draft-ietf-sip-dtls-srtp-framework-06.txt   draft-ietf-sip-dtls-srtp-framework-07.txt 
SIP J. Fischl SIP J. Fischl
Internet-Draft CounterPath Corporation Internet-Draft CounterPath Corporation
Intended status: Standards Track H. Tschofenig Intended status: Standards Track H. Tschofenig
Expires: September 1, 2009 Nokia Siemens Networks Expires: September 8, 2009 Nokia Siemens Networks
E. Rescorla E. Rescorla
RTFM, Inc. RTFM, Inc.
February 28, 2009 March 07, 2009
Framework for Establishing an SRTP Security Context using DTLS Framework for Establishing an SRTP Security Context using DTLS
draft-ietf-sip-dtls-srtp-framework-06.txt draft-ietf-sip-dtls-srtp-framework-07.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from IETF Standards Process. Without obtaining an adequate license from
skipping to change at page 1, line 45 skipping to change at page 1, line 45
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 1, 2009. This Internet-Draft will expire on September 8, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info). publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 10 skipping to change at page 3, line 10
exchange travels along the media path as opposed to the signaling exchange travels along the media path as opposed to the signaling
path. The SIP Identity mechanism can be used to protect the path. The SIP Identity mechanism can be used to protect the
integrity of the fingerprint attribute from modification by integrity of the fingerprint attribute from modification by
intermediate proxies. intermediate proxies.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 2. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 8 3. Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 8
4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 8 4. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 9
5. Establishing a Secure Channel . . . . . . . . . . . . . . . . 9 5. Establishing a Secure Channel . . . . . . . . . . . . . . . . 9
6. Miscellaneous Considerations . . . . . . . . . . . . . . . . . 11 6. Miscellaneous Considerations . . . . . . . . . . . . . . . . . 11
6.1. Anonymous Calls . . . . . . . . . . . . . . . . . . . . . 11 6.1. Anonymous Calls . . . . . . . . . . . . . . . . . . . . . 11
6.2. Early Media . . . . . . . . . . . . . . . . . . . . . . . 12 6.2. Early Media . . . . . . . . . . . . . . . . . . . . . . . 12
6.3. Forking . . . . . . . . . . . . . . . . . . . . . . . . . 12 6.3. Forking . . . . . . . . . . . . . . . . . . . . . . . . . 12
6.4. Delayed Offer Calls . . . . . . . . . . . . . . . . . . . 12 6.4. Delayed Offer Calls . . . . . . . . . . . . . . . . . . . 12
6.5. Multiple Associations . . . . . . . . . . . . . . . . . . 12 6.5. Multiple Associations . . . . . . . . . . . . . . . . . . 12
6.6. Session Modification . . . . . . . . . . . . . . . . . . . 12 6.6. Session Modification . . . . . . . . . . . . . . . . . . . 12
6.7. Middlebox Interaction . . . . . . . . . . . . . . . . . . 13 6.7. Middlebox Interaction . . . . . . . . . . . . . . . . . . 13
6.7.1. ICE Interaction . . . . . . . . . . . . . . . . . . . 13 6.7.1. ICE Interaction . . . . . . . . . . . . . . . . . . . 13
skipping to change at page 5, line 48 skipping to change at page 5, line 48
The fingerprint mechanism allows one side of the connection to verify The fingerprint mechanism allows one side of the connection to verify
that the certificate presented in the DTLS handshake matches the that the certificate presented in the DTLS handshake matches the
certificate used by the party in the signalling. However, this certificate used by the party in the signalling. However, this
requires some form of integrity protection on the signalling. S/MIME requires some form of integrity protection on the signalling. S/MIME
signatures, as described in RFC 3261, or SIP Identity, as described signatures, as described in RFC 3261, or SIP Identity, as described
in [RFC4474] provides the highest level of security because they are in [RFC4474] provides the highest level of security because they are
not susceptible to modification by malicious intermediaries. not susceptible to modification by malicious intermediaries.
However, even hop-by-hop security such as provided by SIPS provides However, even hop-by-hop security such as provided by SIPS provides
some protection against modification by attackers who are not in some protection against modification by attackers who are not in
control of on-path sigaling elements. control of on-path sigaling elements. Because DTLS-SRTP only
requires message integrity and not confidentiality for the signaling,
the number of elements which must have credentials and be trusted is
significantly reduced. In particular, if RFC 4474 is used, only the
Authentication Service need have a certificate and be trusted.
Intermediate elements cannot undetectably modify the message and
therefore cannot mount a MITM attack. By comparison, because
SDESCRIPTIONS [RFC4568] requires confidentiality for the signaling,
all intermediate elements must be trusted.
This approach differs from previous attempts to secure media traffic This approach differs from previous attempts to secure media traffic
where the authentication and key exchange protocol (e.g., MIKEY where the authentication and key exchange protocol (e.g., MIKEY
[RFC3830]) is piggybacked in the signaling message exchange. With [RFC3830]) is piggybacked in the signaling message exchange. With
DTLS-SRTP, establishing the protection of the media traffic between DTLS-SRTP, establishing the protection of the media traffic between
the endpoints is done by the media endpoints without involving the the endpoints is done by the media endpoints with only a
SIP/SDP communication. It allows RTP and SIP to be used in the usual cryptographic binding of the media keying to the SIP/SDP
manner when there is no encrypted media. communication. It allows RTP and SIP to be used in the usual manner
when there is no encrypted media.
In SIP, typically the caller sends an offer and the callee may In SIP, typically the caller sends an offer and the callee may
subsequently send one-way media back to the caller before a SIP subsequently send one-way media back to the caller before a SIP
answer is received by the caller. The approach in this answer is received by the caller. The approach in this
specification, where the media key negotiation is decoupled from the specification, where the media key negotiation is decoupled from the
SIP signaling, allows the early media to be set up before the SIP SIP signaling, allows the early media to be set up before the SIP
answer is received while preserving the important security property answer is received while preserving the important security property
of allowing the media sender to choose some of the keying material of allowing the media sender to choose some of the keying material
for the media. This also allows the media sessions to be changed, for the media. This also allows the media sessions to be changed,
re-keyed, and otherwise modified after the initial SIP signaling re-keyed, and otherwise modified after the initial SIP signaling
skipping to change at page 8, line 34 skipping to change at page 8, line 34
support for PRACK [RFC3262] while preserving the important support for PRACK [RFC3262] while preserving the important
security property of allowing the offerer to choose keying security property of allowing the offerer to choose keying
material for encrypting the media. material for encrypting the media.
o The establishment of security protection for the media path is o The establishment of security protection for the media path is
also provided along the media path and not over the signaling also provided along the media path and not over the signaling
path. In many deployment scenarios, the signaling and media path. In many deployment scenarios, the signaling and media
traffic travel along a different path through the network. traffic travel along a different path through the network.
o When RFC 4474 Identity is used, this solution works even when the o When RFC 4474 Identity is used, this solution works even when the
SIP proxies downstream of the authentication service are not SIP proxies downstream of the authentication service are not
trusted. There is no need to reveal keys in the SIP signaling or trusted. There is no need to reveal keys in the SIP signaling or
in the SDP message exchange. Retargeting of a dialog-forming in the SDP message exchange, as is done in SDESCRIPTIONS
request (changing the value of the Request-URI), the UA that [RFC4568]. Retargeting of a dialog-forming request (changing the
receives it (the User Agent Server, UAS) can have a different value of the Request-URI), the UA that receives it (the User Agent
identity from that in the To header field. When RFC 4916 is used Server, UAS) can have a different identity from that in the To
then it is possible to supply its identity to the peer UA by means header field. When RFC 4916 is used then it is possible to supply
of a request in the reverse direction, and for that identity to be its identity to the peer UA by means of a request in the reverse
signed by an Authentication Service. direction, and for that identity to be signed by an Authentication
Service.
o In this method, SSRC collisions do not result in any extra SIP o In this method, SSRC collisions do not result in any extra SIP
signaling. signaling.
o Many SIP endpoints already implement TLS. The changes to existing o Many SIP endpoints already implement TLS. The changes to existing
SIP and RTP usage are minimal even when DTLS-SRTP SIP and RTP usage are minimal even when DTLS-SRTP
[I-D.ietf-avt-dtls-srtp] is used. [I-D.ietf-avt-dtls-srtp] is used.
4. Terminology 4. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
skipping to change at page 32, line 34 skipping to change at page 32, line 34
Description Protocol (SDP) and Real Time Streaming Description Protocol (SDP) and Real Time Streaming
Protocol (RTSP)", RFC 4567, July 2006. Protocol (RTSP)", RFC 4567, July 2006.
[RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session [RFC4568] Andreasen, F., Baugher, M., and D. Wing, "Session
Description Protocol (SDP) Security Descriptions for Media Description Protocol (SDP) Security Descriptions for Media
Streams", RFC 4568, July 2006. Streams", RFC 4568, July 2006.
[I-D.zimmermann-avt-zrtp] [I-D.zimmermann-avt-zrtp]
Zimmermann, P., Johnston, A., and J. Callas, "ZRTP: Media Zimmermann, P., Johnston, A., and J. Callas, "ZRTP: Media
Path Key Agreement for Secure RTP", Path Key Agreement for Secure RTP",
draft-zimmermann-avt-zrtp-14 (work in progress), draft-zimmermann-avt-zrtp-15 (work in progress),
February 2009. March 2009.
[I-D.mcgrew-srtp-ekt] [I-D.mcgrew-srtp-ekt]
McGrew, D., "Encrypted Key Transport for Secure RTP", McGrew, D., "Encrypted Key Transport for Secure RTP",
draft-mcgrew-srtp-ekt-03 (work in progress), July 2007. draft-mcgrew-srtp-ekt-03 (work in progress), July 2007.
[I-D.ietf-avt-dtls-srtp] [I-D.ietf-avt-dtls-srtp]
McGrew, D. and E. Rescorla, "Datagram Transport Layer McGrew, D. and E. Rescorla, "Datagram Transport Layer
Security (DTLS) Extension to Establish Keys for Secure Security (DTLS) Extension to Establish Keys for Secure
Real-time Transport Protocol (SRTP)", Real-time Transport Protocol (SRTP)",
draft-ietf-avt-dtls-srtp-06 (work in progress), draft-ietf-avt-dtls-srtp-07 (work in progress),
October 2008. February 2009.
[I-D.ietf-sip-media-security-requirements] [I-D.ietf-sip-media-security-requirements]
Wing, D., Fries, S., Tschofenig, H., and F. Audet, Wing, D., Fries, S., Tschofenig, H., and F. Audet,
"Requirements and Analysis of Media Security Management "Requirements and Analysis of Media Security Management
Protocols", draft-ietf-sip-media-security-requirements-09 Protocols", draft-ietf-sip-media-security-requirements-09
(work in progress), January 2009. (work in progress), January 2009.
[I-D.ietf-mmusic-sdp-capability-negotiation] [I-D.ietf-mmusic-sdp-capability-negotiation]
Andreasen, F., "SDP Capability Negotiation", Andreasen, F., "SDP Capability Negotiation",
draft-ietf-mmusic-sdp-capability-negotiation-09 (work in draft-ietf-mmusic-sdp-capability-negotiation-09 (work in
skipping to change at page 34, line 7 skipping to change at page 34, line 7
[I-D.ietf-mmusic-media-path-middleboxes] [I-D.ietf-mmusic-media-path-middleboxes]
Stucker, B. and H. Tschofenig, "Analysis of Middlebox Stucker, B. and H. Tschofenig, "Analysis of Middlebox
Interactions for Signaling Protocol Communication along Interactions for Signaling Protocol Communication along
the Media Path", the Media Path",
draft-ietf-mmusic-media-path-middleboxes-01 (work in draft-ietf-mmusic-media-path-middleboxes-01 (work in
progress), July 2008. progress), July 2008.
[I-D.ietf-sip-ua-privacy] [I-D.ietf-sip-ua-privacy]
Munakata, M., Schubert, S., and T. Ohba, "UA-Driven Munakata, M., Schubert, S., and T. Ohba, "UA-Driven
Privacy Mechanism for SIP", draft-ietf-sip-ua-privacy-05 Privacy Mechanism for SIP", draft-ietf-sip-ua-privacy-06
(work in progress), February 2009. (work in progress), March 2009.
Appendix A. Requirements Analysis Appendix A. Requirements Analysis
[I-D.ietf-sip-media-security-requirements] describes security [I-D.ietf-sip-media-security-requirements] describes security
requirements for media keying. This section evaluates this proposal requirements for media keying. This section evaluates this proposal
with respect to each requirement. with respect to each requirement.
A.1. Forking and retargeting (R-FORK-RETARGET, R-BEST-SECURE, A.1. Forking and retargeting (R-FORK-RETARGET, R-BEST-SECURE,
R-DISTINCT) R-DISTINCT)
 End of changes. 11 change blocks. 
22 lines changed or deleted 33 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/