draft-ietf-perc-private-media-framework-00.txt   draft-ietf-perc-private-media-framework-01.txt 
Network Working Group P. Jones Network Working Group P. Jones
Internet-Draft D. Benham Internet-Draft D. Benham
Intended status: Standards Track Cisco Intended status: Standards Track Cisco
Expires: November 14, 2016 May 13, 2016 Expires: January 9, 2017 C. Groves
Huawei
July 8, 2016
A Solution Framework for Private Media in Privacy Enhanced RTP A Solution Framework for Private Media in Privacy Enhanced RTP
Conferencing Conferencing
draft-ietf-perc-private-media-framework-00 draft-ietf-perc-private-media-framework-01
Abstract Abstract
This document describes a solution framework for ensuring that media This document describes a solution framework for ensuring that media
confidentiality and integrity are maintained end-to-end within the confidentiality and integrity are maintained end-to-end within the
context of a switched conferencing environment where media context of a switched conferencing environment where media
distribution devices are not trusted with the end-to-end media distribution devices are not trusted with the end-to-end media
encryption keys. The solution aims to build upon existing security encryption keys. The solution aims to build upon existing security
mechanisms defined for the real-time transport protocol (RTP). mechanisms defined for the real-time transport protocol (RTP).
skipping to change at page 1, line 36 skipping to change at page 1, line 38
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 14, 2016. This Internet-Draft will expire on January 9, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 13 skipping to change at page 2, line 15
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 3 2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. PERC Entities and Trust Model . . . . . . . . . . . . . . . . 4 3. PERC Entities and Trust Model . . . . . . . . . . . . . . . . 4
3.1. Untrusted Entities . . . . . . . . . . . . . . . . . . . 5 3.1. Untrusted Entities . . . . . . . . . . . . . . . . . . . 5
3.1.1. MDD . . . . . . . . . . . . . . . . . . . . . . . . . 5 3.1.1. Media Distributor . . . . . . . . . . . . . . . . . . 5
3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6 3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6
3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 6 3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 6
3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 6 3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 6
3.2.2. KMF . . . . . . . . . . . . . . . . . . . . . . . . . 7 3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7
4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7 4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7
4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 7 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 7
4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 8 4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 8
4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9 4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9
4.4. HBH Keys and Hop Operations . . . . . . . . . . . . . . . 9 4.4. HBH Keys and Hop Operations . . . . . . . . . . . . . . . 9
4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10 4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10
4.5.1. Initial Key Exchange and KMF . . . . . . . . . . . . 10 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 10
4.5.2. Key Exchange during a Conference . . . . . . . . . . 11 4.5.2. Key Exchange during a Conference . . . . . . . . . . 11
5. Entity Trust . . . . . . . . . . . . . . . . . . . . . . . . 11 5. Entity Trust . . . . . . . . . . . . . . . . . . . . . . . . 12
5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 12 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 12
5.2. Certificate Fingerprints in Session Signaling . . . . . . 12 5.2. Certificate Fingerprints in Session Signaling . . . . . . 12
6. Attacks on Privacy Enhanced RTP Conferencing . . . . . . . . 12 6. Attacks on Privacy Enhanced RTP Conferencing . . . . . . . . 13
6.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 13 6.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 13
6.2. MDD Attacks . . . . . . . . . . . . . . . . . . . . . . . 13 6.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 14
6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 13 6.2.1. Denial of service . . . . . . . . . . . . . . . . . . 14
6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 14 6.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 14
6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 14 6.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 15
6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 14 6.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 15
7. To-Do List . . . . . . . . . . . . . . . . . . . . . . . . . 15 7. To-Do List . . . . . . . . . . . . . . . . . . . . . . . . . 15
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
9. Security Considerations . . . . . . . . . . . . . . . . . . . 15 9. Security Considerations . . . . . . . . . . . . . . . . . . . 16
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 16
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 16
11.1. Normative References . . . . . . . . . . . . . . . . . . 16 11.1. Normative References . . . . . . . . . . . . . . . . . . 16
11.2. Informative References . . . . . . . . . . . . . . . . . 17 11.2. Informative References . . . . . . . . . . . . . . . . . 17
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18
1. Introduction 1. Introduction
Switched conferencing is an increasingly popular model for multimedia Switched conferencing is an increasingly popular model for multimedia
conferences with multiple participants using a combination of audio, conferences with multiple participants using a combination of audio,
video, text, and other media types. With this model, real-time media video, text, and other media types. With this model, real-time media
flows from conference participants are not mixed, transcoded, flows from conference participants are not mixed, transcoded,
transrated, recomposed, or otherwise manipulated by a media transrated, recomposed, or otherwise manipulated by a Media
distribution device (MDD), as might be the case with a traditional Distributor, as might be the case with a traditional media server or
media server or multipoint control unit (MCU). Instead, media flows multipoint control unit (MCU). Instead, media flows transmitted by
transmitted by conference participants are simply forwarded by the conference participants are simply forwarded by the Media Distributor
MDD to each of the other participants, often forwarding only a subset to each of the other participants, often forwarding only a subset of
of flows based on voice activity detection or other criteria. In flows based on voice activity detection or other criteria. In some
some instances, the MDDs may make limited modifications to RTP instances, the Media Distributors may make limited modifications to
[RFC3550] headers, for example, but the actual media content (e.g., RTP [RFC3550] headers, for example, but the actual media content
voice or video data) is unaltered. (e.g., voice or video data) is unaltered.
An advantage of switched conferencing is that media distribution An advantage of switched conferencing is that Media Distributors can
devices can be more easily deployed on general-purpose computing be more easily deployed on general-purpose computing hardware,
hardware, including virtualized environments in private and public including virtualized environments in private and public clouds.
clouds. Deploying conference resources in a public cloud environment Deploying conference resources in a public cloud environment might
might introduce a higher security risk. Whereas traditional introduce a higher security risk. Whereas traditional conference
conference resources were usually deployed in private networks that resources were usually deployed in private networks that were
were protected, cloud-based conference resources might be viewed as protected, cloud-based conference resources might be viewed as less
less secure since they are not always physically controlled by those secure since they are not always physically controlled by those who
who use them. Additionally, there are usually several ports open to use them. Additionally, there are usually several ports open to the
the public in cloud deployments, such as for remote administration, public in cloud deployments, such as for remote administration, and
and so on. so on.
This document defines a solution framework wherein media privacy is This document defines a solution framework wherein media privacy is
ensured by making it impossible for an media distribution device to ensured by making it impossible for a media distribution device to
gain access to keys needed to decrypt or authenticate the actual gain access to keys needed to decrypt or authenticate the actual
media content sent between conference participants. At the same media content sent between conference participants. At the same
time, the framework allows for the media distribution device to time, the framework allows for the Media Distributors to modify
modify certain RTP headers; add, remove, encrypt, or decrypt RTP certain RTP headers; add, remove, encrypt, or decrypt RTP header
header extensions; and encrypt and decrypt RTCP packets. The extensions; and encrypt and decrypt RTCP packets. The framework also
framework also prevents replay attacks by authenticating each packet prevents replay attacks by authenticating each packet transmitted
transmitted between a given participant and the media distribution between a given participant and the media distribution device using a
device using a unique key per endpoint that is independent from the unique key per endpoint that is independent from the key for media
key for media encryption and authentication. encryption and authentication.
A goal of this document is to define a framework for enhanced privacy A goal of this document is to define a framework for enhanced privacy
in RTP-based conferencing environments while utilizing existing in RTP-based conferencing environments while utilizing existing
security procedures defined for RTP with minimal enhancements. security procedures defined for RTP with minimal enhancements.
2. Conventions Used in This Document 2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] when they document are to be interpreted as described in [RFC2119] when they
appear in ALL CAPS. These words may also appear in this document in appear in ALL CAPS. These words may also appear in this document in
lower case as plain English words, absent their normative meanings. lower case as plain English words, absent their normative meanings.
Additionally, this solution framework uses the following conventions, Additionally, this solution framework uses the following conventions,
terms and acronyms: terms and acronyms:
E2E (End-to-End): Communications from one endpoint through one or End-to-End (E2E): Communications from one endpoint through one or
more Media Distribution Devices to the endpoint at the other end. more Media Distribution Devices to the endpoint at the other end.
HBH (Hop-by-Hop): Communications between an endpoint and an Media Hop-by-Hop (HBH): Communications between an endpoint and a Media
Distribution Device or between Media Distribution Devices. Distribution Device or between Media Distribution Devices.
Endpoint: An RTP flow terminating entity that has possession of E2E Endpoint: An RTP flow terminating entity that has possession of E2E
media encryption keys and terminates E2E encryption. This may media encryption keys and terminates E2E encryption. This may
include embedded user conferencing equipment or browsers on include embedded user conferencing equipment or browsers on
computers, media gateways, MCUs, media recording device and more that computers, media gateways, MCUs, media recording device and more that
are in the trusted domain for a given deployment. are in the trusted domain for a given deployment.
MDD (Media Distribution Device): An RTP middlebox that is not allowed Media Distributor (MD): An RTP middlebox that is not allowed to to
to to have access to E2E encryption keys. It may operate according have access to E2E encryption keys. It may operate according to any
to any of the RTP topologies [I-D.ietf-avtcore-rtp-topologies-update] of the RTP topologies [I-D.ietf-avtcore-rtp-topologies-update] per
per the constraints defined by the PERC system, which includes, but the constraints defined by the PERC system, which includes, but not
not limited to, having no access to RTP media unencrypted and having limited to, having no access to RTP media unencrypted and having
limits on what RTP header field it can alter. limits on what RTP header field it can alter.
KMF (Key Management Function): An entity that is a logical function Key Distributor: An entity that is a logical function which passes
which passes keying material and related information to endpoints and keying material and related information to endpoints and Media
Media Distribution Devices that is appropriate for each. The KMF Distributor(s) that is appropriate for each. The Key Distributor
might be co-resident with another entity trusted with E2E keying might be co-resident with another entity trusted with E2E keying
material. material.
Conference: Two or more participants communicating via trusted Conference: Two or more participants communicating via trusted
endpoints to exchange RTP flows through one or more Media endpoints to exchange RTP flows through one or more Media
Distribution Devices. Distributor.
Third Party: Any entity that is not an Endpoint, MDD, KMF or Call Third Party: Any entity that is not an Endpoint, Media Distributor,
Processing entity as described in this document. Key Distributor or Call Processing entity as described in this
document.
3. PERC Entities and Trust Model 3. PERC Entities and Trust Model
The following figure depicts the trust relationships, direct or The following figure depicts the trust relationships, direct or
indirect, between entities described in the subsequent sub-sections. indirect, between entities described in the subsequent sub-sections.
Note that these entities may be co-located or further divided into Note that these entities may be co-located or further divided into
multiple, separate physical devices. multiple, separate physical devices.
Please note that some entities classified as untrusted in the simple, Please note that some entities classified as untrusted in the simple,
general deployment scenario used most commonly in this document might general deployment scenario used most commonly in this document might
skipping to change at page 5, line 12 skipping to change at page 5, line 14
focused by only using the the simple, most general deployment focused by only using the the simple, most general deployment
scenario. scenario.
| |
+----------+ | +-----------------+ +----------+ | +-----------------+
| Endpoint | | | Call Processing | | Endpoint | | | Call Processing |
+----------+ | +-----------------+ +----------+ | +-----------------+
| |
| |
+----------------+ | +--------------------+ +----------------+ | +--------------------+
| Key Management | | | Media Distribution | | Key Distributor| | | Media Distributor |
| Function | | | Device |
+----------------+ | +--------------------+ +----------------+ | +--------------------+
| |
Trusted | Untrusted Trusted | Untrusted
Entities | Entities Entities | Entities
| |
Figure 1: Trusted and Untrusted Entities in PERC Figure 1: Trusted and Untrusted Entities in PERC
3.1. Untrusted Entities 3.1. Untrusted Entities
skipping to change at page 5, line 37 skipping to change at page 5, line 38
is below the level needed to assume the privacy of participant's is below the level needed to assume the privacy of participant's
media will not be compromised. The conferencing infrastructure in media will not be compromised. The conferencing infrastructure in
such a domain is still trusted with reliably connecting the such a domain is still trusted with reliably connecting the
participants together in a conference, but not trusted with keying participants together in a conference, but not trusted with keying
material needed to decrypt any of the participant's media. Entities material needed to decrypt any of the participant's media. Entities
in such lower trustworthiness domains will simply be referred to as in such lower trustworthiness domains will simply be referred to as
untrusted entities from this point forward. This does not mean that untrusted entities from this point forward. This does not mean that
they are completely untrusted as they may be trusted with most non- they are completely untrusted as they may be trusted with most non-
media related aspects of hosting a conference. media related aspects of hosting a conference.
3.1.1. MDD 3.1.1. Media Distributor
A Media Distribution Device (MDD) forwards RTP flows between A Media Distributor forwards RTP flows between endpoints in the
endpoints in the conference while performing per-hop authentication conference while performing per-hop authentication of each RTP
of each RTP packet. The MDD may need access to one or more RTP packet. The Media Distributor may need access to one or more RTP
headers or header extensions, potentially adding or modifying a headers or header extensions, potentially adding or modifying a
certain subset. The MDD will also relay secured messaging between certain subset. The Media Distributor will also relay secured
the endpoints and the key management function and will acquire per- messaging between the endpoints and the Key Distributor and will
hop key information from the KMF. The actual media content MUST NOT acquire per-hop key information from the Key Distributor. The actual
not be decryptable by an MDD, so it is untrusted to have access to media content MUST NOT not be decryptable by a Media Distributor, so
the E2E media encryption keys, which this framework's key exchange it is untrusted to have access to the E2E media encryption keys,
mechanisms will prevent. which this framework's key exchange mechanisms will prevent.
An endpoint's ability to join a conference hosted by an MDD MUST NOT An endpoint's ability to join a conference hosted by a Media
alone be interpreted as being authorized to have access to the E2E Distributor MUST NOT alone be interpreted as being authorized to have
media encryption keys, as the MDD does not have the ability to access to the E2E media encryption keys, as the Media Distributor
determine whether an endpoint is authorized. does not have the ability to determine whether an endpoint is
authorized.
An MDD MUST perform its role in properly forwarding media packets A Media Distributor MUST perform its role in properly forwarding
while taking measures to mitigate the adverse effects of denial of media packets while taking measures to mitigate the adverse effects
service attacks (refer to Section 6), etc, to a level equal to or of denial of service attacks (refer to Section 6), etc, to a level
better than traditional conferencing (i.e. pre-PERC) deployments. equal to or better than traditional conferencing (i.e. pre-PERC)
deployments.
An MDD or associated conferencing infrastructure may also initiate or A Media Distributor or associated conferencing infrastructure may
terminate various conference control related messaging, which is also initiate or terminate various conference control related
outside the scope of this framework document. messaging, which is outside the scope of this framework document.
3.1.2. Call Processing 3.1.2. Call Processing
The call processing function is untrusted in the simple, general The call processing function is untrusted in the simple, general
deployment scenario. When a physical subset of the call processing deployment scenario. When a physical subset of the call processing
function resides in facilities outside the trusted domain, it should function resides in facilities outside the trusted domain, it should
not be trusted to have access to E2E key information. not be trusted to have access to E2E key information.
The call processing function may include the processing of call The call processing function may include the processing of call
signaling messages, as well as the signing of those messages. It may signaling messages, as well as the signing of those messages. It may
also authenticate the endpoints for the purpose of call signaling and also authenticate the endpoints for the purpose of call signaling and
subsequently joining of a conference hosted through one or more MDDs. subsequently joining of a conference hosted through one or more Media
Call processing may optionally ensure the privacy of call signaling Distributors. Call processing may optionally ensure the privacy of
messages between itself, the endpoint, and other entities. call signaling messages between itself, the endpoint, and other
entities.
In any deployment scenario where the call processing function is In any deployment scenario where the call processing function is
considered trusted, the call processing function MUST ensure the considered trusted, the call processing function MUST ensure the
integrity of received messages before forwarding to other entities. integrity of received messages before forwarding to other entities.
3.2. Trusted Entities 3.2. Trusted Entities
From the PERC model system perspective, entities considered trusted From the PERC model system perspective, entities considered trusted
(refer to Figure 1) can be in possession of the E2E media encryption (refer to Figure 1) can be in possession of the E2E media encryption
key(s) for one or more conferences. key(s) for one or more conferences.
skipping to change at page 7, line 5 skipping to change at page 7, line 8
An endpoint is considered trusted and will have access to E2E key An endpoint is considered trusted and will have access to E2E key
information. While it is possible for an endpoint to be compromised, information. While it is possible for an endpoint to be compromised,
subsequently performing in undesired ways, defining endpoint subsequently performing in undesired ways, defining endpoint
resistance to compromise is outside the scope of this document. resistance to compromise is outside the scope of this document.
Endpoints will take measures to mitigate the adverse effects of Endpoints will take measures to mitigate the adverse effects of
denial of service attacks (refer to Section 6) from other entities, denial of service attacks (refer to Section 6) from other entities,
including from other endpoints, to a level equal to or better than including from other endpoints, to a level equal to or better than
traditional conference (i.e., pre-PERC) deployments. traditional conference (i.e., pre-PERC) deployments.
3.2.2. KMF 3.2.2. Key Distributor
The KMF, which may be collocated with an endpoint or exist The Key Distributor, which may be collocated with an endpoint or
standalone, is responsible for providing key information to endpoints exist standalone, is responsible for providing key information to
for both end-to-end and hop-by-hop security and for providing key endpoints for both end-to-end and hop-by-hop security and for
information to MDDs for the hop-by-hop security. providing key information to Media Distributors for the hop-by-hop
security.
Interaction between the KMF and the call processing function may be Interaction between the Key Distributor and the call processing
necessary to for proper conference-to-endpoint mappings, which may or function may be necessary to for proper conference-to-endpoint
may not be satisfied by getting information directly from the mappings, which may or may not be satisfied by getting information
endpoints or via some other means. See Section 7 for a related item directly from the endpoints or via some other means. See Section 7
in the To Do list. for a related item in the To Do list.
The KMF needs to be secured and managed in a way to prevent The Key Distributor needs to be secured and managed in a way to
exploitation by an adversary, as any kind of compromise of the KMF prevent exploitation by an adversary, as any kind of compromise of
puts the security of the conference at risk. the Key Distributor puts the security of the conference at risk.
4. Framework for PERC 4. Framework for PERC
The purpose for this framework is to define a means through which The purpose for this framework is to define a means through which
media privacy can be ensured when communicating within a conferencing media privacy can be ensured when communicating within a conferencing
environment consisting of one or more MDDs that only switch, hence environment consisting of one or more Media Distributors that only
not terminate, media. It does not otherwise attempt to hide the fact switch, hence not terminate, media. It does not otherwise attempt to
that a conference between endpoints is taking place. hide the fact that a conference between endpoints is taking place.
This framework reuses several specified RTP security technologies, This framework reuses several specified RTP security technologies,
including SRTP [RFC3711], PERC EKT [I-D.ietf-perc-srtp-ekt-diet], and including SRTP [RFC3711], PERC EKT [I-D.ietf-perc-srtp-ekt-diet], and
DTLS-SRTP [RFC5764]. DTLS-SRTP [RFC5764].
4.1. End-to-End and Hop-by-Hop Authenticated Encryption 4.1. End-to-End and Hop-by-Hop Authenticated Encryption
This solution framework focuses on the end-to-end privacy and This solution framework focuses on the end-to-end privacy and
integrity of the participant's media by limiting access to end-to-end integrity of the participant's media by limiting access to end-to-end
key information to trusted entities. However, this framework does key information to trusted entities. However, this framework does
give an MDD access to RTP headers and all or most header extensions, give a Media Distributor access to RTP headers and all or most header
as well as the ability to modify a certain subset of those headers extensions, as well as the ability to modify a certain subset of
and to add header extensions. Packets received by an MDD or an those headers and to add header extensions. Packets received by a
endpoint are authenticated hop-by-hop. Media Distributor or an endpoint are authenticated hop-by-hop.
To enable all of the above, this framework defines the use of two To enable all of the above, this framework defines the use of two
security contexts and two associated encryption keys; an "inner" key security contexts and two associated encryption keys; an "inner" key
(E2E Key(i); i={a given endpoint}) for authenticated encryption of (E2E Key(i); i={a given endpoint}) for authenticated encryption of
RTP media between endpoints and an "outer" key (HBH Key(j); j={a RTP media between endpoints and an "outer" key (HBH Key(j); j={a
given hop}) for the hop between an endpoint and an MDD or between given hop}) for the hop between an endpoint and a Media Distributor
MDDs. Reference the following figure. or between Media Distributor. Reference the following figure.
+--------+ HBH +-----+ HBH +-----+ HBH +--------+ +-------------+ +-------------+
| |=============| |=========| |=============| | | |################################| |
|Endpoint|-E2E Key(A)->| MDD |-------->| MDD |------------>|Endpoint| | Media |------------------------------->| Media |
| A |<------------| X |<--------| Y |<-E2E Key(B)-| B | | Distributor |<-------------------------------| Distributor |
| |=============| |=========| |=============| | | X |################################| Y |
+--------+ Key(AX) +-----+ Key(XY) +-----+ Key(YB) +--------+ | | HBH Key (XY) | |
+-------------+ +-------------+
# ^ | # # ^ | #
# | | # HBH HBH # | | #
# | | # <== Key(AX) Key(YB) ==> # | | #
# | | # # | | #
# |<+--#---- E2E Key (A) E2E Key (B) ---#->| | #
# | | # # | | #
# | v # # | v #
+-------------+ +-------------+
| Endpoint A | | Endpoint B |
+-------------+ +-------------+
E2E and HBH Keys Used for Authenticated Encryption E2E and HBH Keys Used for Authenticated Encryption
The PERC Double draft specification [I-D.ietf-perc-double] uses The PERC Double draft specification [I-D.ietf-perc-double] uses
standard SRTP keying material and recommended cryptographic standard SRTP keying material and recommended cryptographic
transform(s) to first form the inner, end-to-end SRTP cryptographic transform(s) to first form the inner, end-to-end SRTP cryptographic
context. That end-to-end SRTP cryptographic context MAY be used to context. That end-to-end SRTP cryptographic context MAY be used to
encrypt some RTP header extensions along with RTP media content. The encrypt some RTP header extensions along with RTP media content. The
output of this is treated like an RTP packet and encrypted again output of this is treated like an RTP packet and encrypted again
using the outer hop-by-hop cryptographic context. The endpoint using the outer hop-by-hop cryptographic context. The endpoint
executes the entire Double operation while the MDD just performs the executes the entire Double operation while the Media Distributor just
outer, hop-by-hop operation. performs the outer, hop-by-hop operation.
RTCP can only be encrypted hop-by-hop, not end-to-end. This RTCP can only be encrypted hop-by-hop, not end-to-end. This
framework introduces no additional step for RTCP authenticated framework introduces no additional step for RTCP authenticated
encryption, so the procedures needed are specified in [RFC3711] and encryption, so the procedures needed are specified in [RFC3711] and
use the same outer, hop-by-hop cryptographic context chosen in the use the same outer, hop-by-hop cryptographic context chosen in the
Double operation described above. Double operation described above.
4.2. E2E Key Confidentiality 4.2. E2E Key Confidentiality
To ensure the confidentiality of E2E keys shared between endpoints, To ensure the confidentiality of E2E keys shared between endpoints,
endpoints will make use of a common Key Encryption Key (KEK) that is endpoints will make use of a common Key Encryption Key (KEK) that is
known only by the trusted entities in a conference. That KEK, known only by the trusted entities in a conference. That KEK,
defined in the PERC EKT [I-D.ietf-perc-srtp-ekt-diet] as the EKT Key, defined in the PERC EKT [I-D.ietf-perc-srtp-ekt-diet] as the EKT Key,
will be used to subsequently encrypt SRTP master keys used for E2E will be used to subsequently encrypt SRTP master keys used for E2E
authenticated encryption (E2E Key(i); i={a given endpoint}) of media authenticated encryption (E2E Key(i); i={a given endpoint}) of media
sent by a given endpoint. sent by a given endpoint.
+---------------------+------------+-------+-------+------------+ +---------------------+------------+-------+-------+------------+
| Key / Entity | Endpoint A | MDD X | MDD Y | Endpoint B | | Key / Entity | Endpoint A | MD X | MD Y | Endpoint B |
+---------------------+------------+---------------+------------+ +---------------------+------------+-------+-------+------------+
| KEK | Yes | No | No | Yes | | KEK | Yes | No | No | Yes |
+---------------------+------------+---------------+------------+ +---------------------+------------+-------+-------+------------+
| E2E Key (i) | Yes | No | No | Yes | | E2E Key (i) | Yes | No | No | Yes |
+---------------------+------------+---------------+------------+ +---------------------+------------+-------+-------+------------+
| HBH Key (A<=>MDD X) | Yes | Yes | No | No | | HBH Key (A<=>MD X) | Yes | Yes | No | No |
+---------------------+------------+---------------+------------+ +---------------------+------------+-------+-------+------------+
| HBH Key (B<=>MDD Y) | No | No | Yes | Yes | | HBH Key (B<=>MD Y) | No | No | Yes | Yes |
+---------------------+------------+---------------+------------+ +---------------------+------------+---------------+------------+
Figure 2: Keys per Entity Figure 2: Keys per Entity
4.3. E2E Keys and Endpoint Operations 4.3. E2E Keys and Endpoint Operations
Any given RTP media flow can be identified by its SSRC, and endpoints Any given RTP media flow can be identified by its SSRC, and endpoints
might send more than one at a time and change the mix of media flows might send more than one at a time and change the mix of media flows
transmitted during the life of a conference. transmitted during the life of a conference.
Thus, endpoints MUST maintain a list of SSRCs from received RTP flows Thus, endpoints MUST maintain a list of SSRCs from received RTP flows
and each SSRC's associated E2E Key(i) information. Following a and each SSRC's associated E2E Key(i) information. Following a
change of the KEK (i.e., EKT Key), prior E2E Key(i) information change of the KEK (i.e., EKT Key), prior E2E Key(i) information
SHOULD be retained for a period long enough to ensure that late- SHOULD be retained for a period long enough to ensure that late-
arriving or out-of-order packets from other endpoints can be arriving or out-of-order packets from other endpoints can be
successfully decrypted. The endpoint MUST discard the E2E Key(i) and successfully decrypted. The endpoint MUST discard the E2E Key(i) and
KEK information no later than when it leaves the conference. KEK information no later than when it leaves the conference.
If there is a need to encrypt one or more RTP header extensions end- If there is a need to encrypt one or more RTP header extensions end-
to-end, an encryption key is derived from the end-to-end SRTP master to-end, an encryption key is derived from the end-to-end SRTP master
key to encrypt header extensions as per [RFC6904]. The MDD will not key to encrypt header extensions as per [RFC6904]. The Media
be able use the information contained in those header extensions Distributor will not be able use the information contained in those
encrypted with E2E keys. See Section 7 for a related item in the To header extensions encrypted with E2E keys. See Section 7 for a
Do list. related item in the To Do list.
4.4. HBH Keys and Hop Operations 4.4. HBH Keys and Hop Operations
To ensure the integrity of transmitted media packets, this framework To ensure the integrity of transmitted media packets, this framework
requires that every packet be authenticated hop-by-hop (HBH) between requires that every packet be authenticated hop-by-hop (HBH) between
an endpoint and an MDD, as well between MDDs. The authentication key an endpoint and a Media Distributor, as well between Media
used for hop-by-hop authentication is derived from an SRTP master key Distributors. The authentication key used for hop-by-hop
shared only on the respective hop (HBH Key(j); j={a given hop}). authentication is derived from an SRTP master key shared only on the
Each HBH Key(j) is distinct per hop and no two hops ever respective hop (HBH Key(j); j={a given hop}). Each HBH Key(j) is
intentionally use the same SRTP master key. distinct per hop and no two hops ever intentionally use the same SRTP
master key.
Using hop-by-hop authentication gives the MDD the ability to change Using hop-by-hop authentication gives the Media Distributor the
certain RTP header values. Which values the MDD can change in the ability to change certain RTP header values. Which values the Media
RTP header are defined in [I-D.ietf-perc-double]. RTCP can only be Distributor can change in the RTP header are defined in
encrypted, giving the MDD the flexibility to forward RTCP content [I-D.ietf-perc-double]. RTCP can only be encrypted, giving the Media
unchanged, transmit compound RTCP packets or to initiate RTCP packets Distributor the flexibility to forward RTCP content unchanged,
for reporting statistics or conveying other information. Performing transmit compound RTCP packets or to initiate RTCP packets for
hop-by-hop authentication for all RTP and RTCP packets also helps reporting statistics or conveying other information. Performing hop-
provide replay protection (see Section 6). by-hop authentication for all RTP and RTCP packets also helps provide
replay protection (see Section 6).
If there is a need to encrypt one or more RTP header extensions hop- If there is a need to encrypt one or more RTP header extensions hop-
by-hop, an encryption key is derived from the hop-by-hop SRTP master by-hop, an encryption key is derived from the hop-by-hop SRTP master
key to encrypt header extensions as per [RFC6904]. This will still key to encrypt header extensions as per [RFC6904]. This will still
give the switching MDD visibility into header extensions, such as the give the Media Distributor visibility into header extensions, such as
one used to determine audio level [RFC6464] of conference the one used to determine audio level [RFC6464] of conference
participants. Note that when RTP header extensions are encrypted, participants. Note that when RTP header extensions are encrypted,
all hops - in the untrusted domain at least - will need to decrypt all hops - in the untrusted domain at least - will need to decrypt
and re-encrypt these encrypted header extensions. and re-encrypt these encrypted header extensions.
4.5. Key Exchange 4.5. Key Exchange
To facilitate key exchange required to establish or generate an E2E To facilitate key exchange required to establish or generate an E2E
key and a HBH key for an endpoint and the same HBH key for the MDD, key and a HBH key for an endpoint and the same HBH key for the Media
this framework utilizes a DTLS-SRTP [RFC5764] association between an Distributor, this framework utilizes a DTLS-SRTP [RFC5764]
endpoint and the KMF. To establish this association, an endpoint association between an endpoint and the Key Distributor. To
will send DTLS-SRTP messages to the MDD which will then forward them establish this association, an endpoint will send DTLS-SRTP messages
to the MDD as defined in [I-D.jones-perc-dtls-tunnel]. The Key to the Media Distributor which will then forward them to the Media
Encryption Key (KEK) (i.e., EKT Key) is also conveyed by the KMF over Distributor as defined in [I-D.jones-perc-dtls-tunnel]. The Key
the DTLS association to endpoints via procedures defined in PERC EKT Encryption Key (KEK) (i.e., EKT Key) is also conveyed by the Key
[I-D.ietf-perc-srtp-ekt-diet]. Distributor over the DTLS association to endpoints via procedures
defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet].
MDDs use DTLS-SRTP [RFC5764] directly with a peer MDD to establish Media Distributors use DTLS-SRTP [RFC5764] directly with a peer Media
HBH keys for transmitting RTP and RTCP packets that peer MDD. The Distributor to establish HBH keys for transmitting RTP and RTCP
KMF does not facilitate establishing HBH keys for use between MDDs. packets that peer Media Distributor. The Key Distributor does not
facilitate establishing HBH keys for use between Media Distributors.
4.5.1. Initial Key Exchange and KMF 4.5.1. Initial Key Exchange and Key Distributor
The procedures defined in DTLS Tunnel for PERC The procedures defined in DTLS Tunnel for PERC
[I-D.jones-perc-dtls-tunnel] establish one or more DTLS tunnels [I-D.jones-perc-dtls-tunnel] establish one or more DTLS tunnels
between the MDD and KMF, making it is possible for the MDD to between the Media Distributor and Key Distributor, making it is
facilitate the establishment of a secure DTLS association between possible for the Media Distributor to facilitate the establishment of
each endpoint and the KMF as shown the following figure. The DTLS a secure DTLS association between each endpoint and the Key
association between endpoints and the KMF will enable each endpoint Distributor as shown the following figure. The DTLS association
between endpoints and the Key Distributor will enable each endpoint
to receive E2E key information, Key Encryption Key (KEK) information to receive E2E key information, Key Encryption Key (KEK) information
(i.e., EKT Key), and HBH key information. At the same time, the KMF (i.e., EKT Key), and HBH key information. At the same time, the Key
can securely provide the HBH key information to the MDD. The key Distributor can securely provide the HBH key information to the Media
information summarized here may include the SRTP master key, SRTP Distributor. The key information summarized here may include the
master salt, and the negotiated cryptographic transform. SRTP master key, SRTP master salt, and the negotiated cryptographic
transform.
KEK info +---------+ HBH Key info +-----------+
to endpoints | KMF | to endpoints & MDD KEK info | Key | HBH Key info to
+---------+ to Endpoints |Distributor| Endpoints & Media Distributor
| ^ ^ | +-----------+
| | | |-DTLS Tunnel # ^ ^ #
| | | | # | | #-DTLS Tunnel
+-----------+ +---------+ +-----------+ # | | #
| Endpoint | DTLS | MDD | DTLS | Endpoint | +-----------+ +-----------+ +-----------+
| KEK |<--------| |-------->| KEK | | Endpoint | DTLS | Media | DTLS | Endpoint |
| HBH Key(j)| to KMF | HBH Keys| to KMF | HBH Key(j)| | KEK |<------------|Distributor|------------>| KEK |
+-----------+ +---------+ +-----------+ | HBH Key(j)| to Key Dist | HBH Keys | to Key Dist | HBH Key(j)|
+-----------+ +-----------+ +-----------+
Figure 3: Exchanging Key Information Between Entities Figure 3: Exchanging Key Information Between Entities
Endpoints will establish a DTLS-SRTP association over the RTP Endpoints will establish a DTLS-SRTP association over the RTP
session's media ports for the purposes of key information exchange session's media ports for the purposes of key information exchange
with the KMF. The MDD will not terminate the DTLS signaling, but with the Key Distributor. The Media Distributor will not terminate
will instead forward DTLS packets received from an endpoint on to the the DTLS signaling, but will instead forward DTLS packets received
KMF (and vice versa) via a tunnel established between MDD and the from an endpoint on to the Key Distributor (and vice versa) via a
KMF. This tunnel used to encapsulate the DTLS-SRTP signaling between tunnel established between Media Distributor and the Key Distributor.
the KMF and endpoints will also be used to convey HBH key information This tunnel used to encapsulate the DTLS-SRTP signaling between the
from the KMF to the MDD, so no additional protocol or interface is Key Distributor and endpoints will also be used to convey HBH key
required. information from the Key Distributor to the Media Distributor, so no
additional protocol or interface is required.
4.5.2. Key Exchange during a Conference 4.5.2. Key Exchange during a Conference
Following the initial key information exchange with the KMF, Following the initial key information exchange with the Key
endpoints will be able to encrypt media end-to-end with their E2E Distributor, endpoints will be able to encrypt media end-to-end with
Key(i), sending that E2E Key(i) to other endpoints encrypted with their E2E Key(i), sending that E2E Key(i) to other endpoints
KEK, and will be able to encrypt and authenticate RTP packets using encrypted with KEK, and will be able to encrypt and authenticate RTP
local HBH Key(j). The procedures defined do not allow the MDD to packets using local HBH Key(j). The procedures defined do not allow
gain access to the KEK information, preventing it from gaining access the Media Distributor to gain access to the KEK information,
to any endpoint's E2E key and subsequently decrypting media. preventing it from gaining access to any endpoint's E2E key and
subsequently decrypting media.
The KEK (i.e., EKT Key) may need to change from time-to-time during The KEK (i.e., EKT Key) may need to change from time-to-time during
the life of a conference, such as when a new participant joins or the life of a conference, such as when a new participant joins or
leaves a conference. Dictating if, when or how often a conference is leaves a conference. Dictating if, when or how often a conference is
to be re-keyed is outside the scope of this document, but this to be re-keyed is outside the scope of this document, but this
framework does accommodate re-keying during the life of a conference. framework does accommodate re-keying during the life of a conference.
When a KMF decides to rekey a conference, it transmits a specific When a Key Distributor decides to rekey a conference, it transmits a
message defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] to each of specific message defined in PERC EKT [I-D.ietf-perc-srtp-ekt-diet] to
the conference participants. The endpoint MUST create a new SRTP each of the conference participants. The endpoint MUST create a new
master key and prepare to send that key inside a Full EKT Field using SRTP master key and prepare to send that key inside a Full EKT Field
the new EKT Key. Since it may take some time for all of the endpoints using the new EKT Key. Since it may take some time for all of the
in conference to finish re-keying, senders MUST delay a short period endpoints in conference to finish re-keying, senders MUST delay a
of time before sending media encrypted with the new master key, but short period of time before sending media encrypted with the new
it MUST be prepared to make use of the information from a new inbound master key, but it MUST be prepared to make use of the information
EKT Key immediately. See Section 2.2.2 of from a new inbound EKT Key immediately. See Section 2.2.2 of
[I-D.ietf-perc-srtp-ekt-diet]. [I-D.ietf-perc-srtp-ekt-diet].
5. Entity Trust 5. Entity Trust
It is important to this solution framework that the entities can It is important to this solution framework that the entities can
trust and validate the authenticity of other entities, especially the trust and validate the authenticity of other entities, especially the
KMF and endpoints. The details of this are outside the scope of Key Distributor and endpoints. The details of this are outside the
specification but a few possibilities are discussed in the following scope of specification but a few possibilities are discussed in the
sections. The key requirements is that endpoints can verify they are following sections. The key requirements is that endpoints can
connected to the correct KMF for the conference and the KMF can verify they are connected to the correct Key Distributor for the
verify the endpoints are the correct endpoints for the conference. conference and the Key Distributor can verify the endpoints are the
correct endpoints for the conference.
Two possible approaches to solve this are Identity Assertions and Two possible approaches to solve this are Identity Assertions and
Certificate Fingerprints. Certificate Fingerprints.
5.1. Identity Assertions 5.1. Identity Assertions
WebRTC Identity assertion (EDITOR NOTE: add I-D reference) can be WebRTC Identity assertion (EDITOR NOTE: add I-D reference) can be
used to bind the identity of the user of the endpoint to the used to bind the identity of the user of the endpoint to the
fingerprint of the DTLS-SRTP certificate used for the call. This fingerprint of the DTLS-SRTP certificate used for the call. This
certificate is unique for a given call and a conference. This allows certificate is unique for a given call and a conference. This allows
the KMF to ensure that only authorized users participate in the the Key Distributor to ensure that only authorized users participate
conference. Similarly the KMF can create a WeBRTC Identity assertion in the conference. Similarly the Key Distributor can create a WeBRTC
bound the fingerprint of the unique certificate used by the KMF for Identity assertion bound the fingerprint of the unique certificate
this conference so that the endpoint can validate it is talking to used by the Key Distributor for this conference so that the endpoint
the correct KMF. can validate it is talking to the correct Key Distributor.
5.2. Certificate Fingerprints in Session Signaling 5.2. Certificate Fingerprints in Session Signaling
Entities managing session signaling are generally assumed to be Entities managing session signaling are generally assumed to be
untrusted in the PERC framework. However, there are some deployment untrusted in the PERC framework. However, there are some deployment
scenarios where parts of the session signaling may be assumed scenarios where parts of the session signaling may be assumed
trustworthy for the purposes of exchanging, in a manner that can be trustworthy for the purposes of exchanging, in a manner that can be
authenticated, the fingerprint of an entity's certificate. authenticated, the fingerprint of an entity's certificate.
As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to
skipping to change at page 12, line 37 skipping to change at page 13, line 13
User Agent would send an INVITE message containing SDP for the media User Agent would send an INVITE message containing SDP for the media
session along with the endpoint's certificate fingerprint, which can session along with the endpoint's certificate fingerprint, which can
be signed using the procedures described in [RFC4474] for the benefit be signed using the procedures described in [RFC4474] for the benefit
of forwarding the message to other entities. Other entities can now of forwarding the message to other entities. Other entities can now
verify the fingerprints match the certificates found in the DTLS-SRTP verify the fingerprints match the certificates found in the DTLS-SRTP
connections to find the identity of the far end of the DTLS-SRTP connections to find the identity of the far end of the DTLS-SRTP
connection and check that is the authorized entity. connection and check that is the authorized entity.
Ultimately, if using session signaling, an endpoint's certificate Ultimately, if using session signaling, an endpoint's certificate
fingerprint would need to be securely mapped to a user and conveyed fingerprint would need to be securely mapped to a user and conveyed
to the KMF so that it can check that that user is authorized. to the Key Distributor so that it can check that that user is
Similarly, the KMF's certificate fingerprint can be conveyed to authorized. Similarly, the Key Distributor's certificate fingerprint
endpoint in a manner that can be authenticated as being an authorized can be conveyed to endpoint in a manner that can be authenticated as
KMF for this conference. being an authorized Key Distributor for this conference.
6. Attacks on Privacy Enhanced RTP Conferencing 6. Attacks on Privacy Enhanced RTP Conferencing
This framework, and the individual protocols defined to support it, This framework, and the individual protocols defined to support it,
must take care to not increase the exposure to Denial of Service must take care to not increase the exposure to Denial of Service
(DoS) attacks by untrusted or third-party entities and should take (DoS) attacks by untrusted or third-party entities and should take
measures to mitigate, where possible, more serious DoS attacks from measures to mitigate, where possible, more serious DoS attacks from
on-path and off-path attackers. on-path and off-path attackers.
The following section enumerates the kind of attacks that will be The following section enumerates the kind of attacks that will be
skipping to change at page 13, line 14 skipping to change at page 13, line 38
6.1. Third Party Attacks 6.1. Third Party Attacks
On-path attacks are mitigated by HBH integrity protection and On-path attacks are mitigated by HBH integrity protection and
encryption. The integrity protection mitigates packet modification encryption. The integrity protection mitigates packet modification
and encryption makes selective blocking of packets harder, but not and encryption makes selective blocking of packets harder, but not
impossible. impossible.
Off-path attackers may try connecting to different PERC entities and Off-path attackers may try connecting to different PERC entities and
send specifically crafted packets. A successful attacker might be send specifically crafted packets. A successful attacker might be
able to get the MDD to forward such packets. If not making use of able to get the Media Distributor to forward such packets. If not
HBH authentication on the MDD, such an attack could only be detected making use of HBH authentication on the Media Distributor, such an
in the receiving endpoints where the forged packets would finally be attack could only be detected in the receiving endpoints where the
dropped. forged packets would finally be dropped.
Another potential attack is a third party claiming to be an MDD, Another potential attack is a third party claiming to be a Media
fooling endpoints in to sending packets to the false MDD instead of Distributor, fooling endpoints in to sending packets to the false
the correct one. The deceived sending endpoints could incorrectly Media Distributor instead of the correct one. The deceived sending
assuming their packets have been delivered to endpoints when they in endpoints could incorrectly assuming their packets have been
fact have not. Further, the false MDD may cascade to another delivered to endpoints when they in fact have not. Further, the
legitimate MDD creating a false version of the real conference. false Media Distributor may cascade to another legitimate Media
Distributor creating a false version of the real conference.
This attack can be mitigated by the false MDD not being authenticated This attack can be mitigated by the false Media Distributor not being
by the KMF during PERC Tunnel establishment. Without the tunnel in authenticated by the Key Distributor during PERC Tunnel
place, endpoints will not establish secure associations with the KMF establishment. Without the tunnel in place, endpoints will not
and receive the KEK, causing the conference to not proceed. establish secure associations with the Key Distributor and receive
the KEK, causing the conference to not proceed.
6.2. MDD Attacks 6.2. Media Distributor Attacks
The MDD can attack the session in a number of possible ways. The Media Distributor can attack the session in a number of possible
ways.
6.2.1. Denial of service 6.2.1. Denial of service
Any modification of the end-to-end authenticated data will result in Any modification of the end-to-end authenticated data will result in
the receiving endpoint getting an integrity failure when performing the receiving endpoint getting an integrity failure when performing
authentication on the received packet. authentication on the received packet.
The MDD can also attempt to perform resource consumption attacks on The Media Distributor can also attempt to perform resource
the receiving endpoint. One such attack would be to insert random consumption attacks on the receiving endpoint. One such attack would
SSRC/CSRC values in any RTP packet with an inband key-distribution be to insert random SSRC/CSRC values in any RTP packet with an inband
message attached (i.e., Full EKT Field). Since such a message would key-distribution message attached (i.e., Full EKT Field). Since such
trigger the receiver to form a new cryptographic context, the MDD can a message would trigger the receiver to form a new cryptographic
attempt to consume the receiving endpoints resources. context, the Media Distributor can attempt to consume the receiving
endpoints resources.
Another denial of service attack is where the MDD rewrites the PT Another denial of service attack is where the Media Distributor
field to indicate a different codec. The effect of this attack is rewrites the PT field to indicate a different codec. The effect of
that any payload packetized and encoded according to one RTP payload this attack is that any payload packetized and encoded according to
format is then processed using another payload format and codec. one RTP payload format is then processed using another payload format
Assuming that the implementation is robust to random input, it is and codec. Assuming that the implementation is robust to random
unlikely to cause crashes in the receiving software/hardware. input, it is unlikely to cause crashes in the receiving software/
However, it is not unlikely that such rewriting will cause severe hardware. However, it is not unlikely that such rewriting will cause
media degradation. severe media degradation.
For audio formats, this attack is likely to cause highly disturbing For audio formats, this attack is likely to cause highly disturbing
audio and/or can be damaging to hearing and playout equipment. audio and/or can be damaging to hearing and playout equipment.
6.2.2. Replay Attack 6.2.2. Replay Attack
Replay attack is when an already received packets from a previous Replay attack is when an already received packets from a previous
point in the RTP stream is replayed as new packet. This could, for point in the RTP stream is replayed as new packet. This could, for
example, allow an MDD to transmit a sequence of packets identified as example, allow a Media Distributor to transmit a sequence of packets
a user saying "yes", instead of the "no" the user actually said. identified as a user saying "yes", instead of the "no" the user
actually said.
The mitigation for a replay attack is to prevent old packets beyond a The mitigation for a replay attack is to prevent old packets beyond a
small-to-modest jitter and network re-ordering sized window to be small-to-modest jitter and network re-ordering sized window to be
rejected. End-to-end replay protection MUST be provided for the rejected. End-to-end replay protection MUST be provided for the
whole duration of the conference. whole duration of the conference.
6.2.3. Delayed Playout Attack 6.2.3. Delayed Playout Attack
The delayed playout attack is a variant of the replay attack. This The delayed playout attack is a variant of the replay attack. This
attack is possible even if E2E replay protection is in place. attack is possible even if E2E replay protection is in place.
However, due to fact that the MDD is allowed to select a sub-set of However, due to fact that the Media Distributor is allowed to select
streams and not forward the rest to a receiver, such as in forwarding a sub-set of streams and not forward the rest to a receiver, such as
only the most active speakers, the receiver has to accept gaps in the in forwarding only the most active speakers, the receiver has to
E2E packet sequence. The issue with this is that an MDD can select accept gaps in the E2E packet sequence. The issue with this is that
to not deliver a particular stream for a while. a Media Distributor can select to not deliver a particular stream for
a while.
Within the window from last packet forwarded to the receiver and the Within the window from last packet forwarded to the receiver and the
latest received by the MDD, the MDD can select an arbitrary starting latest received by the Media Distributor, the Media Distributor can
point when resuming forwarding packets. Thus what the media source select an arbitrary starting point when resuming forwarding packets.
said can be substantially delayed at the receiver with the receiver Thus what the media source said can be substantially delayed at the
believing that it is what was said just now, and only delayed due to receiver with the receiver believing that it is what was said just
transport delay. now, and only delayed due to transport delay.
6.2.4. Splicing Attack 6.2.4. Splicing Attack
The splicing attack is an attack where an MDD receiving multiple The splicing attack is an attack where a Media Distributor receiving
media sources splices one media stream into the other. If the MDD is multiple media sources splices one media stream into the other. If
able to change the SSRC without the receiver having any method for the Media Distributor is able to change the SSRC without the receiver
verifying the original source ID, then the MDD could first deliver having any method for verifying the original source ID, then the
stream A and then later forward stream B under the same SSRC as Media Distributor could first deliver stream A and then later forward
stream A was previously using. Not allowing the MDD to change the stream B under the same SSRC as stream A was previously using. Not
SSRC mitigates this attack. allowing the Media Distributor to change the SSRC mitigates this
attack.
7. To-Do List 7. To-Do List
o The mapping of endpoints-to-conference identifiers may need to be o The mapping of endpoints-to-conference identifiers may need to be
conveyed in the framework. Need Revisit this text after a design conveyed in the framework. Need Revisit this text after a design
choice is made between alternatives. choice is made between alternatives.
o Consider adding a list of RTP header extensions that should/must o Consider adding a list of RTP header extensions that should/must
not be E2E encrypted. not be E2E encrypted.
o Endpoints, KMF and MDD provider must securely convey their o Endpoints, Key Distributor and Media Distributor provider must
respective certificate information directly or indirectly via some securely convey their respective certificate information directly
means, such as via an identity service provider. or indirectly via some means, such as via an identity service
provider.
o If as in "Double" draft, the ROC value is no longer in the clear o If as in "Double" draft, the ROC value is no longer in the clear
and associated with the "outer" protection scheme, we may need to and associated with the "outer" protection scheme, we may need to
require that the MDD maintain a separate ROC value for each SSRC require that the Media Distributor maintain a separate ROC value
sent to each endpoint. This ROC value should start at 0 for each SSRC sent to each endpoint. This ROC value should start
regardless of the sequence number in that first packet sent to an at 0 regardless of the sequence number in that first packet sent
endpoint. to an endpoint.
o Investigate adding ability to enable the transmission of one-way o Investigate adding ability to enable the transmission of one-way
media from a non-trusted device (e.g., announcements). One media from a non-trusted device (e.g., announcements). One
possible solution is to have the KMF send an "ekt_key" message possible solution is to have the Key Distributor send an "ekt_key"
that is explicitly labeled for receive-only and giving that to message that is explicitly labeled for receive-only and giving
announcement servers. A possible approach would be to define EKT that to announcement servers. A possible approach would be to
Keys with a SPI > 32000, for example, for this purpose and define EKT Keys with a SPI > 32000, for example, for this purpose
endpoints should only use those EKT Keys to decrypt Full EKT and endpoints should only use those EKT Keys to decrypt Full EKT
Fields received from such transmitters. Endpoints would never Fields received from such transmitters. Endpoints would never
send media with EKT Keys with those SPI values. send media with EKT Keys with those SPI values.
8. IANA Considerations 8. IANA Considerations
There are no IANA considerations for this document. There are no IANA considerations for this document.
9. Security Considerations 9. Security Considerations
[TBD] [TBD]
skipping to change at page 16, line 22 skipping to change at page 17, line 8
progress), May 2016. progress), May 2016.
[I-D.ietf-perc-srtp-ekt-diet] [I-D.ietf-perc-srtp-ekt-diet]
Mattsson, J., McGrew, D., Wing, D., and C. Jennings, Mattsson, J., McGrew, D., Wing, D., and C. Jennings,
"Encrypted Key Transport for Secure RTP", draft-ietf-perc- "Encrypted Key Transport for Secure RTP", draft-ietf-perc-
srtp-ekt-diet-00 (work in progress), May 2016. srtp-ekt-diet-00 (work in progress), May 2016.
[I-D.jones-perc-dtls-tunnel] [I-D.jones-perc-dtls-tunnel]
Jones, P., "DTLS Tunnel between Media Distribution Device Jones, P., "DTLS Tunnel between Media Distribution Device
and Key Management Function to Facilitate Key Exchange", and Key Management Function to Facilitate Key Exchange",
draft-jones-perc-dtls-tunnel-02 (work in progress), March draft-jones-perc-dtls-tunnel-03 (work in progress), July
2016. 2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997, RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>. <http://www.rfc-editor.org/info/rfc2119>.
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V.
Jacobson, "RTP: A Transport Protocol for Real-Time Jacobson, "RTP: A Transport Protocol for Real-Time
Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550,
skipping to change at page 17, line 42 skipping to change at page 18, line 29
2010, <http://www.rfc-editor.org/info/rfc5763>. 2010, <http://www.rfc-editor.org/info/rfc5763>.
[RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time [RFC6464] Lennox, J., Ed., Ivov, E., and E. Marocco, "A Real-time
Transport Protocol (RTP) Header Extension for Client-to- Transport Protocol (RTP) Header Extension for Client-to-
Mixer Audio Level Indication", RFC 6464, DOI 10.17487/ Mixer Audio Level Indication", RFC 6464, DOI 10.17487/
RFC6464, December 2011, RFC6464, December 2011,
<http://www.rfc-editor.org/info/rfc6464>. <http://www.rfc-editor.org/info/rfc6464>.
Authors' Addresses Authors' Addresses
Paul Jones Paul E. Jones
Cisco Cisco
7025 Kit Creek Rd. 7025 Kit Creek Rd.
Research Triangle Park, North Carolina 27709 Research Triangle Park, North Carolina 27709
USA USA
Phone: +1 919 476 2048 Phone: +1 919 476 2048
Email: paulej@packetizer.com Email: paulej@packetizer.com
David Benham David Benham
Cisco Cisco
170 West Tasman Drive 170 West Tasman Drive
San Jose, California 95134 San Jose, California 95134
USA USA
Email: dbenham@cisco.com Email: dbenham@cisco.com
Christian Groves
Huawei
Melbourne
Australia
Email: Christian.Groves@nteczone.com
 End of changes. 76 change blocks. 
270 lines changed or deleted 306 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/