Minutes for PERC at IETF-95
Privacy Enhanced RTP Conferencing
Session 2016-04-04 1550-1720: Buen Ayre A
Scribe: Harald Alvestrand, Mo Zanaty
* SRTP Transform specification (draft-jennings-perc-double)
- updated version reflected the outcome of virtual interim
- agree to remove the NULL HBH transform
* EKT Specification (draft-jennings-perc-srtp-ekt-diet)
- Trimmed down version of the EKT spec with EKT mechanism defined for
DTLS-SRTP alone
- Authors to submit an updated version fixing omission errors
- AD to add milestone for this spec for PERC WG
* Tunnel Specification (draft-jones-perc-dtls-tunnel)
- needs more discussion on MTU considerations
- more work needed to incorporate alternate tunnel transports (TLS?)
* Solution Framework documents (draft-jones-perc-private-media-framework)
- Covered as part of overall perc solution
- to be adopted as WG document
* Consensus on adopting the documents
- draft-jennings-perc-double : adopt as WG document
- draft-jennings-perc-srtp-ekt-diet : Add milestone to PERC WG
- draft-jones-perc-private-media-framework-02 : Adopt as WG document
* Open Issues
- Naming conventions for EKT Field, EKT key and SPI
- Timing of EKT key rekeying
- Integrity protection of the EKT Field and mechanisms for preventing replay
attack
- MTU considerations for DTLS tunnel
- Alternative transport considerations for Tunnel protocol (TLS?)
Raw notes (From Mo Zanaty)
PERC WG - IETF 95, Buenos Aires, AR
Monday, April 4, 2016 15:50-17:20
Chairs: Richard Barnes, Suhas Nandakumar
Area Director: Ben Campbell
Jabber scribe: ?
Notetakers: Mo Zanaty
ACTIONS: Double and framework drafts adopted as WG items.
Raw preliminary notes.
1550-1555 Administrivia, Chairs
1555-1605 Recap of layers/framework and SRTP / SRTCP transform requirements,
1605-1625 A Big Picture of the PERC Solution, Adam Roach
Magnus Westerlund: Should we revisit immutable SSRC discussion?
Chair: Let's discuss on list.
Jonathan Lennox: Why is KMF deciding hop by hop keys? It does not need to be
involved.
Adam: So it can look like a single DTLS association followed by HBH key
establishment.
Roni Even: How is trust established between endpoint and KMF?
Richard (floor mic): This is just an overall framework. Protocols will be
needed.
Cullen Jennings: Identity assertions and trust work the same way whether there
is a DTLS tunnel or direct connection. There must be signaling and protocol for
establishing the identity and trust of the endpoint-to-KMF connection, just as
in direct P2P today (e.g. DTLS cert fingerprints are signaled and verified).
Patrick Linskey: Allowing an endpoint to embed a KMF would not be acceptable
for enterprises.
Adam: Two separate models. Enterprise model would not want KMF in endpoints but
non-enterprise model would. Service decides this choice.
Russ Housley: Service should be able to designate which endpoint hosts the KMF.
Simpler and more understandable trust model.
Roni: Is session setup call flow steps 1-4 once per conference or call?
Adam: Once per conference.
Richard (floor mic): (missed point)
Patrick: Can the EKT key remain the same upon new joiners?
Some discussion and confusion on this point, need to clarify on list.
Magnus: Recording of E2E encrypted is possible.
Adam: Yes, and a recorder endpoint is also possible.
1625-1645 SRTP Double Encryption Procedures, Cullen Jennings
Jonathan: Why header extensions not payload headers or trailers within the
transform?
Russ: I understand the encryption. What about integrity?
Cullen: First HBH integrity, then E2E integrity checked separately.
Russ: NULL integrity is bad.
Magnus: Idea was DTLS not SRTP providing HBH encryption and integrity in NULL
cases.
1645-1705 EKT on Diet, Cullen Jennings
Patrick: Rather than spec'ing 250ms, need some metrics from real conferences.
Magnus: RTCP RTT may be useful here.
Adam: Let the KMF announce a future time/seq when the new keys become active
rather than a fixed key delay time.
John Mattson: Replay issues with ISN-like approach.
Russ: Integrity checks must be over EKT field (or whatever needs
Harald: On special EKT key for announcements (slide 15), security properties are
like everyone joins 2 conferences where the announcements are in 1. Is it worth
the complexity?
Cullen: Agreed, but 1 tunnel is simpler than 2.
1705-1720 DTLS Tunnel, Paul Jones
Richard (floor mic): Clarifying questions on message diagram. Paul clarified.
Jonathan: Don't like KMF doing keygen for MDD HBH keys.
Mo: Agree, for
Chair: Call to adopt double draft: Moderate hums in favor in room and jabber,
none opposed. Will confirm on the list.
Chair: Does AD feel EKT work can be done here in PERC instead of AVTCORE?
Ben (as AD): Yes, seems reasonable.
Magnus: What about framework draft?
Chair: Call to adopt framework draft: Moderate hums in favor in room and
jabber, none opposed. Will confirm on the list.
Raw notes (From Harald Alvestrand)
Notes from PERC meeting, Monday April 4 1550-1720
Note taker: Harald Alvestrand
1550 - 1555 5 minutes Chairs Administrivia
Chairs reviewed milestones and meetings since last IETF.
Magnus: Please revisit consensus on whether SSRC is immutable or not.
Chairs: Will do offline.
1555 - 1605 10 minutes Chairs
Recap of layers/framework and SRTP / SRTCP transform requirements
1605 - 1625 20 minutes Adam Roach
A Big Picture of the PERC Solution
See slides. https://www.ietf.org/proceedings/95/slides/slides-95-perc-4.pdf
MDD: Media Distribution Device
HBH: Hop-by-Hop (key)
KMF: Key Management Function
Roni Even: Questioning protection of the KMF/MDD separation.
Adam Roach: MDD is no more trusted than an IP router for the key setup.
Jonathan Lennox: Is moving the KMF in scope?
Adam Roach: Interesting question, we'll get to it down the road.
Russ Housley: If KMF movable, it's important that backup KMF is designated,
not chosen at random or by some algorithm.
1625 - 1645 20 minutes Cullen Jennings
SRTP Double Encryption Procedures draft-jennings-perc-double
See slides: https://www.ietf.org/proceedings/95/slides/slides-95-perc-1.pdf
Jonathan Lennox: Why OHB headers instead of part of the encryption format?
Cullen Jennings: Trying to reuse existing code.
Russ Housley: What parts are integrity protected?
Cullen Jennings: - effectively normal protection, with
restoration of changed fields before final checking of initial MAC.
1645 - 1705 20 minutes Cullen Jennings
EKT on Diet draft-jennings-perc-srtp-ekt-diet
See slides: https://www.ietf.org/proceedings/95/slides/slides-95-perc-0.pdf
Reduced from 40 pages to 15 by ripping out everything irrelevant to this
use case. Not intended as a fork.
Suggestion (slide): Using 250 ms timeouts before starting to use a new key.
Pat Lezinski: should use measurements rather than out-of-a-hat
Magnus Westerlund: Could use RTT info to get a proper timeout value
Adam Roach: Could set the timeout as a parameter in the "change-key"
: Need to keep decoding with old key for a while after
Russ Housley: Maybe integrity protection needs to cover part of the
Cullen: Thought we'd eliminated that by including SSRC in EKT data.
: Discussing security properties of "announcement server"
Harald Alvestrand: We can do this with 2 conferences. Is the
optimization worth it?
Cullen: Worth thinking about.
No decisions made.
1705 - 1720 15 minutes Paul Jones
DTLS Tunnel draft-jones-perc-dtls-tunnel
Magnus Westerlund: What's the transport? Are we getting MTU problems?
Richard Barnes: We could use TLS/TCP and avoid this problem.
Paul Jones: The only reason for doing DTLS is KMF/client colocation -
we already depend on getting media through firewalls.
Jonathan Lennox: WebRTC data channels seem to have the properties we
Jonathan Lennox questions the wisdom of letting the KMF pick the
hop-by-hop keys. Not clear that there is a problem.
Jon Peterson: Would be nice to explain why we trust the KMF in the
intro - what models we support.
Mo Zanaty: Yes, we need to explain these roles properly.
Jonathan Lennox: There's no real reason for the KMF to need to know
the HBH keys - no identified threat either.
Cullen Jennings: Only one crypto context is an important point.
- Adopt -double-transform as WG document? Hum.
Several in favor (incl Randell on jabber), none against.
- Should we adopt EKT from AVTCORE?
Ben (AD hat): I think it is reasonable.
Chairs: Another rev (fix errors), will call for adoption on the list.
- Is -tunnel on the right track?
Not yet ready for the adoption call.
Magnus: What about the framework draft?
- draft-jones-perc-private-media-framework: Adopt? Hum.
Several in favor, none against. Randell and Varun humming on room.
Ended at 17:22