idnits 2.17.1 draft-ietf-perc-double-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 8, 2016) is 2849 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5285 (Obsoleted by RFC 8285) == Outdated reference: A later version (-04) exists of draft-jones-perc-dtls-tunnel-02 Summary: 1 error (**), 0 flaws (~~), 2 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Jennings 3 Internet-Draft P. Jones 4 Intended status: Standards Track Cisco Systems 5 Expires: January 9, 2017 A. Roach 6 Mozilla 7 July 8, 2016 9 SRTP Double Encryption Procedures 10 draft-ietf-perc-double-01 12 Abstract 14 In some conferencing scenarios, it is desirable for an intermediary 15 to be able to manipulate some RTP parameters, while still providing 16 strong end-to-end security guarantees. This document defines SRTP 17 procedures that use two separate but related cryptographic contexts 18 to provide "hop-by-hop" and "end-to-end" security guarantees. Both 19 the end-to-end and hop-by-hop cryptographic transforms can utilize an 20 authenticated encryption with associated data scheme or take 21 advantage of future SRTP transforms with different properties. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on January 9, 2017. 40 Copyright Notice 42 Copyright (c) 2016 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3. Cryptographic Contexts . . . . . . . . . . . . . . . . . . . 3 60 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4 61 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5 62 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 5 63 5.2. Modifying a Packet . . . . . . . . . . . . . . . . . . . 6 64 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 7 65 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 8 66 7. Recommended Inner and Outer Cryptographic Transforms . . . . 8 67 8. Security Considerations . . . . . . . . . . . . . . . . . . . 9 68 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 69 9.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 10 70 9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 11 71 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11 72 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 73 11.1. Normative References . . . . . . . . . . . . . . . . . . 12 74 11.2. Informative References . . . . . . . . . . . . . . . . . 12 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13 77 1. Introduction 79 Cloud conferencing systems that are based on switched conferencing 80 have a central Media Distributor device that receives media from 81 endpoints and distributes it to other endpoints, but does not need to 82 interpret or change the media content. For these systems, it is 83 desirable to have one cryptographic context from the sending endpoint 84 to the receiving endpoint that can encrypt and authenticate the media 85 end-to-end while still allowing certain RTP header information to be 86 changed by the Media Distributor. At the same time, a separate 87 cryptographic context provides integrity and optional confidentiality 88 for the media flowing between the Media Distributor and the 89 endpoints. See the framework document that describes this concept in 90 more detail in more detail in 91 [I-D.jones-perc-private-media-framework]. 93 This specification RECOMMENDS the SRTP AES-GCM transform [RFC7714] to 94 encrypt an RTP packet for the end-to-end cryptographic context. The 95 output of this is treated as an RTP packet and again encrypted with 96 an SRTP transform used in the hop-by-hop cryptographic context 97 between the endpoint and the Media Distributor. The Media 98 Distributor decrypts and checks integrity of the hop-by-hop security. 99 The Media Distributor MAY change some of the RTP header information 100 that would impact the end-to-end integrity. The original value of 101 any RTP header field that is changed is included in a new RTP header 102 extension called the Original Header Block. The new RTP packet is 103 encrypted with the hop-by-hop cryptographic transform before it is 104 sent. The receiving endpoint decrypts and checks integrity using the 105 hop-by-hop cryptographic transform and then replaces any parameters 106 the Media Distributor changed using the information in the Original 107 Header Block before decrypting and checking the end-to-end integrity. 109 2. Terminology 111 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 112 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 113 document are to be interpreted as described in [RFC2119]. 115 Terms used throughout this document include: 117 o Media Distributor: media distribution device that routes media 118 from one endpoint to other endpoints 120 o E2E: end-to-end, meaning the link from one endpoint through one or 121 more Media Distributors to the endpoint at the other end. 123 o HBH: hop-by-hop, meaning the link from the endpoint to or from the 124 Media Distributor. 126 o OHB: Original Header Block is an RTP header extension that 127 contains the original values from the RTP header that might have 128 been changed by a Media Distributor. 130 3. Cryptographic Contexts 132 This specification uses two cryptographic contexts: an inner ("end- 133 to-end") context that is used by endpoints that originate and consume 134 media to ensure the integrity of media end-to-end, and an outer 135 ("hop-by-hop") context that is used between endpoints and Media 136 Distributors to ensure the integrity of media over a single hop and 137 to enable a Media Distributor to modify certain RTP header fields. 138 RTCP is also encrypted using the hop-by-hop cryptographic context. 139 The RECOMMENDED cipher for the hop-by-hop and end-to-end contexts is 140 AES-GCM. Other combinations of SRTP ciphers that support the 141 procedures in this document can be added to the IANA registry. 143 The keys and salt for these contexts are generated with the following 144 steps: 146 o Generate key and salt values of the length required for the 147 combined inner (end-to-end) and outer (hop-by-hop) transforms. 149 o Assign the key and salt values generated for the inner (end-to- 150 end) transform. 152 o Assign the key and salt values for the outer (hop-by-hop) 153 transform. 155 Obviously, if the Media Distributor is to be able to modify header 156 fields but not decrypt the payload, then it must have cryptographic 157 context for the outer transform, but not the inner transform. This 158 document does not define how the Media Distributor should be 159 provisioned with this information. One possible way to provide 160 keying material for the outer ("hop-by-hop") transform is to use 161 [I-D.jones-perc-dtls-tunnel]. 163 4. Original Header Block 165 Any SRTP packet processed following these procedures MAY contain an 166 Original Header Block (OHB) RTP header extension. 168 The OHB contains the original values of any modified header fields 169 and MUST be placed after any already-existing RTP header extensions. 170 Placement of the OHB after any original header extensions is 171 important so that the receiving endpoint can properly authenticate 172 the original packet and any originally included RTP header 173 extensions. The receiving endpoint will authenticate the original 174 packet by restoring the modified RTP header field values and header 175 extensions. It does this by copying the original values from the OHB 176 and then removing the OHB extension and any other RTP header 177 extensions that appear after the OHB extension. 179 The Media Distributor is only permitted to modify the extension (X) 180 bit, payload type (PT) field, and the RTP sequence number field. 182 The OHB extension is either one octet in length, two octets in 183 length, or three octets in length. The length of the OHB indicates 184 what data is contained in the extension. 186 If the OHB is one octet in length, it contains the original PT field 187 value. In this case, the OHB has this form: 189 0 190 0 1 2 3 4 5 6 7 191 +---------------+ 192 |R| PT | 193 +---------------+ 194 Note that "R" indicates a reserved bit that MUST be set to zero when 195 sending a packet and ignored upon receipt. 197 If the OHB is two octets in length, it contains the original RTP 198 packet sequence number. In this case, the OHB has this form: 200 0 1 201 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 202 +-------------------------------+ 203 | Sequence Number | 204 +-------------------------------+ 206 If the OHB is three octets in length, it contains the original PT 207 field value and RTP packet sequence number. In this case, the OHB 208 has this form: 210 0 1 2 211 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 212 +---------------+-------------------------------+ 213 |R| PT | Sequence Number | 214 +---------------+-------------------------------+ 216 If a Media Distributor modifies an original RTP header value, the 217 Media Distributor MUST include the OHB extension to reflect the 218 changed value, setting the X bit in the RTP header to 1 if no header 219 extensions were originally present. If another Media Distributor 220 along the media path makes additional changes to the RTP header and 221 any original value is not already present in the OHB, the Media 222 Distributor must extend the OHB by adding the changed value to the 223 OHB. To properly preserve original RTP header values, a Media 224 Distributor MUST NOT change a value already present in the OHB 225 extension. 227 5. RTP Operations 229 5.1. Encrypting a Packet 231 To encrypt a packet, the endpoint encrypts the packet using the inner 232 cryptographic context and then encrypts using the outer cryptographic 233 context. The processes is as follows: 235 o Form an RTP packet. If there are any header extensions, they MUST 236 use [RFC5285]. 238 o Apply the inner cryptographic transform to the RTP packet. If 239 encrypting RTP header extensions end-to-end, then [RFC6904] MUST 240 be used when encrypting the RTP packet using the inner 241 cryptographic context. 243 o If the endpoint wishes to insert header extensions that can be 244 modified by an Media Distributor, it MUST insert an OHB header 245 extension at the end of any header extensions protected end-to-end 246 (if any), then add any Media Distributor-modifiable header 247 extensions. The OHB MUST replicate the information found in the 248 RTP header following the application of the inner cryptographic 249 transform. If not already set, the endpoint MUST set the X bit in 250 the RTP header to 1 when introducing the OHB extension. 252 o Apply the outer cryptographic transform to the RTP packet. If 253 encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST 254 be used when encrypting the RTP packet using the outer 255 cryptographic context. 257 5.2. Modifying a Packet 259 The Media Distributor does not have a notion of outer or inner 260 cryptographic contexts. Rather, the Media Distributor has a single 261 cryptographic context. The cryptographic transform and key used to 262 decrypt a packet and any encrypted RTP header extensions would be the 263 same as those used in the endpoint's outer cryptographic context. 265 In order to modify a packet, the Media Distributor decrypts the 266 packet, modifies the packet, updates the OHB with any modifications 267 not already present in the OHB, and re-encrypts the packet using the 268 cryptographic context used for next hop. 270 o Apply the cryptographic transform to the packet. If decrypting 271 RTP header extensions hop-by-hop, then [RFC6904] MUST be used. 273 o Change any required parameters 275 o If a changed RTP header field is not already in the OHB, add it 276 with its original value to the OHB. A Media Distributor can add 277 information to the OHB, but MUST NOT change existing information 278 in the OHB. 280 o If the Media Distributor resets a parameter to its original value, 281 it MAY drop it from the OHB as long as there are no other header 282 extensions following the OHB. Note that this might result in a 283 decrease in the size of the OHB. It is also possible for the 284 Media Distributor to remove the OHB entirely if all parameters in 285 the RTP header are reset to their original values and no other 286 header extensions follow the OHB. If the OHB is removed and no 287 other extension is present, the X bit in the RTP header MUST be 288 set to 0. 290 o The Media Distributor MUST NOT delete any header extensions before 291 the OHB, but MAY add, delete, or modify any that follow the OHB. 293 * If the Media Distributor adds any header extensions, it must 294 append them and it must maintain the order of the original 295 header extensions in the [RFC5285] block. 297 * If the Media Distributor appends header extensions, then it 298 MUST add the OHB header extension (if not present), even if the 299 OHB merely replicates the original header field values, and 300 append the new extensions following the OHB. The OHB serves as 301 a demarcation point between original RTP header extensions 302 introduced by the endpoint and those introduced by a Media 303 Distributor. 305 o The Media Distributor MAY modify any header extension appearing 306 after the OHB, but MUST NOT modify header extensions that are 307 present before the OHB. 309 o Apply the cryptographic transform to the packet. If the RTP 310 Sequence Number has been modified, SRTP processing happens as 311 defined in SRTP and which will end up using the new Sequence 312 Number. If encrypting RTP header extensions hop-by-hop, then 313 [RFC6904] MUST be used. 315 5.3. Decrypting a Packet 317 To decrypt a packet, the endpoint first decrypts and verifies using 318 the outer cryptographic context, then uses the OHB to reconstruct the 319 original packet, which it decrypts and verifies with the inner 320 cryptographic context. 322 o Apply the outer cryptographic transform to the packet. If the 323 integrity check does not pass, discard the packet. The result of 324 this is referred to as the outer SRTP packet. If decrypting RTP 325 header extensions hop-by-hop, then [RFC6904] MUST be used when 326 decrypting the RTP packet using the outer cryptographic context. 328 o Form a new synthetic SRTP packet with: 330 * Header = Received header, with header fields replaced with 331 values from OHB (if present). 333 * Insert all header extensions up to the OHB extension, but 334 exclude the OHB and any header extensions that follow the OHB. 335 If there are no extensions remaining, then the X bit MUST bet 336 set to 0. If there are extensions remaining, then the 337 remaining extensions MUST be padded to the first 32-bit 338 boundary and the overall length of the header extensions 339 adjusted accordingly. 341 * Payload is the original encrypted payload. 343 o Apply the inner cryptographic transform to this synthetic SRTP 344 packet. Note if the RTP Sequence Number was changed by the Media 345 Distributor, the syntetic packet has the original Sequence Number. 346 If the integrity check does not pass, discard the packet. If 347 decrypting RTP header extensions end-to-end, then [RFC6904] MUST 348 be used when decrypting the RTP packet using the inner 349 cryptographic context. 351 Once the packet has successfully decrypted, the application needs to 352 be careful about which information it uses to get the correct 353 behavior. The application MUST use only the information found in the 354 synthetic SRTP packet and MUST NOT use the other data that was in the 355 outer SRTP packet with the following exceptions: 357 o The PT from the outer SRTP packet is used for normal matching to 358 SDP and codec selection. 360 o The sequence number from the outer SRTP packet is used for normal 361 RTP ordering. 363 If any of the following RTP headers extensions are found in the outer 364 SRTP packet, they MAY be used: 366 o TBD 368 6. RTCP Operations 370 Unlike RTP, which is encrypted both hop-by-hop and end-to-end using 371 two separate cryptographic contexts, RTCP is encrypted using only the 372 outer (HBH) cryptographic context. The procedures for RTCP 373 encryption are specified in [RFC3711] and this document introduces no 374 additional steps. 376 7. Recommended Inner and Outer Cryptographic Transforms 378 This specification recommends and defines AES-GCM as both the inner 379 and outer cryptographic transforms, identified as 380 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and 381 DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These transforms provide 382 for authenticated encryption and will consume additional processing 383 time double-encrypting for HBH and E2E. However, the approach is 384 secure and simple, and is thus viewed as an acceptable trade-off in 385 processing efficiency. 387 Note that names for the cryptographic transforms are of the form 388 DOUBLE_(inner transform)_(outer transform). 390 While this document only defines a profile based on AES-GCM, it is 391 possible for future documents to define further profiles with 392 different inner and outer transforms in this same framework. For 393 example, if a new SRTP transform was defined that encrypts some or 394 all of the RTP header, it would be reasonable for systems to have the 395 option of using that for the outer transform. Similarly, if a new 396 transform was defined that provided only integrity, that would also 397 be reasonable to use for the HBH as the payload data is already 398 encrypted by the E2E. 400 The AES-GCM cryptographic transform introduces an additional 16 401 octets to the length of the packet. When using AES-GCM for both the 402 inner and outer cryptographic transforms, the total additional length 403 is 32 octets. If no other header extensions are present in the 404 packet and the OHB is introduced, that will consume an additional 8 405 octets. If other extensions are already present, the OHB will 406 consume up to 4 additional octets. 408 Open Issue: For an audio confernce using opus in a narrowband 409 configuration at TBD kbps with 20 ms packetizaton, the total 410 bandwidth of the RTP would change from TBD to TBD. Do we want to 411 consider having some AES-GCM transfroms with reduced length 412 authentication tags for the HBH. Since the actual authentication is 413 provided by the E2E check, and tampering with the the HBH can only 414 result in the wrong packet being selected as the loudest speaker, it 415 might be desirable to have 64 bits or even less of securiyt for the 416 HBH portion of the authentication. 418 8. Security Considerations 420 To summarize what is encrypted and authenticated, we will refer to 421 all the RTP fields and headers created by the sender and before the 422 pay load as the initial envelope and the RTP payload information with 423 the media as the payload. Any additional headers added by the Media 424 Distributor are referred to as the extra envelope. The sender uses 425 the E2E key to encrypts the payload and authenticate the payload + 426 initial envelope which using an AEAD cipher results in a slight 427 longer new payload. Then the sender uses the HBH key to encrypt the 428 new payload and authenticate the initial envelope and new payload. 430 The Media Distributor has the HBH key so it can check the 431 authentication of the received packet across the initial envelope and 432 payload data but it can't decrypt the payload as it does not have the 433 E2E key. It can add extra envelope information. It then 434 authenticates the initial plus extra envelope information plus 435 payload with a HBH key. This HBH for the outgoing packet is 436 typically different than the HBH key for the incoming packet. 438 The receiver can check the authentication of the initial and extra 439 envelope information. This, along with the OBH, i used to construct 440 a synthetic packet that is should be identital to one the sender 441 created and the receiver can check that it is identical and then 442 decrypt the original payload. 444 The end result is that if the authentications succeed, the receiver 445 knows exactly what the original sender sent, as well as exactly which 446 modifications were made by the Media Distributor. 448 It is obviously critical that the intermediary have only the outer 449 transform parameters and not the inner transform parameters. We rely 450 on an external key management protocol to assure this property. 452 Modifications by the intermediary result in the recipient getting two 453 values for changed parameters (original and modified). The recipient 454 will have to choose which to use; there is risk in using either that 455 depends on the session setup. 457 The security properties for both the inner and outer key holders are 458 the same as the security properties of classic SRTP. 460 9. IANA Considerations 462 9.1. RTP Header Extension 464 This document defines a new extension URI in the RTP Compact Header 465 Extensions part of the Real-Time Transport Protocol (RTP) Parameters 466 registry, according to the following data: 468 Extension URI: urn:ietf:params:rtp-hdrext:ohb 470 Description: Original Header Block 472 Contact: Cullen Jennings 474 Reference: RFCXXXX 476 Note to RFC Editor: Replace RFCXXXX with the RFC number of this 477 specification. 479 9.2. DTLS-SRTP 481 We request IANA to add the following values to defines a DTLS-SRTP 482 "SRTP Protection Profile" defined in [RFC5764]. 484 +-------+------------------------------------------+-----------+ 485 | Value | Profile | Reference | 486 +-------+------------------------------------------+-----------+ 487 | {TBD} | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | 488 | {TBD} | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX | 489 +-------+------------------------------------------+-----------+ 491 Note to IANA: Please assign value RFCXXXX and update table to point 492 at this RFC for these values. 494 The SRTP transform parameters for each of these protection are: 496 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM 497 cipher: AES_128_GCM then AES_128_GCM 498 cipher_key_length: 256 bits 499 cipher_salt_length: 192 bits 500 aead_auth_tag_length: 32 octets 501 auth_function: NULL 502 auth_key_length: N/A 503 auth_tag_length: N/A 504 maximum lifetime: at most 2^31 SRTCP packets and 505 at most 2^48 SRTP packets 507 DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM 508 cipher: AES_256_GCM then AES_256_GCM 509 cipher_key_length: 512 bits 510 cipher_salt_length: 192 bits 511 aead_auth_tag_length: 32 octets 512 auth_function: NULL 513 auth_key_length: N/A 514 auth_tag_length: N/A 515 maximum lifetime: at most 2^31 SRTCP packets and 516 at most 2^48 SRTP packets 518 The first half of the key and salt is used for the inner (E2E) 519 transform and the second half is used for the outer (HBH) transform. 521 10. Acknowledgments 523 Many thanks to review from Suhas Nandakumar, David Benham, Magnus 524 Westerlund and significant text from Richard Barnes. 526 11. References 528 11.1. Normative References 530 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 531 Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ 532 RFC2119, March 1997, 533 . 535 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 536 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 537 RFC 3711, DOI 10.17487/RFC3711, March 2004, 538 . 540 [RFC5285] Singer, D. and H. Desineni, "A General Mechanism for RTP 541 Header Extensions", RFC 5285, DOI 10.17487/RFC5285, July 542 2008, . 544 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 545 Security (DTLS) Extension to Establish Keys for the Secure 546 Real-time Transport Protocol (SRTP)", RFC 5764, DOI 547 10.17487/RFC5764, May 2010, 548 . 550 [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure 551 Real-time Transport Protocol (SRTP)", RFC 6904, DOI 552 10.17487/RFC6904, April 2013, 553 . 555 [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption 556 in the Secure Real-time Transport Protocol (SRTP)", RFC 557 7714, DOI 10.17487/RFC7714, December 2015, 558 . 560 11.2. Informative References 562 [I-D.jones-perc-dtls-tunnel] 563 Jones, P., "DTLS Tunnel between Media Distribution Device 564 and Key Management Function to Facilitate Key Exchange", 565 draft-jones-perc-dtls-tunnel-02 (work in progress), March 566 2016. 568 [I-D.jones-perc-private-media-framework] 569 Jones, P. and D. Benham, "A Solution Framework for Private 570 Media in Privacy Enhanced RTP Conferencing", draft-jones- 571 perc-private-media-framework-02 (work in progress), March 572 2016. 574 Authors' Addresses 576 Cullen Jennings 577 Cisco Systems 579 Email: fluffy@iii.ca 581 Paul E. Jones 582 Cisco Systems 584 Email: paulej@packetizer.com 586 Adam Roach 587 Mozilla 589 Email: adam@nostrum.com