Internet Engineering Task Force MMUSIC WG INTERNET-DRAFT Mark Handley draft-ietf-mmusic-sap-00.txt ISI 19th Nov 1996 SAP: Session Announcement Protocol Status of this Memo This document is an Internet-Draft. Internet-Drafts are working docu- ments of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as ``work in progress.'' To learn the current status of any Internet-Draft, please check the ``1id-abstracts.txt'' listing contained in the Internet-Drafts Shadow Directories on ftp.is.co.za (Africa), nic.nordu.net (Europe), munnari.oz.au (Pacific Rim), ds.internic.net (US East Coast), or ftp.isi.edu (US West Coast). Distribution of this document is unlimited. Abstract This document describes the SAP - the session directory announcement protocol, and the related issues affecting secu- rity and scalability that should be taken into account by the implementors of session directory tools. It is a companion document to draft-ietf-mmusic-sdp. This document is a product of the Multiparty Multimedia Session Control (MMUSIC) working group of the Internet Engineering Task Force. Comments are solicited and should be addressed to the working group's mailing list at confctrl@isi.edu and/or the author. Handley [Page 1] INTERNET-DRAFT 18th Nov 1996 1. Introduction An mbone session directory is used to advertise multimedia conferences, and to communicate the session addresses (whether multicast or unicast) and conference-tool-specific information necessary for participation. Such sessions are described using the Session Description Protocol (SDP) which is described in a companion draft. This document describes the issues involved in the multicast announcement of session description packets and defines a packet format to be used by session directory clients. SAP v0 is currently implemented in Sdr and other compatible tools. This document describes SAP v1, which contains some enhancements to the basic announcement model. The differences between SAP v1 and SAP v0 are described in Appendix A. Much of this document is concerned with security considerations - these security considerations have not yet been subject to suitable peer-review, and this document should not be considered authoritative in this area. 2. Background IP Multicast is an extension of internet routing that permits efficient many-to-many communication. It is used extensively for multimedia con- ferencing. Such multimedia sessions usually have the property that tight coordination of session membership is not necessary; in order to receive a session, a user at a multicast-capable site only has to know the correct multicast group address for the session and the transport ports the conferencing applications will use to receive the conference data streams. In order to assist the advertisement of multicast sessions and to com- municate the relevant session setup information to prospective partici- pants, a distributed session directory is used. An instance of such a session directory periodically multicasts packets containing a descrip- tion of a multimedia session, and these advertisements are received by potential participants who can use the session description to start the tools required to participate in the session. The companion draft ``SDP: Session Description Protocol'' describes a payload format suit- able for such session descriptions. This draft describes the distribu- tion mechanism and packet format. 3. The SAP Protocol SAP is an announcement protocol for multicast conference sessions. An SAP client that announces a conference session periodically multicasts an announcement packet to a well known multicast address and port. The announcement is multicast with the same scope (as defined by group address range or TTL) as the session it is announcing. This ensures that the recipients of the announcement can also be potential recipients Handley [Page 2] INTERNET-DRAFT 18th Nov 1996 of the session the announcement describes (bandwidth and other such con- straints permitting). This is also important for the scalability of the protocol, as it keeps local session announcements local. The time period between one announcement and its repetition is dependent on two factors - the scope (TTL) of the session, and the number of other sessions currently being announced by other session directory clients. The goal is to keep the total bandwidth being used below a predefined level for each scope. Session Announcement A session to be announced is simply multicast to the appropriate well- known multicast address and port. The announcement contains a session description and, optionally, an authentication header. The session description may be encrypted. Session Deletion Sessions may be deleted in one of several ways: Explicit Timeout The session description contains timestamp information which speci- fies a start and end time for the session. If the current time is later than the end-time for the session, then the session is deleted from the receiver's session cache. If an announcement packet arrives with an end-time before the current time, it is ignored. Implicit Timeout A session announcement message should be received periodically for each session description in a receiver's session cache. The announcement period can be predicted by the receiver from the set of sessions currently being announced. If a session announcement mes- sage has not been received for ten times the announcement period, or half an hour, whichever is the greater, then the session is deleted from the receiver's session cache. The half hour minimum is to allow for transient network partitionings. Explicit Deletion A session deletion packet is received specifying the version of the session to be deleted. If the cached session contains an authentica- tion header, the session deletion packet must contain a signature signed by the same key. If the cached session does not contain an authentication header, but the deletion packet has the same IP- source address (not the SAP-stated source address in the packet) as that from which the session announcement was originally announced, then the session is deleted. If neither of these conditions is Handley [Page 3] INTERNET-DRAFT 18th Nov 1996 not the case, then the session deletion packet is ignored. Note that IP source addresses can be spoofed, and although the RPF filter in most multicast routing algorithms will result in the packet not being delivered in some cases, this is insufficient protection in many cases, and an authentication header should be used for such situations. Session Modification A pre-announced session can be modified by simply announcing the modi- fied session description. In this case, the version hash in the SAP header should be changed to indicate to receivers that the packet con- tents should be parsed (or decrypted and parsed if it is encrypted). The session itself is uniquely identified by the SDP origin field in the payload, and not by the version hash in the SAP header. The same rules apply for session modification as for session deletion: + Either the modified announcement must contain an authentication header signed by the same key as the cached session announcement it is modifying, or: + The cached session announcement must not contain an authentication header, and the session modification announcement must originate from the same host as the session it is modifying. If an announcement is received containing a authentication header and the cached announcement did not contain an authentication header, or it contained an different authentication header, then the modified announcement must be treated as a new and different announcement, and displayed in addition to the un-authenticated announcement. The same should happen if a modified packet without an authentication header is received from a different source than the original announcement. These rules prevent an announcement having an authentication header added by a malicious user and then being deleted using that header, and it also prevents a denial-of-service attack by someone putting out a spoof announcement which, due to packet loss, reaches some participants before the original announcement. Note that under such circumstances, being able to authenticate the message originator is the only way to discover which session is the correct session. 4. Packet Format Unencrypted SAP data packets are of the following format: Handley [Page 4] INTERNET-DRAFT 18th Nov 1996 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | V=1 | MT |E|C| auth len | msg id hash | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | orig source | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | optional authentication header | | .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | text payload | | .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Encrypted SAP data packets contain additional fields 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | V=1 | MT |E|C| auth len | msg id hash | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | orig source | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | optional authentication header | | .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | key id | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | timeout | *-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* |P| random field | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | text payload | | .... | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Only fields from * onwards are encrypted. V: Version Number SAP version number = 1 Handley [Page 5] INTERNET-DRAFT 18th Nov 1996 MT: Message Type One of the following: 0 Session description announcement packet. The text payload is an SDP session description, as described in draft-ietf-mmusic-sdp. 1 Session description deletion packet. The text payload is a single SDP line consisting of the origin field of the announcement to be deleted. E - Encryption Bit If the encryption bit is set, the text payload of the SAP packet is encrypted, and additional fields are added to the packet: Key-ID, Timeout, P (padding) and Random. The Key-ID and Timeout fields are not encrypted, but the P and Random fields are encrypted along with the text payload. Note the encryption algorithm is not specified in the packet - this is communicated to permitted receivers out-of-band along with the corresponding decryption key. C - Compressed bit This bit indicates that the payload was compressed using the gzip compression algorithm [3]. Authentication Length: A 8 bit unsigned quantity giving the number of 32 bit words following the main SAP header that contain authentication data (and padding bytes if present). If it is zero, no authentication header is present. Authentication Header This contains a digital signature (encrypted cryptographic hash) of the text payload (including key-id, expiry timestamp, and encrypted random field and text payload if the payload is encrypted) from the end of the authentication header onwards. It also contains the public key with which the authentication header can be checked, and information to iden- tify the encryption algorithm and mode used. It can be used for two purposes: + Verification that changes to a session description or deletion of a session are permitted. + Authentication of the identity of the session creator. Handley [Page 6] INTERNET-DRAFT 18th Nov 1996 In some circumstances only Verification is possible because a certifi- cate signed by a mutually trusted person or authority is not available. However, under such circumstances, the session originator may still be authenticated to be the same as the session originator of previous ses- sions claiming to be from the same person. This may or may not be suf- ficient depending on the purpose of the session and the people involved. Clearly the key given in the authentication header should not be trusted to belong to the session originator unless it has been separately authenticated by some other means, such as being certified by a trusted third party. Such certificates are not normally included in an SAP header because they take more space than can normally be afforded in an SAP packet, and such verification must therefore take place by some other mechanism. However, as certified public keys are normally locally cached, authentication of a particular key only has to take place once, rather than every time the session directory retransmits the announce- ment. SAP is not tied to any single authentication mechanism. Authentication Headers must be self-describing, but their precise format depends on the authentication mechanism (signature and encryption scheme) in use, and so is not defined here. Message Identifier Hash A 16 bit quantity that, used in combination with the originating source, provides a globally unique id identifying the precise version of this announcement. The message id hash should be changed if any field of the session description is changed. A value of zero means the hash should be ignored and the message should always be parsed. Originating Source This gives the IP address of the original source of the message. It is permissible to be zero if the message has not passed through a proxy relay and if the message id hash is also zero, though this is intended only for backwards compatibility with SAPv0 clients. Key ID The key identifier is a 32 bit network byte-order integer which is used as a hint to identify which encryption key was used to encrypt a packet. Key id's should be randomly generated when a new encryption key is chosen for a group of users, and so they are not guaranteed to be glo- bally unique. If a receiver has multiple keys with the same key-id, to perform decryption each key in turn must be used until one of them suc- cessfully decrypts the data. Handley [Page 7] INTERNET-DRAFT 18th Nov 1996 Timeout When the session payload is encrypted, and the session description is being relayed or announced via a proxy, the detailed timing fields in the SDP description are not available to the proxy as they are encrypted and the proxy is not trusted with the decryption key. Under such cir- cumstances, SAP includes an additional 32-bit timestamp field stating when the session should be timed out. This field is included after the authentication header, and the digital signature in the authentication header encompasses the timeout so that a session cannot be maliciously deleted by modifying its timeout in an announcing proxy. The value is an unsigned quantity giving the NTP time [2] in seconds at which time the session is timed out. It is in network byte order. P: Encryption Padding This bit indicates that the payload was padded prior to encryption. The last byte of the decrypted payload indicates how many padding bytes were added. Random This field is only present when the payload is encrypted. It is encrypted along with the payload, and is used to perform the randomiza- tion task normally performed by an initialization vector in algorithms such as cipher-block chained DES. This 31 bit field should contain a genuinely random number. After decryption, this field is discarded. 5. Encrypted Announcements Announcements may be encrypted using any encryption algorithm or mode. However, the use of DES in cipher-block chaining (CBC) mode is recom- mended as the default case. The choice of encryption algorithm and mode is conveyed to potential recipients along with the encryption key itself and a 32 bit key identifier which should be randomly chosen and is used as a non-globally-unique identifier for the key. In normal usage, a {decryption-key,keyid,algorithm,mode} tuple will be conveyed in advance to the intended group recipients. This process takes place out-of-band and is not described in this draft. However, if keys are to be communicated as plain text, the use of MD5 as described in [4] is recommended to manipulate the key prior to use. Session announcements may then be made to the appropriate session announcement address, encrypted so that they can be decrypted with the group key. The key-id is carried in the announcement packets, and Handley [Page 8] INTERNET-DRAFT 18th Nov 1996 serves as an index into a sparse key-ring at each receiver. As key-id's are allocated randomly, in some cases more than one decryption-key may be identified by the same key id - this is expected to be a rare event, but may happen. When more that one key is identified by a key-id, each of the decryption keys in turn must be tried. 5.1. Encrypting Announcements If the payload is to be compressed, this is performed first before encryption or padding. When an announcement is to be encrypted, a 32-bit word is prepended to the session description payload. The most significant bit of this number (in network byte order) is set to zero if the session description does not require padding for encryption, and set to one if padding is required for encryption, in which case the last byte of the padded ses- sion description contains the number of padding bytes added. The least significant 31 bits of this 32 bit quantity should contain random data. The padded and 32-bit pre-pended session description is then encrypted using the relevant encryption algorithm, key and mode. The encrypted payload is then sent with an extended SAP header which has the E bit set and contains the key id and timeout fields as described above. 5.2. Decrypting Announcements Upon receiving a new announcement with the encryption bit set, a receiver should attempt to decrypt the announcement with each of its set of session decryption keys that has the key-id appearing in the announcement. If it succeeds, then the session is displayed to the user. If it has no key that matches the announcement key-id, or does not succeed with any key that does match, then the session is ignored. If one of more keys did match the key-id, but decryption failed with all of these matching keys, then the version hash, original source and key- id are cached to avoid having to attempt to decrypt this announcement every time it is received in future. To avoid possible denial of ser- vice attacks, such incoming announcements should occasionally be attempted to be decrypted on a random basis as available processing power allows. This cache can be safely timed out when the timeout specified in encrypted packets expires. Note that if an encrypted announcement is being announced via a proxy, then there may be no way for the proxy to discover that the announcement has been superseded, and so it may continue to relay the old announce- ment in addition to the new announcement. SAP provides no mechanism to chain modified encrypted announcements, so it is advisable to announce the unmodified session as deleted for a short time after the modifica- tion has occurred. This does not guarantee that all proxies have Handley [Page 9] INTERNET-DRAFT 18th Nov 1996 deleted the session, and so receivers of encrypted sessions should be prepared to discard old versions of session announcements that they may receive (as identified by the SDP version field). In most cases how- ever, the only stateful proxy will be local to (and known to) the sender, and an additional (local-area) protocol involving a handshake for such session modifications can be used to avoid this problem. 6. SDP announcement by periodic multicast. SAP announces multicast sessions by periodic multicast of session descriptions to an appropriate well known multicast address and port. The appropriate address is determined by the scope mechanisms in force at the sites of the intended participants. IP multicast sessions can be either TTL-scoped or administratively scoped. One well-known address and port is used for all TTL-scoped announcements, and additionally, one well-known address (within the corresponding scope zone) and port is used for each administrative scope zone that an instance of the session directory is within. Thus an instance of the session directory should listen on multiple multicast addresses, but should normally only send a particular announcement to the single multicast address corresponding to the scope of the session being described. The discovery of administra- tive scope zones and the appropriate announcement address for each zone are outside the scope of this draft, but it is assumed that each instance of the session directory within a particular scope zone is aware of that scope zone, and of the corresponding announcement address, port, TTL, and session address allocation range. TTL Scoped Announcement The well-known address is 224.2.127.254 and the UDP port is 9875. The session announcements should be multicast with the same TTL with which the conference session will be multicast. If the different media in an announcement are given different TTLs, then multiple announcements are necessary to ensure that anyone joining the conference can in fact receive data for each media started. For example, if we have an announcement to make containing audio at TTL 127 and video at TTL 63, then we make an announcement at TTL 63 containing both media, and a separate announcement at TTL 127 containing only the audio. It is up to the receiving session directory to parse both announcements as the same announcement (as identified by the SDP origin field) if it is within the appropriate scope to get both announcements. If multiple announcements are being made for the same session in this way, then each announcement must carry an authentication header signed by the same key, or be treated as a completely separate announcement. The time period between one announcement and its repetition is dependent Handley [Page 10] INTERNET-DRAFT 18th Nov 1996 on two factors - the scope (TTL) of the session, and the number of other sessions currently being announced by other session directory instances. The recommended bandwidth limits for each TTL are: TTL bandwidth 1-15 2Kbps 16-63 1Kbps 64-127 1Kbps 128-255 200bps Session announcers in the same scope band can normally be expected to hear your announcements, and reduce their data rates accordingly. Thus you should calculate the available bandwidth for your session's scope band by dividing the appropriate limit above by the number of other announcers in your scope band. This gives you your bandwidth alloca- tion, which, given the size of your data packets, can be used to derive the base interval for announcements. I.e., given a limit in bits/second (as above) and a ad_size in bytes, the base announcement interval in seconds is: interval =MAX(300, (8*no_of_ads*ad_size)/limit) For every interval between announcement packets (i.e, every time you send a packet), you must add a random value (+/- 1/3 of the base inter- val) to the value used for the inter-announcement period to prevent announcement synchronisation. It is also important to keep monitoring other announcements and adjust the base interval accordingly. There is possibility to adjust the scope band limits depending on pro- perties of the sessions being announced, but this is left for future SAP drafts to specify. Administrative Scoped Announcements For each administrative scope zone in force at a particular site, instances of the session directory running at that site need to know the following information: + The multicast address to be used for announcement. The is normally the highest multicast address in the relevant administrative scope zone. For example, if the scope range is 239.16.32.0 - 239.16.33.255, then the convention is that 239.16.33.255 is used for session announcements. + The UDP port to which announcements should be sent. Handley [Page 11] INTERNET-DRAFT 18th Nov 1996 + The TTL announcements should be made with. This should be large enough to reach all sites in the admin scope zone, and will also be the TTL used for sessions announced to be using this scope zone. + The address range to be used for sessions in this scope zone. This should be a contiguous range, and currently should lie within the range 239.0.0.0 to 239.255.255.255 (but this is defined by IANA, not by this draft). + The total bandwidth to be used by the session directory for session announcements in this admin scope zone. A recommended default value for this is 500bps, but this may be inappropriate for some uses. 7. Security Considerations SAP contains mechanisms for ensuring integrity of session announcements, for authenticating the origin of an announcement and for encrypting such announcements. These mechanisms have not yet been subject to suitable peer-review, and this document should not be considered authoritative in this area at this time. SAP contains mechanisms that are designed to prevent an announcement by one user from being modified or deleted by another user, and also to provide limited privacy by use of encryption. Session announcements that are encrypted with a symmetric algorithm may allow a degree of privacy in the announcement of a session, but it should be recognised that a user in possession of such a key can pass it on to other users who should not be in possession of such a key. Thus announcements to such a group of key holders cannot be assumed to have come from an authorised key holder unless there is an appropriate authentication header signed by an authorised key holder. In addition the recipients of such encrypted announcements cannot be assumed to only be authorised key holders. Such encrypted announcements do not provide any real security unless all of the authorised key holders are trusted to maintain security of such session directory keys. This property is shared by the multicast session tools themselves, where it is possible for an un-trustworthy member of the session to pass on encryption keys to un-authorised users. However it is likely that keys used for the session tools will be more short lived that those used for session directories. Similar considerations should apply when session announcements are encrypted with an assymetric algorithm, but then it is possible to res- trict the possessor(s) of the private key, so that announcements to a key-holder group can not be made, even if one of the untrusted members of the group proves to be un-trustworthy. Handley [Page 12] INTERNET-DRAFT 18th Nov 1996 As stated above, if a session modification announcement is received that contains a valid authentication header, but which is not signed by the original creator of the session, then the session must be treated as a new session in addition to the original session with the same SDP origin information unless the originator of one of the session descriptions can be authenticated using a certificate signed by a trusted third party. If this were not done, there would be a possible denial of service attack whereby a party listens for new announcements, strips off the original authentication header, modifies the session description, adds a new authentication header and re-announces the session. If a rule was imposed that such spoof announcements were ignored, then if packet loss or late starting of a session directory instance caused the original announcement to fail to arrive at a site, but the spoof announcement did so, this would then prevent the original announcement from being accepted at that site. A similar denial-of-service attack is possible if a session announcement receiver relies completely on the originating source and hash fields to indicate change, and fails to parse the remainder of announcements for which it has seen the origin/hash combination before. A denial of service attack is possible from a malicious site close to a legitimate site which is making a session announcement. This can happen if the malicious site floods the legitimate site with huge numbers of (illegal) low TTL announcements describing high TTL sessions. This may reduce the session announcement rate of the legitimate announcement to below a tenth of the rate expected at remote sites and therefore cause the session to time out. Such an attack is likely to be easily detect- able, and we do not provide any mechanism here to prevent it. Appendix A: Summary of differences between SAPv0 and SAPv1 For this purpose SAPv0 is defined as the protocol in use by version 2.2 of the Sdr session description tool. SAPv1 is the proposed protocol described in the document. The packet headers of SAP messages are the same in V0 and V1 in that a V1 tool can parse a V0 announcement header but not vice-versa. In SAPv0, the fields have the following values: + Version Number: 0 + Message Type: 0 (Announcement) + Authentication Type: 0 (No Authentication) + Encryption Bit: 0 (No Encryption) Handley [Page 13] INTERNET-DRAFT 18th Nov 1996 + Compression Bit: 0 (No compression) + Message Id Hash: 0 (No Hash Specified) + Originating Source: 0 (No source specified, announcement has not been relayed) Appendix B: Author's Address Mark Handley Information Sciences Institute, University of Southern California, c/o MIT Laboratory for Computer Science, 545 Technology Square, Cambridge, MA 02139, United States electronic mail: mjh@isi.edu Acknowledgments SAP and SDP were originally based on the protocol used by the sd session directory from Van Jacobson at LBNL. The design of SAP was funded by the European Commission under the Esprit 7602 "MICE" project, and the Telematics 1007 "MERCI" project. References [1] M.Handley, V. Jacobson, ``SDP: Session Description Protocol'', INTERNET-DRAFT, Nov 1996. [2] D. Mills, ``Network Time Protocol version 2 specification and imple- mentation", RFC1119, 1st Sept 1989. [3] P. Deutsch, ``GZIP file format specification version 4.3'', RFC 1952, May 1996. [4] H. Schulzrinne, ``RTP Profile for Audio and Video Conferences with Minimal Control'', RFC 1890, January 1996 Handley [Page 14]