idnits 2.17.1 draft-ietf-perc-double-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (April 28, 2017) is 2526 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 5285 (Obsoleted by RFC 8285) == Outdated reference: A later version (-12) exists of draft-ietf-perc-dtls-tunnel-00 == Outdated reference: A later version (-12) exists of draft-ietf-perc-private-media-framework-03 == Outdated reference: A later version (-13) exists of draft-ietf-perc-srtp-ekt-diet-03 Summary: 1 error (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group C. Jennings 3 Internet-Draft P. Jones 4 Intended status: Standards Track Cisco Systems 5 Expires: October 30, 2017 A. Roach 6 Mozilla 7 April 28, 2017 9 SRTP Double Encryption Procedures 10 draft-ietf-perc-double-04 12 Abstract 14 In some conferencing scenarios, it is desirable for an intermediary 15 to be able to manipulate some RTP parameters, while still providing 16 strong end-to-end security guarantees. This document defines SRTP 17 procedures that use two separate but related cryptographic contexts 18 to provide "hop-by-hop" and "end-to-end" security guarantees. Both 19 the end-to-end and hop-by-hop cryptographic transforms can utilize an 20 authenticated encryption with associated data scheme or take 21 advantage of future SRTP transforms with different properties. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at http://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on October 30, 2017. 40 Copyright Notice 42 Copyright (c) 2017 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (http://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 59 3. Cryptographic Contexts . . . . . . . . . . . . . . . . . . . 3 60 4. Original Header Block . . . . . . . . . . . . . . . . . . . . 4 61 5. RTP Operations . . . . . . . . . . . . . . . . . . . . . . . 5 62 5.1. Encrypting a Packet . . . . . . . . . . . . . . . . . . . 6 63 5.2. Relaying a Packet . . . . . . . . . . . . . . . . . . . . 6 64 5.3. Decrypting a Packet . . . . . . . . . . . . . . . . . . . 8 65 6. RTCP Operations . . . . . . . . . . . . . . . . . . . . . . . 9 66 7. Recommended Inner and Outer Cryptographic Transforms . . . . 9 67 8. Security Considerations . . . . . . . . . . . . . . . . . . . 10 68 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10 69 9.1. RTP Header Extension . . . . . . . . . . . . . . . . . . 11 70 9.2. DTLS-SRTP . . . . . . . . . . . . . . . . . . . . . . . . 11 71 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 12 72 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 73 11.1. Normative References . . . . . . . . . . . . . . . . . . 12 74 11.2. Informative References . . . . . . . . . . . . . . . . . 13 75 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 77 1. Introduction 79 Cloud conferencing systems that are based on switched conferencing 80 have a central Media Distributor device that receives media from 81 endpoints and distributes it to other endpoints, but does not need to 82 interpret or change the media content. For these systems, it is 83 desirable to have one cryptographic context from the sending endpoint 84 to the receiving endpoint that can encrypt and authenticate the media 85 end-to-end while still allowing certain RTP header information to be 86 changed by the Media Distributor. At the same time, a separate 87 cryptographic context provides integrity and optional confidentiality 88 for the media flowing between the Media Distributor and the 89 endpoints. See the framework document that describes this concept in 90 more detail in more detail in 91 [I-D.ietf-perc-private-media-framework]. 93 This specification defines an SRTP transform that uses the AES-GCM 94 transform [RFC7714] to encrypt an RTP packet for the end-to-end 95 cryptographic context. The output of this is treated as an RTP 96 packet and again encrypted with an SRTP transform used in the hop-by- 97 hop cryptographic context between the endpoint and the Media 98 Distributor. The Media Distributor decrypts and checks integrity of 99 the hop-by-hop security. The Media Distributor MAY change some of 100 the RTP header information that would impact the end-to-end 101 integrity. The original value of any RTP header field that is 102 changed is included in a new RTP header extension called the Original 103 Header Block. The new RTP packet is encrypted with the hop-by-hop 104 cryptographic transform before it is sent. The receiving endpoint 105 decrypts and checks integrity using the hop-by-hop cryptographic 106 transform and then replaces any parameters the Media Distributor 107 changed using the information in the Original Header Block before 108 decrypting and checking the end-to-end integrity. 110 One can think of the double as a normal SRTP transform as encrypting 111 the RTP in a way where things that only know half of the key, can 112 decrypt and modify part of the RTP packet but not other parts of if 113 including the media payload. 115 2. Terminology 117 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 118 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 119 document are to be interpreted as described in [RFC2119]. 121 Terms used throughout this document include: 123 o Media Distributor: media distribution device that routes media 124 from one endpoint to other endpoints 126 o E2E: end-to-end, meaning the link from one endpoint through one or 127 more Media Distributors to the endpoint at the other end. 129 o HBH: hop-by-hop, meaning the link from the endpoint to or from the 130 Media Distributor. 132 o OHB: Original Header Block is an RTP header extension that 133 contains the original values from the RTP header that might have 134 been changed by a Media Distributor. 136 3. Cryptographic Contexts 138 This specification uses two cryptographic contexts: an inner ("end- 139 to-end") context that is used by endpoints that originate and consume 140 media to ensure the integrity of media end-to-end, and an outer 141 ("hop-by-hop") context that is used between endpoints and Media 142 Distributors to ensure the integrity of media over a single hop and 143 to enable a Media Distributor to modify certain RTP header fields. 144 RTCP is also encrypted using the hop-by-hop cryptographic context. 146 The RECOMMENDED cipher for the hop-by-hop and end-to-end contexts is 147 AES-GCM. Other combinations of SRTP ciphers that support the 148 procedures in this document can be added to the IANA registry. 150 The keys and salt for these contexts are generated with the following 151 steps: 153 o Generate key and salt values of the length required for the 154 combined inner (end-to-end) and outer (hop-by-hop) transforms. 156 o Assign the key and salt values generated for the inner (end-to- 157 end) transform to the first half of the key and salt for the 158 double transform. 160 o Assign the key and salt values for the outer (hop-by-hop) 161 transform to the second half of the key and salt for the double 162 transform. 164 Obviously, if the Media Distributor is to be able to modify header 165 fields but not decrypt the payload, then it must have cryptographic 166 context for the outer transform, but not the inner transform. This 167 document does not define how the Media Distributor should be 168 provisioned with this information. One possible way to provide 169 keying material for the outer ("hop-by-hop") transform is to use 170 [I-D.ietf-perc-dtls-tunnel]. 172 4. Original Header Block 174 Any SRTP packet processed following these procedures MAY contain an 175 Original Header Block (OHB) RTP header extension. 177 The OHB contains the original values of any modified header fields 178 and MUST be placed after any already-existing RTP header extensions. 179 Placement of the OHB after any original header extensions is 180 important so that the receiving endpoint can properly authenticate 181 the original packet and any originally included RTP header 182 extensions. The receiving endpoint will authenticate the original 183 packet by restoring the modified RTP header field values and header 184 extensions. It does this by copying the original values from the OHB 185 and then removing the OHB extension and any other RTP header 186 extensions that appear after the OHB extension. 188 The Media Distributor is only permitted to modify the extension (X) 189 bit, payload type (PT) field, and the RTP sequence number field. 191 The OHB extension is either one octet in length, two octets in 192 length, or three octets in length. The length of the OHB indicates 193 what data is contained in the extension. 195 If the OHB is one octet in length, it contains the original PT field 196 value. In this case, the OHB has this form: 198 0 1 199 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 200 +-+-+-+-+-+-+-+-+---------------+ 201 | ID | len=0 |R| PT | 202 +-+-+-+-+-+-+-+-+---------------+ 204 Note that "R" indicates a reserved bit that MUST be set to zero when 205 sending a packet and ignored upon receipt. ID is the RTP Header 206 Extension identifier negotiated in the SDP. 208 If the OHB is two octets in length, it contains the original RTP 209 packet sequence number. In this case, the OHB has this form: 211 0 1 2 212 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 213 +-+-+-+-+-+-+-+-+-------------------------------+ 214 | ID | len=1 | Sequence Number | 215 +-+-+-+-+-+-+-+-+-------------------------------+ 217 If the OHB is three octets in length, it contains the original PT 218 field value and RTP packet sequence number. In this case, the OHB 219 has this form: 221 0 1 2 3 222 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 6 4 5 6 7 8 9 1 223 +-+-+-+-+-+-+-+-+---------------+-------------------------------+ 224 | ID | len=2 |R| PT | Sequence Number | 225 +-+-+-+-+-+-+-+-+---------------+-------------------------------+ 227 If a Media Distributor modifies an original RTP header value, the 228 Media Distributor MUST include the OHB extension to reflect the 229 changed value, setting the X bit in the RTP header to 1 if no header 230 extensions were originally present. If another Media Distributor 231 along the media path makes additional changes to the RTP header and 232 any original value is already present in the OHB, the Media 233 Distributor must extend the OHB by adding the changed value to the 234 OHB. To properly preserve original RTP header values, a Media 235 Distributor MUST NOT change a value already present in the OHB 236 extension. 238 5. RTP Operations 239 5.1. Encrypting a Packet 241 To encrypt a packet, the endpoint encrypts the packet using the inner 242 cryptographic context and then encrypts using the outer cryptographic 243 context. The processes is as follows: 245 o Form an RTP packet. If there are any header extensions, they MUST 246 use [RFC5285]. 248 o Apply the inner cryptographic transform to the RTP packet. If 249 encrypting RTP header extensions end-to-end, then [RFC6904] MUST 250 be used when encrypting the RTP packet using the inner 251 cryptographic context. 253 o If the endpoint wishes to insert header extensions that can be 254 modified by an Media Distributor, it MUST insert an OHB header 255 extension at the end of any header extensions protected end-to-end 256 (if any), then add any Media Distributor-modifiable header 257 extensions. In other cases, the endpoint SHOULD still insert an 258 OHB header extension. The OHB MUST replicate the information 259 found in the RTP header following the application of the inner 260 cryptographic transform. If not already set, the endpoint MUST 261 set the X bit in the RTP header to 1 when introducing the OHB 262 extension. 264 o Apply the outer cryptographic transform to the RTP packet. If 265 encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST 266 be used when encrypting the RTP packet using the outer 267 cryptographic context. 269 When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes 270 after the SRTP packet exactly like using EKT with any other SRTP 271 transform. 273 5.2. Relaying a Packet 275 The Media Distributor does not have a notion of outer or inner 276 cryptographic contexts. Rather, the Media Distributor has a single 277 cryptographic context. The cryptographic transform and key used to 278 decrypt a packet and any encrypted RTP header extensions would be the 279 same as those used in the endpoint's outer cryptographic context. 281 In order to modify a packet, the Media Distributor decrypts the 282 packet, modifies the packet, updates the OHB with any modifications 283 not already present in the OHB, and re-encrypts the packet using the 284 cryptographic context used for next hop. 286 o Apply the cryptographic transform to the packet. If decrypting 287 RTP header extensions hop-by-hop, then [RFC6904] MUST be used. 289 o Change any required parameters 291 o If a changed RTP header field is not already in the OHB, add it 292 with its original value to the OHB. A Media Distributor can add 293 information to the OHB, but MUST NOT change existing information 294 in the OHB. 296 o If the Media Distributor resets a parameter to its original value, 297 it MAY drop it from the OHB as long as there are no other header 298 extensions following the OHB. Note that this might result in a 299 decrease in the size of the OHB. It is also possible for the 300 Media Distributor to remove the OHB entirely if all parameters in 301 the RTP header are reset to their original values and no other 302 header extensions follow the OHB. If the OHB is removed and no 303 other extension is present, the X bit in the RTP header MUST be 304 set to 0. 306 o The Media Distributor MUST NOT delete any header extensions before 307 the OHB, but MAY add, delete, or modify any that follow the OHB. 309 * If the Media Distributor adds any header extensions, it must 310 append them and it must maintain the order of the original 311 header extensions in the [RFC5285] block. 313 * If the Media Distributor appends header extensions, then it 314 MUST add the OHB header extension (if not present), even if the 315 OHB merely replicates the original header field values, and 316 append the new extensions following the OHB. The OHB serves as 317 a demarcation point between original RTP header extensions 318 introduced by the endpoint and those introduced by a Media 319 Distributor. 321 o The Media Distributor MAY modify any header extension appearing 322 after the OHB, but MUST NOT modify header extensions that are 323 present before the OHB. 325 o Apply the cryptographic transform to the packet. If the RTP 326 Sequence Number has been modified, SRTP processing happens as 327 defined in SRTP and will end up using the new Sequence Number. If 328 encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST 329 be used. 331 5.3. Decrypting a Packet 333 To decrypt a packet, the endpoint first decrypts and verifies using 334 the outer cryptographic context, then uses the OHB to reconstruct the 335 original packet, which it decrypts and verifies with the inner 336 cryptographic context. 338 o Apply the outer cryptographic transform to the packet. If the 339 integrity check does not pass, discard the packet. The result of 340 this is referred to as the outer SRTP packet. If decrypting RTP 341 header extensions hop-by-hop, then [RFC6904] MUST be used when 342 decrypting the RTP packet using the outer cryptographic context. 344 o Form a new synthetic SRTP packet with: 346 * Header = Received header, with header fields replaced with 347 values from OHB (if present). 349 * Insert all header extensions up to the OHB extension, but 350 exclude the OHB and any header extensions that follow the OHB. 351 If there are no extensions remaining, then the X bit MUST bet 352 set to 0. If there are extensions remaining, then the 353 remaining extensions MUST be padded to the first 32-bit 354 boundary and the overall length of the header extensions 355 adjusted accordingly. 357 * Payload is the encrypted payload from the outer SRTP packet. 359 o Apply the inner cryptographic transform to this synthetic SRTP 360 packet. Note if the RTP Sequence Number was changed by the Media 361 Distributor, the synthetic packet has the original Sequence 362 Number. If the integrity check does not pass, discard the packet. 363 If decrypting RTP header extensions end-to-end, then [RFC6904] 364 MUST be used when decrypting the RTP packet using the inner 365 cryptographic context. 367 Once the packet has been successfully decrypted, the application 368 needs to be careful about which information it uses to get the 369 correct behavior. The application MUST use only the information 370 found in the synthetic SRTP packet and MUST NOT use the other data 371 that was in the outer SRTP packet with the following exceptions: 373 o The PT from the outer SRTP packet is used for normal matching to 374 SDP and codec selection. 376 o The sequence number from the outer SRTP packet is used for normal 377 RTP ordering. 379 The PT and sequence number from the inner SRTP packet can be used for 380 collection of various statistics. 382 If any of the following RTP headers extensions are found in the outer 383 SRTP packet, they MAY be used: 385 o Mixer-to-client audio level indicators (See [RFC6465]) 387 6. RTCP Operations 389 Unlike RTP, which is encrypted both hop-by-hop and end-to-end using 390 two separate cryptographic contexts, RTCP is encrypted using only the 391 outer (HBH) cryptographic context. The procedures for RTCP 392 encryption are specified in [RFC3711] and this document introduces no 393 additional steps. 395 7. Recommended Inner and Outer Cryptographic Transforms 397 This specification recommends and defines AES-GCM as both the inner 398 and outer cryptographic transforms, identified as 399 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and 400 DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These transforms provide 401 for authenticated encryption and will consume additional processing 402 time double-encrypting for HBH and E2E. However, the approach is 403 secure and simple, and is thus viewed as an acceptable trade-off in 404 processing efficiency. 406 Note that names for the cryptographic transforms are of the form 407 DOUBLE_(inner transform)_(outer transform). 409 While this document only defines a profile based on AES-GCM, it is 410 possible for future documents to define further profiles with 411 different inner and outer transforms in this same framework. For 412 example, if a new SRTP transform was defined that encrypts some or 413 all of the RTP header, it would be reasonable for systems to have the 414 option of using that for the outer transform. Similarly, if a new 415 transform was defined that provided only integrity, that would also 416 be reasonable to use for the HBH as the payload data is already 417 encrypted by the E2E. 419 The AES-GCM cryptographic transform introduces an additional 16 420 octets to the length of the packet. When using AES-GCM for both the 421 inner and outer cryptographic transforms, the total additional length 422 is 32 octets. If no other header extensions are present in the 423 packet and the OHB is introduced, that will consume an additional 8 424 octets. If other extensions are already present, the OHB will 425 consume up to 4 additional octets. 427 8. Security Considerations 429 To summarize what is encrypted and authenticated, we will refer to 430 all the RTP fields and headers created by the sender and before the 431 pay load as the initial envelope and the RTP payload information with 432 the media as the payload. Any additional headers added by the Media 433 Distributor are referred to as the extra envelope. The sender uses 434 the E2E key to encrypts the payload and authenticate the payload + 435 initial envelope which using an AEAD cipher results in a slight 436 longer new payload. Then the sender uses the HBH key to encrypt the 437 new payload and authenticate the initial envelope and new payload. 439 The Media Distributor has the HBH key so it can check the 440 authentication of the received packet across the initial envelope and 441 payload data but it can't decrypt the payload as it does not have the 442 E2E key. It can add extra envelope information. It then 443 authenticates the initial plus extra envelope information plus 444 payload with a HBH key. This HBH for the outgoing packet is 445 typically different than the HBH key for the incoming packet. 447 The receiver can check the authentication of the initial and extra 448 envelope information. This, along with the OHB, is used to construct 449 a synthetic packet that is should be identical to one the sender 450 created and the receiver can check that it is identical and then 451 decrypt the original payload. 453 The end result is that if the authentications succeed, the receiver 454 knows exactly what the original sender sent, as well as exactly which 455 modifications were made by the Media Distributor. 457 It is obviously critical that the intermediary has only the outer 458 transform parameters and not the inner transform parameters. We rely 459 on an external key management protocol to assure this property. 461 Modifications by the intermediary result in the recipient getting two 462 values for changed parameters (original and modified). The recipient 463 will have to choose which to use; there is risk in using either that 464 depends on the session setup. 466 The security properties for both the inner and outer key holders are 467 the same as the security properties of classic SRTP. 469 9. IANA Considerations 470 9.1. RTP Header Extension 472 This document defines a new extension URI in the RTP Compact Header 473 Extensions part of the Real-Time Transport Protocol (RTP) Parameters 474 registry, according to the following data: 476 Extension URI: urn:ietf:params:rtp-hdrext:ohb 478 Description: Original Header Block 480 Contact: Cullen Jennings 482 Reference: RFCXXXX 484 Note to RFC Editor: Replace RFCXXXX with the RFC number of this 485 specification. 487 9.2. DTLS-SRTP 489 We request IANA to add the following values to defines a DTLS-SRTP 490 "SRTP Protection Profile" defined in [RFC5764]. 492 +-------+------------------------------------------+-----------+ 493 | Value | Profile | Reference | 494 +-------+------------------------------------------+-----------+ 495 | {TBD} | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX | 496 | {TBD} | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX | 497 +-------+------------------------------------------+-----------+ 499 Note to IANA: Please assign value RFCXXXX and update table to point 500 at this RFC for these values. 502 The SRTP transform parameters for each of these protection are: 504 DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM 505 cipher: AES_128_GCM then AES_128_GCM 506 cipher_key_length: 256 bits 507 cipher_salt_length: 192 bits 508 aead_auth_tag_length: 32 octets 509 auth_function: NULL 510 auth_key_length: N/A 511 auth_tag_length: N/A 512 maximum lifetime: at most 2^31 SRTCP packets and 513 at most 2^48 SRTP packets 515 DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM 516 cipher: AES_256_GCM then AES_256_GCM 517 cipher_key_length: 512 bits 518 cipher_salt_length: 192 bits 519 aead_auth_tag_length: 32 octets 520 auth_function: NULL 521 auth_key_length: N/A 522 auth_tag_length: N/A 523 maximum lifetime: at most 2^31 SRTCP packets and 524 at most 2^48 SRTP packets 526 The first half of the key and salt is used for the inner (E2E) 527 transform and the second half is used for the outer (HBH) transform. 529 10. Acknowledgments 531 Many thanks to Richard Barnes for sending significant text for this 532 specification. Thank you for reviews and improvements from David 533 Benham, Paul Jones, Suhas Nandakumar, Nils Ohlmeier, and Magnus 534 Westerlund. 536 11. References 538 11.1. Normative References 540 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 541 Requirement Levels", BCP 14, RFC 2119, 542 DOI 10.17487/RFC2119, March 1997, 543 . 545 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 546 Norrman, "The Secure Real-time Transport Protocol (SRTP)", 547 RFC 3711, DOI 10.17487/RFC3711, March 2004, 548 . 550 [RFC5285] Singer, D. and H. Desineni, "A General Mechanism for RTP 551 Header Extensions", RFC 5285, DOI 10.17487/RFC5285, July 552 2008, . 554 [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer 555 Security (DTLS) Extension to Establish Keys for the Secure 556 Real-time Transport Protocol (SRTP)", RFC 5764, 557 DOI 10.17487/RFC5764, May 2010, 558 . 560 [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure 561 Real-time Transport Protocol (SRTP)", RFC 6904, 562 DOI 10.17487/RFC6904, April 2013, 563 . 565 [RFC7714] McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption 566 in the Secure Real-time Transport Protocol (SRTP)", 567 RFC 7714, DOI 10.17487/RFC7714, December 2015, 568 . 570 11.2. Informative References 572 [I-D.ietf-perc-dtls-tunnel] 573 Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel 574 between a Media Distributor and Key Distributor to 575 Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-00 576 (work in progress), March 2017. 578 [I-D.ietf-perc-private-media-framework] 579 Jones, P., Benham, D., and C. Groves, "A Solution 580 Framework for Private Media in Privacy Enhanced RTP 581 Conferencing", draft-ietf-perc-private-media-framework-03 582 (work in progress), March 2017. 584 [I-D.ietf-perc-srtp-ekt-diet] 585 Jennings, C., Mattsson, J., McGrew, D., and D. Wing, 586 "Encrypted Key Transport for Secure RTP", draft-ietf-perc- 587 srtp-ekt-diet-03 (work in progress), March 2017. 589 [RFC6465] Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real- 590 time Transport Protocol (RTP) Header Extension for Mixer- 591 to-Client Audio Level Indication", RFC 6465, 592 DOI 10.17487/RFC6465, December 2011, 593 . 595 Authors' Addresses 597 Cullen Jennings 598 Cisco Systems 600 Email: fluffy@iii.ca 602 Paul E. Jones 603 Cisco Systems 605 Email: paulej@packetizer.com 607 Adam Roach 608 Mozilla 610 Email: adam@nostrum.com