwarecraigs@xxxxxxxxxxxxxxxxxxxxwww.postincrement.com.au
 Phone:  +61 243654666      ICQ: #86852844
 Fax:    +61 243656905      MSN: craig_southeren@xxxxxxxxxxx
 Mobile: +61 417231046      Jabber: craigs@xxxxxxxxxx

 "It takes a man to suffer ignorance and smile.
  Be yourself, no matter what they say."   Sting

Follow-Ups:
- Re: Some views on Secure RTP
  - From: Werner Dittmann
- Re: Some views on Secure RTP
  - From: Craig Southeren

References:
- Some views on Secure RTP
  - From: Craig Southeren

Prev by Date: RE: Some views on Secure RTP
Next by Date: Re: Some views on Secure RTP
Previous by thread: Re: Some views on Secure RTP
Next by thread: Re: Some views on Secure RTP
Index(es):
- Date
- Thread