Re: [AVT] Fwd: [Tsvwg] Looking for feedback on DTLS

[Lee Dilkie <dilkiel at dilkie.com>]

I can see I missed a lot over the weekend...

Mark Baugher wrote:

> Eric
>   I have no idea why you are discussing http over IPsec.  I think this 
> topic should have zero interest for this working group.  I am not 
> saying that DTLS is a bad thing.  I am saying that I don't think the 
> value of DTLS has yet been shown for RTP.  
> http://www.ietf.org/internet-drafts/draft-rescorla-dtls-01.txt does 
> not motivate DTLS for RTP, it mentions SIP.  I doubt that DTLS for SIP 
> will be any more useful than RFC 2487 has been for SMTP, but that's 
> also largely beside the point for this WG.
>
>   The onus should be on you to tell us why DTLS is important for RTP 
> and not for us to explain why it is not.  So, I'll ask again:  RTP has 
> two security alternatives, IPsec and SRTP, what's the value for adding 
> DTLS as a third?
>
> Mark

Both IPsec and SRTP have shortcomings. IPsec is unable to provide the 
flexability and deployability required for RTP. SRTP lacks any key 
exchange/authentication (which I'm grateful for, BTW). DTLS gives the 
flexability of TLS (being tied to host names instead of IP addresses is 
a big plus over IPsec), the security of TLS (the most deployed security 
solution out there) and over a UDP transport, something we've been 
needing for a long time now.

Up until recently, any discussion regarding security for RTP has 
generally punted to IPsec as the solution. After (how many years), here 
we sit, still pointing to IPsec but the reality is that it just doesn't 
get deployed. Why? Because it isn't a good security solution for media 
streams.

Would I use DTLS over SRTP to secure RTP? Maybe. I can think of a few 
cases where that would be a better solution that trying to securely 
transport SRTP keys myself. SRTP is better in other cases (low 
bandwidth, for example). I think DTLS might be a better solution to 
secure media control streams (SIP was the example given but there are 
others). Certainly it's better(easier) than IPsec and probably easier 
than S/MIME.

Please don't just dismiss this outright because you think you've already 
got this problem covered.

regards,

-lee

> On Aug 15, 2004, at 6:57 PM, Eric Rescorla wrote:
>
> > Mark Baugher <mbaugher at cisco.com> wrote:
> >
> > > On Aug 14, 2004, at 10:01 AM, Eric Rescorla wrote:
> > >
> > > > Mark Baugher <mbaugher at cisco.com> wrote:
> > > >
> > > > > Hi Mats
> > > > >     Your point is well taken about decoupling SRTP from key
> > > > >     management, which varies from pairwise key management using (say)
> > > > >     IKE or MIKEY to broadcast key management using subset difference.
> > > > >     I don't think DTLS has much relevance to AVT protocols and am
> > > > >     copying the authors and security ADs to check my reasoning.
> > > > >     SSL/TLS has been successfully deployed for a class of
> > > > >     client/server applications.  That is outstanding.  It has some
> > > > >     vulnerabilities, however, that have been exploited by phishing
> > > > >     attacks, which is bad.
> > > >
> > > >
> > > > Phishing is a social attack, not an attack on anything specific
> > > > to SSL.
> > >
> > >
> > > Phishing might use more than social engineering, there's a class
> > > attack against browsers that wrongly route requests such as
> > > http://www.example.com/some-other-address to some-other-address
> > > and not to example.com.  The URI comes from a message with a forged
> > > RFC 2822 from address with example.com as the domain part.  The
> > > machine at some-other-address is own3d by an attacker, who posts
> > > a web page that looks like an www.example.com registration web page.
> > > So far, no SSL is involved in the attack.  It may not be
> > > needed to fool many users who usually expect the server to
> > > initiate the session and authenticate _them_ rather than vice
> > > versa.  I guess this is a social attack, but it's made possible
> > > because of the nature of the global security system that uses SSL.
> > > It relies on natural language names and asymmetric authorization/
> > > authentication where the server typically initiates the secure
> > > session and then gets much more information from the client than
> > > the client gets from the server.  The security problems with
> > > natural language names are considered in section 2 of RFC 2693;
> > > the problem of asymmetric authorization has been discussed in
> > > Risks and other places.
> >
> >
> > All of which would be true with, say, HTTP over IPsec.  Moreover SSL
> > offers certificate-based client authentication, so it's perfectly
> > possible to avert this attack using mechanisms already present
> > in SSL.
> >
> >
> > > > It would work just as well against, say, HTTP over IPsec.
> > >
> > >
> > > It depends on the authorization and credential system, doesn't
> > > it?
> >
> >
> > In some theoretical sense, I suppose. In practice, any HTTP over
> > IPsec system that anyone would be likely use would have similar
> > properties.
> >
> >
> > > > >     But regardless of the pros and cons of
> > > > >     SSL/TLS vs. IPsec, RTP has many peer-to-peer applications.  I
> > > > >     think that IPsec and/or SRTP can adequately protect almost any
> > > > >     real-time RTP session between peers or between clients and 
> > > > > server.
> > > > >     I can't think of anything DTLS will do for AVT protocols beyond
> > > > >     adding an unneeded alternative - and the accompanying confusion -
> > > > >     to the mix.
> > > > >
> > > > >    http://www.ietf.org/internet-drafts/draft-rescorla-dtls-01.txt
> > > > >    should probably specifically state that it is not appropriate for
> > > > >    the RTP family of protocols.
> > > >
> > > >
> > > > I don't understand the argument here. Unless there's some technical
> > > > reason why DTLS won't work for these applications, I don't understand
> > > > why the existence of alternative mechnisms requires a statement
> > > > that DTLS is inappropriate...
> > >
> > >
> > > Today, there are two practical alternatives for securing SRTP and
> > > these are IPsec and SRTP.  I think we satisfy the concerns of
> > > [WHYIPSEC] that are mentioned in draft-rescorla-dtls-01.txt.  Is it
> > > generally true that having two security protocol alternatives is better
> > > than three for reasons of relative simplicity of the implementations,
> > > improved interoperability, and lower development/maintenance costs.
> > > Why would we add a 3rd protocol?
> >
> >
> > Are you suggesting that a generic datagram security mechanism is a
> > bad thing?
> >
> >
> > -Ekr
> >
> > _______________________________________________
> > Audio/Video Transport Working Group
> > avt at ietf.org
> > https://www1.ietf.org/mailman/listinfo/avt

--
                     __|__
              -- at --@--(_)-- at --@--
"You can't be a real country unless you have a BEER and an airline. It
helps if you have some kind of a football team, or some nuclear weapons,
but at the very least you need a BEER."
--Frank Zappa 
                     __|__
              -- at --@--(_)-- at --@--


_______________________________________________
Audio/Video Transport Working Group
avt at ietf.org
https://www1.ietf.org/mailman/listinfo/avt