Re: [AVT] Sockets in multicast DTLS-SRTP
Romain Biehlmann <romain.biehlmann@gmail.com> Fri, 07 May 2010 08:35 UTC
Return-Path: <romain.biehlmann@gmail.com>
X-Original-To: avt@core3.amsl.com
Delivered-To: avt@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42E473A6AF4; Fri, 7 May 2010 01:35:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_12=0.6, J_CHICKENPOX_15=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jksxsCAHwBLN; Fri, 7 May 2010 01:35:43 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id A3C4A3A6ABE; Fri, 7 May 2010 01:35:42 -0700 (PDT)
Received: by wyb32 with SMTP id 32so635243wyb.31 for <multiple recipients>; Fri, 07 May 2010 01:35:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=BcL9LpI/EMiFY2/nTONAnMw+dDJIE3Q1LSfEhGjPMjI=; b=NcXP6nV0r0ccu374dyoH6qMDU8v1PHVTT4EvmLaGiX7Skdqc0dwVWEjI7sqWtV3g5m yZQhpV4+lh2Ll6Cdrk1KHhaBSCzCNUzKchk2cmgWn87posyJvq/73XQKpjjfTckBffTG Y2LpeRUZyfKeIMH9KDrwZaZrndSwtgHTlJJ3g=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=VsPUDKmwP6hyyR6lPqBMHToZid5jNyGPTrLZabaQsD0QBaErW1W2To1oD8SrtaW24B nzAJgH68TC0eQLHJKPMrqGzcJCbPRXiR5sMtaeAIYDUyPrl2s+UrIaYWxGi9zeP7Rj16 9eJ4iwnUqKkznsN+j99PIXHg3oBYG4SYQzq4I=
MIME-Version: 1.0
Received: by 10.216.86.71 with SMTP id v49mr5473809wee.14.1273221326181; Fri, 07 May 2010 01:35:26 -0700 (PDT)
Received: by 10.216.169.195 with HTTP; Fri, 7 May 2010 01:35:26 -0700 (PDT)
In-Reply-To: <009201caed66$6fef95e0$38a66b80@cisco.com>
References: <9a06dcf1003230527q39fc7f9bye2ca616599e95cac@mail.gmail.com> <00f101cacad0$9d93fc10$1143150a@cisco.com> <9a06dcf1003240120g29db1b1bxb0f0a3e719336720@mail.gmail.com> <009201caed66$6fef95e0$38a66b80@cisco.com>
Date: Fri, 07 May 2010 10:35:26 +0200
Message-ID: <q2p9a06dcf1005070135k7d2d133el8516cb8689761c50@mail.gmail.com>
From: Romain Biehlmann <romain.biehlmann@gmail.com>
To: Dan Wing <dwing@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Flemming Andreasen <fandreas@cisco.com>, avt@ietf.org, mmusic@ietf.org
Subject: Re: [AVT] Sockets in multicast DTLS-SRTP
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Audio/Video Transport Working Group <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2010 08:35:44 -0000
Hi Dan, Thank you for your answer: the first solution could solve the problem. I now wonder about KTR: do you consider (a) as a replacement for (b)? (a) a=dtls-srtp-ktr a=dtls-srtp IP4 192.168.0.1 12345 (b) a=dtls-srtp-ktr a=dtls-srtp-ktr-server:12345 IN IP4 192.168.0.1 Romain On Thu, May 6, 2010 at 11:52 PM, Dan Wing <dwing@cisco.com> wrote: > Romain, > > (added MMUSIC, as this is mostly about SDP in this post.) > > I talked with Flemming about this and there isn't an existing SDP mechanism we > could easily extend to allow unicast keying of a multicast session. The > problem isn't just with multicast; there are some unicast scenarios, such as > really large unicast groups, where having the 'speaker' or 'mixer' do the > keying doesn't scale very well (and doing DTLS in a separate device can > improve things). > > So, we would need to define a new SDP attribute that indicates the DTLS-SRTP > peer for keying, something like this (which shows a DTLS-SRTP-encrypted > multicast audio session), > > v=0 > o=- 25678 753849 IN IP4 192.0.2.1 > s= > t=0 0 > m=audio 41000 UDP/TLS/RTP/SAVP 98 > c=IN IP4 233.252.0.2/255 > a=dtls-srtp IP4 192.0.2.2 556677 <<<<<<< > a=dtls-srtp IP6 2001:db8:abcd::1234 556677 <<<<<<< > > The Answerer would choose IPv6 or IPv4, and initiate a DTLS-SRTP handshake > with that address. However, this won't work well if the DTLS-SRTP 'server' is > behind a NAT, and almost begs for ICE to support that situation. There seem > to be two approaches: (1) avoid the problem or (2) include support for ICE. > > (1) In this approach, we dictate that the DTLS-SRTP server's IP address(es) > must be accessible to the Answerer. This means the DTLS-SRTP server has to > use a publicly-routed IP address. > > (2) In this approach, we use ICE, inside a=dtls-srtp attribute lines, which > would look something like this: > > v=0 > o=- 25678 753849 IN IP4 192.0.2.1 > s= > t=0 0 > m=audio 41000 UDP/TLS/RTP/SAVP 98 > c=IN IP4 233.252.0.2/255 > a=dtls-srtp ice-pwd asd88fgpdd777uzjYhagZg > a=dtls-srtp ice-ufrag:8hhY > a=dtls-srtp candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host > a=dtls-srtp candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx > raddr > 10.0.1.1 rport 8998 > > > Would approach (1) meet your needs? > > -d > > > >> -----Original Message----- >> From: Dan Wing [mailto:dwing@cisco.com] >> Sent: Friday, March 26, 2010 11:31 AM >> To: 'Romain Biehlmann' >> Cc: 'avt@ietf.org'; 'Flemming Andreasen' >> Subject: RE: [AVT] Sockets in multicast DTLS-SRTP >> >> Thanks for explaining the issue. I believe we don't yet know >> how to have SDP associate a unicast session (for DTLS-SRTP) >> with a multicast session (for receiving the SRTP-encrypted >> stream). I expect there is an answer in MMUSIC's SDP >> Capability Negotiation and/or what is being done to mix >> unicast and multicast in draft-ietf-avt-rapid-acquisition-for-rtp, >> or somewhere. >> >> Flemming Andreasen (CC'd) will take a look at this over the >> next week (he is editor of SDP Capability Negotiation and >> co-author of EKT). But at this point I believe it will >> require additional standards work to mix unicast/multicast. >> >> -d >> >> >> > -----Original Message----- >> > From: Romain Biehlmann [mailto:romain.biehlmann@gmail.com] >> > Sent: Wednesday, March 24, 2010 1:20 AM >> > To: Dan Wing >> > Cc: avt@ietf.org >> > Subject: Re: [AVT] Sockets in multicast DTLS-SRTP >> > >> > Hi, >> > >> > And thank you for your fast answer! >> > >> > I actually already planned on using KTR, which uses EKT, >> but got stuck >> > by this socket problem. >> > >> > I don't get how the data should be multiplexed in the case of a >> > multicast session since two sockets will be opened on the clients' >> > side (as shown on the drawing below)... Or am I completely wrong? >> > >> > ---------- >> > | server |---- SRTP multicast session ------------------- >> > ---------- | >> > | | | ------------ | >> > | | |--- DTLS KTR unicast session 1 ---| client 1 |---| >> > | | ------------ | >> > | | ------------ | >> > | |----- DTLS KTR unicast session 2 ---| client 2 |---| >> > | ------------ | >> > | ------------ | >> > |------- DTLS KTR unicast session 3 ---| client 3 |---| >> > ------------ >> > >> > Thank you very much for the time you take to read me. >> > >> > Romain >> > >> > >> > >> > 2010/3/23 Dan Wing <dwing@cisco.com>: >> > >> -----Original Message----- >> > >> From: avt-bounces@ietf.org [mailto:avt-bounces@ietf.org] On >> > >> Behalf Of Romain Biehlmann >> > >> Sent: Tuesday, March 23, 2010 5:27 AM >> > >> To: avt@ietf.org >> > >> Subject: [AVT] Sockets in multicast DTLS-SRTP >> > >> >> > >> Hi all, >> > >> >> > >> I hope my question is not too dumb, and not too >> > >> implementation-oriented; if so, please accept my apologies >> > and ignore >> > >> it. >> > >> >> > >> In http://tools.ietf.org/html/draft-ietf-avt-dtls-srtp-07 chapter >> > >> 5.1.1, we can read the following: >> > >> "When a user of DTLS wishes to send an RTP packet in SRTP mode it >> > >> delivers it to the DTLS implementation as an ordinary >> > application data >> > >> write (e.g., SSL_write())." >> > >> >> > >> From that, I understand that in the case of a unicast >> session, only >> > >> one socket is needed for the transmission of STUN, SRTP and DTLS >> > >> datagrams. >> > > >> > > Right, and demultiplexed as shown in >> > > >> http://tools.ietf.org/html/draft-ietf-avt-dtls-srtp-07#section-5.1.2 >> > > >> > >> I am not sure, though, to get how it should work in the >> > case of a (one >> > >> to many) multicast session. >> > > >> > > Use DTLS-SRTP with EKT. EKT allows telling each of the receivers >> > > the same key. The sender then sends the same multicast packet >> > > (or if using unicast, the sender sends the same packet, unicast, >> > > to each NNN receivers). >> > > >> > > EKT is http://tools.ietf.org/html/draft-ietf-avt-srtp-ekt-00 >> > > >> > > -d >> > > >> > >> Isn't the server supposed to send SRTP datagrams to a broadcast >> > >> address, whereas DTLS data must be sent directly to (unicast) >> > >> designated clients? Is the sentence in the draft only >> applicable to >> > >> unicast? >> > >> >> > >> I thank you in advance for your valuable insight. >> > >> >> > >> Romain >> > >> _______________________________________________ >> > >> Audio/Video Transport Working Group >> > >> avt@ietf.org >> > >> https://www.ietf.org/mailman/listinfo/avt >> > > >> > > >> > >> > >
- [AVT] Sockets in multicast DTLS-SRTP Romain Biehlmann
- Re: [AVT] Sockets in multicast DTLS-SRTP Dan Wing
- Re: [AVT] Sockets in multicast DTLS-SRTP Romain Biehlmann
- Re: [AVT] Sockets in multicast DTLS-SRTP Dan Wing
- Re: [AVT] Sockets in multicast DTLS-SRTP Flemming Andreasen
- Re: [AVT] Sockets in multicast DTLS-SRTP Dan Wing
- Re: [AVT] Sockets in multicast DTLS-SRTP Romain Biehlmann
- Re: [AVT] Sockets in multicast DTLS-SRTP Dan Wing
- Re: [AVT] Sockets in multicast DTLS-SRTP Roni Even
- Re: [AVT] Sockets in multicast DTLS-SRTP Dan Wing