
FW: [MMUSIC] ICE-TCP issue: DTLS-SRTP over TCP?


> -----Original Message-----
> From: Jonathan Rosenberg [mailto:jdrosen@xxxxxxxxx] 
> Sent: Monday, July 09, 2007 1:15 PM
> To: IETF MMUSIC WG
> Cc: 'avt@xxxxxxxx'
> Subject: [MMUSIC] ICE-TCP issue: DTLS-SRTP over TCP?
> 
> My apologies for cc'ing AVT. However this is a cross-WG issue that
> impacts ICE and its usage with DTLS-SRTP.
> 
> ICE-tcp:
> http://www.ietf.org/internet-drafts/draft-ietf-mmusic-ice-tcp-04.txt
> DTLS-srtp:
> http://www.ietf.org/internet-drafts/draft-ietf-avt-dtls-srtp-00.txt
> 
> One of the really nice features of ICE-tcp is that you can offer, for an
> RTP-based media stream, either UDP or TCP candidates. The TCP ones are
> tried as a last resort, so that you get RTP over UDP when it works, and
> RTP over TCP when it doesn't. This choice is made dynamically based on
> the results of the connectivity checks.
> 
> So, the interesting question is, what happens if the media is secure?
> Well, clearly if UDP is selected, we end up with DTLS-SRTP. In that
> case, the SDP offer would contain the fingerprint and setup attributes.
> What happens if ICE selects TCP instead? There are two things this could
> mean:
> 
> 1. the media is secured using RTP over a TCP/TLS connection using
> RFC4571. This is *not* SRTP; the RTP packets are fully encrypted.
> 
> 2. the media is secured using DTLS-SRTP, run over the RFC4571 shim that
> is on top of TCP when ICE is in use. In this case, the media packets are
> SRTP and the RTP headers are in the clear as normal.
> 
> In many ways, #2 is a far preferable solution. It means that the
> mechanism for securing the media, and the associated SDP parameters and
> their meaning, are independent of the transport protocol and apply for
> UDP or TCP. With #1, the agent needs to run different protocols (TLS vs.
> DTLS) for security, depending on the transport protocol selected. That
> also has interactions with SDP capability negotiation, and it gets
> really messy.
> 
> So, #2 is what is specified in ice-tcp. However, AFAIK, DTLS-SRTP is not
> defined over TCP. I don't think it needs to change any per se; but it
> does need to be recognized as a valid mode.
> 
> Similarly, even ignoring a mix of UDP and TCP candidates, if we are just
> offering TCP candidates, does the media get secured using #1 or #2? Do
> we allow both? Right now ICE-tcp is allowing both. However, I think it's
> bad to have two ways of doing this. I'd rather settle on DTLS-SRTP over
> TCP as the one and only way of securing RTP over TCP.
> 
> Comments?
> -Jonathan R.
> 
> -- 
> Jonathan D. Rosenberg, Ph.D.                   600 Lanidex Plaza
> Cisco Fellow                                   Parsippany, NJ 07054-2711
> Cisco Systems
> jdrosen@xxxxxxxxx                              FAX:   (973) 952-5050
> http://www.jdrosen.net                         PHONE: (973) 952-5000
> http://www.cisco.com
> 
> _______________________________________________
> mmusic mailing list
> mmusic@xxxxxxxx
> https://www1.ietf.org/mailman/listinfo/mmusic
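Option #2 in the message above relies on the RFC 4571 shim doing one job: turning a TCP byte stream back into discrete packets so that the datagram-oriented ICE (STUN), DTLS and SRTP code paths can run unchanged. The following is an added example, not code from the post or from any IETF draft, that shows that shim: a framer that prepends the RFC 4571 16-bit length, a deframer that reassembles packets from arbitrarily segmented TCP reads, and the first-byte demultiplexing from RFC 5764 section 5.1.2 as updated by RFC 7983 (a later specification than the -00 draft cited in the message, so treat its use here as an assumption about what the final design settled on). The STUN, DTLS and SRTP packets are constructed by hand and carry placeholder contents.

```python
"""RFC 4571 framing of ICE/DTLS/SRTP packets over a TCP byte stream.

Added example (not from the mailing-list post or any IETF draft).
RFC 4571 prefixes each packet with a 16-bit big-endian LENGTH field, so a
receiver can re-frame the stream and hand whole packets to the same
STUN/DTLS/SRTP demultiplexer it uses for UDP.  Demux ranges are those of
RFC 5764 section 5.1.2 as updated by RFC 7983; sample packets below are
constructed placeholders, not captured traffic.
"""
import struct
from typing import List

MAX_FRAME = 0xFFFF  # RFC 4571 LENGTH is 16 bits


def frame(packet: bytes) -> bytes:
    """Prepend the RFC 4571 LENGTH field to one packet."""
    if len(packet) > MAX_FRAME:
        raise ValueError("packet exceeds the RFC 4571 16-bit length field")
    return struct.pack("!H", len(packet)) + packet


class Deframer:
    """Reassemble RFC 4571 frames from a TCP stream delivered in any chunking.

    TCP gives no packet boundaries: a read may end in the middle of the
    LENGTH field or in the middle of a packet, so bytes are buffered until
    a complete frame is present.
    """

    def __init__(self) -> None:
        self._buf = bytearray()

    def feed(self, data: bytes) -> List[bytes]:
        self._buf += data
        out: List[bytes] = []
        while len(self._buf) >= 2:
            (n,) = struct.unpack_from("!H", self._buf, 0)
            if len(self._buf) < 2 + n:
                break  # frame incomplete; wait for more stream data
            out.append(bytes(self._buf[2 : 2 + n]))
            del self._buf[: 2 + n]
        return out


def classify(packet: bytes) -> str:
    """First-byte demux (RFC 5764 s.5.1.2 / RFC 7983) on one complete packet."""
    if not packet:
        return "empty"
    b = packet[0]
    if 0 <= b <= 3:
        return "stun"    # ICE connectivity checks
    if 20 <= b <= 63:
        return "dtls"    # DTLS records carrying the SRTP key exchange
    if 128 <= b <= 191:
        return "srtp"    # RTP/RTCP header byte, version 2
    return "unknown"


def sample_packets() -> List[bytes]:
    """Constructed STUN Binding Request, DTLS ClientHello record, SRTP packet."""
    # STUN: type 0x0001, length 0, magic cookie, 12-byte transaction ID.
    stun = b"\x00\x01\x00\x00" + b"\x21\x12\xa4\x42" + b"\x11" * 12
    # DTLS 1.0 record: type 22 (handshake), version 0xFEFF, epoch 0,
    # 48-bit sequence 0, length, then a placeholder ClientHello body.
    hello_body = b"\x01" + b"\x00" * 11
    dtls = (b"\x16\xfe\xff" + b"\x00\x00" + b"\x00" * 6
            + struct.pack("!H", len(hello_body)) + hello_body)
    # SRTP: V=2 (0x80), PT 96, seq 1, timestamp, SSRC, opaque payload.
    srtp = (b"\x80\x60\x00\x01" + b"\x00\x00\x00\xa0"
            + b"\xde\xad\xbe\xef" + b"\x55" * 16)
    return [stun, dtls, srtp]


def run_over_tcp(packets: List[bytes], chunk: int = 7) -> List[bytes]:
    """Frame packets, deliver the stream in `chunk`-byte reads, re-frame."""
    stream = b"".join(frame(p) for p in packets)
    deframer = Deframer()
    received: List[bytes] = []
    for i in range(0, len(stream), chunk):
        received.extend(deframer.feed(stream[i : i + chunk]))
    return received


def demo() -> List[str]:
    """Return the demux result for the packets after a round trip over 'TCP'."""
    return [classify(p) for p in run_over_tcp(sample_packets())]


if __name__ == "__main__":
    print(demo())
```

The deframer is the part that matters for the point Jonathan makes: once packets are recovered intact, the same fingerprint/setup SDP attributes and the same DTLS-SRTP state machine apply whether ICE picked a UDP or a TCP candidate, and the RTP headers stay in the clear exactly as in the UDP case.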