idnits 2.17.1 draft-ietf-avt-srtp-not-mandatory-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** The document seems to lack a License Notice according IETF Trust Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009 Section 6.b -- however, there's a paragraph with a matching beginning. Boilerplate error? (You're using the IETF Trust Provisions' Section 6.b License Notice from 12 Feb 2009 rather than one of the newer Notices. See https://trustee.ietf.org/license-info/.) Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 13, 2009) is 5394 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-40) exists of draft-ietf-mmusic-rfc2326bis-21 == Outdated reference: A later version (-22) exists of draft-zimmermann-avt-zrtp-15 -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 4566 (Obsoleted by RFC 8866) -- Obsolete informational reference (is this intentional?): RFC 4614 (Obsoleted by RFC 7414) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 1 error (**), 0 flaws (~~), 3 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Perkins 3 Internet-Draft University of Glasgow 4 Intended status: Informational M. Westerlund 5 Expires: January 14, 2010 Ericsson 6 July 13, 2009 8 Why RTP Does Not Mandate a Single Security Mechanism 9 draft-ietf-avt-srtp-not-mandatory-03.txt 11 Status of this Memo 13 This Internet-Draft is submitted to IETF in full conformance with the 14 provisions of BCP 78 and BCP 79. 16 Internet-Drafts are working documents of the Internet Engineering 17 Task Force (IETF), its areas, and its working groups. Note that 18 other groups may also distribute working documents as Internet- 19 Drafts. 21 Internet-Drafts are draft documents valid for a maximum of six months 22 and may be updated, replaced, or obsoleted by other documents at any 23 time. It is inappropriate to use Internet-Drafts as reference 24 material or to cite them other than as "work in progress." 26 The list of current Internet-Drafts can be accessed at 27 http://www.ietf.org/ietf/1id-abstracts.txt. 29 The list of Internet-Draft Shadow Directories can be accessed at 30 http://www.ietf.org/shadow.html. 32 This Internet-Draft will expire on January 14, 2010. 34 Copyright Notice 36 Copyright (c) 2009 IETF Trust and the persons identified as the 37 document authors. All rights reserved. 39 This document is subject to BCP 78 and the IETF Trust's Legal 40 Provisions Relating to IETF Documents in effect on the date of 41 publication of this document (http://trustee.ietf.org/license-info). 42 Please review these documents carefully, as they describe your rights 43 and restrictions with respect to this document. 45 Abstract 47 This memo discusses the problem of securing real-time multimedia 48 sessions, and explains why the Real-time Transport Protocol (RTP) 49 does not mandate a single media security mechanism. 51 Table of Contents 53 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 54 2. RTP Applications and Deployment Scenarios . . . . . . . . . . 3 55 3. Implications for RTP Media Security . . . . . . . . . . . . . 4 56 4. Implications for Key Management . . . . . . . . . . . . . . . 5 57 5. On the Requirement for Strong Security in IETF protocols . . . 6 58 6. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 7 59 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 60 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 61 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7 62 10. Informative References . . . . . . . . . . . . . . . . . . . . 8 63 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 65 1. Introduction 67 The Real-time Transport Protocol (RTP) [RFC3550] is widely used for 68 voice over IP, Internet television, video conferencing, and various 69 other real-time and streaming media applications. Despite this, the 70 base RTP specification provides very limited options for media 71 security, and defines no standard key exchange mechanism. Rather, a 72 number of extensions are defined to provide confidentiality and 73 authentication of media streams, and to exchange security keys. This 74 memo outlines why it is appropriate that multiple extension 75 mechanisms are defined, rather than mandating a single media security 76 and keying mechanism. 78 This memo provides information for the community; it does not specify 79 a standard of any kind. 81 The structure of this memo is as follows: we begin, in Section 2 by 82 describing the scenarios in which RTP is deployed. Following this, 83 Section 3 outlines the implications of this range of scenarios for 84 media confidentially and authentication, and Section 4 outlines the 85 implications for key exchange. Section 5 outlines how the RTP 86 framework meets the requirement of BCP 61. Section 6 then concludes 87 and gives some recommendations. Finally, Section 7 outlines the 88 security considerations, and Section 8 outlines IANA considerations. 90 2. RTP Applications and Deployment Scenarios 92 The range of application and deployment scenarios where RTP has been 93 used includes, but is not limited to, the following: 95 o Point-to-point voice telephony (fixed and wireless networks) 97 o Point-to-point video conferencing 99 o Centralised group video conferencing with a multipoint conference 100 unit (MCU) 102 o Any Source Multicast video conferencing (light-weight sessions; 103 Mbone conferencing) 105 o Point-to-point streaming audio and/or video 107 o Single Source Multicast streaming to large group (IPTV and MBMS 108 [MBMS]) 110 o Replicated unicast streaming to a group 111 o Interconnecting components in music production studios and video 112 editing suites 114 o Interconnecting components of distributed simulation systems 116 o Streaming real-time sensor data 118 As can be seen, these scenarios vary from point-to-point to very 119 large multicast groups, from interactive to non-interactive, and from 120 low bandwidth (kilobits per second) to very high bandwidth (multiple 121 gigabits per second). While most of these applications run over UDP 122 [RFC0768], some use TCP [RFC0793], [RFC4614] or DCCP [RFC4340] as 123 their underlying transport. Some run on highly reliable optical 124 networks, others use low rate unreliable wireless networks. Some 125 applications of RTP operate entirely within a single trust domain, 126 others are inter-domain, with untrusted (and potentially unknown) 127 users. The range of scenarios is wide, and growing both in number 128 and in heterogeneity. 130 3. Implications for RTP Media Security 132 The wide range of application scenarios where RTP is used has led to 133 the development of multiple solutions for media security, considering 134 different requirements. Perhaps the most widely applicable of these 135 solutions is the Secure RTP (SRTP) framework [RFC3711]. This is an 136 application-level media security solution, encrypting the media 137 payload data (but not the RTP headers) to provide some degree of 138 confidentiality, and providing optional source origin authentication. 139 It was carefully designed to be both low overhead, and to support the 140 group communication features of RTP, across a range of networks. 142 SRTP is not the only media security solution in use, however, and 143 alternatives are more appropriate for some scenarios. For example, 144 many client-server streaming media applications can run over a single 145 TCP connection, multiplexing media data with control information on 146 that connection (RTSP [I-D.ietf-mmusic-rfc2326bis] is a widely used 147 example of such a protocol). The natural way to provide media 148 security for such client-server media applications is to use TLS 149 [RFC5246] to protect the TCP connection, sending the RTP media data 150 over the TLS connection. Using the SRTP framework in addition to TLS 151 is unncessary, and would result in double encryption of the media, 152 and SRTP cannot be used instead of TLS since it is RTP-specific, and 153 so cannot protect the control traffic. 155 Other RTP use cases work over networks which provide security at the 156 network layer, using IPsec. For example, certain 3GPP networks need 157 IPsec security associations for other purposes, and can reuse those 158 to secure the RTP session [3GPP.33.210]. SRTP is, again, unnecessary 159 in such environments, and its use would only introduce overhead for 160 no gain. 162 For some applications it is sufficient to protect the RTP payload 163 data while leaving RTP, transport, and network layer headers 164 unprotected. An example of this is RTP broadcast over DVB-H 165 [ETSI.TS.102.474], where one mode of operation uses ISMAcryp 166 (http://www.isma.tv) to protect the media data only. 168 Finally, the link layer may be secure, and it may be known that the 169 RTP media data is constrained to that single link (for example, when 170 operating in a studio environment, with physical link security). An 171 environment like this is inherently constrained, but might avoid the 172 need for application, transport, or network layer media security. 174 All these are application scenarios where RTP has seen commerical 175 deployment. Other use case also exist, with additional requirements. 176 There is no media security protocol that is appropriate for all these 177 environments. Accordingly, multiple RTP media security protocols can 178 be expected to remain in wide use. 180 4. Implications for Key Management 182 With such a diverse range of use case come a range of different 183 protocols for RTP session establishment. Mechanisms used to provide 184 security keying for these different session establishment protocols 185 can basically be put into two categories: inband and out-of-band in 186 relation to the session establishment mechanism. The requirements 187 for these solutions are highly varying. Thus a wide range of 188 solutions have been developed in this space: 190 o The most common use case for RTP is probably point-to-point voice 191 calls or centralised group conferences, negotiated using SIP 192 [RFC3261] with the SDP offer/answer model [RFC3264], operating on 193 a trusted infrastructure. In such environments, SDP security 194 descriptions [RFC4568] or the MIKEY [RFC4567] protocol are 195 appropriate keying mechanisms, piggybacked onto the SDP [RFC4566] 196 exchange. The infrastructure may be secured by protecting the SIP 197 exchange using TLS or S/MIME, for example [RFC3261]. 199 o Point-to-point RTP sessions may be negotiated using SIP with the 200 offer/answer model, but operating over a network with untrusted 201 infrastructure. In such environments, the key management protocol 202 is run on the media path, bypassing the untrusted infrastructure. 203 Protocols such as DTLS [I-D.ietf-avt-dtls-srtp] or ZRTP 204 [I-D.zimmermann-avt-zrtp] are useful here. 206 o For point-to-point client-server streaming of RTP over RTSP, a TLS 207 association is appropriate to manage keying material, in much the 208 same manner as would be used to secure an HTTP session. 210 o A session description may be sent by email, secured using X.500 or 211 PGP, or retrieved from a web page, using HTTP with TLS. 213 o A session description may be distributed to a multicast group 214 using SAP or FLUTE secured with S/MIME. 216 o A session description may be distributed using the Open Mobile 217 Alliance DRM key management specification [OMA-DRM] when using a 218 point-to-point streaming session setup with RTSP in the 3GPP PSS 219 environment [PSS]. 221 o In the 3GPP Multimedia Broadcast Multicast Service (MBMS) system, 222 HTTP and MIKEY are used for key management [MBMS-SEC]. 224 A more detailed survey of requirements for media security management 225 protocols can be found in [I-D.ietf-sip-media-security-requirements]. 226 As can be seen, the range of use cases is wide, and there is no 227 single protocol that is appropriate for all scenarios. These 228 solutions have been further diversified by the existence of 229 infrastructure elements such as authentication solutions that are 230 tied into the key manangement. 232 5. On the Requirement for Strong Security in IETF protocols 234 BCP 61 [RFC3365] puts a requirement on IETF protocols to provide 235 strong, mandatory to implement, security solutions. This is actually 236 quite a difficult requirement for any type of framework protocol, 237 like RTP, since one can never know all the deployment scenarios, and 238 if they are covered by the security solution. It would clearly be 239 desirable if a single media security solution and a single key 240 management solution could be developed, satisfying the range of use 241 cases for RTP. The authors are not aware of any such solution, 242 however, and it is not clear that any single solution can be 243 developed. 245 For a framework protocol it appears that the only sensible solution 246 to the requirement of BCP 61 is to develop or use security building 247 blocks, like SRTP, SDP security descriptions [RFC4568], MIKEY, DTLS, 248 or IPsec, to provide the basic security services of authorization, 249 data integrity protection and date confidentiality protection. When 250 new usages of the RTP framework arise, one needs to analyze the 251 situation, to determine if the existing building blocks satisfy the 252 requirements. If not, it is necessary to develop new security 253 building blocks. 255 When it comes to fulfilling the "MUST Implement" strong security for 256 a specific application, it will fall on that application to actually 257 consider what building blocks it is required to support. To maximize 258 interoperability it is desirable if certain applications, or classes 259 of application with similar requirements, agree on what data security 260 mechanisms and key-management should be used. If such agreement is 261 not possible, there will be increased cost, either in the lack of 262 interoperability, or in the need to implement more solutions. 263 Unfortunately this situation, if not handled reasonably well, can 264 result in a failure to satisfy the requirement of providing the users 265 with an option of turning on strong security when desired. 267 6. Conclusions 269 As discussed earlier it appears that a single solution can't be 270 designed to meet the diverse requirements. In the absence of such a 271 solution, it is hoped that this memo explains why SRTP is not 272 mandatory as the media security solution for RTP-based systems, and 273 why we can expect multiple key management solutions for systems using 274 RTP. 276 It is important for any RTP-based application to consider how it 277 meets the security requirements. This will require some analysis to 278 determine these requirements, followed by the selection of a 279 mandatory to implement solution, or in exceptional scenarios several 280 solutions, including the desired RTP traffic protection and key- 281 management. SRTP is a preferred solution for the protection of the 282 RTP traffic in those use cases where it is applicable. It is out of 283 scope for this memo to recommend a preferred key management solution. 285 7. Security Considerations 287 This entire memo is about security. 289 8. IANA Considerations 291 No IANA actions are required. 293 9. Acknowledgements 295 Thanks to Ralph Blom, Hannes Tschofenig, Dan York, Alfred Hoenes, and 296 Martin Ellis for their feedback. 298 10. Informative References 300 [3GPP.33.210] 301 3GPP, "IP network layer security", 3GPP TS 33.210, 302 September 2008. 304 [ETSI.TS.102.474] 305 ETSI, "Digital Video Broadcasting (DVB); IP Datacast over 306 DVB-H: Service Purchase and Protection", ETSI TS 102 474, 307 November 2007. 309 [I-D.ietf-avt-dtls-srtp] 310 McGrew, D. and E. Rescorla, "Datagram Transport Layer 311 Security (DTLS) Extension to Establish Keys for Secure 312 Real-time Transport Protocol (SRTP)", 313 draft-ietf-avt-dtls-srtp-07 (work in progress), 314 February 2009. 316 [I-D.ietf-mmusic-rfc2326bis] 317 Schulzrinne, H., Rao, A., Lanphier, R., Westerlund, M., 318 and M. Stiemerling, "Real Time Streaming Protocol 2.0 319 (RTSP)", draft-ietf-mmusic-rfc2326bis-21 (work in 320 progress), June 2009. 322 [I-D.ietf-sip-media-security-requirements] 323 Wing, D., Fries, S., Tschofenig, H., and F. Audet, 324 "Requirements and Analysis of Media Security Management 325 Protocols", draft-ietf-sip-media-security-requirements-09 326 (work in progress), January 2009. 328 [I-D.zimmermann-avt-zrtp] 329 Zimmermann, P., Johnston, A., and J. Callas, "ZRTP: Media 330 Path Key Agreement for Secure RTP", 331 draft-zimmermann-avt-zrtp-15 (work in progress), 332 March 2009. 334 [MBMS] 3GPP, "Multimedia Broadcast/Multicast Service (MBMS); 335 Protocols and codecs TS 26.346". 337 [MBMS-SEC] 338 3GPP, "Security of Multimedia Broadcast/Multicast Service 339 (MBMS) TS 33.246". 341 [OMA-DRM] Open Mobile Alliance, "DRM Specification 2.0". 343 [PSS] 3GPP, "Transparent end-to-end Packet-switched Streaming 344 Service (PSS); Protocols and codecs TS 26.234". 346 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 347 August 1980. 349 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 350 RFC 793, September 1981. 352 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 353 A., Peterson, J., Sparks, R., Handley, M., and E. 354 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 355 June 2002. 357 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 358 with Session Description Protocol (SDP)", RFC 3264, 359 June 2002. 361 [RFC3365] Schiller, J., "Strong Security Requirements for Internet 362 Engineering Task Force Standard Protocols", BCP 61, 363 RFC 3365, August 2002. 365 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 366 Jacobson, "RTP: A Transport Protocol for Real-Time 367 Applications", STD 64, RFC 3550, July 2003. 369 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 370 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 371 RFC 3711, March 2004. 373 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 374 Congestion Control Protocol (DCCP)", RFC 4340, March 2006. 376 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 377 Description Protocol", RFC 4566, July 2006. 379 [RFC4567] Arkko, J., Lindholm, F., Naslund, M., Norrman, K., and E. 380 Carrara, "Key Management Extensions for Session 381 Description Protocol (SDP) and Real Time Streaming 382 Protocol (RTSP)", RFC 4567, July 2006. 384 [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session 385 Description Protocol (SDP) Security Descriptions for Media 386 Streams", RFC 4568, July 2006. 388 [RFC4614] Duke, M., Braden, R., Eddy, W., and E. Blanton, "A Roadmap 389 for Transmission Control Protocol (TCP) Specification 390 Documents", RFC 4614, September 2006. 392 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 393 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 395 Authors' Addresses 397 Colin Perkins 398 University of Glasgow 399 Department of Computing Science 400 Glasgow G12 8QQ 401 UK 403 Email: csp@csperkins.org 405 Magnus Westerlund 406 Ericsson 407 Farogatan 6 408 Kista SE-164 80 409 Sweden 411 Email: magnus.westerlund@ericsson.com