Re: [AVT] Fwd: [Tsvwg] Looking for feedback on DTLS

[Mark Baugher <mbaugher at cisco.com>]

Hi Mats
   Your point is well taken about decoupling SRTP from key management, 
which varies from pairwise key management using (say) IKE or MIKEY to 
broadcast key management using subset difference.  I don't think DTLS 
has much relevance to AVT protocols and am copying the authors and 
security ADs to check my reasoning.  SSL/TLS has been successfully 
deployed for a class of client/server applications.  That is 
outstanding.  It has some vulnerabilities, however, that have been 
exploited by phishing attacks, which is bad.  But regardless of the 
pros and cons of SSL/TLS vs. IPsec, RTP has many peer-to-peer 
applications.  I think that IPsec and/or SRTP can adequately protect 
almost any real-time RTP session between peers or between clients and 
server.  I can't think of anything DTLS will do for AVT protocols 
beyond adding an unneeded alternative - and the accompanying confusion 
- to the mix.

  http://www.ietf.org/internet-drafts/draft-rescorla-dtls-01.txt should 
probably specifically state that it is not appropriate for the RTP 
family of protocols.

cheers, Mark
On Aug 14, 2004, at 6:54 AM, Mats Näslund wrote:

> Hi
>
> Lee Dilkie wrote:
>
> > Mark Baugher wrote:
> >  > I don't think avt needs to be concerned with yet another way to
> >  > authenticate/encrypt RTP packets in addition to SRTP and IPsec.  I
> >  > don't know what the advantages are of using TLS over IPsec.  If
> >  > security at the internetwork layer is not the right place, then we
> >  > have SRTP.  The only Datagram TLS application that is mentioned is
> >  > SIP.  I don't know why since DTLS does nothing to address SIP's 
> > real
> >  > security problems, which are middle-to-middle as much as 
> > end-to-end.  > But this can be properly deferred to one of the SIP 
> > WGs IMHO.
> >  >
> > Perhaps this isn't the right place for this discussion but I for one 
> > was
> > pleased to read the paper. And seeing that SRTP requires external
> > mechanism's for key exchange, this solution seems to be somewhat
> > relevant to the participants of this forum. IPsec has deployment
> > difficulities, TLS is dependant on TCP. This proposal seems to me to
> > address the problem space (secure UDP-based transport)  nicely.
>
>
> Just for the record:
>
> It was a design requirement to have srtp independent of any specific 
> key
> mgmt protocol, so a built-in one was never considered.
>
> /Mats
>
> > Not all of us are using SIP for session establishment of RTP streams.
> > regards,
> > Lee Dilkie
> > Mitel
>
>
> _______________________________________________
> Audio/Video Transport Working Group
> avt at ietf.org
> https://www1.ietf.org/mailman/listinfo/avt


_______________________________________________
Audio/Video Transport Working Group
avt at ietf.org
https://www1.ietf.org/mailman/listinfo/avt