| draft-ietf-sipbrandy-osrtp-08.txt | draft-ietf-sipbrandy-osrtp-09.txt | |||
|---|---|---|---|---|
| SIPBRANDY Working Group A. Johnston | SIPBRANDY Working Group A. Johnston | |||
| Internet-Draft Villanova University | Internet-Draft Villanova University | |||
| Intended status: Informational B. Aboba | Intended status: Informational B. Aboba | |||
| Expires: September 27, 2019 Microsoft | Expires: November 2, 2019 Microsoft | |||
| A. Hutton | A. Hutton | |||
| Atos | Atos | |||
| R. Jesske | R. Jesske | |||
| Deutsche Telekom | Deutsche Telekom | |||
| T. Stach | T. Stach | |||
| Unaffiliated | Unaffiliated | |||
| March 26, 2019 | May 1, 2019 | |||
| An Opportunistic Approach for Secure Real-time Transport Protocol | An Opportunistic Approach for Secure Real-time Transport Protocol | |||
| (OSRTP) | (OSRTP) | |||
| draft-ietf-sipbrandy-osrtp-08 | draft-ietf-sipbrandy-osrtp-09 | |||
| Abstract | Abstract | |||
| Opportunistic Secure Real-time Transport Protocol (OSRTP) is an | Opportunistic Secure Real-time Transport Protocol (OSRTP) is an | |||
| implementation of the Opportunistic Security mechanism, as defined in | implementation of the Opportunistic Security mechanism, as defined in | |||
| RFC 7435, applied to Real-time Transport Protocol (RTP). OSRTP | RFC 7435, applied to Real-time Transport Protocol (RTP). OSRTP | |||
| allows encrypted media to be used in environments where support for | allows encrypted media to be used in environments where support for | |||
| encryption is not known in advance, and not required. OSRTP does not | encryption is not known in advance, and not required. OSRTP does not | |||
| require SDP extensions or features and is fully backwards compatible | require SDP extensions or features and is fully backwards compatible | |||
| with existing implementations using encrypted and authenticated media | with existing implementations using encrypted and authenticated media | |||
| skipping to change at page 1, line 49 ¶ | skipping to change at page 1, line 49 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 27, 2019. | This Internet-Draft will expire on November 2, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 31 ¶ | skipping to change at page 2, line 31 ¶ | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Applicability Statement . . . . . . . . . . . . . . . . . 3 | 1.1. Applicability Statement . . . . . . . . . . . . . . . . . 3 | |||
| 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. SDP Offer/Answer Considerations . . . . . . . . . . . . . . . 3 | 3. SDP Offer/Answer Considerations . . . . . . . . . . . . . . . 3 | |||
| 3.1. Generating the Initial OSRTP Offer . . . . . . . . . . . 4 | 3.1. Generating the Initial OSRTP Offer . . . . . . . . . . . 4 | |||
| 3.2. Generating the Answer . . . . . . . . . . . . . . . . . . 4 | 3.2. Generating the Answer . . . . . . . . . . . . . . . . . . 4 | |||
| 3.3. Offerer Processing the Answer . . . . . . . . . . . . . . 4 | 3.3. Offerer Processing the Answer . . . . . . . . . . . . . . 4 | |||
| 3.4. Modifying the Session . . . . . . . . . . . . . . . . . . 5 | 3.4. Modifying the Session . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 5 | 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 6 | |||
| 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 | 8.1. Normative References . . . . . . . . . . . . . . . . . . 7 | |||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 8 | 8.2. Informative References . . . . . . . . . . . . . . . . . 8 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 1. Introduction | 1. Introduction | |||
| Opportunistic Security [RFC7435] (OS) is an approach to security that | Opportunistic Security [RFC7435] (OS) is an approach to security that | |||
| defines a third mode for security between "cleartext" and | defines a third mode for security between "cleartext" and | |||
| "comprehensive protection" that allows encryption and authentication | "comprehensive protection" that allows encryption and authentication | |||
| of media to be used if supported but will not result in failures if | of media to be used if supported but will not result in failures if | |||
| it is not supported. In terms of secure media, cleartext is RTP | it is not supported. In terms of secure media, cleartext is RTP | |||
| [RFC3550] media which is negotiated with the RTP/AVP (Audio Video | [RFC3550] media which is negotiated with the RTP/AVP (Audio Video | |||
| Profile) [RFC3551] or the RTP/AVPF profile [RFC4585]. Comprehensive | Profile) [RFC3551] or the RTP/AVPF profile [RFC4585]. Comprehensive | |||
| skipping to change at page 5, line 36 ¶ | skipping to change at page 5, line 36 ¶ | |||
| For SDP Security Descriptions key agreement [RFC4568], an | For SDP Security Descriptions key agreement [RFC4568], an | |||
| authenticated signaling channel does not need to be used with | authenticated signaling channel does not need to be used with | |||
| OSRTP if it is not available, although an encrypted signaling | OSRTP if it is not available, although an encrypted signaling | |||
| channel must still be used. | channel must still be used. | |||
| For ZRTP key agreement [RFC6189], the security considerations are | For ZRTP key agreement [RFC6189], the security considerations are | |||
| unchanged, since ZRTP does not rely on the security of the | unchanged, since ZRTP does not rely on the security of the | |||
| signaling channel. | signaling channel. | |||
| While OSRTP does not require authentication of the key-agreement | ||||
| mechanism, it does need to avoid exposing SRTP keys to eavesdroppers, | ||||
| since this could enable passive attacks against SRTP. Section 8.3 of | ||||
| [RFC7435] requires that any messages that contain SRTP keys be | ||||
| encrypted, and further says that encryption "SHOULD" provide end-to- | ||||
| end confidentiality protection if intermediaries that could inspect | ||||
| the SDP message are present. At the time of this writing, it is | ||||
| understood that the [RFC7435] requirement for end-to-end | ||||
| confidentiality protection is commonly ignored. Therefore, if OSRTP | ||||
| is used with SDP Security Descriptions, any such intermediaries | ||||
| (e.g., SIP proxies) must be assumed to have access to the SRTP keys. | ||||
| As discussed in [RFC7435], OSRTP is used in cases where support for | As discussed in [RFC7435], OSRTP is used in cases where support for | |||
| encryption by the other party is not known in advance, and not | encryption by the other party is not known in advance, and not | |||
| required. For cases where it is known that the other party supports | required. For cases where it is known that the other party supports | |||
| SRTP or SRTP needs to be used, OSRTP MUST NOT be used. Instead, a | SRTP or SRTP needs to be used, OSRTP MUST NOT be used. Instead, a | |||
| secure profile of RTP is used in the offer. | secure profile of RTP is used in the offer. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| This document has no actions for IANA. | This document has no actions for IANA. | |||
| End of changes. 8 change blocks. | ||||
| 9 lines changed or deleted | 21 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||