IETF Logo Mail Archive

Re: [AVT] Sockets in multicast DTLS-SRTP

Romain Biehlmann <romain.biehlmann@gmail.com> Fri, 07 May 2010 08:35 UTC

Return-Path: <romain.biehlmann@gmail.com>
X-Original-To: avt@core3.amsl.com
Delivered-To: avt@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42E473A6AF4; Fri, 7 May 2010 01:35:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.399
X-Spam-Level:
X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_12=0.6, J_CHICKENPOX_15=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jksxsCAHwBLN; Fri, 7 May 2010 01:35:43 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com [74.125.82.172]) by core3.amsl.com (Postfix) with ESMTP id A3C4A3A6ABE; Fri, 7 May 2010 01:35:42 -0700 (PDT)
Received: by wyb32 with SMTP id 32so635243wyb.31 for <multiple recipients>; Fri, 07 May 2010 01:35:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=BcL9LpI/EMiFY2/nTONAnMw+dDJIE3Q1LSfEhGjPMjI=; b=NcXP6nV0r0ccu374dyoH6qMDU8v1PHVTT4EvmLaGiX7Skdqc0dwVWEjI7sqWtV3g5m yZQhpV4+lh2Ll6Cdrk1KHhaBSCzCNUzKchk2cmgWn87posyJvq/73XQKpjjfTckBffTG Y2LpeRUZyfKeIMH9KDrwZaZrndSwtgHTlJJ3g=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=VsPUDKmwP6hyyR6lPqBMHToZid5jNyGPTrLZabaQsD0QBaErW1W2To1oD8SrtaW24B nzAJgH68TC0eQLHJKPMrqGzcJCbPRXiR5sMtaeAIYDUyPrl2s+UrIaYWxGi9zeP7Rj16 9eJ4iwnUqKkznsN+j99PIXHg3oBYG4SYQzq4I=
MIME-Version: 1.0
Received: by 10.216.86.71 with SMTP id v49mr5473809wee.14.1273221326181; Fri, 07 May 2010 01:35:26 -0700 (PDT)
Received: by 10.216.169.195 with HTTP; Fri, 7 May 2010 01:35:26 -0700 (PDT)
In-Reply-To: <009201caed66$6fef95e0$38a66b80@cisco.com>
References: <9a06dcf1003230527q39fc7f9bye2ca616599e95cac@mail.gmail.com> <00f101cacad0$9d93fc10$1143150a@cisco.com> <9a06dcf1003240120g29db1b1bxb0f0a3e719336720@mail.gmail.com> <009201caed66$6fef95e0$38a66b80@cisco.com>
Date: Fri, 07 May 2010 10:35:26 +0200
Message-ID: <q2p9a06dcf1005070135k7d2d133el8516cb8689761c50@mail.gmail.com>
From: Romain Biehlmann <romain.biehlmann@gmail.com>
To: Dan Wing <dwing@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: Flemming Andreasen <fandreas@cisco.com>, avt@ietf.org, mmusic@ietf.org
Subject: Re: [AVT] Sockets in multicast DTLS-SRTP
X-BeenThere: avt@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Audio/Video Transport Working Group <avt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/avt>
List-Post: <mailto:avt@ietf.org>
List-Help: <mailto:avt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/avt>, <mailto:avt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2010 08:35:44 -0000

Hi Dan,

Thank you for your answer: the first solution could solve the problem.
I now wonder about KTR: do you consider (a) as a replacement for (b)?

(a)
a=dtls-srtp-ktr
a=dtls-srtp IP4 192.168.0.1 12345

(b)
a=dtls-srtp-ktr
a=dtls-srtp-ktr-server:12345 IN IP4 192.168.0.1

Romain



On Thu, May 6, 2010 at 11:52 PM, Dan Wing <dwing@cisco.com> wrote:
> Romain,
>
> (added MMUSIC, as this is mostly about SDP in this post.)
>
> I talked with Flemming about this and there isn't an existing SDP mechanism we
> could easily extend to allow unicast keying of a multicast session.  The
> problem isn't just with multicast; there are some unicast scenarios, such as
> really large unicast groups, where having the 'speaker' or 'mixer' do the
> keying doesn't scale very well (and doing DTLS in a separate device can
> improve things).
>
> So, we would need to define a new SDP attribute that indicates the DTLS-SRTP
> peer for keying, something like this (which shows a DTLS-SRTP-encrypted
> multicast audio session),
>
>        v=0
>        o=- 25678 753849 IN IP4 192.0.2.1
>        s=
>        t=0 0
>        m=audio 41000 UDP/TLS/RTP/SAVP 98
>        c=IN IP4 233.252.0.2/255
>        a=dtls-srtp IP4 192.0.2.2 556677             <<<<<<<
>        a=dtls-srtp IP6 2001:db8:abcd::1234 556677   <<<<<<<
>
> The Answerer would choose IPv6 or IPv4, and initiate a DTLS-SRTP handshake
> with that address.  However, this won't work well if the DTLS-SRTP 'server' is
> behind a NAT, and almost begs for ICE to support that situation.  There seem
> to be two approaches:  (1) avoid the problem or (2) include support for ICE.
>
> (1) In this approach, we dictate that the DTLS-SRTP server's IP address(es)
> must be accessible to the Answerer.  This means the DTLS-SRTP server has to
> use a publicly-routed IP address.
>
> (2) In this approach, we use ICE, inside a=dtls-srtp attribute lines, which
> would look something like this:
>
>        v=0
>        o=- 25678 753849 IN IP4 192.0.2.1
>        s=
>        t=0 0
>        m=audio 41000 UDP/TLS/RTP/SAVP 98
>        c=IN IP4 233.252.0.2/255
>        a=dtls-srtp ice-pwd asd88fgpdd777uzjYhagZg
>        a=dtls-srtp ice-ufrag:8hhY
>        a=dtls-srtp candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host
>        a=dtls-srtp candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx
> raddr
>   10.0.1.1 rport 8998
>
>
> Would approach (1) meet your needs?
>
> -d
>
>
>
>> -----Original Message-----
>> From: Dan Wing [mailto:dwing@cisco.com]
>> Sent: Friday, March 26, 2010 11:31 AM
>> To: 'Romain Biehlmann'
>> Cc: 'avt@ietf.org'; 'Flemming Andreasen'
>> Subject: RE: [AVT] Sockets in multicast DTLS-SRTP
>>
>> Thanks for explaining the issue.  I believe we don't yet know
>> how to have SDP associate a unicast session (for DTLS-SRTP)
>> with a multicast session (for receiving the SRTP-encrypted
>> stream).  I expect there is an answer in MMUSIC's SDP
>> Capability Negotiation and/or what is being done to mix
>> unicast and multicast in draft-ietf-avt-rapid-acquisition-for-rtp,
>> or somewhere.
>>
>> Flemming Andreasen (CC'd) will take a look at this over the
>> next week (he is editor of SDP Capability Negotiation and
>> co-author of EKT).  But at this point I believe it will
>> require additional standards work to mix unicast/multicast.
>>
>> -d
>>
>>
>> > -----Original Message-----
>> > From: Romain Biehlmann [mailto:romain.biehlmann@gmail.com]
>> > Sent: Wednesday, March 24, 2010 1:20 AM
>> > To: Dan Wing
>> > Cc: avt@ietf.org
>> > Subject: Re: [AVT] Sockets in multicast DTLS-SRTP
>> >
>> > Hi,
>> >
>> > And thank you for your fast answer!
>> >
>> > I actually already planned on using KTR, which uses EKT,
>> but got stuck
>> > by this socket problem.
>> >
>> > I don't get how the data should be multiplexed in the case of a
>> > multicast session since two sockets will be opened on the clients'
>> > side (as shown on the drawing below)... Or am I completely wrong?
>> >
>> > ----------
>> > | server |---- SRTP multicast session -------------------
>> > ----------                                              |
>> >   | | |                                  ------------   |
>> >   | | |--- DTLS KTR unicast session 1 ---| client 1 |---|
>> >   | |                                    ------------   |
>> >   | |                                    ------------   |
>> >   | |----- DTLS KTR unicast session 2 ---| client 2 |---|
>> >   |                                      ------------   |
>> >   |                                      ------------   |
>> >   |------- DTLS KTR unicast session 3 ---| client 3 |---|
>> >                                          ------------
>> >
>> > Thank you very much for the time you take to read me.
>> >
>> > Romain
>> >
>> >
>> >
>> > 2010/3/23 Dan Wing <dwing@cisco.com>:
>> > >> -----Original Message-----
>> > >> From: avt-bounces@ietf.org [mailto:avt-bounces@ietf.org] On
>> > >> Behalf Of Romain Biehlmann
>> > >> Sent: Tuesday, March 23, 2010 5:27 AM
>> > >> To: avt@ietf.org
>> > >> Subject: [AVT] Sockets in multicast DTLS-SRTP
>> > >>
>> > >> Hi all,
>> > >>
>> > >> I hope my question is not too dumb, and not too
>> > >> implementation-oriented; if so, please accept my apologies
>> > and ignore
>> > >> it.
>> > >>
>> > >> In http://tools.ietf.org/html/draft-ietf-avt-dtls-srtp-07 chapter
>> > >> 5.1.1, we can read the following:
>> > >> "When a user of DTLS wishes to send an RTP packet in SRTP mode it
>> > >> delivers it to the DTLS implementation as an ordinary
>> > application data
>> > >> write (e.g., SSL_write())."
>> > >>
>> > >> From that, I understand that in the case of a unicast
>> session, only
>> > >> one socket is needed for the transmission of STUN, SRTP and DTLS
>> > >> datagrams.
>> > >
>> > > Right, and demultiplexed as shown in
>> > >
>> http://tools.ietf.org/html/draft-ietf-avt-dtls-srtp-07#section-5.1.2
>> > >
>> > >> I am not sure, though, to get how it should work in the
>> > case of a (one
>> > >> to many) multicast session.
>> > >
>> > > Use DTLS-SRTP with EKT.  EKT allows telling each of the receivers
>> > > the same key.  The sender then sends the same multicast packet
>> > > (or if using unicast, the sender sends the same packet, unicast,
>> > > to each NNN receivers).
>> > >
>> > > EKT is http://tools.ietf.org/html/draft-ietf-avt-srtp-ekt-00
>> > >
>> > > -d
>> > >
>> > >> Isn't the server supposed to send SRTP datagrams to a broadcast
>> > >> address, whereas DTLS data must be sent directly to (unicast)
>> > >> designated clients? Is the sentence in the draft only
>> applicable to
>> > >> unicast?
>> > >>
>> > >> I thank you in advance for your valuable insight.
>> > >>
>> > >> Romain
>> > >> _______________________________________________
>> > >> Audio/Video Transport Working Group
>> > >> avt@ietf.org
>> > >> https://www.ietf.org/mailman/listinfo/avt
>> > >
>> > >
>> >
>>
>
>

v2.23.0 | Report a Bug | By Email