idnits 2.17.1 draft-ietf-avt-srtp-not-mandatory-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (July 1, 2010) is 5047 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-40) exists of draft-ietf-mmusic-rfc2326bis-23 -- Obsolete informational reference (is this intentional?): RFC 793 (Obsoleted by RFC 9293) -- Obsolete informational reference (is this intentional?): RFC 4566 (Obsoleted by RFC 8866) -- Obsolete informational reference (is this intentional?): RFC 4614 (Obsoleted by RFC 7414) -- Obsolete informational reference (is this intentional?): RFC 5246 (Obsoleted by RFC 8446) Summary: 0 errors (**), 0 flaws (~~), 2 warnings (==), 6 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Perkins 3 Internet-Draft University of Glasgow 4 Intended status: Informational M. Westerlund 5 Expires: January 2, 2011 Ericsson 6 July 1, 2010 8 Why RTP Does Not Mandate a Single Security Mechanism 9 draft-ietf-avt-srtp-not-mandatory-07.txt 11 Abstract 13 This memo discusses the problem of securing real-time multimedia 14 sessions, and explains why the Real-time Transport Protocol (RTP), 15 and the associated RTP control protocol (RTCP), do not mandate a 16 single media security mechanism. 18 Status of this Memo 20 This Internet-Draft is submitted in full conformance with the 21 provisions of BCP 78 and BCP 79. 23 Internet-Drafts are working documents of the Internet Engineering 24 Task Force (IETF). Note that other groups may also distribute 25 working documents as Internet-Drafts. The list of current Internet- 26 Drafts is at http://datatracker.ietf.org/drafts/current/. 28 Internet-Drafts are draft documents valid for a maximum of six months 29 and may be updated, replaced, or obsoleted by other documents at any 30 time. It is inappropriate to use Internet-Drafts as reference 31 material or to cite them other than as "work in progress." 33 This Internet-Draft will expire on January 2, 2011. 35 Copyright Notice 37 Copyright (c) 2010 IETF Trust and the persons identified as the 38 document authors. All rights reserved. 40 This document is subject to BCP 78 and the IETF Trust's Legal 41 Provisions Relating to IETF Documents 42 (http://trustee.ietf.org/license-info) in effect on the date of 43 publication of this document. Please review these documents 44 carefully, as they describe your rights and restrictions with respect 45 to this document. Code Components extracted from this document must 46 include Simplified BSD License text as described in Section 4.e of 47 the Trust Legal Provisions and are provided without warranty as 48 described in the Simplified BSD License. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 53 2. RTP Applications and Deployment Scenarios . . . . . . . . . . 3 54 3. Implications for RTP Security . . . . . . . . . . . . . . . . 4 55 4. Implications for Key Management . . . . . . . . . . . . . . . 5 56 5. On the Requirement for Strong Security in IETF protocols . . . 6 57 6. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 7 58 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 59 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 60 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 8 61 10. Informative References . . . . . . . . . . . . . . . . . . . . 8 62 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10 64 1. Introduction 66 The Real-time Transport Protocol (RTP) [RFC3550] is widely used for 67 voice over IP, Internet television, video conferencing, and various 68 other real-time and streaming media applications. Despite this, the 69 base RTP specification provides very limited options for media 70 security, and defines no standard key exchange mechanism. Rather, a 71 number of extensions are defined to provide confidentiality and 72 authentication of RTP media streams and RTCP control messages, and to 73 exchange security keys. This memo outlines why it is appropriate 74 that multiple extension mechanisms are defined, rather than mandating 75 a single security and keying mechanism. 77 This memo provides information for the community; it does not specify 78 a standard of any kind. 80 The structure of this memo is as follows. Section 2 describes the 81 scenarios in which RTP is deployed. Following this, Section 3 82 outlines the implications of this range of scenarios for media 83 confidentially and authentication, and Section 4 outlines the 84 implications for key exchange. Section 5 outlines how the RTP 85 framework meets the requirement of BCP 61. Section 6 then concludes 86 and gives some recommendations. 88 2. RTP Applications and Deployment Scenarios 90 The range of application and deployment scenarios where RTP has been 91 used includes, but is not limited to, the following: 93 o Point-to-point voice telephony (fixed and wireless networks) 95 o Point-to-point video conferencing 97 o Centralised group video conferencing with a multipoint conference 98 unit (MCU) 100 o Any Source Multicast video conferencing (light-weight sessions; 101 Mbone conferencing) 103 o Point-to-point streaming audio and/or video 105 o Source-specific multicast (SSM) streaming to large group (IPTV and 106 3GPP Multimedia Broadcast Multicast Service (MBMS) [MBMS]) 108 o Replicated unicast streaming to a group 109 o Interconnecting components in music production studios and video 110 editing suites 112 o Interconnecting components of distributed simulation systems 114 o Streaming real-time sensor data 116 As can be seen, these scenarios vary from point-to-point to very 117 large multicast groups, from interactive to non-interactive, and from 118 low bandwidth (kilobits per second) to very high bandwidth (multiple 119 gigabits per second). While most of these applications run over UDP 120 [RFC0768], some use TCP [RFC0793], [RFC4614] or DCCP [RFC4340] as 121 their underlying transport. Some run on highly reliable optical 122 networks, others use low rate unreliable wireless networks. Some 123 applications of RTP operate entirely within a single trust domain, 124 others are inter-domain, with untrusted (and potentially unknown) 125 users. The range of scenarios is wide, and growing both in number 126 and in heterogeneity. 128 3. Implications for RTP Security 130 The wide range of application scenarios where RTP is used has led to 131 the development of multiple solutions for securing RTP media streams 132 and RTCP control messages, considering different requirements. 133 Perhaps the most widely applicable of these solutions is the Secure 134 RTP (SRTP) framework [RFC3711]. This is an application-level media 135 security solution, encrypting the media payload data (but not the RTP 136 headers) to provide some degree of confidentiality, and providing 137 optional source origin authentication. It was carefully designed to 138 be both low overhead, and to support the group communication features 139 of RTP, across a range of networks. 141 SRTP is not the only media security solution in use, however, and 142 alternatives are more appropriate for some scenarios. For example, 143 many client-server streaming media applications can run over a single 144 TCP connection, multiplexing media data with control information on 145 that connection (RTSP [I-D.ietf-mmusic-rfc2326bis] is a widely used 146 example of such a protocol). The natural way to provide media 147 security for such client-server media applications is to use TLS 148 [RFC5246] to protect the TCP connection, sending the RTP media data 149 over the TLS connection. Using the SRTP framework in addition to TLS 150 is unnecessary, and would result in double encryption of the media, 151 and SRTP cannot be used instead of TLS since it is RTP-specific, and 152 so cannot protect the control traffic. 154 Other RTP use cases work over networks which provide security at the 155 network layer, using IPsec. For example, certain 3GPP networks need 156 IPsec security associations for other purposes, and can reuse those 157 to secure the RTP session [3GPP.33.210]. SRTP is, again, unnecessary 158 in such environments, and its use would only introduce overhead for 159 no gain. 161 For some applications it is sufficient to protect the RTP payload 162 data while leaving RTP, transport, and network layer headers 163 unprotected. An example of this is RTP broadcast over DVB-H 164 [ETSI.TS.102.474], where one mode of operation uses ISMAcryp 165 (http://www.isma.tv/specs/ISMA_E&Aspec2.0.pdf) to encrypt the RTP 166 payload data only. 168 Finally, the link layer may be secure, and it may be known that the 169 RTP media data is constrained to that single link (for example, when 170 operating in a studio environment, with physical link security). An 171 environment like this is inherently constrained, but might avoid the 172 need for application, transport, or network layer media security. 174 All these are application scenarios where RTP has seen commercial 175 deployment. Other use case also exist, with additional requirements. 176 There is no media security protocol that is appropriate for all these 177 environments. Accordingly, multiple RTP media security protocols can 178 be expected to remain in wide use. 180 4. Implications for Key Management 182 With such a diverse range of use cases come a range of different 183 protocols for RTP session establishment. Mechanisms used to provide 184 security keying for these different session establishment protocols 185 can basically be put into two categories: inband and out-of-band in 186 relation to the session establishment mechanism. The requirements 187 for these solutions are highly varying. Thus a wide range of 188 solutions have been developed in this space: 190 o A common use case for RTP is probably point-to-point voice calls 191 or centralised group conferences, negotiated using SIP [RFC3261] 192 with the SDP offer/answer model [RFC3264], operating on a trusted 193 infrastructure. In such environments, SDP security descriptions 194 [RFC4568] or the MIKEY [RFC4567] protocol are appropriate keying 195 mechanisms, piggybacked onto the SDP [RFC4566] exchange. The 196 infrastructure may be secured by protecting the SIP exchange using 197 TLS or S/MIME, for example [RFC3261]. Protocols such as DTLS 198 [RFC5764] or ZRTP [I-D.zimmermann-avt-zrtp] are also appropriate 199 in such environments. 201 o Point-to-point RTP sessions may be negotiated using SIP with the 202 offer/answer model, but operating over a network with untrusted 203 infrastructure. In such environments, the key management protocol 204 is run on the media path, bypassing the untrusted infrastructure. 205 Protocols such as DTLS [RFC5764] or ZRTP [I-D.zimmermann-avt-zrtp] 206 are useful here. 208 o For point-to-point client-server streaming of RTP over RTSP, a TLS 209 association is appropriate to manage keying material, in much the 210 same manner as would be used to secure an HTTP session. 212 o A session description may be sent by email, secured using S/MIME 213 or PGP, or retrieved from a web page, using HTTP with TLS. 215 o A session description may be distributed to a multicast group 216 using SAP or FLUTE secured with S/MIME. 218 o A session description may be distributed using the Open Mobile 219 Alliance DRM key management specification [OMA-DRM] when using a 220 point-to-point streaming session setup with RTSP in the 3GPP PSS 221 environment [PSS]. 223 o In the 3GPP Multimedia Broadcast Multicast Service (MBMS) system, 224 HTTP and MIKEY are used for key management [MBMS-SEC]. 226 A more detailed survey of requirements for media security management 227 protocols can be found in [RFC5479]. As can be seen, the range of 228 use cases is wide, and there is no single protocol that is 229 appropriate for all scenarios. These solutions have been further 230 diversified by the existence of infrastructure elements such as 231 authentication solutions that are tied into the key manangement. 233 5. On the Requirement for Strong Security in IETF protocols 235 BCP 61 [RFC3365] puts a requirement on IETF protocols to provide 236 strong, mandatory to implement, security solutions. This is actually 237 quite a difficult requirement for any type of framework protocol, 238 like RTP, since one can never know all the deployment scenarios, and 239 if they are covered by the security solution. It would clearly be 240 desirable if a single media security solution and a single key 241 management solution could be developed, satisfying the range of use 242 cases for RTP. The authors are not aware of any such solution, 243 however, and it is not clear that any single solution can be 244 developed. 246 For a framework protocol it appears that the only sensible solution 247 to the requirement of BCP 61 is to develop or use security building 248 blocks, like SRTP, SDP security descriptions [RFC4568], MIKEY, DTLS, 249 or IPsec, to provide the basic security services of authorization, 250 data integrity protection and date confidentiality protection. When 251 new usages of the RTP framework arise, one needs to analyze the 252 situation, to determine if the existing building blocks satisfy the 253 requirements. If not, it is necessary to develop new security 254 building blocks. 256 When it comes to fulfilling the "MUST Implement" strong security for 257 a specific application, it will fall on that application to actually 258 consider what building blocks it is required to support. To maximize 259 interoperability it is desirable if certain applications, or classes 260 of application with similar requirements, agree on what data security 261 mechanisms and key-management should be used. If such agreement is 262 not possible, there will be increased cost, either in the lack of 263 interoperability, or in the need to implement more solutions. 264 Unfortunately this situation, if not handled reasonably well, can 265 result in a failure to satisfy the requirement of providing the users 266 with an option of turning on strong security when desired. 268 6. Conclusions 270 As discussed earlier it appears that a single solution can't be 271 designed to meet the diverse requirements. In the absence of such a 272 solution, it is hoped that this memo explains why SRTP is not 273 mandatory as the media security solution for RTP-based systems, and 274 why we can expect multiple key management solutions for systems using 275 RTP. 277 It is important for any RTP-based application to consider how it 278 meets the security requirements. This will require some analysis to 279 determine these requirements, followed by the selection of a 280 mandatory to implement solution, or in exceptional scenarios several 281 solutions, including the desired RTP traffic protection and key- 282 management. SRTP is a preferred solution for the protection of the 283 RTP traffic in those use cases where it is applicable. It is out of 284 scope for this memo to recommend a preferred key management solution. 286 7. Security Considerations 288 This entire memo is about security. 290 8. IANA Considerations 292 No IANA actions are required. 294 9. Acknowledgements 296 Thanks to Ralph Blom, Hannes Tschofenig, Dan York, Alfred Hoenes, 297 Martin Ellis, Ali Begen, and Keith Drage for their feedback. 299 10. Informative References 301 [3GPP.33.210] 302 3GPP, "IP network layer security", 3GPP TS 33.210. 304 [ETSI.TS.102.474] 305 ETSI, "Digital Video Broadcasting (DVB); IP Datacast over 306 DVB-H: Service Purchase and Protection", ETSI TS 102 474, 307 November 2007. 309 [I-D.ietf-mmusic-rfc2326bis] 310 Schulzrinne, H., Rao, A., Lanphier, R., Westerlund, M., 311 and M. Stiemerling, "Real Time Streaming Protocol 2.0 312 (RTSP)", draft-ietf-mmusic-rfc2326bis-23 (work in 313 progress), March 2010. 315 [I-D.zimmermann-avt-zrtp] 316 Zimmermann, P., Johnston, A., and J. Callas, "ZRTP: Media 317 Path Key Agreement for Unicast Secure RTP", 318 draft-zimmermann-avt-zrtp-22 (work in progress), 319 June 2010. 321 [MBMS] 3GPP, "Multimedia Broadcast/Multicast Service (MBMS); 322 Protocols and codecs TS 26.346". 324 [MBMS-SEC] 325 3GPP, "Security of Multimedia Broadcast/Multicast Service 326 (MBMS) TS 33.246". 328 [OMA-DRM] Open Mobile Alliance, "DRM Specification 2.0". 330 [PSS] 3GPP, "Transparent end-to-end Packet-switched Streaming 331 Service (PSS); Protocols and codecs TS 26.234". 333 [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, 334 August 1980. 336 [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, 337 RFC 793, September 1981. 339 [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, 340 A., Peterson, J., Sparks, R., Handley, M., and E. 342 Schooler, "SIP: Session Initiation Protocol", RFC 3261, 343 June 2002. 345 [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model 346 with Session Description Protocol (SDP)", RFC 3264, 347 June 2002. 349 [RFC3365] Schiller, J., "Strong Security Requirements for Internet 350 Engineering Task Force Standard Protocols", BCP 61, 351 RFC 3365, August 2002. 353 [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. 354 Jacobson, "RTP: A Transport Protocol for Real-Time 355 Applications", STD 64, RFC 3550, July 2003. 357 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 358 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 359 RFC 3711, March 2004. 361 [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram 362 Congestion Control Protocol (DCCP)", RFC 4340, March 2006. 364 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 365 Description Protocol", RFC 4566, July 2006. 367 [RFC4567] Arkko, J., Lindholm, F., Naslund, M., Norrman, K., and E. 368 Carrara, "Key Management Extensions for Session 369 Description Protocol (SDP) and Real Time Streaming 370 Protocol (RTSP)", RFC 4567, July 2006. 372 [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session 373 Description Protocol (SDP) Security Descriptions for Media 374 Streams", RFC 4568, July 2006. 376 [RFC4614] Duke, M., Braden, R., Eddy, W., and E. Blanton, "A Roadmap 377 for Transmission Control Protocol (TCP) Specification 378 Documents", RFC 4614, September 2006. 380 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 381 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 383 [RFC5479] Wing, D., Fries, S., Tschofenig, H., and F. Audet, 384 "Requirements and Analysis of Media Security Management 385 Protocols", RFC 5479, April 2009. 387 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 388 Security (DTLS) Extension to Establish Keys for the Secure 389 Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. 391 Authors' Addresses 393 Colin Perkins 394 University of Glasgow 395 Department of Computing Science 396 Glasgow G12 8QQ 397 UK 399 Email: csp@csperkins.org 401 Magnus Westerlund 402 Ericsson 403 Farogatan 6 404 Kista SE-164 80 405 Sweden 407 Email: magnus.westerlund@ericsson.com