Message info
 
To:Iñaki Baz Castillo From:Fabio Pietrosanti (naif) Subject:Re: [rtcweb] DTLS-SRTP implementation diffusion: Why not SDES-SRTP? Date:Thu, 29 Mar 2012 09:05:40 +0200
 

On 3/28/12 9:53 PM, Iñaki Baz Castillo wrote:
> 2012/3/28 Fabio Pietrosanti (naif) <lists@infosecurity.ch>:
>> Hi all,
>>
>> i read that 80% of Sipit participant support SDES-SRTP but 0% support
>> DTLS-SRTP https://www.sipit.net/SIPit29_summary .
>>
>> At SIPit there were 34 attendees from 17 companies visiting from 12
>> countries with 25 distinct VoIP implementations.
>
> Right, but this is rtcweb, not SIP.
>
>
>
>> I do not really see which is the rationale in making DTLS-SRTP mandatory
>> while plain SRTP with SDES key exchange is already so well know and used.
>
> That's a good reason to *also* allow (and mandate) SDES-SRTP support
> in WebRTC clients, much better than the interoperability with SIP
> (again: this is rtcweb, not SIP world).

That's true, but it's also true that the "rtcweb world" will strictly
inter-operate with the "sip world".

It would be reasonable to expect that current existing PBX software
would evolve also with support for Rtcweb, to provide Web phone systems.

In particular all opensource software will setup the path for the
adoption of the standard, as we know history will repeat.

It appear me as natural behavior of diffusion of implementation, and for
that reason i see the need to "easily" inter-operate with the SIP world
is a key value point.

Creating an incompatible "media format" would require a lot of more
effort because the "amount of compatibility testing to be done with
DTLS-SRTP will be significantly higher than SDES-SRTP" .

So it would provide an advantage for the *few vendor* supporting it,
practically introducing a *technological entrance barrier*.

This is a bad practice already see in other standard bodies.

>
>
>> Anyone can provide some very strong and valuable point about using
>> DTLS-SRTP (considering it's weak diffusion and incompatibility risks)?
>
> Lot of recent threads about this topic in this maillist. But also
> check a recent presentation (yesterday in IETF Pairs):
>
> http://tools.ietf.org/agenda/83/slides/slides-83-rtcweb-3.pdf

I would like to strongly argue against the SLIDE 3 statement that
"DTLS-SRTP meets RTCWEB's technical requirements" .

DTLS-SRTP doesn't meet the RTCWEB's technical requirements because:

- It does NOT provide inter-operation with existing SIP endpoints

This is confirmed by the October 2011 SIPit data, with 80% of
participants supporting, with good interoperability, SDES but with 0%
supporting DTLS-SRTP .

In order to try to "try to improve it's non-interoperability issue" the
DTLS-SRTP is re-proposing him-selves as DTLS-SRTP-EKT .

To speaking about the fact that even EKT draft explain that:
" Today, Security Descriptions [RFC4568] is used for distributing SRTP
keys in several different IP PBX systems and is expected to be used
by 3GPP's Long Term Evolution (LTE). "

http://tools.ietf.org/html/draft-ietf-avt-srtp-ekt-01#section-6.1

So:
- Internt is using SDES-SRTP
- 3GPP LTE is using SDES-SRTP
- WebRTC is going to use DTLS-SRTP

I do not really see how we can rationally accept to follow this
different direction.

I mean, we are discussing about a "new standard" that's based on "new
technologies" rather than using existing, widely implemented technology.

Do we really understand how much effort we are going to cause on the
overall technological and security ecosystem by selecting DTLS-SRTP
rather than SDES-SRTP?

All US Federal Government will not be able to use WebRTC because NSA
standardized SDES-SRTP for use in Classified communication:
http://www.nsa.gov/ia/programs/mobility_program/index.shtml

The argument that DTLS is *more secure* must face the reality that
no-one is using it and that SDES-SRTP is *widely diffused and
interoperable*.

All Internet operators will have to introduce Protocol Gateway.
All mobile operators will have to introduce Protocol Gateway.

All that subjects, if using just SDES-SRTP, would just need to "update
the software they already use to run VoIP infrastructure" with no need
to handle modification to the Media for Interworking.

So definitely the choice to go for DTLS-SRTP is imho a wrong choice,
against any rationale for the diffusion of WebRTC standard, introducing
artificially complexity where it may be possible to keep it simple.

--
Fabio Pietrosanti
Founder, CTO

Tel: +39 02 911930893 + ext: 907
Mobile: +39 340 1801049
E-mail: fabio.pietrosanti@privatewave.com
Skype: fpietrosanti
Linkedin: http://linkedin.com/in/secret

PrivateWave Italia S.p.A.
Via Gaetano Giardino 1 - 20123 Milano - Italy
www.privatewave.com
_______________________________________________
rtcweb mailing list
rtcweb@ietf.org
https://www.ietf.org/mailman/listinfo/rtcweb