draft-ietf-avt-srtp-not-mandatory-01.txt   draft-ietf-avt-srtp-not-mandatory-02.txt 
Network Working Group C. Perkins Network Working Group C. Perkins
Internet-Draft University of Glasgow Internet-Draft University of Glasgow
Intended status: Informational M. Westerlund Intended status: Informational M. Westerlund
Expires: May 6, 2009 Ericsson Expires: September 10, 2009 Ericsson
November 2, 2008 March 9, 2009
Why RTP Does Not Mandate a Single Security Mechanism Why RTP Does Not Mandate a Single Security Mechanism
draft-ietf-avt-srtp-not-mandatory-01.txt draft-ietf-avt-srtp-not-mandatory-02.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any This Internet-Draft is submitted to IETF in full conformance with the
applicable patent or other IPR claims of which he or she is aware provisions of BCP 78 and BCP 79.
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 6, 2009. This Internet-Draft will expire on September 10, 2009.
Copyright Notice Copyright Notice
Copyright (C) The IETF Trust (2008). Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
Abstract Abstract
This memo discusses the problem of securing real-time multimedia This memo discusses the problem of securing real-time multimedia
sessions, and explains why the Real-time Transport Protocol (RTP) sessions, and explains why the Real-time Transport Protocol (RTP)
does not mandate a single media security mechanism. does not mandate a single media security mechanism.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. RTP Applications and Deployment Scenarios . . . . . . . . . . 3 2. RTP Applications and Deployment Scenarios . . . . . . . . . . 3
3. Implications for RTP Media Security . . . . . . . . . . . . . 4 3. Implications for RTP Media Security . . . . . . . . . . . . . 4
4. Implications for Key Management . . . . . . . . . . . . . . . 5 4. Implications for Key Management . . . . . . . . . . . . . . . 5
5. On the Requirement for Strong Security in IETF protocols . . . 6 5. On the Requirement for Strong Security in IETF protocols . . . 6
6. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 7 6. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 7
7. Security Considerations . . . . . . . . . . . . . . . . . . . 7 7. Security Considerations . . . . . . . . . . . . . . . . . . . 7
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7
9. Informative References . . . . . . . . . . . . . . . . . . . . 7 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 9 10. Informative References . . . . . . . . . . . . . . . . . . . . 8
Intellectual Property and Copyright Statements . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 10
1. Introduction 1. Introduction
The Real-time Transport Protocol (RTP) [1] is widely used for voice The Real-time Transport Protocol (RTP) [RFC3550] is widely used for
over IP, Internet television, video conferencing, and various other voice over IP, Internet television, video conferencing, and various
real-time and streaming media applications. Despite this, the base other real-time and streaming media applications. Despite this, the
RTP specification provides very limited options for media security, base RTP specification provides very limited options for media
and defines no standard key exchange mechanism. Rather, a number of security, and defines no standard key exchange mechanism. Rather, a
extensions are defined to provide confidentiality and authentication number of extensions are defined to provide confidentiality and
of media streams, and to exchange security keys. This memo outlines authentication of media streams, and to exchange security keys. This
why it is appropriate that multiple extension mechanisms are defined, memo outlines why it is appropriate that multiple extension
rather than mandating a single media security and keying mechanism. mechanisms are defined, rather than mandating a single media security
and keying mechanism.
This memo provides information for the community; it does not specify This memo provides information for the community; it does not specify
a standard of any kind. a standard of any kind.
The structure of this memo is as follows: we begin, in Section 2 by The structure of this memo is as follows: we begin, in Section 2 by
describing the scenarios in which RTP is deployed. Following this, describing the scenarios in which RTP is deployed. Following this,
Section 3 outlines the implications of this range of scenarios for Section 3 outlines the implications of this range of scenarios for
media confidentially and authentication, and Section 4 outlines the media confidentially and authentication, and Section 4 outlines the
implications for key exchange. Section 5 outlines how the RTP implications for key exchange. Section 5 outlines how the RTP
framework meets the requirement of BCP 61. Section 6 then concludes framework meets the requirement of BCP 61. Section 6 then concludes
skipping to change at page 3, line 47 skipping to change at page 3, line 48
o Centralised group video conferencing with a multipoint conference o Centralised group video conferencing with a multipoint conference
unit (MCU) unit (MCU)
o Any Source Multicast video conferencing (light-weight sessions; o Any Source Multicast video conferencing (light-weight sessions;
Mbone conferencing) Mbone conferencing)
o Point-to-point streaming audio and/or video o Point-to-point streaming audio and/or video
o Single Source Multicast streaming to large group (IPTV and MBMS o Single Source Multicast streaming to large group (IPTV and MBMS
[2]) [MBMS])
o Replicated unicast streaming to a group o Replicated unicast streaming to a group
o Interconnecting components in music production studios and video o Interconnecting components in music production studios and video
editing suites editing suites
o Interconnecting components of distributed simulation systems o Interconnecting components of distributed simulation systems
o Streaming real-time sensor data o Streaming real-time sensor data
As can be seen, these scenarios vary from point-to-point to very As can be seen, these scenarios vary from point-to-point to very
large multicast groups, from interactive to non-interactive, and from large multicast groups, from interactive to non-interactive, and from
low bandwidth (kilobits per second) to very high bandwidth (multiple low bandwidth (kilobits per second) to very high bandwidth (multiple
gigabits per second). While most of these applications run over UDP, gigabits per second). While most of these applications run over UDP
some use TCP or DCCP as their underlying transport. Some run on [RFC0768], some use TCP [RFC0793], [RFC4614] or DCCP [RFC4340] as
highly reliable optical networks, others use low rate unreliable their underlying transport. Some run on highly reliable optical
wireless networks. Some applications of RTP operate entirely within networks, others use low rate unreliable wireless networks. Some
a single trust domain, others are inter-domain, with untrusted (and applications of RTP operate entirely within a single trust domain,
potentially unknown) users. The range of scenarios is wide, and others are inter-domain, with untrusted (and potentially unknown)
growing both in number and in heterogeneity. users. The range of scenarios is wide, and growing both in number
and in heterogeneity.
3. Implications for RTP Media Security 3. Implications for RTP Media Security
The wide range of application scenarios where RTP is used has led to The wide range of application scenarios where RTP is used has led to
the development of multiple solutions for media security, considering the development of multiple solutions for media security, considering
different requirements. Perhaps the most widely applicable of these different requirements. Perhaps the most widely applicable of these
solutions is the Secure RTP (SRTP) framework [3]. This is an solutions is the Secure RTP (SRTP) framework [RFC3711]. This is an
application-level media security solution, encrypting the media application-level media security solution, encrypting the media
payload data (but not the RTP headers) to provide some degree of payload data (but not the RTP headers) to provide some degree of
confidentiality, and providing optional source origin authentication. confidentiality, and providing optional source origin authentication.
It was carefully designed to be both low overhead, and to support the It was carefully designed to be both low overhead, and to support the
group communication features of RTP, across a range of networks. group communication features of RTP, across a range of networks.
SRTP is not the only media security solution in use, however, and SRTP is not the only media security solution in use, however, and
alternatives are more appropriate for some scenarios. For example, alternatives are more appropriate for some scenarios. For example,
many client-server streaming media applications run over a single TCP many client-server streaming media applications can run over a single
connection, multiplexing media data with control information on that TCP connection, multiplexing media data with control information on
connection (for example, on an RTSP connection). The natural way to that connection (RTSP [I-D.ietf-mmusic-rfc2326bis] is a widely used
provide media security for such client-server media applications is example of such a protocol). The natural way to provide media
to use TLS to protect the TCP connection, sending the RTP media data security for such client-server media applications is to use TLS
[RFC5246] to protect the TCP connection, sending the RTP media data
over the TLS connection. Using the SRTP framework in addition to TLS over the TLS connection. Using the SRTP framework in addition to TLS
is unncessary, and would result in double encryption of the media, is unncessary, and would result in double encryption of the media,
and SRTP cannot be used instead of TLS since it is RTP-specific, and and SRTP cannot be used instead of TLS since it is RTP-specific, and
so cannot protect the control traffic. so cannot protect the control traffic.
Other RTP use cases work over networks which provide security at the Other RTP use cases work over networks which provide security at the
network layer, using IPsec. For example, certain 3GPP networks need network layer, using IPsec. For example, certain 3GPP networks need
IPsec security associations for other purposes, and can reuse those IPsec security associations for other purposes, and can reuse those
to secure the RTP session [4]. SRTP is, again, unnecessary in such to secure the RTP session [3GPP.33.210]. SRTP is, again, unnecessary
environments, and its use would only introduce overhead for no gain. in such environments, and its use would only introduce overhead for
no gain.
For some applications it is sufficient to protect the RTP payload For some applications it is sufficient to protect the RTP payload
data while leaving RTP, transport, and network layer headers data while leaving RTP, transport, and network layer headers
unprotected. An example of this is RTP broadcast over DVB-H [5], unprotected. An example of this is RTP broadcast over DVB-H
where one mode of operation uses ISMAcryp to protect the media data [ETSI.TS.102.474], where one mode of operation uses ISMAcryp
only. (http://www.isma.tv) to protect the media data only.
Finally, the link layer may be secure, and it may be known that the Finally, the link layer may be secure, and it may be known that the
RTP media data is constrained to that single link (for example, when RTP media data is constrained to that single link (for example, when
operating in a studio environment, with physical link security). An operating in a studio environment, with physical link security). An
environment like this is inherently constrained, but might avoid the environment like this is inherently constrained, but might avoid the
need for application, transport, or network layer media security. need for application, transport, or network layer media security.
All these are application scenarios where RTP has seen commerical All these are application scenarios where RTP has seen commerical
deployment. Other use case also exist, with additional requirements. deployment. Other use case also exist, with additional requirements.
There is no media security protocol that is appropriate for all these There is no media security protocol that is appropriate for all these
skipping to change at page 5, line 34 skipping to change at page 5, line 37
With such a diverse range of use case come a range of different With such a diverse range of use case come a range of different
protocols for RTP session establishment. Mechanisms used to provide protocols for RTP session establishment. Mechanisms used to provide
security keying for these different session establishment protocols security keying for these different session establishment protocols
can basically be put into two categories: inband and out-of-band in can basically be put into two categories: inband and out-of-band in
relation to the session establishment mechanism. The requirements relation to the session establishment mechanism. The requirements
for these solutions are highly varying. Thus a wide range of for these solutions are highly varying. Thus a wide range of
solutions have been developed in this space: solutions have been developed in this space:
o The most common use case for RTP is probably point-to-point voice o The most common use case for RTP is probably point-to-point voice
calls or centralised group conferences, negotiated using SIP with calls or centralised group conferences, negotiated using SIP
the SDP offer/answer model, operating on a trusted infrastructure. [RFC3261] with the SDP offer/answer model [RFC3264], operating on
In such environments, SDP security descriptions [6] or the MIKEY a trusted infrastructure. In such environments, SDP security
[7] protocol are appropriate keying mechanisms, piggybacked onto descriptions [RFC4568] or the MIKEY [RFC4567] protocol are
the SDP exchange. The infrastructure may be secured by protecting appropriate keying mechanisms, piggybacked onto the SDP [RFC4566]
the SIP exchange using SIPS or S/MIME, for example. exchange. The infrastructure may be secured by protecting the SIP
exchange using TLS or S/MIME, for example [RFC3261].
o Point-to-point RTP sessions may be negotiated using SIP with the o Point-to-point RTP sessions may be negotiated using SIP with the
offer/answer model, but operating over a network with untrusted offer/answer model, but operating over a network with untrusted
infrastructure. In such environments, the key management protocol infrastructure. In such environments, the key management protocol
is run on the media path, bypassing the untrusted infrastructure. is run on the media path, bypassing the untrusted infrastructure.
Protocols such as DTLS [8] or ZRTP [9] are useful here. Protocols such as DTLS [I-D.ietf-avt-dtls-srtp] or ZRTP
[I-D.zimmermann-avt-zrtp] are useful here.
o For point-to-point client-server streaming of RTP over RTSP [10], o For point-to-point client-server streaming of RTP over RTSP, a TLS
a TLS association is appropriate to manage keying material, in association is appropriate to manage keying material, in much the
much the same manner as would be used to secure an HTTP session. same manner as would be used to secure an HTTP session.
o A session description may be sent by email, secured using X.500 or o A session description may be sent by email, secured using X.500 or
PGP, or retrieved from a web page, using HTTP with TLS. PGP, or retrieved from a web page, using HTTP with TLS.
o A session description may be distributed to a multicast group o A session description may be distributed to a multicast group
using SAP or FLUTE secured with S/MIME. using SAP or FLUTE secured with S/MIME.
o A session description may be distributed using OMA's DRM key o A session description may be distributed using the Open Mobile
management [11] with pointer for point to point streaming setup Alliance DRM key management specification [OMA-DRM] when using a
with RTSP in 3GPP [12]. point-to-point streaming session setup with RTSP in the 3GPP PSS
environment [PSS].
o In the 3GPP MBMS system, HTTP and MIKEY are used for key o In the 3GPP Multimedia Broadcast Multicast Service (MBMS) system,
management [13]. HTTP and MIKEY are used for key management [MBMS-SEC].
A more detailed survey of requirements for media security management A more detailed survey of requirements for media security management
protocols can be found in [14]. As can be seen, the range of use protocols can be found in [I-D.ietf-sip-media-security-requirements].
cases is wide, and there is no single protocol that is appropriate As can be seen, the range of use cases is wide, and there is no
for all scenarios. These solutions have be further diversified by single protocol that is appropriate for all scenarios. These
the existence of infrastructure elements such as authentication solutions have been further diversified by the existence of
solutions that are tied into the key manangement. infrastructure elements such as authentication solutions that are
tied into the key manangement.
5. On the Requirement for Strong Security in IETF protocols 5. On the Requirement for Strong Security in IETF protocols
BCP 61 [15] puts a requirement on IETF protocols to provide strong, BCP 61 [RFC3365] puts a requirement on IETF protocols to provide
mandatory to implement, security solutions. This is actually quite a strong, mandatory to implement, security solutions. This is actually
difficult requirement for any type of framework protocol, like RTP, quite a difficult requirement for any type of framework protocol,
since one can never know all the deployement scenarios, and if they like RTP, since one can never know all the deployment scenarios, and
are covered by the security solution. It would clearly be desirable if they are covered by the security solution. It would clearly be
if a single media security solution and a single key management desirable if a single media security solution and a single key
solution could be developed, satisfying the range of use cases for management solution could be developed, satisfying the range of use
RTP. The authors are not aware of any such solution, however, and it cases for RTP. The authors are not aware of any such solution,
is not clear that any single solution can be developed. however, and it is not clear that any single solution can be
developed.
For a framework protocol it appears that the only sensible solution For a framework protocol it appears that the only sensible solution
to the requirement of BCP 61 is to develop or use security building to the requirement of BCP 61 is to develop or use security building
blocks, like SRTP, SDES, MIKEY, DTLS, or IPsec, to provide the basic blocks, like SRTP, SDP security descriptions [RFC4568], MIKEY, DTLS,
security services of authorization, data integrity protocetion and or IPsec, to provide the basic security services of authorization,
date confidentiality protection. When new usages of the RTP data integrity protection and date confidentiality protection. When
framework arise, one needs to analyze the situation, to determine of new usages of the RTP framework arise, one needs to analyze the
the existing building blocks satisfy the requirements. If not, it is situation, to determine if the existing building blocks satisfy the
necessary to develop new security building blocks. requirements. If not, it is necessary to develop new security
building blocks.
When it comes to fulfilling the "MUST Implement" strong security for When it comes to fulfilling the "MUST Implement" strong security for
a specific application, it will fall on that application to actually a specific application, it will fall on that application to actually
consider what building blocks it is required to support. To maximize consider what building blocks it is required to support. To maximize
interoperability it is desirable if certain applications, or classes interoperability it is desirable if certain applications, or classes
of application with similar requirements, agree on what data security of application with similar requirements, agree on what data security
mechanisms and key-management should be used. If such agreement is mechanisms and key-management should be used. If such agreement is
not possible, there will be increased cost, either in the lack of not possible, there will be increased cost, either in the lack of
interoperability, or in the need to implement more solutions. interoperability, or in the need to implement more solutions.
Unfortunately this situation, if not handled reasonably well, can Unfortunately this situation, if not handled reasonably well, can
result in a failure to satisfy the requirement of providing the users result in a failure to satisfy the requirement of providing the users
with an option of turining on strong security when desired. with an option of turning on strong security when desired.
6. Conclusions 6. Conclusions
As discussed earlier it appears that a single solution can't be As discussed earlier it appears that a single solution can't be
designed to meet the diverse requirements. In the absense of such a designed to meet the diverse requirements. In the absence of such a
solution, it is hoped that this memo explains why SRTP is not solution, it is hoped that this memo explains why SRTP is not
mandatory as the media security solution for RTP-based systems, and mandatory as the media security solution for RTP-based systems, and
why we can expect multiple key management solutions for systems using why we can expect multiple key management solutions for systems using
RTP. RTP.
It is important for any RTP-based application to consider how it It is important for any RTP-based application to consider how it
meets the security requirements. This will require some analysis to meets the security requirements. This will require some analysis to
determine these requirements, followed by a selection of a mandatory determine these requirements, followed by the selection of a
to implement solution, or in exceptional scenarios several solutions, mandatory to implement solution, or in exceptional scenarios several
including the desired RTP traffic protection and key-management. solutions, including the desired RTP traffic protection and key-
SRTP is a preferred solution for the protection of the RTP traffic in management. SRTP is a preferred solution for the protection of the
those use cases where it is applicable. It is out of scope for this RTP traffic in those use cases where it is applicable. It is out of
memo to recommend a preferred key management solution. scope for this memo to recommend a preferred key management solution.
7. Security Considerations 7. Security Considerations
This entire memo is about security. This entire memo is about security.
8. IANA Considerations 8. IANA Considerations
No IANA actions are required. No IANA actions are required.
9. Informative References 9. Acknowledgements
[1] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson,
"RTP: A Transport Protocol for Real-Time Applications", STD 64,
RFC 3550, July 2003.
[2] 3GPP, "Multimedia Broadcast/Multicast Service (MBMS); Protocols Thanks to Ralph Blom, Hannes Tschofenig, Dan York, Alfred Hoenes, and
and codecs TS 26.346". Martin Ellis for their feedback.
[3] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. 10. Informative References
Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, March 2004.
[4] 3GPP, "IP network layer security", 3GPP TS 33.210, [3GPP.33.210]
3GPP, "IP network layer security", 3GPP TS 33.210,
September 2008. September 2008.
[5] ETSI, "Digital Video Broadcasting (DVB); IP Datacast over [ETSI.TS.102.474]
ETSI, "Digital Video Broadcasting (DVB); IP Datacast over
DVB-H: Service Purchase and Protection", ETSI TS 102 474, DVB-H: Service Purchase and Protection", ETSI TS 102 474,
November 2007. November 2007.
[6] Andreasen, F., Baugher, M., and D. Wing, "Session Description [I-D.ietf-avt-dtls-srtp]
Protocol (SDP) Security Descriptions for Media Streams", McGrew, D. and E. Rescorla, "Datagram Transport Layer
RFC 4568, July 2006. Security (DTLS) Extension to Establish Keys for Secure
Real-time Transport Protocol (SRTP)",
[7] Arkko, J., Lindholm, F., Naslund, M., Norrman, K., and E. draft-ietf-avt-dtls-srtp-06 (work in progress),
Carrara, "Key Management Extensions for Session Description October 2008.
Protocol (SDP) and Real Time Streaming Protocol (RTSP)",
RFC 4567, July 2006.
[8] McGrew, D. and E. Rescorla, "Datagram Transport Layer Security [I-D.ietf-mmusic-rfc2326bis]
(DTLS) Extension to Establish Keys for Secure Real-time Schulzrinne, H., Rao, A., Lanphier, R., Westerlund, M.,
Transport Protocol (SRTP)", draft-ietf-avt-dtls-srtp-06 (work and M. Stiemerling, "Real Time Streaming Protocol 2.0
in progress), October 2008. (RTSP)", draft-ietf-mmusic-rfc2326bis-19 (work in
progress), November 2008.
[9] Zimmermann, P., Johnston, A., and J. Callas, "ZRTP: Media Path [I-D.ietf-sip-media-security-requirements]
Key Agreement for Secure RTP", draft-zimmermann-avt-zrtp-10 Wing, D., Fries, S., Tschofenig, H., and F. Audet,
"Requirements and Analysis of Media Security Management
Protocols", draft-ietf-sip-media-security-requirements-08
(work in progress), October 2008. (work in progress), October 2008.
[10] Schulzrinne, H., Rao, A., Lanphier, R., Westerlund, M., and M. [I-D.zimmermann-avt-zrtp]
Stiemerling, "Real Time Streaming Protocol 2.0 (RTSP)", Zimmermann, P., Johnston, A., and J. Callas, "ZRTP: Media
draft-ietf-mmusic-rfc2326bis-18 (work in progress), May 2008. Path Key Agreement for Secure RTP",
draft-zimmermann-avt-zrtp-10 (work in progress),
[11] Open Mobile Alliance, "DRM Specification 2.0". October 2008.
[12] 3GPP, "Transparent end-to-end Packet-switched Streaming Service [MBMS] 3GPP, "Multimedia Broadcast/Multicast Service (MBMS);
(PSS); Protocols and codecs TS 26.234". Protocols and codecs TS 26.346".
[13] 3GPP, "Security of Multimedia Broadcast/Multicast Service [MBMS-SEC]
3GPP, "Security of Multimedia Broadcast/Multicast Service
(MBMS) TS 33.246". (MBMS) TS 33.246".
[14] Wing, D., Fries, S., Tschofenig, H., and F. Audet, [OMA-DRM] Open Mobile Alliance, "DRM Specification 2.0".
"Requirements and Analysis of Media Security Management
Protocols", draft-ietf-sip-media-security-requirements-08 (work
in progress), October 2008.
[15] Schiller, J., "Strong Security Requirements for Internet [PSS] 3GPP, "Transparent end-to-end Packet-switched Streaming
Engineering Task Force Standard Protocols", BCP 61, RFC 3365, Service (PSS); Protocols and codecs TS 26.234".
August 2002.
[RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768,
August 1980.
[RFC0793] Postel, J., "Transmission Control Protocol", STD 7,
RFC 793, September 1981.
[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston,
A., Peterson, J., Sparks, R., Handley, M., and E.
Schooler, "SIP: Session Initiation Protocol", RFC 3261,
June 2002.
[RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model
with Session Description Protocol (SDP)", RFC 3264,
June 2002.
[RFC3365] Schiller, J., "Strong Security Requirements for Internet
Engineering Task Force Standard Protocols", BCP 61,
RFC 3365, August 2002.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, July 2003.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, March 2004.
[RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram
Congestion Control Protocol (DCCP)", RFC 4340, March 2006.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, July 2006.
[RFC4567] Arkko, J., Lindholm, F., Naslund, M., Norrman, K., and E.
Carrara, "Key Management Extensions for Session
Description Protocol (SDP) and Real Time Streaming
Protocol (RTSP)", RFC 4567, July 2006.
[RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session
Description Protocol (SDP) Security Descriptions for Media
Streams", RFC 4568, July 2006.
[RFC4614] Duke, M., Braden, R., Eddy, W., and E. Blanton, "A Roadmap
for Transmission Control Protocol (TCP) Specification
Documents", RFC 4614, September 2006.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
Authors' Addresses Authors' Addresses
Colin Perkins Colin Perkins
University of Glasgow University of Glasgow
Department of Computing Science Department of Computing Science
Sir Alwyn Williams Building Sir Alwyn Williams Building
Lilybank Gardens Lilybank Gardens
Glasgow G12 8QQ Glasgow G12 8QQ
UK UK
Email: csp@csperkins.org Email: csp@csperkins.org
Magnus Westerlund Magnus Westerlund
Ericsson Ericsson
Torshamgatan 23 Torshamgatan 23
Stockholm SE-164 80 Stockholm SE-164 80
Sweden Sweden
Email: magnus.westerlund@ericsson.com Email: magnus.westerlund@ericsson.com
Full Copyright Statement
Copyright (C) The IETF Trust (2008).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
 End of changes. 38 change blocks. 
124 lines changed or deleted 182 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/