--- 1/draft-ietf-perc-private-media-framework-08.txt 2019-02-19 20:13:09.763203496 -0800 +++ 2/draft-ietf-perc-private-media-framework-09.txt 2019-02-19 20:13:09.815204759 -0800 @@ -1,21 +1,21 @@ Network Working Group P. Jones Internet-Draft Cisco Intended status: Standards Track D. Benham -Expires: July 27, 2019 C. Groves +Expires: August 23, 2019 C. Groves Independent - January 23, 2019 + February 19, 2019 A Solution Framework for Private Media in Privacy Enhanced RTP Conferencing - draft-ietf-perc-private-media-framework-08 + draft-ietf-perc-private-media-framework-09 Abstract This document describes a solution framework for ensuring that media confidentiality and integrity are maintained end-to-end within the context of a switched conferencing environment where media distributors are not trusted with the end-to-end media encryption keys. The solution aims to build upon existing security mechanisms defined for the real-time transport protocol (RTP). @@ -27,79 +27,81 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on July 27, 2019. + This Internet-Draft will expire on August 23, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 - 3. PERC Entities and Trust Model . . . . . . . . . . . . . . . . 4 + 3. PERC Entities and Trust Model . . . . . . . . . . . . . . . . 5 3.1. Untrusted Entities . . . . . . . . . . . . . . . . . . . 5 - 3.1.1. Media Distributor . . . . . . . . . . . . . . . . . . 5 + 3.1.1. Media Distributor . . . . . . . . . . . . . . . . . . 6 3.1.2. Call Processing . . . . . . . . . . . . . . . . . . . 6 - 3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 6 + 3.2. Trusted Entities . . . . . . . . . . . . . . . . . . . . 7 3.2.1. Endpoint . . . . . . . . . . . . . . . . . . . . . . 7 3.2.2. Key Distributor . . . . . . . . . . . . . . . . . . . 7 4. Framework for PERC . . . . . . . . . . . . . . . . . . . . . 7 - 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 7 + 4.1. End-to-End and Hop-by-Hop Authenticated Encryption . . . 8 4.2. E2E Key Confidentiality . . . . . . . . . . . . . . . . . 9 4.3. E2E Keys and Endpoint Operations . . . . . . . . . . . . 9 - 4.4. HBH Keys and Per-hop Operations . . . . . . . . . . . . . 9 + 4.4. HBH Keys and Per-hop Operations . . . . . . . . . . . . . 10 4.5. Key Exchange . . . . . . . . . . . . . . . . . . . . . . 10 - 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 10 + 4.5.1. Initial Key Exchange and Key Distributor . . . . . . 11 4.5.2. Key Exchange during a Conference . . . . . . . . . . 12 5. Authentication . . . . . . . . . . . . . . . . . . . . . . . 13 5.1. Identity Assertions . . . . . . . . . . . . . . . . . . . 13 - 5.2. Certificate Fingerprints in Session Signaling . . . . . . 13 + 5.2. Certificate Fingerprints in Session Signaling . . . . . . 14 5.3. Conferences Identification . . . . . . . . . . . . . . . 14 6. PERC Keys . . . . . . . . . . . . . . . . . . . . . . . . . . 14 - 6.1. Key Inventory and Management Considerations . . . . . . . 14 + 6.1. Key Inventory and Management Considerations . . . . . . . 15 6.2. DTLS-SRTP Exchange Yields HBH Keys . . . . . . . . . . . 15 6.3. The Key Distributor Transmits the KEK (EKT Key) . . . . . 16 6.4. Endpoints fabricate an SRTP Master Key . . . . . . . . . 17 6.5. Summary of Key Types and Entity Possession . . . . . . . 17 7. Encrypted Media Packet Format . . . . . . . . . . . . . . . . 18 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19 8.1. Third Party Attacks . . . . . . . . . . . . . . . . . . . 19 8.2. Media Distributor Attacks . . . . . . . . . . . . . . . . 20 8.2.1. Denial of service . . . . . . . . . . . . . . . . . . 20 - 8.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 20 + 8.2.2. Replay Attack . . . . . . . . . . . . . . . . . . . . 21 8.2.3. Delayed Playout Attack . . . . . . . . . . . . . . . 21 8.2.4. Splicing Attack . . . . . . . . . . . . . . . . . . . 21 - 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 21 - 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 21 + 8.2.5. RTCP Attacks . . . . . . . . . . . . . . . . . . . . 22 + 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 22 + 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 22 11.1. Normative References . . . . . . . . . . . . . . . . . . 22 - 11.2. Informative References . . . . . . . . . . . . . . . . . 22 + 11.2. Informative References . . . . . . . . . . . . . . . . . 23 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 24 1. Introduction Switched conferencing is an increasingly popular model for multimedia conferences with multiple participants using a combination of audio, video, text, and other media types. With this model, real-time media flows from conference participants are not mixed, transcoded, transrated, recomposed, or otherwise manipulated by a Media Distributor, as might be the case with a traditional media server or @@ -107,37 +109,37 @@ conference participants are simply forwarded by Media Distributors to each of the other participants. Media Distributors often forward only a subset of flows based on voice activity detection or other criteria. In some instances, Media Distributors may make limited modifications to RTP [RFC3550] headers, for example, but the actual media content (e.g., voice or video data) is unaltered. An advantage of switched conferencing is that Media Distributors can be more easily deployed on general-purpose computing hardware, including virtualized environments in private and public clouds. - While virutalized public cloud environments have been viewed as less - secure since resources are not always physically controlled by those - who use them and since there are usually several ports open to the - public, this draft aims to improve security so as to lower the - barrier to taking advantage of those environments. + Virtualized public cloud environments have been viewed as less secure + since resources are not always physically controlled by those who use + them and since there are usually several ports open to the public. + This document aims to improve security so as to lower the barrier to + taking advantage of those environments. This document defines a solution framework wherein media privacy is ensured by making it impossible for a media distributor to gain access to keys needed to decrypt or authenticate the actual media content sent between conference participants. At the same time, the framework allows for the Media Distributors to modify certain RTP headers; add, remove, encrypt, or decrypt RTP header extensions; and - encrypt and decrypt RTCP packets. The framework also prevents replay - attacks by authenticating each packet transmitted between a given - participant and the media distributor using a unique key per endpoint - that is independent from the key for media encryption and - authentication. + encrypt and decrypt RTP Control Protocol (RTCP) [RFC3550] packets. + The framework also prevents replay attacks by authenticating each + packet transmitted between a given participant and the media + distributor using a unique key per endpoint that is independent from + the key for media encryption and authentication. A goal of this document is to define a framework for enhanced privacy in RTP-based conferencing environments while utilizing existing security procedures defined for RTP with minimal enhancements. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP @@ -150,30 +152,38 @@ End-to-End (E2E): Communications from one endpoint through one or more Media Distributors to the endpoint at the other end. Hop-by-Hop (HBH): Communications between an endpoint and a Media Distributor or between Media Distributors. Trusted Endpoint: An RTP flow terminating entity that has possession of E2E media encryption keys and terminates E2E encryption. This may include embedded user conferencing equipment or browsers on computers, media gateways, MCUs, media recording device and more that - are in the trusted domain for a given deployment. + are in the trusted domain for a given deployment. In the context of + WebRTC, where control of a session is divided between a JavaScript + application and a browser, the browser acts as the Trusted Endpoint + for purposes of this framework (just as it acts as the endpoint for + DTLS-SRTP [RFC5764] in one-to-one calls). Media Distributor (MD): An RTP middlebox that forwards endpoint media content (e.g., voice or video data) unaltered, either a subset or all - of the flows at any given time, and is never allowed have access to - E2E encryption keys. It operates according to the Selective + of the flows at any given time, and is never allowed to have access + to E2E encryption keys. It operates according to the Selective Forwarding Middlebox RTP topologies [RFC7667] per the constraints defined by the PERC system, which includes, but not limited to, having no access to RTP media unencrypted and having limits on what - RTP header field it can alter. + RTP header field it can alter. This header fields that may be + modified by a Media Distributor are enumerated in Section 4 of the + Double cryptographic transform specification [I-D.ietf-perc-double] + and chosen with respect to utility and the security considerations + outlined in this document. Key Distributor: An entity that is a logical function which distributes keying material and related information to trusted endpoints and Media Distributor(s), only that which is appropriate for each. The Key Distributor might be co-resident with another entity trusted with E2E keying material. Conference: Two or more participants communicating via trusted endpoints to exchange RTP flows through one or more Media Distributor. @@ -300,37 +310,38 @@ 3.2.2. Key Distributor The Key Distributor, which may be colocated with an endpoint or exist standalone, is responsible for providing key information to endpoints for both end-to-end (E2E) and hop-by-hop (HBH) security and for providing key information to Media Distributors for the hop-by-hop security. Interaction between the Key Distributor and the call processing - function is necessary to for proper conference-to-endpoint mappings. + function is necessary for proper conference-to-endpoint mappings. This is described in Section 5.3. The Key Distributor needs to be secured and managed in a way to prevent exploitation by an adversary, as any kind of compromise of the Key Distributor puts the security of the conference at risk. 4. Framework for PERC The purpose for this framework is to define a means through which media privacy is ensured when communicating within a conferencing environment consisting of one or more Media Distributors that only switch, hence not terminate, media. It does not otherwise attempt to hide the fact that a conference between endpoints is taking place. This framework reuses several specified RTP security technologies, - including SRTP [RFC3711], EKT [I-D.ietf-perc-srtp-ekt-diet], and + including Secure Real-time Transport Protocol (SRTP) [RFC3711], + Encrypted Key Transport (EKT) [I-D.ietf-perc-srtp-ekt-diet], and DTLS-SRTP [RFC5764]. 4.1. End-to-End and Hop-by-Hop Authenticated Encryption This solution framework focuses on the end-to-end privacy and integrity of the participant's media by limiting access to only trusted entities to the E2E key used for authenticated end-to-end encryption. However, this framework does give a Media Distributor access to RTP headers and all or most header extensions, as well as the ability to modify a certain subset of those headers and to add @@ -549,31 +560,31 @@ gain access to the KEK information, preventing it from gaining access to any endpoint's E2E key and subsequently decrypting media. The KEK (i.e., EKT Key) may need to change from time-to-time during the life of a conference, such as when a new participant joins or leaves a conference. Dictating if, when or how often a conference is to be re-keyed is outside the scope of this document, but this framework does accommodate re-keying during the life of a conference. When a Key Distributor decides to re-key a conference, it transmits a - new EKTKey message [I-D.ietf-perc-srtp-ekt-diet] to each of the - conference participants containing the new EKT Key. Upon receipt of - the new EKT Key, the endpoint MUST create a new SRTP master key and - prepare to send that key inside a Full EKT Field using the new EKT - Key as per Section 4.5 of [I-D.ietf-perc-srtp-ekt-diet]. In order to - allow time for all endpoints in the conference to receive the new - keys, the sender should follow the recommendations in Section 4.7 of - [I-D.ietf-perc-srtp-ekt-diet]. On receiving a new EKT Key, endpoints - MUST be prepared to decrypt EKT tags using the new key. The EKT SPI - field is used to differentiate between tags encrypted with the old - and new keys. + new EKTKey message containing the new EKT Key + [I-D.ietf-perc-srtp-ekt-diet] to each of the conference participants. + Upon receipt of the new EKT Key, the endpoint MUST create a new SRTP + master key and prepare to send that key inside a Full EKT Field using + the new EKT Key as per Section 4.5 of [I-D.ietf-perc-srtp-ekt-diet]. + In order to allow time for all endpoints in the conference to receive + the new keys, the sender should follow the recommendations in + Section 4.7 of [I-D.ietf-perc-srtp-ekt-diet]. On receiving a new EKT + Key, endpoints MUST be prepared to decrypt EKT tags using the new + key. The EKT SPI field is used to differentiate between tags + encrypted with the old and new keys. After re-keying, an endpoint SHOULD retain prior SRTP master keys and EKT Key for a period of time sufficient for the purpose of ensuring it can decrypt late-arriving or out-of-order packets or packets sent by other endpoints that used the prior keys for a period of time after re-keying began. An endpoint MAY retain old keys until the end of the conference. Endpoints MAY follow the procedures in section 5.2 of [RFC5764] to renegotiate HBH keys as desired. If new HBH keys are generated, the @@ -616,77 +627,76 @@ and the Key Distributor. 5.2. Certificate Fingerprints in Session Signaling Entities managing session signaling are generally assumed to be untrusted in the PERC framework. However, there are some deployment scenarios where parts of the session signaling may be assumed trustworthy for the purposes of exchanging, in a manner that can be authenticated, the fingerprint of an entity's certificate. - As a concrete example, SIP [RFC3261] and SDP [RFC4566] can be used to - convey the fingerprint information per [RFC5763]. An endpoint's SIP - User Agent would send an INVITE message containing SDP for the media - session along with the endpoint's certificate fingerprint, which can - be signed using the procedures described in [RFC8224] for the benefit - of forwarding the message to other entities by the Focus [RFC4353]. - Other entities can verify the fingerprints match the certificates - found in the DTLS-SRTP connections to find the identity of the far - end of the DTLS-SRTP connection and verify that is the authorized - entity. + As a concrete example, SIP [RFC3261] and Session Description Protocol + (SDP) [RFC4566] can be used to convey the fingerprint information per + [RFC5763]. An endpoint's SIP User Agent would send an INVITE message + containing SDP for the media session along with the endpoint's + certificate fingerprint, which can be signed using the procedures + described in [RFC8224] for the benefit of forwarding the message to + other entities by the Focus [RFC4353]. Other entities can verify the + fingerprints match the certificates found in the DTLS-SRTP + connections to find the identity of the far end of the DTLS-SRTP + connection and verify that is the authorized entity. Ultimately, if using session signaling, an endpoint's certificate fingerprint would need to be securely mapped to a user and conveyed to the Key Distributor so that it can check that that user is authorized. Similarly, the Key Distributor's certificate fingerprint can be conveyed to endpoint in a manner that can be authenticated as being an authorized Key Distributor for this conference. 5.3. Conferences Identification The Key Distributor needs to know what endpoints are being added to a given conference. Thus, the Key Distributor and the Media Distributor need to know endpoint-to-conference mappings, which is enabled by exchanging a conference-specific unique identifier defined in [I-D.ietf-perc-dtls-tunnel]. How this unique identifier is assigned is outside the scope of this document. 6. PERC Keys - This section describes the various keys employed by PERC, how they - are derived, conveyed, and so forth. + This section describes the various keys employed by PERC. 6.1. Key Inventory and Management Considerations This section summarizes the several different keys used in the PERC framework, how they are generated, and what purpose they serve. The keys are described in the order in which they would typically be acquired. The various keys used in PERC are shown in Figure 4 below. +-----------+----------------------------------------------------+ | Key | Description | +-----------+----------------------------------------------------+ | KEK | Key shared by all endpoints and used to encrypt | - | (EKT Key) | each endpoint's SRTP master key so receiving | + | (EKT Key) | each endpoint's E2E SRTP master key so receiving | | | endpoints can decrypt media. | +-----------+----------------------------------------------------+ - | HBH Key | Key used to encrypt media hop-by-hop. | + | HBH Key | SRTP master key used to encrypt media hop-by-hop. | +-----------+----------------------------------------------------+ - | E2E Key | Key used to encrypt media end-to-end. | + | E2E Key | SRTP master key used to encrypt media end-to-end. | +-----------+----------------------------------------------------+ Figure 4: Key Inventory - While the number key types is very small, it should be understood + While the number of key types is very small, it should be understood that the actual number of distinct keys can be large as the conference grows in size. As an example, with 1,000 participants in a conference, there would be at least 1,000 distinct SRTP master keys, all of which share the same master salt. Each of those keys are passed through the KDF defined in [RFC3711] to produce the actual encryption and authentication keys. Complicating key management is the fact that the KEK can change and, @@ -753,24 +764,24 @@ specified via the EKTKey message (e.g., AES Key Wrap with a 128-bit key). This cipher is different than the cipher used to protect media and is only used to encrypt the endpoint's SRTP master key (and other EKT Tag data as per [I-D.ietf-perc-srtp-ekt-diet]). The media distributor is not given the KEK (i.e., EKT Key). 6.4. Endpoints fabricate an SRTP Master Key As stated earlier, the E2E key determined via DTLS-SRTP MAY be - discarded in favor of a locally-generated SRTP master key. While the - DTLS-SRTP-derived SRTP master key can be used initially, the endpoint - might choose to change the SRTP master key periodically and MUST - change the SRTP master key as a result of the EKT key changing. + discarded in favor of a locally-generated E2E SRTP master key. While + the DTLS-SRTP-derived SRTP master key can be used initially, the + endpoint might choose to change the SRTP master key periodically and + MUST change the SRTP master key as a result of the EKT key changing. A locally-generated SRTP master key is used along with the master salt transmitted to the endpoint from the key distributor via the EKTKey message to encrypt media end-to-end. Since the media distributor is not involved in E2E functions, it does not create this key nor have access to any endpoint's E2E key. Note, too, that even the key distributor is unaware of the locally- generated E2E keys used by each endpoint. @@ -860,43 +871,53 @@ 8. Security Considerations 8.1. Third Party Attacks On-path attacks are mitigated by hop-by-hop integrity protection and encryption. The integrity protection mitigates packet modification and encryption makes selective blocking of packets harder, but not impossible. - Off-path attackers may try connecting to different PERC entities and - send specifically crafted packets. A successful attacker might be - able to get the Media Distributor to forward such packets. The Media - Distributor mitigates such an attack by performing hop-by-hop + Off-path attackers could try connecting to different PERC entities + and send specifically crafted packets. Endpoints and Media + Distributors mitigate such an attack by performing hop-by-hop authentication and discarding packets that fail authentication. - Another potential attack is a third party claiming to be a Media + Another attack vector is a third party claiming to be a Media Distributor, fooling endpoints in to sending packets to the false Media Distributor instead of the correct one. The deceived sending - endpoints could incorrectly assuming their packets have been - delivered to endpoints when they in fact have not. Further, the - false Media Distributor may cascade to another legitimate Media - Distributor creating a false version of the real conference. + endpoints could incorrectly assume their packets have been delivered + to endpoints when they in fact have not. While this attack is + possible, the result is a simple denial of service with no leakage of + confidential information, since the false Media Distributor would not + have access to either HBH or E2E encryption keys. - This attack is be mitigated by the false Media Distributor not being - authenticated by the Key Distributor. They Key Distributor will fail - to establish the secure association with the endpoint if the Media - Distributor cannot be authenticated. + If mutual DTLS authentication is not employed, a false Media + Distributor could cascade to another legitimate Media Distributor + that is part of a larger conference. However, this scenario will + also produce no positive results for the false Media Distributor + since it would not have access to keying material. + + A third party could cause a denial-of-service by transmitting many + bogus or replayed packets toward receiving devices that ultimately + degrade conference or device performance. Therefore, implementations + might wish to devise mechanisms to safeguard against such + illegitimate packets, such as utilizing rate-limiting or performing + basic sanity-checks on packets (e.g., looking at packet length or + expected sequence number ranges) before performing more expensive + decryption operations. 8.2. Media Distributor Attacks - The Media Distributor can attack the session in a number of possible - ways. + A malicious or compromised Media Distributor can attack the session + in a number of possible ways. 8.2.1. Denial of service A simple form of attack is discarding received packets that should be forwarded. This solution framework does not introduce any mitigation for Media Distributors that fail to forward media packets. Another form of attack is modifying received packets before forwarding. With this solution framework, any modification of the end-to-end authenticated data results in the receiving endpoint @@ -905,73 +926,87 @@ The Media Distributor can also attempt to perform resource consumption attacks on the receiving endpoint. One such attack would be to insert random SSRC/CSRC values in any RTP packet with an inband key-distribution message attached (i.e., Full EKT Tag). Since such a message would trigger the receiver to form a new cryptographic context, the Media Distributor can attempt to consume the receiving endpoints resources. While E2E authentication would fail and the cryptographic context would be destroyed, the key derivation operation would nonetheless consume some computational resources. + While resource consumption attacks cannot be mitigated entirely, + rate-limiting packets might help reduce the impact of such attacks. 8.2.2. Replay Attack - A replay attack is when an already received packets from a previous + A replay attack is when an already received packet from a previous point in the RTP stream is replayed as new packet. This could, for example, allow a Media Distributor to transmit a sequence of packets identified as a user saying "yes", instead of the "no" the user actually said. - The mitigation for a replay attack is to prevent old packets beyond a - small-to-modest jitter and network re-ordering sized window to be - rejected. End-to-end replay protection MUST be provided for the - whole duration of the conference. + The mitigation for a replay attack is to implement replay protection + as described in Section 3.3.2 of [RFC3711]. End-to-end replay + protection MUST be provided for the whole duration of the conference. 8.2.3. Delayed Playout Attack The delayed playout attack is a variant of the replay attack. This attack is possible even if E2E replay protection is in place. However, due to fact that the Media Distributor is allowed to select - a sub-set of streams and not forward the rest to a receiver, such as + a subset of streams and not forward the rest to a receiver, such as in forwarding only the most active speakers, the receiver has to accept gaps in the E2E packet sequence. The issue with this is that a Media Distributor can select to not deliver a particular stream for a while. Within the window from last packet forwarded to the receiver and the latest received by the Media Distributor, the Media Distributor can select an arbitrary starting point when resuming forwarding packets. Thus what the media source said can be substantially delayed at the receiver with the receiver believing that it is what was said just now, and only delayed due to transport delay. 8.2.4. Splicing Attack - The splicing attack is an attack where a Media Distributor receiving + A splicing attack is an attack where a Media Distributor receiving multiple media sources splices one media stream into the other. If - the Media Distributor is able to change the SSRC without the receiver - having any method for verifying the original source ID, then the - Media Distributor could first deliver stream A and then later forward - stream B under the same SSRC as stream A was previously using. By - not allowing the Media Distributor to change the SSRC, PERC mitigates - this attack. + the Media Distributor were able to change the SSRC without the + receiver having any method for verifying the original source ID, then + the Media Distributor could first deliver stream A and then later + forward stream B under the same SSRC as stream A was previously + using. By including the SSRC in the integrity check for each packet, + both HBH and E2E, PERC prevents splicing attacks. + +8.2.5. RTCP Attacks + + PERC does not provide end-to-end protection of RTCP messages. This + allows a compromised Media Distributor to impact any message that + might be transmitted via RTCP, including media statistics, picture + requests, or loss indication. It is also possible for a compromised + Media Distributor to forge requests, such as requests to the endpoint + to send a new picture. Such requests can consume significant + bandwidth and impair conference performance. 9. IANA Considerations There are no IANA considerations for this document. 10. Acknowledgments - The authors would like to thank Mo Zanaty and Christian Oien for - invaluable input on this document. Also, we would like to - acknowledge Nermeen Ismail for serving on the initial versions of - this document as a co-author. + The authors would like to thank Mo Zanaty, Christian Oien, and + Richard Barnes for invaluable input on this document. Also, we would + like to acknowledge Nermeen Ismail for serving on the initial + versions of this document as a co-author. We would also like to + acknowledge John Mattsson, Mats Naslund, and Magnus Westerlund for + providing some of the text in the document, including much of the + original text in the security considerations section. 11. References 11.1. Normative References [I-D.ietf-perc-double] Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP Double Encryption Procedures", draft-ietf-perc-double-10 (work in progress), October 2018. @@ -984,52 +1019,52 @@ [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. Jacobson, "RTP: A Transport Protocol for Real-Time Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, July 2003, . + [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. + Norrman, "The Secure Real-time Transport Protocol (SRTP)", + RFC 3711, DOI 10.17487/RFC3711, March 2004, + . + [RFC6904] Lennox, J., "Encryption of Header Extensions in the Secure Real-time Transport Protocol (SRTP)", RFC 6904, DOI 10.17487/RFC6904, April 2013, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 11.2. Informative References [I-D.ietf-perc-dtls-tunnel] Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel between a Media Distributor and Key Distributor to Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-04 (work in progress), October 2018. [I-D.ietf-rtcweb-security-arch] Rescorla, E., "WebRTC Security Architecture", draft-ietf- - rtcweb-security-arch-17 (work in progress), November 2018. + rtcweb-security-arch-18 (work in progress), February 2019. [RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, DOI 10.17487/RFC3261, June 2002, . - [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. - Norrman, "The Secure Real-time Transport Protocol (SRTP)", - RFC 3711, DOI 10.17487/RFC3711, March 2004, - . - [RFC4353] Rosenberg, J., "A Framework for Conferencing with the Session Initiation Protocol (SIP)", RFC 4353, DOI 10.17487/RFC4353, February 2006, . [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session Description Protocol", RFC 4566, DOI 10.17487/RFC4566, July 2006, . [RFC5763] Fischl, J., Tschofenig, H., and E. Rescorla, "Framework