[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[AVT] Comments on draft-wing-avt-dtls-srtp-key-transport-01

To: avt at ietf.org
Subject: [AVT] Comments on draft-wing-avt-dtls-srtp-key-transport-01
From: Eric Rescorla <ekr at networkresonance.com>
Date: Tue, 11 Mar 2008 10:19:04 -0400
Delivered-to: ietfarch-avt-web-archive at core3.amsl.com
Delivered-to: avt at core3.amsl.com
List-help: <mailto:avt-request@ietf.org?subject=help>
List-id: Audio/Video Transport Working Group <avt.ietf.org>
List-post: <mailto:avt@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
Sender: avt-bounces at ietf.org
User-agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.1 Mule/5.0 (SAKAKI)

$Id: draft-wing-avt-dtls-key-transport-01-rev.txt,v 1.1 2008/03/11 13:57:27 ekr Exp $

GENERAL COMMENTS
DTLS-SRTP was explicitly designed for point-to-point sessions in which
there were two communication parties. This implies that a number of
RTP settings (e.g., conference bridges/mixers), need to be implemented
as a number of pairwise DTLS-SRTP connections. Thus, for instance,
when a single caller on a conference bridge speaks, the bridge needs
to reencrypt the data for all recipients separately. There has been
debate about how serious this performance issue is, but people
certainly have been concerned about it.

This draft describes a mechanism which allows one side of a DTLS-SRTP
association to impose a key of its choice on the other side. Thus, for
instance, the mixer/bridge could give each caller the same receiving
key (the one that the bridge uses to send/encrypt). Thus, the bridge
can only perform one encryption instead of one for each recipient.
This doesn't seem like a crazy idea.

That said, I have two major concerns about the particular mechanism
described in this document:

- It's specified at the DTLS layer but it's only useful for DTLS-SRTP,
  and doesn't really affect the DTLS part at all. I would prefer to
  see this either specified as a TLS extension that applies to TLS in
  all contexts, or to be specified purely as a feature of SRTP
  (a la EKT, though I'm not claiming it's adequate as-is).
- The mechanism described here seems a lot more complicated 
  (the ability to request keys, convey SSRCs, etc.) than required
  by the requirements I'm aware of.


DETAILED COMMENTS
S 4.1.
   After successful negotiation of the key_transport extension, the DTLS
   client and server MAY exchange SRTP packets, encrypted using the KDF
   described in [I-D.ietf-avt-dtls-srtp].  This is normal and expected,

I wouldn't write this as "encrypted using the KDF". The keys are generated
with a KDF, but the packets aren't.


S 4.2.
What's the need to request a new key.

I don't understand why the SSRC needs to be communicated, given that
DTLS-SRTP already describes mechanisms for SSRC->Key Material mapping.
Also, this breaks the general RTP model that implies that new SSRCs
can be introduced at any time, which (though I'm no RTP expert)
seems like it's going to be a lot worse in mutiparty cases. 

I don't understand wy keys need to be deleted.

Under what circumstances would these messages be large enough to
exceed 512 bytes and thus potentially need fragmentation?

-Ekr
_______________________________________________
Audio/Video Transport Working Group
avt at ietf.org
https://www.ietf.org/mailman/listinfo/avt

Follow-Ups:
- Re: [AVT] Comments on draft-wing-avt-dtls-srtp-key-transport-01
  - From: Dan Wing

Prev by Date: Re: [AVT] Timestamp in UEMCLIP
Next by Date: Re: [AVT] comments on draft-ietf-avt-rtp-speex-05.txt
Previous by thread: [AVT] Ad-hoc meeting in Philadelphia to discuss SVC Tuesady 9:00 room 302
Next by thread: Re: [AVT] Comments on draft-wing-avt-dtls-srtp-key-transport-01
Index(es):
- Date
- Thread