Encryption of Header Extensions in the Secure Real-time Transport Protocol (SRTP)
draft-ietf-avtcore-srtp-encrypted-header-ext-05

[Ballot comment]
- Feedback from Joel Jaeggli, part of the OPS directorate, on which I would appreciate an answer:
  Section 4.1 proposes negotiating the sending of a header element in either encrypted and unecrypted
  forms which  seems a bit self defeating. and I find it a little difficult  to stomach to say well its' important
  that this information be encrypted, but since you can't we'll just send it in the clear.

- Really an editorial detail. Take it or leave it. 

  A number of recent proposals for header
  extensions using the General Mechanism for RTP Header Extensions
  [RFC5285] carry information for which confidentiality could be
  desired or essential.  Notably, two recent specifications ([RFC6464]
  and [RFC6465]) carry information about per-packet sound levels of the
  media data carried in the RTP payload, and exposing this to an
  eavesdropper is unacceptable in many circumstances.

"exposing this to an eavesdropper is unacceptable in many circumstances." was not obvious to me, and I kept thinking about that one while reading through the rest of the doc.
In the end, I came back to it, and researched this: this is well described in the RFC 6464 and RFC 6465 Security Considerations.

NEW (last sentence)
  Notably, two recent specifications ([RFC6464]
  and [RFC6465]) carry information about per-packet sound levels of the
  media data carried in the RTP payload, and exposing this to an
  eavesdropper is unacceptable in many circumstances (as described
  in the respective RFC Security Considerations sections)

[Ballot comment]
Really an editorial detail. Take it or leave it. 

  A number of recent proposals for header
  extensions using the General Mechanism for RTP Header Extensions
  [RFC5285] carry information for which confidentiality could be
  desired or essential.  Notably, two recent specifications ([RFC6464]
  and [RFC6465]) carry information about per-packet sound levels of the
  media data carried in the RTP payload, and exposing this to an
  eavesdropper is unacceptable in many circumstances.

"exposing this to an eavesdropper is unacceptable in many circumstances." was not obvious to me, and I kept thinking about that one while reading through the rest of the doc.
In the end, I came back to it, and researched this: this is well described in the RFC 6464 and RFC 6465 Security Considerations.

NEW (last sentence)
  Notably, two recent specifications ([RFC6464]
  and [RFC6465]) carry information about per-packet sound levels of the
  media data carried in the RTP payload, and exposing this to an
  eavesdropper is unacceptable in many circumstances (as described
  in the respective RFC Security Considerations sections)

[Ballot discuss]

Other than point 1, I'm mostly just checking things here so a
few quick mails should be enough to sort this out at which
point my ballot will turn into a yes.

(1) p9, 2nd para - I don't get why you say that a node MAY send
both plaintext and ciphertext - what'd be the (security)
benefit in doing that? Seems like a dangerous thing to allow
since it'd be likely to remain turned on accidentally if ever
turned on. If you do need this then I think some better warning
text is needed, but I'm not sure what, since I don't get when
you want to have both plain and ciphertext present, nor quite
how that'd look in e.g. SDP.

(2) The masking is fairly elegant, but just to check, that
assumes that all header fields are structured as TLVs always,
and there's never a header we might want to encrypt that's e.g.
a NULL terminated string or the moral equivalent.  I think it
also assumes that plaintext values never use escaping either,
which could extend their length.  Is that correct and ok? If
there were non-TLV headers or escaping then I think you'd need
to say a little more about how and when to calculate the mask
from e.g.  the SDP extmap attribute.

(3) Again, just checking. This scheme would break if headers
were moved, inserted before ciphertext, or deleted by
middleboxes, right? Are such changes ever done by middleboxes
that possess the right authentication keys?  Do you need to say
that such middleboxes that are part of the security association
MUST NOT mess about with headers ever, since they don't know
that this is being used over and above the authentication
provided by SRTP? (And they don't know that, right?)

(4) The 3711 KDF has a key_derivation_rate input that you don't
mention here. I assume the idea is that new keystreams are
generated for headers at the same rate as for payloads but
don't you need to say that? Otherwise, some might use just the
first keystream for all headers and others might roll the
keystream breaking interop.

(5) Slightly off into flakey concerns land;-) Is there any way
a bad actor could use this to probe a keystream or verify bits
of a keystream one or a few at a time e.g. via a
million-message type attack? I don't see how to do that, and
will just believe you if you say its ok, but just wondered if
you'd thought about that.

[Ballot comment]

- p4, last para - the description of the mask is a bit hard
to follow - maybe moving the example earlier might help, but
one does get the right idea after reading further, so just
a suggestion

- p8, figure 4 has a bunch of numbers that I at least don't
understand - what are "2^20|1:32" and "25@600/24" ? I'd like
to know why I don't need to understand those:-)

- p10, 3rd para - is it even possible to use this with CBC or
ECB? Block padding would seem to just break the header syntax
except if the plaintext is a multiple of the block size for
ECB. I think the note could be deleted or replaced with one
that says that this is for stream ciphers only and use of a
block cipher would break the header syntax. In any case the
MUST NOT seems wrong or moot.

- Would it be worth adding an additional security consideration
saying that since some headers may well have easily guessed
plaintext (some bits anyway) and we're using a stream cipher,
the authentication is really really needed or very bad things
could happen if attackers flipped bits of ciphertext knowing
the likely plaintext and the effects that might ensue?

IANA has reviewed draft-ietf-avtcore-srtp-encrypted-header-ext-04 and has
the following comments:

IANA has a question about the IANA Action requested in this document.

IANA understands that, upon approval of this document, there is a single action which IANA must complete.

In the RTP Compact Header Extensions subregistry of the Real-Time Transport Protocol (RTP) Parameters registry located at:

http://www.iana.org/assignments/rtp-parameters/rtp-parameters.xml#rtp-parameters-10

a new RTP Compact Header Extension is to be registered as follows:

Extension URI: urn:ietf:params:rtp-hdrext:encrypt
Description: Encrypted extension header element
Reference: [ RFC-to-be ]

Currently the RTP Compact Header Extensions subregistry is maintained through extert review as defined in RFC 5226.

IANA Question -> has the document and registration request been reviewed by the RTP Compact Header Extensions subregistry expert?

IANA understands this to be the only action that needs to be completed upon approval of this document.

Note: The actions requested in this document will not be completed
until the document has been approved for publication as an RFC.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Subject: Last Call:  (Encryption of Header Extensions in the Secure Real-Time Transport Protocol (SRTP)) to Proposed Standard


The IESG has received a request from the Audio/Video Transport Core
Maintenance WG (avtcore) to consider the following document:
- 'Encryption of Header Extensions in the Secure Real-Time Transport
  Protocol (SRTP)'
  as Proposed
Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2013-01-17. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  The Secure Real-Time Transport Protocol (SRTP) provides
  authentication, but not encryption, of the headers of Real-Time
  Transport Protocol (RTP) packets.  However, RTP header extensions may
  carry sensitive information for which participants in multimedia
  sessions want confidentiality.  This document provides a mechanism,
  extending the mechanisms of SRTP, to selectively encrypt RTP header
  extensions in SRTP.

  This document updates RFC 3711, the Secure Real-Time Transport
  Protocol specification, to require that all future SRTP encryption
  transforms specify how RTP header extensions are to be encrypted.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-avtcore-srtp-encrypted-header-ext/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-avtcore-srtp-encrypted-header-ext/ballot/


No IPR declarations have been submitted directly on this I-D.

(1) What type of RFC is being requested (BCP, Proposed Standard, Internet
Standard, Informational, Experimental, or Historic)? Why is this the proper
type of RFC? Is this type of RFC indicated in the title page header?

This is a standard track RFC updating RFC3711 adding a procedure that allows
to encrypt part of the RTP header.

The title page header indicates it.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved documents.
The approval announcement contains the following sections:

Technical Summary:

The Secure Real-Time Transport Protocol (SRTP) provides authentication, but
not encryption, of the headers of Real-Time Transport Protocol (RTP)
packets. However, RTP header extensions may carry sensitive information for
which participants in multimedia sessions want confidentiality. This
document provides a mechanism, extending the mechanisms of SRTP, to
selectively encrypt RTP header extensions in SRTP.

This document updates RFC 3711, the Secure Real-Time Transport Protocol
specification, to require that all SRTP encryption transforms specify how
RTP header extensions are to be encrypted.

Working Group Summary:

This document went through two working group last call. As a result of the
first one there were proposals to add some technical changes that were
consented in the second working group last call.

Document Quality:

The document got good reviews from AVTcore members including SRTP and
security experts.

Personnel:

Roni Even is the Document Shepherd and the Responsible Area Director is
Robert Sparks.

(3) Briefly describe the review of this document that was performed by the
Document Shepherd. If this version of the document is not ready for
publication, please explain why the document is being forwarded to the IESG.


The shepherd reviewed the document very carefully in version -03

(4) Does the document Shepherd have any concerns about the depth or breadth
of the reviews that have been performed?

This document got a good review by key people from AVTcore including SRTP
experts.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP,
XML, or internationalization? If so, describe the review that took place.

No need for any such review.

(6) Describe any specific concerns or issues that the Document Shepherd has
with this document that the Responsible Area Director and/or the IESG should
be aware of? For example, perhaps he or she is uncomfortable with certain
parts of the document, or has concerns whether there really is a need for
it. In any event, if the WG has discussed those issues and has indicated
that it still wishes to advance the document, detail those concerns here.

No concerns

(7) Has each author confirmed that any and all appropriate IPR disclosures
required for full conformance with the provisions of BCP 78 and BCP 79 have
already been filed. If not, explain why?

Yes, the shepherd has confirmed with all authors.

(8) Has an IPR disclosure been filed that references this document? If so,
summarize any WG discussion and conclusion regarding the IPR disclosures.

No IPR disclosure

(9) How solid is the WG consensus behind this document? Does it represent
the strong concurrence of a few individuals, with others being silent, or
does the WG as a whole understand and agree with it?

There was a strong consensus that header extension encryption is needed and
this document is already referenced by new RTP header extensions in RFC6464
and RFC6465.

(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate email
messages to the Responsible Area Director. (It should be in a separate email
because this questionnaire is publicly available.)

No

(11) Identify any ID nits the Document Shepherd has found in this document.
(See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist).
Boilerplate checks are not enough; this check needs to be thorough.

No ID nits in this document.

(12) Describe how the document meets any required formal review criteria,
such as the MIB Doctor, media type, and URI type reviews.

Not applicable

(13) Have all references within this document been identified as either
normative or informative?

yes

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

no

(15) Are there downward normative references (see RFC 3967)? If so, list
these downward references to support the Area Director in the Last Call
procedure.

no

(16) Will publication of this document change the status of any existing
RFCs? Are those RFCs listed on the title page header, listed in the
abstract, and discussed in the introduction? If the RFCs are not listed in
the Abstract and Introduction, explain why, and point to the part of the
document where the relationship of this document to the other RFCs is
discussed. If this information is not in the document, explain why the WG
considers it unnecessary.

This document updates RFC3711 and it appears in the title page header,
listed in the abstract and discussed in the introduction section.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes are
associated with the appropriate reservations in IANA registries. Confirm
that any referenced IANA registries have been clearly identified. Confirm
that newly created IANA registries include a detailed specification of the
initial contents for the registry, that allocations procedures for future
registrations are defined, and a reasonable name for the new registry has
been suggested (see RFC 5226).

This document defines a new extension URI to the RTP Compact Header
Extensions sub-registry of the Real-Time Transport Protocol (RTP)
Parameters registry. The registration was reviewed by the document shepherd
and it follows the registration requirements.

No new IANA registries are defined.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find useful in
selecting the IANA Experts for these new registries.

No new IANA registries.

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal language,
such as XML code, BNF rules, MIB definitions, etc.

No formal language.