draft-ietf-perc-dtls-tunnel-08.txt   draft-ietf-perc-dtls-tunnel-09.txt 
Network Working Group P. Jones Network Working Group P. Jones
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Informational P. Ellenbogen Intended status: Informational P. Ellenbogen
Expires: 21 November 2021 Princeton University Expires: 15 December 2021 Princeton University
N. Ohlmeier N. Ohlmeier
Mozilla 8x8, Inc.
20 May 2021 13 June 2021
DTLS Tunnel between a Media Distributor and Key Distributor to DTLS Tunnel between a Media Distributor and Key Distributor to
Facilitate Key Exchange Facilitate Key Exchange
draft-ietf-perc-dtls-tunnel-08 draft-ietf-perc-dtls-tunnel-09
Abstract Abstract
This document defines a DTLS tunneling protocol for use in multimedia This document defines a DTLS tunneling protocol for use in multimedia
conferences that enables a Media Distributor to facilitate key conferences that enables a Media Distributor to facilitate key
exchange between an endpoint in a conference and the Key Distributor. exchange between an endpoint in a conference and the Key Distributor.
The protocol is designed to ensure that the keying material used for The protocol is designed to ensure that the keying material used for
hop-by-hop encryption and authentication is accessible to the media hop-by-hop encryption and authentication is accessible to the Media
distributor, while the keying material used for end-to-end encryption Distributor, while the keying material used for end-to-end encryption
and authentication is inaccessible to the media distributor. and authentication is inaccessible to the Media Distributor.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 21 November 2021. This Internet-Draft will expire on 15 December 2021.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used In This Document . . . . . . . . . . . . . . 3 2. Conventions Used In This Document . . . . . . . . . . . . . . 3
3. Tunneling Concept . . . . . . . . . . . . . . . . . . . . . . 3 3. Tunneling Concept . . . . . . . . . . . . . . . . . . . . . . 4
4. Example Message Flows . . . . . . . . . . . . . . . . . . . . 4 4. Example Message Flows . . . . . . . . . . . . . . . . . . . . 4
5. Tunneling Procedures . . . . . . . . . . . . . . . . . . . . 6 5. Tunneling Procedures . . . . . . . . . . . . . . . . . . . . 6
5.1. Endpoint Procedures . . . . . . . . . . . . . . . . . . . 6 5.1. Endpoint Procedures . . . . . . . . . . . . . . . . . . . 6
5.2. Tunnel Establishment Procedures . . . . . . . . . . . . . 6 5.2. Tunnel Establishment Procedures . . . . . . . . . . . . . 6
5.3. Media Distributor Tunneling Procedures . . . . . . . . . 7 5.3. Media Distributor Tunneling Procedures . . . . . . . . . 7
5.4. Key Distributor Tunneling Procedures . . . . . . . . . . 8 5.4. Key Distributor Tunneling Procedures . . . . . . . . . . 8
5.5. Versioning Considerations . . . . . . . . . . . . . . . . 10 5.5. Versioning Considerations . . . . . . . . . . . . . . . . 10
6. Tunneling Protocol . . . . . . . . . . . . . . . . . . . . . 10 6. Tunneling Protocol . . . . . . . . . . . . . . . . . . . . . 10
6.1. Tunnel Message Format . . . . . . . . . . . . . . . . . . 11 6.1. TunnelMessage Structure . . . . . . . . . . . . . . . . . 10
6.2. SupportedProfiles Message . . . . . . . . . . . . . . . . 11
6.3. UnsupportedVersion Message . . . . . . . . . . . . . . . 12
6.4. MediaKeys Message . . . . . . . . . . . . . . . . . . . . 12
6.5. TunneledDtls Message . . . . . . . . . . . . . . . . . . 13
6.6. EndpointDisconnect Message . . . . . . . . . . . . . . . 13
7. Example Binary Encoding . . . . . . . . . . . . . . . . . . . 13 7. Example Binary Encoding . . . . . . . . . . . . . . . . . . . 13
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14
9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 9. Security Considerations . . . . . . . . . . . . . . . . . . . 15
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16
11. Normative References . . . . . . . . . . . . . . . . . . . . 15 11. Normative References . . . . . . . . . . . . . . . . . . . . 16
12. Informative References . . . . . . . . . . . . . . . . . . . 16 12. Informative References . . . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17
1. Introduction 1. Introduction
An objective of Privacy-Enhanced RTP Conferencing (PERC) [RFC8871] is An objective of Privacy-Enhanced RTP Conferencing (PERC) [RFC8871] is
to ensure that endpoints in a multimedia conference have access to to ensure that endpoints in a multimedia conference have access to
the end-to-end (E2E) and hop-by-hop (HBH) keying material used to the end-to-end (E2E) and hop-by-hop (HBH) keying material used to
encrypt and authenticate Real-time Transport Protocol (RTP) [RFC3550] encrypt and authenticate Real-time Transport Protocol (RTP) [RFC3550]
packets, while the Media Distributor has access only to the HBH packets, while the Media Distributor has access only to the HBH
keying material for encryption and authentication. keying material for encryption and authentication.
This specification defines a tunneling protocol that enables the This specification defines a tunneling protocol that enables the
media distributor to tunnel DTLS [RFC6347] messages between an Media Distributor to tunnel DTLS [RFC6347] messages between an
endpoint and the key distributor, thus allowing an endpoint to use endpoint and the Key Distributor, thus allowing an endpoint to use
DTLS-SRTP [RFC5764] for establishing encryption and authentication DTLS-SRTP [RFC5764] for establishing encryption and authentication
keys with the key distributor. keys with the Key Distributor.
The tunnel established between the media distributor and key The tunnel established between the Media Distributor and Key
distributor is a TLS connection that is established before any Distributor is a TLS [RFC5246] connection that is established before
messages are forwarded by the media distributor on behalf of the any messages are forwarded by the Media Distributor on behalf of the
endpoint. DTLS packets received from the endpoint are encapsulated endpoint. DTLS packets received from the endpoint are encapsulated
by the media distributor inside this tunnel as data to be sent to the by the Media Distributor inside this tunnel as data to be sent to the
key distributor. Likewise, when the media distributor receives data Key Distributor. Likewise, when the Media Distributor receives data
from the key distributor over the tunnel, it extracts the DTLS from the Key Distributor over the tunnel, it extracts the DTLS
message inside and forwards the DTLS message to the endpoint. In message inside and forwards the DTLS message to the endpoint. In
this way, the DTLS association for the DTLS-SRTP procedures is this way, the DTLS association for the DTLS-SRTP procedures is
established between the endpoint and the key distributor, with the established between the endpoint and the Key Distributor, with the
media distributor simply forwarding packets between the two entities Media Distributor simply forwarding packets between the two entities
and having no visibility into the confidential information exchanged. and having no visibility into the confidential information exchanged.
Following the existing DTLS-SRTP procedures, the endpoint and key Following the existing DTLS-SRTP procedures, the endpoint and Key
distributor will arrive at a selected cipher and keying material, Distributor will arrive at a selected cipher and keying material,
which are used for HBH encryption and authentication by both the which are used for HBH encryption and authentication by both the
endpoint and the media distributor. However, since the media endpoint and the Media Distributor. However, since the Media
distributor would not have direct access to this information, the key Distributor would not have direct access to this information, the Key
distributor explicitly shares the HBH key information with the media Distributor explicitly shares the HBH key information with the Media
distributor via the tunneling protocol defined in this document. Distributor via the tunneling protocol defined in this document.
Additionally, the endpoint and key distributor will agree on a cipher Additionally, the endpoint and Key Distributor will agree on a cipher
for E2E encryption and authentication. The key distributor will for E2E encryption and authentication. The Key Distributor will
transmit keying material to the endpoint for E2E operations, but will transmit keying material to the endpoint for E2E operations, but will
not share that information with the media distributor. not share that information with the Media Distributor.
By establishing this TLS tunnel between the media distributor and key By establishing this TLS tunnel between the Media Distributor and Key
distributor and implementing the protocol defined in this document, Distributor and implementing the protocol defined in this document,
it is possible for the media distributor to facilitate the it is possible for the Media Distributor to facilitate the
establishment of a secure DTLS association between an endpoint and establishment of a secure DTLS association between an endpoint and
the key distributor in order for the endpoint to receive E2E and HBH the Key Distributor in order for the endpoint to receive E2E and HBH
keying material. At the same time, the key distributor can securely keying material. At the same time, the Key Distributor can securely
provide the HBH keying material to the media distributor. provide the HBH keying material to the Media Distributor.
2. Conventions Used In This Document 2. Conventions Used In This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP "OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119] [RFC8174] when, and only when, they appear in all 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
This document uses the terms "endpoint", "Media Distributor", and
"Key Distributor" defined in [RFC8871].
3. Tunneling Concept 3. Tunneling Concept
A TLS connection (tunnel) is established between the media A TLS connection (tunnel) is established between the Media
distributor and the key distributor. This tunnel is used to relay Distributor and the Key Distributor. This tunnel is used to relay
DTLS messages between the endpoint and key distributor, as depicted DTLS messages between the endpoint and Key Distributor, as depicted
in Figure 1: in Figure 1:
+-------------+ +-------------+
| Key | | Key |
| Distributor | | Distributor |
+-------------+ +-------------+
# ^ ^ # # ^ ^ #
# | | # <-- TLS Tunnel # | | # <-- TLS Tunnel
# | | # # | | #
+----------+ +-------------+ +----------+ +----------+ +-------------+ +----------+
| | DTLS | | DTLS | | | | DTLS | | DTLS | |
| Endpoint |<------------| Media |------------>| Endpoint | | Endpoint |<------------| Media |------------>| Endpoint |
| | to Key | Distributor | to Key | | | | to Key | Distributor | to Key | |
| | Distributor | | Distributor | | | | Distributor | | Distributor | |
+----------+ +-------------+ +----------+ +----------+ +-------------+ +----------+
Figure 1: TLS Tunnel to Key Distributor Figure 1: TLS Tunnel to Key Distributor
The three entities involved in this communication flow are the The three entities involved in this communication flow are the
endpoint, the media distributor, and the key distributor. The endpoint, the Media Distributor, and the Key Distributor. The
behavior of each entity is described in Section 5. behavior of each entity is described in Section 5.
The key distributor is a logical function that might might be co- The Key Distributor is a logical function that might be co-resident
resident with a key management server operated by an enterprise, with a key management server operated by an enterprise, reside in one
reside in one of the endpoints participating in the conference, or of the endpoints participating in the conference, or elsewhere that
elsewhere that is trusted with E2E keying material. is trusted with E2E keying material.
4. Example Message Flows 4. Example Message Flows
This section provides an example message flow to help clarify the This section provides an example message flow to help clarify the
procedures described later in this document. It is necessary that procedures described later in this document. It is necessary that
the key distributor and media distributor establish a mutually the Key Distributor and Media Distributor establish a mutually
authenticated TLS connection for the purpose of sending tunneled authenticated TLS connection for the purpose of sending tunneled
messages, though the complete TLS handshake for the tunnel is not messages, though the complete TLS handshake for the tunnel is not
shown in Figure 2 since there is nothing new this document introduces shown in Figure 2 since there is nothing new this document introduces
with regard to those procedures. with regard to those procedures.
Once the tunnel is established, it is possible for the media Once the tunnel is established, it is possible for the Media
distributor to relay the DTLS messages between the endpoint and the Distributor to relay the DTLS messages between the endpoint and the
key distributor. Figure 2 shows a message flow wherein the endpoint Key Distributor. Figure 2 shows a message flow wherein the endpoint
uses DTLS-SRTP to establish an association with the key distributor. uses DTLS-SRTP to establish an association with the Key Distributor.
In the process, the media distributor shares its supported SRTP In the process, the Media Distributor shares its supported SRTP
protection profile information (see [RFC5764]) and the key protection profile information (see [RFC5764]) and the Key
distributor shares HBH keying material and selected cipher with the Distributor shares HBH keying material and selected cipher with the
media distributor. Media Distributor.
Endpoint media distributor key distributor Endpoint Media Distributor Key Distributor
| | | | | |
| |<=======================>| | |<=======================>|
| | TLS Connection Made | | | TLS Connection Made |
| | | | | |
| |========================>| | |========================>|
| | SupportedProfiles | | | SupportedProfiles |
| | | | | |
|------------------------>|========================>| |------------------------>|========================>|
| DTLS handshake message | TunneledDtls | | DTLS handshake message | TunneledDtls |
| | | | | |
skipping to change at page 5, line 31 skipping to change at page 5, line 40
|<------------------------|<========================| |<------------------------|<========================|
| DTLS handshake message | TunneledDtls | | DTLS handshake message | TunneledDtls |
| | | | | |
Figure 2: Sample DTLS-SRTP Exchange via the Tunnel Figure 2: Sample DTLS-SRTP Exchange via the Tunnel
After the initial TLS connection has been established each of the After the initial TLS connection has been established each of the
messages on the right-hand side of Figure 2 is a tunneling protocol messages on the right-hand side of Figure 2 is a tunneling protocol
message as defined in Section 6. message as defined in Section 6.
SRTP protection profiles supported by the media distributor will be SRTP protection profiles supported by the Media Distributor will be
sent in a "SupportedProfiles" message when the TLS tunnel is sent in a "SupportedProfiles" message when the TLS tunnel is
initially established. The key distributor will use that information initially established. The Key Distributor will use that information
to select a common profile supported by both the endpoint and the to select a common profile supported by both the endpoint and the
media distributor to ensure that HBH operations can be successfully Media Distributor to ensure that HBH operations can be successfully
performed. performed.
As DTLS messages are received from the endpoint by the media As DTLS messages are received from the endpoint by the Media
distributor, they are forwarded to the key distributor encapsulated Distributor, they are forwarded to the Key Distributor encapsulated
inside a "TunneledDtls" message. Likewise, as "TunneledDtls" inside a "TunneledDtls" message. Likewise, as "TunneledDtls"
messages are received by the media distributor from the key messages are received by the Media Distributor from the Mey
distributor, the encapsulated DTLS packet is forwarded to the Distributor, the encapsulated DTLS packet is forwarded to the
endpoint. endpoint.
The key distributor will provide the SRTP [RFC3711] keying material The Key Distributor will provide the SRTP [RFC3711] keying material
to the media distributor for HBH operations via the "MediaKeys" to the Media Distributor for HBH operations via the "MediaKeys"
message. The media distributor will extract this keying material message. The Media Distributor will extract this keying material
from the "MediaKeys" message when received and use it for HBH from the "MediaKeys" message when received and use it for HBH
encryption and authentication. encryption and authentication.
5. Tunneling Procedures 5. Tunneling Procedures
The following sub-sections explain in detail the expected behavior of The following sub-sections explain in detail the expected behavior of
the endpoint, the media distributor, and the key distributor. the endpoint, the Media Distributor, and the Key Distributor.
It is important to note that the tunneling protocol described in this It is important to note that the tunneling protocol described in this
document is not an extension to TLS [RFC5246] or DTLS [RFC6347]. document is not an extension to TLS [RFC5246] or DTLS [RFC6347].
Rather, it is a protocol that transports DTLS messages generated by Rather, it is a protocol that transports DTLS messages generated by
an endpoint or key distributor as data inside of the TLS connection an endpoint or Key Distributor as data inside of the TLS connection
established between the media distributor and key distributor. established between the Media Distributor and Key Distributor.
5.1. Endpoint Procedures 5.1. Endpoint Procedures
The endpoint follows the procedures outlined for DTLS-SRTP [RFC5764] The endpoint follows the procedures outlined for DTLS-SRTP [RFC5764]
in order to establish the cipher and keys used for encryption and in order to establish the cipher and keys used for encryption and
authentication, with the endpoint acting as the client and the key authentication, with the endpoint acting as the client and the Key
distributor acting as the server. The endpoint does not need to be Distributor acting as the server. The endpoint does not need to be
aware of the fact that DTLS messages it transmits toward the media aware of the fact that DTLS messages it transmits toward the Media
distributor are being tunneled to the key distributor. Distributor are being tunneled to the Key Distributor.
The endpoint MUST include a unique identifier in the "tls-id" SDP The endpoint MUST include a unique identifier in the "tls-id" SDP
[!@RFC4566] attribute sent by the endpoint in both offer and answer [RFC4566] attribute sent by the endpoint in both offer and answer
[RFC3264] messages as per [RFC8842]. Further, the endpoint MUST [RFC3264] messages as per [RFC8842]. Further, the endpoint MUST
include this same unique identifier in the "external_session_id" include this same unique identifier in the "external_session_id"
extension [RFC8844] in the "ClientHello" message when establishing a extension [RFC8844] in the "ClientHello" message when establishing a
DTLS association. DTLS association.
When receiving a "external_session_id" value from the key When receiving a "external_session_id" value from the Key
distributor, the client MUST check to ensure that value matches the Distributor, the client MUST check to ensure that value matches the
"tls-id" value received in SDP. If the values do not match, the "tls-id" value received in SDP. If the values do not match, the
endpoint MUST consider any received keying material to be invalid and endpoint MUST consider any received keying material to be invalid and
terminate the DTLS association. terminate the DTLS association.
5.2. Tunnel Establishment Procedures 5.2. Tunnel Establishment Procedures
Either the media distributor or key distributor initiates the Either the Media Distributor or Key Distributor initiates the
establishment of a TLS tunnel. Which entity acts as the TLS client establishment of a TLS tunnel. Which entity acts as the TLS client
when establishing the tunnel and what event triggers the when establishing the tunnel and what event triggers the
establishment of the tunnel are outside the scope of this document. establishment of the tunnel are outside the scope of this document.
Further, how the trust relationships are established between the key Further, how the trust relationships are established between the Key
distributor and media distributor are also outside the scope of this Distributor and Media Distributor are also outside the scope of this
document. document.
A tunnel MUST be a mutually authenticated TLS connection. A tunnel MUST be a mutually authenticated TLS connection.
The media distributor or key distributor MUST establish a tunnel The Media Distributor or Key Distributor MUST establish a tunnel
prior to forwarding tunneled DTLS messages. Given the time-sensitive prior to forwarding tunneled DTLS messages. Given the time-sensitive
nature of DTLS-SRTP procedures, a tunnel SHOULD be established prior nature of DTLS-SRTP procedures, a tunnel SHOULD be established prior
to the media distributor receiving a DTLS message from an endpoint. to the Media Distributor receiving a DTLS message from an endpoint.
A single tunnel MAY be used to relay DTLS messages between any number A single tunnel MAY be used to relay DTLS messages between any number
of endpoints and the key distributor. of endpoints and the Key Distributor.
A media distributor MAY have more than one tunnel established between A Media Distributor MAY have more than one tunnel established between
itself and one or more key distributors. When multiple tunnels are itself and one or more Key Distributors. When multiple tunnels are
established, which tunnel or tunnels to use to send messages for a established, which tunnel or tunnels to use to send messages for a
given conference is outside the scope of this document. given conference is outside the scope of this document.
5.3. Media Distributor Tunneling Procedures 5.3. Media Distributor Tunneling Procedures
The first message transmitted over the tunnel is the The first message transmitted over the tunnel is the
"SupportedProfiles" (see Section 6). This message informs the key "SupportedProfiles" (see Section 6). This message informs the Key
distributor about which DTLS-SRTP profiles the media distributor Distributor about which DTLS-SRTP profiles the Media Distributor
supports. This message MUST be sent each time a new tunnel supports. This message MUST be sent each time a new tunnel
connection is established or, in the case of connection loss, when a connection is established or, in the case of connection loss, when a
connection is re-established. The media distributor MUST support the connection is re-established. The Media Distributor MUST support the
same list of protection profiles for the duration of any endpoint- same list of protection profiles for the duration of any endpoint-
initiated DTLS association and tunnel connection. initiated DTLS association and tunnel connection.
The media distributor MUST assign a unique association identifier for The Media Distributor MUST assign a unique association identifier for
each endpoint-initiated DTLS association and include it in all each endpoint-initiated DTLS association and include it in all
messages forwarded to the key distributor. The key distributor will messages forwarded to the Key Distributor. The Key Distributor will
subsequently include this identifier in all messages it sends so that subsequently include this identifier in all messages it sends so that
the media distributor can map messages received via a tunnel and the Media Distributor can map messages received via a tunnel and
forward those messages to the correct endpoint. The association forward those messages to the correct endpoint. The association
identifier MUST be randomly assigned UUID value as described identifier MUST be randomly assigned UUID value as described
Section 4.4 of [RFC4122]. Section 4.4 of [RFC4122].
When a DTLS message is received by the media distributor from an When a DTLS message is received by the Media Distributor from an
endpoint, it forwards the UDP payload portion of that message to the endpoint, it forwards the UDP payload portion of that message to the
key distributor encapsulated in a "TuneledDtls" message. The media Key Distributor encapsulated in a "TuneledDtls" message. The Media
distributor is not required to forward all messages received from an Distributor is not required to forward all messages received from an
endpoint for a given DTLS association through the same tunnel if more endpoint for a given DTLS association through the same tunnel if more
than one tunnel has been established between it and a key than one tunnel has been established between it and a Key
distributor. Distributor.
When a "MediaKeys" message is received, the media distributor MUST When a "MediaKeys" message is received, the Media Distributor MUST
extract the cipher and keying material conveyed in order to extract the cipher and keying material conveyed in order to
subsequently perform HBH encryption and authentication operations for subsequently perform HBH encryption and authentication operations for
RTP and RTCP packets sent between it and an endpoint. Since the HBH RTP and RTCP packets sent between it and an endpoint. Since the HBH
keying material will be different for each endpoint, the media keying material will be different for each endpoint, the Media
distributor uses the association identifier included by the key Distributor uses the association identifier included by the Key
distributor to ensure that the HBH keying material is used with the Distributor to ensure that the HBH keying material is used with the
correct endpoint. correct endpoint.
The media distributor MUST forward all DTLS messages received from The Media Distributor MUST forward all DTLS messages received from
either the endpoint or the key distributor (via the "TunneledDtls" either the endpoint or the Key Distributor (via the "TunneledDtls"
message) to ensure proper communication between those two entities. message) to ensure proper communication between those two entities.
When the media distributor detects an endpoint has disconnected or When the Media Distributor detects an endpoint has disconnected or
when it receives conference control messages indicating the endpoint when it receives conference control messages indicating the endpoint
is to be disconnected, the media distributors MUST send an is to be disconnected, the Media Distributors MUST send an
"EndpointDisconnect" message with the association identifier assigned "EndpointDisconnect" message with the association identifier assigned
to the endpoint to the key distributor. The media distributor SHOULD to the endpoint to the Key Distributor. The Media Distributor SHOULD
take a loss of all RTP and RTCP packets as an indicator that the take a loss of all RTP and RTCP packets as an indicator that the
endpoint has disconnected. The particulars of how RTP and RTCP are endpoint has disconnected. The particulars of how RTP and RTCP are
to be used to detect an endpoint disconnect, such as timeout period, to be used to detect an endpoint disconnect, such as timeout period,
is not specified. The media distributor MAY use additional is not specified. The Media Distributor MAY use additional
indicators to determine when an endpoint has disconnected. indicators to determine when an endpoint has disconnected.
5.4. Key Distributor Tunneling Procedures 5.4. Key Distributor Tunneling Procedures
Each TLS tunnel established between the media distributor and the key Each TLS tunnel established between the Media Distributor and the Key
distributor MUST be mutually authenticated. Distributor MUST be mutually authenticated.
When the media distributor relays a DTLS message from an endpoint, When the Media Distributor relays a DTLS message from an endpoint,
the media distributor will include an association identifier that is the Media Distributor will include an association identifier that is
unique per endpoint-originated DTLS association. The association unique per endpoint-originated DTLS association. The association
identifier remains constant for the life of the DTLS association. identifier remains constant for the life of the DTLS association.
The key distributor identifies each distinct endpoint-originated DTLS The Key Distributor identifies each distinct endpoint-originated DTLS
association by the association identifier. association by the association identifier.
When processing an incoming endpoint association, the key distributor When processing an incoming endpoint association, the Key Distributor
MUST extract the "external_session_id" value transmitted in the MUST extract the "external_session_id" value transmitted in the
"ClientHello" message and match that against "tls-id" value the "ClientHello" message and match that against "tls-id" value the
endpoint transmitted via SDP. If the values in SDP and the endpoint transmitted via SDP. If the values in SDP and the
"ClientHello" do not match, the DTLS association MUST be rejected. "ClientHello" do not match, the DTLS association MUST be rejected.
The process through which the "tls-id" in SDP is conveyed to the key The process through which the "tls-id" in SDP is conveyed to the Key
distributor is outside the scope of this document. Distributor is outside the scope of this document.
The key distributor MUST match the certificate fingerprint and The Key Distributor MUST match the certificate fingerprint and
"external_session_id" received from endpoint's "ClientHello" message "external_session_id" received from endpoint's "ClientHello" message
with the values received from the SDP transmitted by the endpoint. with the values received from the SDP transmitted by the endpoint.
It is through this process that the key distributor can be sure to It is through this process that the Key Distributor can be sure to
deliver the correct conference key to the endpoint. deliver the correct conference key to the endpoint.
When sending the "ServerHello" message, the key distributor MUST When sending the "ServerHello" message, the Key Distributor MUST
insert its own unique identifier in the "external_session_id" insert its own unique identifier in the "external_session_id"
extension. This value MUST also be conveyed back to the client via extension. This value MUST also be conveyed back to the client via
SDP as a "tls-id" attribute. SDP as a "tls-id" attribute.
The key distributor MUST encapsulate any DTLS message it sends to an The Key Distributor MUST encapsulate any DTLS message it sends to an
endpoint inside a "TunneledDtls" message (see Section 6). The key endpoint inside a "TunneledDtls" message (see Section 6). The Key
distributor is not required to transmit all messages a given DTLS Distributor is not required to transmit all messages a given DTLS
association through the same tunnel if more than one tunnel has been association through the same tunnel if more than one tunnel has been
established between it and a media distributor. established between it and a Media Distributor.
The key distributor MUST use the same association identifier in The Key Distributor MUST use the same association identifier in
messages sent to an endpoint as was received in messages from that messages sent to an endpoint as was received in messages from that
endpoint. This ensures the media distributor can forward the endpoint. This ensures the Media Distributor can forward the
messages to the correct endpoint. messages to the correct endpoint.
The key distributor extracts tunneled DTLS messages from an endpoint The Key Distributor extracts tunneled DTLS messages from an endpoint
and acts on those messages as if that endpoint had established the and acts on those messages as if that endpoint had established the
DTLS association directly with the key distributor. The key DTLS association directly with the Key Distributor. The Key
distributor is acting as the DTLS server and the endpoint is acting Distributor is acting as the DTLS server and the endpoint is acting
as the DTLS client. The handling of the messages and certificates is as the DTLS client. The handling of the messages and certificates is
exactly the same as normal DTLS-SRTP procedures between endpoints. exactly the same as normal DTLS-SRTP procedures between endpoints.
The key distributor MUST send a "MediaKeys" message to the media The Key Distributor MUST send a "MediaKeys" message to the Media
distributor as soon as the HBH encryption key is computed and before Distributor as soon as the HBH encryption key is computed and before
it sends a DTLS "Finished" message to the endpoint. The "MediaKeys" it sends a DTLS "Finished" message to the endpoint. The "MediaKeys"
message includes the selected cipher (i.e. protection profile), MKI message includes the selected cipher (i.e. protection profile), MKI
[RFC3711] value (if any), SRTP master keys, and SRTP master salt [RFC3711] value (if any), SRTP master keys, and SRTP master salt
values. The key distributor MUST use the same association identifier values. The Key Distributor MUST use the same association identifier
in the "MediaKeys" message as is used in the "TunneledDtls" messages in the "MediaKeys" message as is used in the "TunneledDtls" messages
for the given endpoint. for the given endpoint.
The key distributor uses the certificate fingerprint of the endpoint The Key Distributor uses the certificate fingerprint of the endpoint
along with the unique identifier received in the along with the unique identifier received in the
"external_session_id" extension to determine which conference a given "external_session_id" extension to determine which conference a given
DTLS association is associated. DTLS association is associated.
The key distributor MUST select a cipher that is supported by both The Key Distributor MUST select a cipher that is supported by both
the endpoint and the media distributor to ensure proper HBH the endpoint and the Media Distributor to ensure proper HBH
operations. operations.
When the DTLS association between the endpoint and the key When the DTLS association between the endpoint and the Key
distributor is terminated, regardless of which entity initiated the Distributor is terminated, regardless of which entity initiated the
termination, the key distributor MUST send an "EndpointDisconnect" termination, the Key Distributor MUST send an "EndpointDisconnect"
message with the association identifier assigned to the endpoint to message with the association identifier assigned to the endpoint to
the media distributor. the Media Distributor.
5.5. Versioning Considerations 5.5. Versioning Considerations
All messages for an established tunnel MUST utilize the same version Since the Media Distributor sends the first message over the tunnel,
value.
Since the media distributor sends the first message over the tunnel,
it effectively establishes the version of the protocol to be used. it effectively establishes the version of the protocol to be used.
If that version is not supported by the key distributor, it MUST If that version is not supported by the Key Distributor, the Key
discard the message, transmit an "UnsupportedVersion" message, and Distributor MUST transmit an "UnsupportedVersion" message containing
close the TLS connection. the highest version number supported, and close the TLS connection.
The media distributor MUST take note of the version received in an The Media Distributor MUST take note of the version received in an
"UnsupportedVersion" message and use that version when attempting to "UnsupportedVersion" message and use that version when attempting to
re-establish a failed tunnel connection. Note that it is not re-establish a failed tunnel connection. Note that it is not
necessary for the media distributor to understand the newer version necessary for the Media Distributor to understand the newer version
of the protocol to understand that the first message received is of the protocol to understand that the first message received is
"UnsupportedVersion". The media distributor can determine from the "UnsupportedVersion". The Media Distributor can determine from the
first two octets received what the version number is and that the first two octets received what the version number is and that the
message is "UnsupportedVersion". The rest of the data received, if message is "UnsupportedVersion". The rest of the data received, if
any, would be discarded and the connection closed (if not already any, would be discarded and the connection closed (if not already
closed). closed).
6. Tunneling Protocol 6. Tunneling Protocol
Tunneled messages are transported via the TLS tunnel as application Tunneled messages are transported via the TLS tunnel as application
data between the media distributor and the key distributor. Tunnel data between the Media Distributor and the Key Distributor. Tunnel
messages are specified using the format described in [RFC5246] messages are specified using the format described in [RFC5246]
section 4. As in [RFC5246], all values are stored in network byte section 4. As in [RFC5246], all values are stored in network byte
(big endian) order; the uint32 represented by the hex bytes 01 02 03 (big endian) order; the uint32 represented by the hex bytes 01 02 03
04 is equivalent to the decimal value 16909060. 04 is equivalent to the decimal value 16909060.
The protocol defines several different messages, each of which This protocol defines several different messages, each of which
containing the the following information: contains the following information:
* Protocol version
* Message type identifier * Message type identifier
* Message body length
* The message body * The message body
Each of these messages is a "TunnelMessage" in the syntax, with a Each of the tunnel messages is a "TunnelMessage" structure with the
message type indicating the actual content of the message body. message type indicating the actual content of the message body.
6.1. Tunnel Message Format 6.1. TunnelMessage Structure
The syntax of the protocol is defined below. "TunnelMessage" defines The "TunnelMessage" defines the structure of all messages sent via
the structure of all messages sent via the tunnel protocol. That the tunnel protocol. That structure includes a field called
structure includes a field called "msg_type" that identifies the "msg_type" that identifies the specific type of message contained
specific type of message contained within "TunnelMessage". within "TunnelMessage".
enum { enum {
supported_profiles(1), supported_profiles(1),
unsupported_version(2), unsupported_version(2),
media_keys(3), media_keys(3),
tunneled_dtls(4), tunneled_dtls(4),
endpoint_disconnect(5), endpoint_disconnect(5),
(255) (255)
} MsgType; } MsgType;
skipping to change at page 11, line 37 skipping to change at page 11, line 30
case supported_profiles: SupportedProfiles; case supported_profiles: SupportedProfiles;
case unsupported_version: UnsupportedVersion; case unsupported_version: UnsupportedVersion;
case media_keys: MediaKeys; case media_keys: MediaKeys;
case tunneled_dtls: TunneledDtls; case tunneled_dtls: TunneledDtls;
case endpoint_disconnect: EndpointDisconnect; case endpoint_disconnect: EndpointDisconnect;
} body; } body;
} TunnelMessage; } TunnelMessage;
The elements of "TunnelMessage" include: The elements of "TunnelMessage" include:
* msg_type: the type of message contained within the structure * "msg_type": the type of message contained within the structure
"body". "body".
* length: the length in octets of the following "body" of the * "length": the length in octets of the following "body" of the
message. message.
* "body": the actual message being conveyed within this
"TunnelMessage" structure.
6.2. SupportedProfiles Message
The "SupportedProfiles" message is defined as: The "SupportedProfiles" message is defined as:
uint8 SRTPProtectionProfile[2]; /* from RFC5764 */ uint8 SRTPProtectionProfile[2]; /* from RFC5764 */
struct { struct {
uint8 version; uint8 version;
SRTPProtectionProfile protection_profiles<0..2^16-1>; SRTPProtectionProfile protection_profiles<0..2^16-1>;
} SupportedProfiles; } SupportedProfiles;
This message contains this single element: This message contains this single element:
* version: indicates the version of this protocol (0x00). * "version": indicates the version of the protocol to use (0x00).
* protection_profiles: The list of two-octet SRTP protection profile * "protection_profiles": The list of two-octet SRTP protection
values as per [RFC5764] supported by the media distributor. profile values as per [RFC5764] supported by the Media
Distributor.
6.3. UnsupportedVersion Message
The "UnsupportedVersion" message is defined as follows: The "UnsupportedVersion" message is defined as follows:
struct { struct {
uint8 highest_version; uint8 highest_version;
} UnsupportedVersion; } UnsupportedVersion;
The elements of "UnsupportedVersion" include: The elements of "UnsupportedVersion" include:
* highest_version: indicates the highest supported protocol version. * "highest_version": indicates the highest version of the protocol
supported by the Key Distributor.
6.4. MediaKeys Message
The "MediaKeys" message is defined as: The "MediaKeys" message is defined as:
struct { struct {
uuid association_id; uuid association_id;
SRTPProtectionProfile protection_profile; SRTPProtectionProfile protection_profile;
opaque mki<0..255>; opaque mki<0..255>;
opaque client_write_SRTP_master_key<1..255>; opaque client_write_SRTP_master_key<1..255>;
opaque server_write_SRTP_master_key<1..255>; opaque server_write_SRTP_master_key<1..255>;
opaque client_write_SRTP_master_salt<1..255>; opaque client_write_SRTP_master_salt<1..255>;
opaque server_write_SRTP_master_salt<1..255>; opaque server_write_SRTP_master_salt<1..255>;
} MediaKeys; } MediaKeys;
The fields are described as follows: The fields are described as follows:
* association_id: A value that identifies a distinct DTLS * "association_id": A value that identifies a distinct DTLS
association between an endpoint and the key distributor. association between an endpoint and the Key Distributor.
* protection_profiles: The value of the two-octet SRTP protection * "protection_profiles": The value of the two-octet SRTP protection
profile value as per [RFC5764] used for this DTLS association. profile value as per [RFC5764] used for this DTLS association.
* mki: Master key identifier [RFC3711]. A zero-length field * "mki": Master key identifier [RFC3711]. A zero-length field
indicates that no MKI value is present. indicates that no MKI value is present.
* client_write_SRTP_master_key: The value of the SRTP master key * "client_write_SRTP_master_key": The value of the SRTP master key
used by the client (endpoint). used by the client (endpoint).
* server_write_SRTP_master_key: The value of the SRTP master key * "server_write_SRTP_master_key": The value of the SRTP master key
used by the server (media distributor). used by the server (Media Distributor).
* client_write_SRTP_master_salt: The value of the SRTP master salt * "client_write_SRTP_master_salt": The value of the SRTP master salt
used by the client (endpoint). used by the client (endpoint).
* server_write_SRTP_master_salt: The value of the SRTP master salt * "server_write_SRTP_master_salt": The value of the SRTP master salt
used by the server (media distributor). used by the server (Media Distributor).
6.5. TunneledDtls Message
The "TunneledDtls" message is defined as: The "TunneledDtls" message is defined as:
struct { struct {
uuid association_id; uuid association_id;
opaque dtls_message<0..2^16-1>; opaque dtls_message<0..2^16-1>;
} TunneledDtls; } TunneledDtls;
The fields are described as follows: The fields are described as follows:
* association_id: An value that identifies a distinct DTLS * "association_id": A value that identifies a distinct DTLS
association between an endpoint and the key distributor. association between an endpoint and the Key Distributor.
* dtls_message: the content of the DTLS message received by the * "dtls_message": the content of the DTLS message received by the
endpoint or to be sent to the endpoint. endpoint or to be sent to the endpoint.
The "EndpointDisconect" message is defined as: 6.6. EndpointDisconnect Message
The "EndpointDisconnect" message is defined as:
struct { struct {
uuid association_id; uuid association_id;
} EndpointDisconnect; } EndpointDisconnect;
The fields are described as follows: The fields are described as follows:
* association_id: An value that identifies a distinct DTLS * "association_id": An value that identifies a distinct DTLS
association between an endpoint and the key distributor. association between an endpoint and the Key Distributor.
7. Example Binary Encoding 7. Example Binary Encoding
The "TunnelMessage" is encoded in binary following the procedures The "TunnelMessage" is encoded in binary following the procedures
specified in [RFC5246]. This section provides an example of what the specified in [RFC5246]. This section provides an example of what the
bits on the wire would look like for the "SupportedProfiles" message bits on the wire would look like for the "SupportedProfiles" message
that advertises support for both that advertises support for both
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and "DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM" and
DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM [RFC8723]. "DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM" [RFC8723].
TunnelMessage: TunnelMessage:
message_type: 0x01 message_type: 0x01
length: 0x0007 length: 0x0007
SupportedProfiles: SupportedProfiles:
version: 0x00 version: 0x00
protection_profiles: 0x0004 (length) protection_profiles: 0x0004 (length)
0x0009000A (value) 0x0009000A (value)
Thus, the encoding on the wire presented here in network bytes order Thus, the encoding on the wire presented here in network bytes order
would be this stream of octets: would be this stream of octets:
0x0100070000040009000A 0x0100070000040009000A
8. IANA Considerations 8. IANA Considerations
This document establishes a new registry to contain message type This document establishes a new registry to contain message type
values used in the DTLS Tunnel protocol. These data type values are values used in the DTLS Tunnel protocol. These message type values
a single octet in length. This document defines the values shown in are a single octet in length. This document defines the values shown
Table 1 below, leaving the balance of possible values reserved for in Table 1 below, leaving the balance of possible values reserved for
future specifications: future specifications:
+=========+====================================+ +=========+====================================+
| MsgType | Description | | MsgType | Description |
+=========+====================================+ +=========+====================================+
| 0x01 | Supported SRTP Protection Profiles | | 0x01 | Supported SRTP Protection Profiles |
+---------+------------------------------------+ +---------+------------------------------------+
| 0x02 | Unsupported Version | | 0x02 | Unsupported Version |
+---------+------------------------------------+ +---------+------------------------------------+
| 0x03 | Media Keys | | 0x03 | Media Keys |
+---------+------------------------------------+ +---------+------------------------------------+
| 0x04 | Tunneled DTLS | | 0x04 | Tunneled DTLS |
+---------+------------------------------------+ +---------+------------------------------------+
| 0x05 | Endpoint Disconnect | | 0x05 | Endpoint Disconnect |
+---------+------------------------------------+ +---------+------------------------------------+
Table 1: Data Type Values for the DTLS Table 1: Message Type Values for the DTLS
Tunnel Protocol Tunnel Protocol
The value 0x00 and all values in the range 0x06 to 0xFF are reserved. The value 0x00 is reserved and all values in the range 0x06 to 0xFF
are available for allocation. The procedures for updating this table
are those defined as "IETF Review" in section 4.8 of [RFC8126].
The name for this registry is "Datagram Transport Layer Security The name for this registry is "Datagram Transport Layer Security
(DTLS) Tunnel Protocol Data Types for Privacy Enhanced Conferencing". (DTLS) Tunnel Protocol Message Types for Privacy Enhanced
Conferencing".
The procedures for updating this table are those defined as "IETF
Review" in section 4.8 if [!@RFC8126].
9. Security Considerations 9. Security Considerations
The encapsulated data is protected by the TLS connection from the Since the procedures in this document relies on TLS [RFC5246] for
endpoint to key distributor, and the media distributor is merely an transport security, the security considerations for TLS should be
on path entity. The media distributor does not have access to the reviewed when implementing the protocol defined in this document.
end-to-end keying material This does not introduce any additional
security concerns beyond a normal DTLS-SRTP association.
The HBH keying material is protected by the mutual authenticated TLS While the tunneling protocol defined in this document does not use
connection between the media distributor and key distributor. The DTLS-SRTP [[RFC5764] directly, it does convey and negotiate some of
key distributor MUST ensure that it only forms associations with the same information (e.g., protection profile data). As such, a
authorized media distributors or it could hand HBH keying material to review of the security considerations found in that document may be
untrusted parties. useful.
The supported profiles information sent from the media distributor to This document describes a means of securely exchanging keying
the key distributor is not particularly sensitive as it only provides material and cryptographic transforms for both E2E and HBH encryption
the cryptographic algorithms supported by the media distributor. and authentication of media between an endpoint and a Key Distributor
Further, it is still protected by the TLS connection between the via a Media Distributor. Additionally, the procedures result in
media distributor and the key distributor. delivering HBH information to the intermediary Media Distributor.
The Key Distributor and endpoint are the only two entities with
access to both the E2E and HBH keys, while the Media Distributor has
access to only HBH information. Section 8.2 of [RFC8871] enumerates
various attacks against which one must guard when implementing a
Media Distributor and are important to note.
A requirement in this document is that a TLS connection between the
Media Distributor and the Key Distributor be mutually authenticated.
The reason for this requirement is to ensure that only an authorized
Media Distributor receives the HBH keying material. If an
unauthorized Media Distributor gains access to the HBH keying
material, it can easily cause service degradation or denial by
transmitting HBH-valid packets that ultimately fail E2E
authentication or replay protection checks (see Section 3.3.2 of
[RFC3711]). Even if service does not appear degraded in any way,
transmitting and processing bogus packets are a waste of both
computational and network resources.
While E2E keying material passes through the Media Distributor via
the protocol defined in this document, the Media Distributor has no
means of gaining access to that information and therefore cannot
affect the E2E media processing function in the endpoint except to
present it with invalid or replayed data. That said, any entity
along the path that interferes with the DTLS exchange between the
endpoint and the Key Distributor, including a malicious Media
Distributor that is not properly authorized, could prevent an
endpoint from properly communicating with the Key Distributor and,
therefore, prevent successful conference participation.
10. Acknowledgments 10. Acknowledgments
The author would like to thank David Benham and Cullen Jennings for The author would like to thank David Benham and Cullen Jennings for
reviewing this document and providing constructive comments. reviewing this document and providing constructive comments.
11. Normative References 11. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
skipping to change at page 15, line 33 skipping to change at page 16, line 27
[RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model
with Session Description Protocol (SDP)", RFC 3264, with Session Description Protocol (SDP)", RFC 3264,
DOI 10.17487/RFC3264, June 2002, DOI 10.17487/RFC3264, June 2002,
<https://www.rfc-editor.org/info/rfc3264>. <https://www.rfc-editor.org/info/rfc3264>.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
July 2003, <https://www.rfc-editor.org/info/rfc3550>. July 2003, <https://www.rfc-editor.org/info/rfc3550>.
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004,
<https://www.rfc-editor.org/info/rfc3711>.
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally
Unique IDentifier (UUID) URN Namespace", RFC 4122, Unique IDentifier (UUID) URN Namespace", RFC 4122,
DOI 10.17487/RFC4122, July 2005, DOI 10.17487/RFC4122, July 2005,
<https://www.rfc-editor.org/info/rfc4122>. <https://www.rfc-editor.org/info/rfc4122>.
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
Description Protocol", RFC 4566, DOI 10.17487/RFC4566,
July 2006, <https://www.rfc-editor.org/info/rfc4566>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, (TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008, DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>. <https://www.rfc-editor.org/info/rfc5246>.
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for the Secure Security (DTLS) Extension to Establish Keys for the Secure
Real-time Transport Protocol (SRTP)", RFC 5764, Real-time Transport Protocol (SRTP)", RFC 5764,
DOI 10.17487/RFC5764, May 2010, DOI 10.17487/RFC5764, May 2010,
<https://www.rfc-editor.org/info/rfc5764>. <https://www.rfc-editor.org/info/rfc5764>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer [RFC8126] Cotton, M., Leiba, B., and T. Narten, "Guidelines for
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, Writing an IANA Considerations Section in RFCs", BCP 26,
January 2012, <https://www.rfc-editor.org/info/rfc6347>. RFC 8126, DOI 10.17487/RFC8126, June 2017,
<https://www.rfc-editor.org/info/rfc8126>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8842] Holmberg, C. and R. Shpount, "Session Description Protocol [RFC8842] Holmberg, C. and R. Shpount, "Session Description Protocol
(SDP) Offer/Answer Considerations for Datagram Transport (SDP) Offer/Answer Considerations for Datagram Transport
Layer Security (DTLS) and Transport Layer Security (TLS)", Layer Security (DTLS) and Transport Layer Security (TLS)",
RFC 8842, DOI 10.17487/RFC8842, January 2021, RFC 8842, DOI 10.17487/RFC8842, January 2021,
<https://www.rfc-editor.org/info/rfc8842>. <https://www.rfc-editor.org/info/rfc8842>.
skipping to change at page 16, line 31 skipping to change at page 17, line 27
RFC 8844, DOI 10.17487/RFC8844, January 2021, RFC 8844, DOI 10.17487/RFC8844, January 2021,
<https://www.rfc-editor.org/info/rfc8844>. <https://www.rfc-editor.org/info/rfc8844>.
[RFC8871] Jones, P., Benham, D., and C. Groves, "A Solution [RFC8871] Jones, P., Benham, D., and C. Groves, "A Solution
Framework for Private Media in Privacy-Enhanced RTP Framework for Private Media in Privacy-Enhanced RTP
Conferencing (PERC)", RFC 8871, DOI 10.17487/RFC8871, Conferencing (PERC)", RFC 8871, DOI 10.17487/RFC8871,
January 2021, <https://www.rfc-editor.org/info/rfc8871>. January 2021, <https://www.rfc-editor.org/info/rfc8871>.
12. Informative References 12. Informative References
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
Norrman, "The Secure Real-time Transport Protocol (SRTP)",
RFC 3711, DOI 10.17487/RFC3711, March 2004,
<https://www.rfc-editor.org/info/rfc3711>.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <https://www.rfc-editor.org/info/rfc6347>.
[RFC8723] Jennings, C., Jones, P., Barnes, R., and A.B. Roach, [RFC8723] Jennings, C., Jones, P., Barnes, R., and A.B. Roach,
"Double Encryption Procedures for the Secure Real-Time "Double Encryption Procedures for the Secure Real-Time
Transport Protocol (SRTP)", RFC 8723, Transport Protocol (SRTP)", RFC 8723,
DOI 10.17487/RFC8723, April 2020, DOI 10.17487/RFC8723, April 2020,
<https://www.rfc-editor.org/info/rfc8723>. <https://www.rfc-editor.org/info/rfc8723>.
Authors' Addresses Authors' Addresses
Paul E. Jones Paul E. Jones
Cisco Systems, Inc. Cisco Systems, Inc.
skipping to change at page 16, line 47 skipping to change at page 18, line 4
Authors' Addresses Authors' Addresses
Paul E. Jones Paul E. Jones
Cisco Systems, Inc. Cisco Systems, Inc.
7025 Kit Creek Rd. 7025 Kit Creek Rd.
Research Triangle Park, North Carolina 27709 Research Triangle Park, North Carolina 27709
United States of America United States of America
Phone: +1 919 476 2048 Phone: +1 919 476 2048
Email: paulej@packetizer.com Email: paulej@packetizer.com
Paul M. Ellenbogen Paul M. Ellenbogen
Princeton University Princeton University
Phone: +1 206 851 2069 Phone: +1 206 851 2069
Email: pe5@cs.princeton.edu Email: pe5@cs.princeton.edu
Nils H. Ohlmeier Nils H. Ohlmeier
Mozilla 8x8, Inc.
Phone: +1 408 659 6457 Phone: +1 408 659 6457
Email: nils@ohlmeier.org Email: nils@ohlmeier.org
 End of changes. 119 change blocks. 
217 lines changed or deleted 271 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/