draft-ietf-sipbrandy-osrtp-07.txt   draft-ietf-sipbrandy-osrtp-08.txt 
SIPBRANDY Working Group A. Johnston SIPBRANDY Working Group A. Johnston
Internet-Draft Villanova University Internet-Draft Villanova University
Intended status: Informational B. Aboba Intended status: Informational B. Aboba
Expires: June 6, 2019 Microsoft Expires: September 27, 2019 Microsoft
A. Hutton A. Hutton
Atos Atos
R. Jesske R. Jesske
Deutsche Telekom Deutsche Telekom
T. Stach T. Stach
Unaffiliated Unaffiliated
December 3, 2018 March 26, 2019
An Opportunistic Approach for Secure Real-time Transport Protocol An Opportunistic Approach for Secure Real-time Transport Protocol
(OSRTP) (OSRTP)
draft-ietf-sipbrandy-osrtp-07 draft-ietf-sipbrandy-osrtp-08
Abstract Abstract
Opportunistic Secure Real-time Transport Protocol (OSRTP) is an Opportunistic Secure Real-time Transport Protocol (OSRTP) is an
implementation of the Opportunistic Security mechanism, as defined in implementation of the Opportunistic Security mechanism, as defined in
RFC 7435, applied to Real-time Transport Protocol (RTP). OSRTP RFC 7435, applied to Real-time Transport Protocol (RTP). OSRTP
allows encrypted media to be used in environments where support for allows encrypted media to be used in environments where support for
encryption is not known in advance, and not required. OSRTP does not encryption is not known in advance, and not required. OSRTP does not
require SDP extensions or features and is fully backwards compatible require SDP extensions or features and is fully backwards compatible
with existing implementations using encrypted and authenticated media with existing implementations using encrypted and authenticated media
skipping to change at page 1, line 49 skipping to change at page 1, line 49
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 6, 2019. This Internet-Draft will expire on September 27, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 2, line 29 skipping to change at page 2, line 29
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Applicability Statement . . . . . . . . . . . . . . . . . 3 1.1. Applicability Statement . . . . . . . . . . . . . . . . . 3
2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 3
3. SDP Offer/Answer Considerations . . . . . . . . . . . . . . . 3 3. SDP Offer/Answer Considerations . . . . . . . . . . . . . . . 3
3.1. Generating the Initial OSRTP Offer . . . . . . . . . . . 4 3.1. Generating the Initial OSRTP Offer . . . . . . . . . . . 4
3.2. Generating the Answer . . . . . . . . . . . . . . . . . . 4 3.2. Generating the Answer . . . . . . . . . . . . . . . . . . 4
3.3. Offerer Processing the Answer . . . . . . . . . . . . . . 4 3.3. Offerer Processing the Answer . . . . . . . . . . . . . . 4
3.4. Modifying the Session . . . . . . . . . . . . . . . . . . 4 3.4. Modifying the Session . . . . . . . . . . . . . . . . . . 5
4. Security Considerations . . . . . . . . . . . . . . . . . . . 5 4. Security Considerations . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5
6. Implementation Status . . . . . . . . . . . . . . . . . . . . 5 6. Implementation Status . . . . . . . . . . . . . . . . . . . . 5
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
8.1. Normative References . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 6
8.2. Informative References . . . . . . . . . . . . . . . . . 7 8.2. Informative References . . . . . . . . . . . . . . . . . 8
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
Opportunistic Security [RFC7435] (OS) is an approach to security that Opportunistic Security [RFC7435] (OS) is an approach to security that
defines a third mode for security between "cleartext" and defines a third mode for security between "cleartext" and
"comprehensive protection" that allows encryption and authentication "comprehensive protection" that allows encryption and authentication
to be used if supported but will not result in failures if it is not of media to be used if supported but will not result in failures if
supported. In terms of secure media, cleartext is RTP [RFC3550] it is not supported. In terms of secure media, cleartext is RTP
media which is negotiated with the RTP/AVP (Audio Video Profile) [RFC3550] media which is negotiated with the RTP/AVP (Audio Video
[RFC3551] or the RTP/AVPF profile [RFC4585]. Comprehensive Profile) [RFC3551] or the RTP/AVPF profile [RFC4585]. Comprehensive
protection is Secure RTP [RFC3711], negotiated with a secure profile, protection is Secure RTP [RFC3711], negotiated with a secure profile,
such as SAVP or SAVPF [RFC5124]. OSRTP allows SRTP to be negotiated such as SAVP or SAVPF [RFC5124]. OSRTP allows SRTP to be negotiated
with the RTP/AVP profile, with fallback to RTP if SRTP is not with the RTP/AVP profile, with fallback to RTP if SRTP is not
supported. supported.
There have been some extensions to SDP to allow profiles to be There have been some extensions to SDP to allow profiles to be
negotiated such as SDP Capabilities Negotiation (capneg) [RFC5939] . negotiated such as SDP Capabilities Negotiation (capneg) [RFC5939] .
However, these approaches are complex and have very limited However, these approaches are complex and have very limited
deployment in communication systems. Other key management protocols deployment in communication systems. Other key management protocols
for SRTP have been developed which by design use OS, such as ZRTP for SRTP have been developed which by design use OS, such as ZRTP
skipping to change at page 3, line 36 skipping to change at page 3, line 36
OSRTP is a transitional approach that provides a migration path from OSRTP is a transitional approach that provides a migration path from
unencrypted communication (RTP) to fully encrypted communication unencrypted communication (RTP) to fully encrypted communication
(SRTP). It is only to be used in existing deployments which are (SRTP). It is only to be used in existing deployments which are
attempting to transition to fully secure communications. New attempting to transition to fully secure communications. New
applications and new deployments will not use OSRTP. applications and new deployments will not use OSRTP.
2. Requirements Language 2. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC "OPTIONAL" in this document are to be interpreted as described in BCP
2119 [RFC2119]. 14 RFC 2119 [RFC2119] RFC 8174 [RFC8174] when, and only when, they
appear in all capitals, as shown here.
3. SDP Offer/Answer Considerations 3. SDP Offer/Answer Considerations
This section defines the SDP offer/answer considerations for This section defines the SDP offer/answer considerations for
opportunistic security. opportunistic security.
The procedures are for a specific m- section describing RTP-based The procedures are for a specific m- section describing RTP-based
media. If an SDP offer or answer contains multiple such m- sections, media. If an SDP offer or answer contains multiple such m- sections,
the procedures are applied to each m- section individually. the procedures are applied to each m- section individually.
"Initial OSRTP offer" refers to the offer in which oportunistic "Initial OSRTP offer" refers to the offer in which oportunistic
security is offered for an m- section for the first time within an security is offered for an m- section for the first time within an
SDP session. SDP session.
It is important to note that OSRTP makes no changes, and has no It is important to note that OSRTP makes no changes, and has no
effect on media sessions in which the offer contains a secure profile effect on media sessions in which the offer contains a secure profile
of RTP, such as SAVP or SAVPF. As discussed in [RFC7435], this is of RTP, such as SAVP or SAVPF. As discussed in [RFC7435], that is
the "comprehensive protection" for media mode. the "comprehensive protection" for media mode.
3.1. Generating the Initial OSRTP Offer 3.1. Generating the Initial OSRTP Offer
To indicate support for OSRTP in an SDP offer, the offerer uses the To indicate support for OSRTP in an SDP offer, the offerer uses the
RTP/AVP profile [RFC3551] or the RTP/AVPF profile [RFC4585] but RTP/AVP profile [RFC3551] or the RTP/AVPF profile [RFC4585] but
includes SRTP keying attributes. OSRTP is not specific to any key includes SRTP keying attributes. OSRTP is not specific to any key
management technique for SRTP. For example: management technique for SRTP and multiple key management techniques
can be included on the SDP offer. For example:
If the offerer supports DTLS-SRTP key agreement [RFC5763], then an If the offerer supports DTLS-SRTP key agreement [RFC5763], then an
a=fingerprint attribute will be present, or a=fingerprint attribute will be present, or
If the offerer supports SDP Security Descriptions key agreement If the offerer supports SDP Security Descriptions key agreement
[RFC4568], then an a=crypto attribute will be present, or [RFC4568], then an a=crypto attribute will be present, or
If the offerer supports ZRTP key agreement [RFC6189], then an If the offerer supports ZRTP key agreement [RFC6189], then an
a=zrtp-hash attribute will be present. a=zrtp-hash attribute will be present.
skipping to change at page 4, line 50 skipping to change at page 5, line 7
If the offerer of OSRTP receives an SDP answer which does not contain If the offerer of OSRTP receives an SDP answer which does not contain
SRTP keying attributes, then the media session proceeds with RTP. If SRTP keying attributes, then the media session proceeds with RTP. If
the SDP answer contains SRTP keying attributes then the associated the SDP answer contains SRTP keying attributes then the associated
SRTP key management approach is followed and SRTP media is used for SRTP key management approach is followed and SRTP media is used for
this session. If the SRTP key management fails, the media session this session. If the SRTP key management fails, the media session
MUST fail. MUST fail.
3.4. Modifying the Session 3.4. Modifying the Session
When an offerer generates a subsequent offer it should do so When an offerer generates a subsequent SDP offer it should do so
following the principles of [RFC6337] meaning that the decision to following the principles of [RFC6337] meaning that the decision to
create an OSRTP type offer or something else should not be influenced create the new SDP offer should not be influenced by what was
by what was previously negotiated. For example if a previous OSRTP previously negotiated. For example if a previous OSRTP offer did not
offer did not result in SRTP being established the offerer may try result in SRTP being established the offerer may try again and
again and generate a new OSRTP offer as specified in section [3.1]. generate a new OSRTP offer as specified in section [3.1].
4. Security Considerations 4. Security Considerations
The security considerations of [RFC7435] apply to OSRTP, as well as The security considerations of [RFC7435] apply to OSRTP, as well as
the security considerations of the particular SRTP key agreement the security considerations of the particular SRTP key agreement
approach used. However, the authentication requirements of a approach used. However, the authentication requirements of a
particular SRTP key agreement approach are relaxed when that key particular SRTP key agreement approach are relaxed when that key
agreement is used with OSRTP. For example: agreement is used with OSRTP, which is consistent with the
Opportunistic Security approach described [RFC7435]. For example:
For DTLS-SRTP key agreement [RFC5763], an authenticated signaling For DTLS-SRTP key agreement [RFC5763], an authenticated signaling
channel does not need to be used with OSRTP if it is not channel does not need to be used with OSRTP if it is not
available. available.
For SDP Security Descriptions key agreement [RFC4568], an For SDP Security Descriptions key agreement [RFC4568], an
authenticated signaling channel does not need to be used with authenticated signaling channel does not need to be used with
OSRTP if it is not available, although an encrypted signaling OSRTP if it is not available, although an encrypted signaling
channel must still be used. channel must still be used.
skipping to change at page 7, line 46 skipping to change at page 8, line 5
[RFC6189] Zimmermann, P., Johnston, A., Ed., and J. Callas, "ZRTP: [RFC6189] Zimmermann, P., Johnston, A., Ed., and J. Callas, "ZRTP:
Media Path Key Agreement for Unicast Secure RTP", Media Path Key Agreement for Unicast Secure RTP",
RFC 6189, DOI 10.17487/RFC6189, April 2011, RFC 6189, DOI 10.17487/RFC6189, April 2011,
<https://www.rfc-editor.org/info/rfc6189>. <https://www.rfc-editor.org/info/rfc6189>.
[RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", RFC 7435, DOI 10.17487/RFC7435, Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
December 2014, <https://www.rfc-editor.org/info/rfc7435>. December 2014, <https://www.rfc-editor.org/info/rfc7435>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
8.2. Informative References 8.2. Informative References
[I-D.kaplan-mmusic-best-effort-srtp] [I-D.kaplan-mmusic-best-effort-srtp]
Audet, F. and H. Kaplan, "Session Description Protocol Audet, F. and H. Kaplan, "Session Description Protocol
(SDP) Offer/Answer Negotiation For Best-Effort Secure (SDP) Offer/Answer Negotiation For Best-Effort Secure
Real-Time Transport Protocol", draft-kaplan-mmusic-best- Real-Time Transport Protocol", draft-kaplan-mmusic-best-
effort-srtp-01 (work in progress), October 2006. effort-srtp-01 (work in progress), October 2006.
[IMTC-SIP] [IMTC-SIP]
"Best Practices for SIP Security", IMTC SIP Parity Group, I. S. P. A., "Best Practices for SIP Security",
IMTC SIP Parity
Group http://www.imtc.org/uc/sip-parity-activity-group/, Group http://www.imtc.org/uc/sip-parity-activity-group/,
2011, <http://www.imtc.org>. 2011, <http://www.imtc.org>.
[RFC5939] Andreasen, F., "Session Description Protocol (SDP) [RFC5939] Andreasen, F., "Session Description Protocol (SDP)
Capability Negotiation", RFC 5939, DOI 10.17487/RFC5939, Capability Negotiation", RFC 5939, DOI 10.17487/RFC5939,
September 2010, <https://www.rfc-editor.org/info/rfc5939>. September 2010, <https://www.rfc-editor.org/info/rfc5939>.
[RFC6337] Okumura, S., Sawada, T., and P. Kyzivat, "Session [RFC6337] Okumura, S., Sawada, T., and P. Kyzivat, "Session
Initiation Protocol (SIP) Usage of the Offer/Answer Initiation Protocol (SIP) Usage of the Offer/Answer
Model", RFC 6337, DOI 10.17487/RFC6337, August 2011, Model", RFC 6337, DOI 10.17487/RFC6337, August 2011,
<https://www.rfc-editor.org/info/rfc6337>. <https://www.rfc-editor.org/info/rfc6337>.
[RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running [RFC6982] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", RFC 6982, Code: The Implementation Status Section", RFC 6982,
DOI 10.17487/RFC6982, July 2013, DOI 10.17487/RFC6982, July 2013,
<https://www.rfc-editor.org/info/rfc6982>. <https://www.rfc-editor.org/info/rfc6982>.
[SIPCONNECT] [SIPCONNECT]
"SIP-PBX / Service Provider Interoperability SIPconnect Group, S. F. S. 2. T., "SIP-PBX / Service Provider
2.0 - Technical Recommendation", SIP Forum http://www.sipf Interoperability SIPconnect 2.0 - Technical
orum.org/component/option,com_docman/task,doc_download/ Recommendation", SIP Forum http://www.sipforum.org/compone
gid,838/Itemid,261/, 2017, <http://www.sipforum.org>. nt/option,com_docman/task,doc_download/gid,838/
Itemid,261/, 2017, <http://www.sipforum.org>.
Authors' Addresses Authors' Addresses
Alan Johnston Alan Johnston
Villanova University Villanova University
Villanova, PA Villanova, PA
USA USA
Email: alan.b.johnston@gmail.com Email: alan.b.johnston@gmail.com
Bernard Aboba Bernard Aboba
Microsoft Microsoft
One Microsoft Way One Microsoft Way
Redmond, WA 98052 Redmond, WA 98052
USA USA
Email: bernard.aboba@gmail.com Email: bernard.aboba@gmail.com
Andrew Hutton Andrew Hutton
Atos Atos
Mid City Place Mid City Place
London WC1V 6EA London WC1V 6EA
UK UK
Email: andrew.hutton@atos.net Email: andrew.hutton@atos.net
Roland Jesske Roland Jesske
Deutsche Telekom Deutsche Telekom
 End of changes. 19 change blocks. 
27 lines changed or deleted 36 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/