ietf
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [AVTCORE] Last Call: <draft-ietf-avt-srtp-not-mandatory-14.txt> (Securing the RTP Protocol Framework: Why RTP Does Not Mandate a Single Media Security Solution) to Informational RFC

2013-12-10 00:53:30
from [Colin Perkins] [Permanent Link] 
On 10 Dec 2013, at 00:55, Cullen Jennings (fluffy) 
<fluffy(_at_)cisco(_dot_)com> wrote:

WebRTC is a framework. HTTP is a framework. SIP is a framework. All of these 
can be used in very different ways with different deployments.


So is RTP. That is the point of writing this draft.


I don't see RTP being a somehow special relative to many other protocols the 
IETF develops from the point of view of not having a minimal interoperable 
way of securing it. 


What would that be? SRTP does not make sense for many deployments, and even if 
it did, doesn't address keying.


So lets be blunt here - this document is about justifying that RTP will not 
have any MTI security.


Absolutely not. It's about saying that the appropriate MTI security depends on 
the class of applications. What makes sense for telephony doesn't necessarily 
make sense for IPTV, etc.


I will note that rtp-security-options also does not add any MTI security 
requirements to RTP.  


No, but it references documents that describe the MTI security for some 
particular scenarios where RTP is used (e.g., the WebRTC security arch). 


I'm OK with that. All I am raising is that was  that I don't believe that has 
IETF consensus based on the question at the last plenary.  If you think it 
does, now would be a great time to outline that argument. 


I believe there is IETF consensus that RTP needs strong security. This draft 
discusses how to achieve that.


Lets just keep in perspective here that what we are talking about is the 
protocol use for transporting people voice when the PSTN is replaced in the 
US and the position of this RFC, and presumable the IETF if it is published, 
is that the IETF is not going to mandate a way to secure this. 


That's kind-of the point: RTP is not *just* the protocol that transports voice 
when the PSTN is replaced; it's used in a myriad of other scenarios that are 
outlined in the draft. If RTP were just used for telephony, this problem would 
be straight-forward, and we'd have a draft specifying MTI security. As RTP is 
used much more widely, the requirements are more complex. This draft outlines 
some of the issues, it doesn't claim to provide the solution to RTP security.

Again, if there is specific text in the draft that makes this unclear, let us 
know and we will fix this.

Colin
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: I-D Action: draft-moonesamy-ietf-conduct-3184bis-04.txt, Jari Arkko
Next by Date:  Matthew's Objections: was Re: [rtcweb] Straw Poll on Video Codec Alternatives, Magnus Westerlund
Previous by Thread:  Re: [AVTCORE] Last Call: <draft-ietf-avt-srtp-not-mandatory-14.txt> (Securing the RTP Protocol Framework: Why RTP Does Not Mandate a Single Media Security Solution) to Informational RFC, Cullen Jennings (fluffy)
Next by Thread:  Re: [AVTCORE] Last Call: <draft-ietf-avt-srtp-not-mandatory-14.txt> (Securing the RTP Protocol Framework: Why RTP Does Not Mandate a Single Media Security Solution) to Informational RFC, Richard Barnes
Indexes:  [Date] [Thread] [Top] [All Lists]