idnits 2.17.1 draft-ietf-avt-rtp-cnames-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document updates RFC3550, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year (Using the creation date from RFC3550, updated by this document, for RFC5378 checks: 1998-04-07) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (January 10, 2011) is 4849 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 4634 (Obsoleted by RFC 6234) ** Obsolete normative reference: RFC 5342 (Obsoleted by RFC 7042) -- Obsolete informational reference (is this intentional?): RFC 4941 (Obsoleted by RFC 8981) Summary: 2 errors (**), 0 flaws (~~), 1 warning (==), 4 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 AVT A. Begen 3 Internet-Draft Cisco 4 Updates: 3550 (if approved) C. Perkins 5 Intended status: Standards Track University of Glasgow 6 Expires: July 14, 2011 D. Wing 7 Cisco 8 January 10, 2011 10 Guidelines for Choosing RTP Control Protocol (RTCP) Canonical Names 11 (CNAMEs) 12 draft-ietf-avt-rtp-cnames-04 14 Abstract 16 The RTP Control Protocol (RTCP) Canonical Name (CNAME) is a 17 persistent transport-level identifier for an RTP endpoint. While the 18 Synchronization Source (SSRC) identifier of an RTP endpoint may 19 change if a collision is detected, or when the RTP application is 20 restarted, its RTCP CNAME is meant to stay unchanged, so that RTP 21 endpoints can be uniquely identified and associated with their RTP 22 media streams. For proper functionality, RTCP CNAMEs should be 23 unique within the participants of an RTP session. However, the 24 existing guidelines for choosing the RTCP CNAME provided in the RTP 25 standard are insufficient to achieve this uniqueness. This memo 26 updates those guidelines to allow endpoints to choose unique RTCP 27 CNAMEs. 29 Status of this Memo 31 This Internet-Draft is submitted to IETF in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF), its areas, and its working groups. Note that 36 other groups may also distribute working documents as Internet- 37 Drafts. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 The list of current Internet-Drafts can be accessed at 45 http://www.ietf.org/ietf/1id-abstracts.txt. 47 The list of Internet-Draft Shadow Directories can be accessed at 48 http://www.ietf.org/shadow.html. 50 This Internet-Draft will expire on July 14, 2011. 52 Copyright Notice 54 Copyright (c) 2011 IETF Trust and the persons identified as the 55 document authors. All rights reserved. 57 This document is subject to BCP 78 and the IETF Trust's Legal 58 Provisions Relating to IETF Documents 59 (http://trustee.ietf.org/license-info) in effect on the date of 60 publication of this document. Please review these documents 61 carefully, as they describe your rights and restrictions with respect 62 to this document. Code Components extracted from this document must 63 include Simplified BSD License text as described in Section 4.e of 64 the Trust Legal Provisions and are provided without warranty as 65 described in the Simplified BSD License. 67 Table of Contents 69 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 70 2. Requirements Notation . . . . . . . . . . . . . . . . . . . . 4 71 3. Deficiencies with Earlier Guidelines for Choosing an RTCP 72 CNAME . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 73 4. Choosing an RTCP CNAME . . . . . . . . . . . . . . . . . . . . 5 74 4.1. Persistent RTCP CNAMEs vs. Per-Session RTCP CNAMEs . . . . 5 75 4.2. Requirements . . . . . . . . . . . . . . . . . . . . . . . 6 76 5. Procedure to Generate a Unique Identifier . . . . . . . . . . 7 77 6. Security Considerations . . . . . . . . . . . . . . . . . . . 8 78 6.1. Considerations on Uniqueness of RTCP CNAMEs . . . . . . . 8 79 6.2. Session Correlation Based on RTCP CNAMEs . . . . . . . . . 8 80 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9 81 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9 82 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9 83 9.1. Normative References . . . . . . . . . . . . . . . . . . . 9 84 9.2. Informative References . . . . . . . . . . . . . . . . . . 10 85 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 87 1. Introduction 89 In Section 6.5.1 of the RTP specification, [RFC3550], there are a 90 number of recommendations for choosing a unique RTCP CNAME for an RTP 91 endpoint. However, in practice, some of these methods are not 92 guaranteed to produce a unique RTCP CNAME. This memo updates 93 guidelines for choosing RTCP CNAMEs, superceding those presented in 94 Section 6.5.1 of [RFC3550]. 96 2. Requirements Notation 98 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 99 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 100 "OPTIONAL" in this document are to be interpreted as described in 101 [RFC2119]. 103 3. Deficiencies with Earlier Guidelines for Choosing an RTCP CNAME 105 The recommendation in [RFC3550] is to generate an RTCP CNAME of the 106 form "user@host" for multiuser systems, or "host" if the username is 107 not available. The "host" part is specified to be the fully 108 qualified domain name (FQDN) of the host from which the real-time 109 data originates. While this guidance was appropriate at the time 110 [RFC3550] was written, FQDNs are no longer necessarily unique, and 111 can sometimes be common across several endpoints in large service 112 provider networks. This document replaces the use of FQDN as an RTCP 113 CNAME by alternative mechanisms. 115 IPv4 addresses are also suggested for use in RTCP CNAMEs in 116 [RFC3550], where the "host" part of the RTCP CNAME is the numeric 117 representation of the IPv4 address of the interface from which the 118 RTP data originates. As noted in [RFC3550], the use of private 119 network address space [RFC1918] can result in hosts having network 120 addresses that are not globally unique. Additionally, this shared 121 use of the same IPv4 address can also occur with public IPv4 122 addresses if multiple hosts are assigned the same public IPv4 address 123 and connected to a Network Address Translation (NAT) device 124 [RFC3022]. When multiple hosts share the same IPv4 address, whether 125 private or public, using the IPv4 address as the RTCP CNAME leads to 126 RTCP CNAMEs that are not necessarily unique. 128 It is also noted in [RFC3550] that if hosts with private addresses 129 and no direct IP connectivity to the public Internet have their RTP 130 packets forwarded to the public Internet through an RTP-level 131 translator, they may end up having non-unique RTCP CNAMEs. The 132 suggestion in [RFC3550] is that such applications provide a 133 configuration option to allow the user to choose a unique RTCP CNAME, 134 and puts the burden on the translator to translate RTCP CNAMEs from 135 private addresses to public addresses if necessary to keep private 136 addresses from being exposed. Experience has shown that this does 137 not work well in practice. 139 4. Choosing an RTCP CNAME 141 It is difficult, and in some cases impossible, for a host to 142 determine if there is a NAT between itself and its RTP peer. 143 Furthermore, even some public IPv4 addresses can be shared by 144 multiple hosts in the Internet. Using the numeric representation of 145 the IPv4 address as the "host" part of the RTCP CNAME is NOT 146 RECOMMENDED. 148 4.1. Persistent RTCP CNAMEs vs. Per-Session RTCP CNAMEs 150 The RTCP CNAME can either be persistent across different RTP sessions 151 for an RTP endpoint, or it can be unique per session, meaning that an 152 RTP endpoint chooses a different RTCP CNAME for each RTP session. 154 An RTP endpoint that is emitting multiple related RTP streams that 155 require synchronization at the other endpoint(s) MUST use the same 156 RTCP CNAME for all streams that are to be synchronized. This 157 requires a short-term persistent RTCP CNAME that is common across 158 several RTP flows, and potentially across several related RTP 159 sessions. A common example of such use occurs when lip-syncing audio 160 and video streams in a multimedia session, where a single participant 161 has to use the same RTCP CNAME for its audio RTP session and for its 162 video RTP session. Another example might be to synchronize the 163 layers of a layered audio codec, where the same RTCP CNAME has to be 164 used for each layer. 166 A longer-term persistent RTCP CNAME is sometimes useful to facilitate 167 third-party monitoring. One such use might be to allow network 168 management tools to correlate the ongoing quality of service for a 169 participant across multiple RTP sessions for fault diagnosis, and to 170 understand long-term network performance statistics. Other, less 171 benign, uses can also be envisaged. An implementation that wishes to 172 discourage this type of third-party monitoring can generate a unique 173 RTCP CNAME for each RTP session, or group of related RTP sessions, 174 that it joins. Such a per-session RTCP CNAME cannot be used for 175 traffic analysis, and so provides some limited form of privacy (note 176 that there are non-RTP means that can be used by a third-party to 177 correlate RTP sessions, so the use of per-session RTCP CNAMEs will 178 not prevent a determined traffic analyst). 180 This memo defines several different ways by which an implementation 181 can choose an RTCP CNAME. It is possible, and legitimate, for 182 independent implementations to make different choices of RTCP CNAME 183 when running on the same host. This can hinder third-party 184 monitoring, unless some external means is provided to configure a 185 persistent choice of RTCP CNAME for those implementations. 187 Note that there is no backwards compatibility issue (with [RFC3550]- 188 compatible implementations) introduced in this memo, since the RTCP 189 CNAMEs are opaque strings to remote peers. 191 4.2. Requirements 193 RTP endpoints will choose to generate RTCP CNAMEs that are persistent 194 or per-session. An RTP endpoint that wishes to generate a persistent 195 RTCP CNAME MUST use one of the following two methods: 197 o To produce a long-term persistent RTCP CNAME, an RTP endpoint MUST 198 generate and store a Universally Unique IDentifier (UUID) 199 [RFC4122] for use as the "host" part of its RTCP CNAME. The UUID 200 MUST be version 1, 2 or 4 described in [RFC4122], with the 201 "urn:uuid:" stripped, resulting in a 36-octet printable string 202 representation. 204 o To produce a short-term persistent RTCP CNAME, an RTP endpoint 205 MUST use either (a) the numeric representation of the layer-2 206 (MAC) address of the interface that is used to initiate the RTP 207 session as the "host" part of its RTCP CNAME or (b) generate an 208 identifier by following the procedure described in Section 5. In 209 either case, the procedure is performed once per initialization of 210 the software. After obtaining a identifier by doing (a) or (b), 211 the least significant 48 bits are converted to the standard colon- 212 separated hexadecimal format [RFC5342], e.g., "00:23:32:af:9b:aa", 213 resulting in a 17-octet printable string representation. 215 In the two cases above, the "user@" part of the RTCP CNAME MAY be 216 omitted on single-user systems, and MAY be replaced by an opaque 217 token on multi-user systems, to preserve privacy. 219 An RTP endpoint that wishes to generate a per-session RTCP CNAME MUST 220 use the following method: 222 o For every new RTP session, a new CNAME is generated following the 223 procedure described in Section 5. After performing that 224 procedure, the least significant 96 bits are used to generate an 225 identifier (to compromise between packet size and security) which 226 is converted ASCII using Base64 encoding [RFC4648]. This results 227 in a 16-octet string representation. The RTCP CNAME cannot change 228 over the life of an RTP session [RFC3550], hence, only the initial 229 SSRC value chosen by the endpoint is used. The "user@" part of 230 the RTCP CNAME is omitted when generating per-session RTCP CNAMEs. 232 It is believed that obtaining uniqueness (with a high probability) is 233 an important property that requires careful evaluation of the method. 234 This document provides a number of methods, at least one of which 235 would be suitable for all deployment scenarios. This document 236 therefore does not provide for the implementor to define and select 237 an alternative method. 239 A future specification might define an alternative method for 240 generating RTCP CNAMEs as long as the proposed method has appropriate 241 uniqueness, and there is consistency between the methods used for 242 multiple RTP sessions that are to be correlated. However, such a 243 specification needs to be reviewed and approved before deployment. 245 The mechanisms described in this document are to be used to generate 246 RTCP CNAMEs, and they are not to be used for generating general- 247 purpose unique identifiers. 249 5. Procedure to Generate a Unique Identifier 251 The algorithm described below is intended to be used for locally- 252 generated unique identifier. 254 1. Obtain the current time of day in 64-bit NTP format [RFC5905]. 256 2. Obtain a modified EUI-64 identifier from the system running this 257 algorithm [RFC4291]. If this does not exist, one can be created 258 from a 48-bit MAC address as specified in [RFC4291]. If one 259 cannot be obtained or created, a suitably unique identifier, 260 local to the node, should be used (e.g., system serial number). 262 3. Concatenate the time of day with the system-specific identifier 263 in order to create a key. 265 4. If generating a per-session CNAME, also concatenate RTP 266 endpoint's initial SSRC, the source and destination IP addresses, 267 and ports to the key. 269 5. Compute an SHA-256 digest on the key as specified in [RFC4634], 270 which outputs 256 bits. 272 6. Security Considerations 274 The security considerations of [RFC3550] apply to this memo. 276 6.1. Considerations on Uniqueness of RTCP CNAMEs 278 The recommendations on RTCP CNAME generation in this document ensure 279 that a set of cooperating participants in an RTP session will have 280 unique RTCP CNAMEs with very high probability. However, neither 281 [RFC3550] nor this document provides any way to ensure that 282 participants will choose RTCP CNAMEs appropriately, and thus 283 implementations MUST NOT rely on the uniqueness of CNAMEs for any 284 essential security services. This is consistent with [RFC3550], 285 which does not require that RTCP CNAMEs are unique within a session, 286 but instead says that condition SHOULD hold. As described in the 287 Security Considerations section of [RFC3550], because each 288 participant in a session is free to choose its own RTCP CNAME, they 289 can do so in such a way as to impersonate another participant. That 290 is, participants are trusted to not impersonate each other. No 291 recommendation for generating RTCP CNAMEs can prevent this 292 impersonation, because an attacker can neglect the stipulation. 293 Secure RTP (SRTP) [RFC3711] keeps unauthorized entities out of an RTP 294 session, but it does not not aim to prevent impersonation attacks 295 from unauthorized entities. 297 This document uses a hash function to ensure the uniqueness of RTCP 298 CNAMEs. A cryptographic hash function is used because such functions 299 provide the randomness properties that are needed. However, no 300 security assumptions are made on the hash function. The hash 301 function is not assumed to be collision-resistant or second-preimage 302 resistant in an adversarial setting; as described above, an attacker 303 attempting an impersonation attack could merely set the RTCP CNAME 304 directly rather than attacking the hash function. Similarly, the 305 hash function is not assumed to be a one-way function, or 306 pseudorandom in a cryptographic sense. 308 No confidentiality is provided on the data used as input to the RTCP 309 CNAME generation algorithm. It might be possible for an attacker who 310 observes an RTCP CNAME to determine the inputs that were used to 311 generate that value. 313 6.2. Session Correlation Based on RTCP CNAMEs 315 In some environments, notably telephony, a fixed RTCP CNAME value 316 allows separate RTP sessions to be correlated and eliminates the 317 obfuscation provided by IPv6 privacy addresses [RFC4941] or IPv4 NAPT 318 [RFC3022]. SRTP [RFC3711] can help prevent such correlation by 319 encrypting Secure RTCP (SRTCP) but it should be noted that SRTP only 320 mandates SRTCP integrity protection (not encryption). Thus, RTP 321 applications used in such environments should consider encrypting 322 their SRTCP or generate a per-session RTCP CNAME as discussed in 323 Section 4.1. 325 7. IANA Considerations 327 No IANA actions are required. 329 8. Acknowledgments 331 Thanks to Marc Petit-Huguenin who suggested to use UUIDs in 332 generating RTCP CNAMEs. Also thanks to David McGrew for providing 333 text for the Security Considerations section. 335 9. References 337 9.1. Normative References 339 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 340 Jacobson, "RTP: A Transport Protocol for Real-Time 341 Applications", STD 64, RFC 3550, July 2003. 343 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 344 Requirement Levels", BCP 14, RFC 2119, March 1997. 346 [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally 347 Unique IDentifier (UUID) URN Namespace", RFC 4122, 348 July 2005. 350 [RFC4634] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms 351 (SHA and HMAC-SHA)", RFC 4634, July 2006. 353 [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data 354 Encodings", RFC 4648, October 2006. 356 [RFC5905] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network 357 Time Protocol Version 4: Protocol and Algorithms 358 Specification", RFC 5905, June 2010. 360 [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing 361 Architecture", RFC 4291, February 2006. 363 [RFC5342] Eastlake, D., "IANA Considerations and IETF Protocol Usage 364 for IEEE 802 Parameters", BCP 141, RFC 5342, 365 September 2008. 367 9.2. Informative References 369 [RFC1918] Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and 370 E. Lear, "Address Allocation for Private Internets", 371 BCP 5, RFC 1918, February 1996. 373 [RFC3022] Srisuresh, P. and K. Egevang, "Traditional IP Network 374 Address Translator (Traditional NAT)", RFC 3022, 375 January 2001. 377 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 378 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 379 RFC 3711, March 2004. 381 [RFC4941] Narten, T., Draves, R., and S. Krishnan, "Privacy 382 Extensions for Stateless Address Autoconfiguration in 383 IPv6", RFC 4941, September 2007. 385 Authors' Addresses 387 Ali Begen 388 Cisco 389 181 Bay Street 390 Toronto, ON M5J 2T3 391 CANADA 393 Email: abegen@cisco.com 395 Colin Perkins 396 University of Glasgow 397 School of Computing Science 398 Glasgow, G12 8QQ 399 UK 401 Email: csp@csperkins.org 402 Dan Wing 403 Cisco Systems, Inc. 404 170 West Tasman Dr. 405 San Jose, CA 95134 406 USA 408 Email: dwing@cisco.com