Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)
RFC 4572
| Document | Type |
RFC - Proposed Standard
(July 2006; No errata)
Obsoleted by RFC 8122
Updates RFC 4145
|
|
|---|---|---|---|
| Author | Jonathan Lennox | ||
| Last updated | 2018-12-20 | ||
| Stream | Internet Engineering Task Force (IETF) | ||
| Formats | plain text html pdf htmlized (tools) htmlized bibtex | ||
| Stream | WG state | WG Document | |
| Document shepherd | No shepherd assigned | ||
| IESG | IESG state | RFC 4572 (Proposed Standard) | |
| Action Holders |
(None)
|
||
| Consensus Boilerplate | Unknown | ||
| Telechat date | |||
| Responsible AD | Allison Mankin | ||
| Send notices to | jo@acm.org, csp@csperkins.org, jon.peterson@neustar.biz | ||
Network Working Group J. Lennox
Request for Comments: 4572 Columbia U.
Updates: 4145 July 2006
Category: Standards Track
Connection-Oriented Media Transport over the Transport Layer Security
(TLS) Protocol in the Session Description Protocol (SDP)
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document specifies how to establish secure connection-oriented
media transport sessions over the Transport Layer Security (TLS)
protocol using the Session Description Protocol (SDP). It defines a
new SDP protocol identifier, 'TCP/TLS'. It also defines the syntax
and semantics for an SDP 'fingerprint' attribute that identifies the
certificate that will be presented for the TLS session. This
mechanism allows media transport over TLS connections to be
established securely, so long as the integrity of session
descriptions is assured.
This document extends and updates RFC 4145.
Lennox Standards Track [Page 1]
RFC 4572 Comedia over TLS in SDP July 2006
Table of Contents
1. Introduction ....................................................3
2. Terminology .....................................................4
3. Overview ........................................................4
3.1. SDP Operational Modes ......................................4
3.2. Threat Model ...............................................5
3.3. The Need for Self-Signed Certificates ......................5
3.4. Example SDP Description for TLS Connection .................6
4. Protocol Identifiers ............................................6
5. Fingerprint Attribute ...........................................7
6. Endpoint Identification .........................................9
6.1. Certificate Choice .........................................9
6.2. Certificate Presentation ..................................10
7. Security Considerations ........................................10
8. IANA Considerations ............................................12
9. References .....................................................14
9.1. Normative References ......................................14
9.2. Informative References ....................................15
Lennox Standards Track [Page 2]
RFC 4572 Comedia over TLS in SDP July 2006
1. Introduction
The Session Description Protocol (SDP) [1] provides a general-purpose
format for describing multimedia sessions in announcements or
invitations. For many applications, it is desirable to establish, as
part of a multimedia session, a media stream that uses a connection-
oriented transport. RFC 4145, Connection-Oriented Media Transport in
the Session Description Protocol (SDP) [2], specifies a general
mechanism for describing and establishing such connection-oriented
streams; however, the only transport protocol it directly supports is
TCP. In many cases, session participants wish to provide
confidentiality, data integrity, and authentication for their media
sessions. This document therefore extends the Connection-Oriented
Media specification to allow session descriptions to describe media
sessions that use the Transport Layer Security (TLS) protocol [3].
The TLS protocol allows applications to communicate over a channel
that provides confidentiality and data integrity. The TLS
specification, however, does not specify how specific protocols
establish and use this secure channel; particularly, TLS leaves the
question of how to interpret and validate authentication certificates
as an issue for the protocols that run over TLS. This document
specifies such usage for the case of connection-oriented media
transport.
Complicating this issue, endpoints exchanging media will often be
unable to obtain authentication certificates signed by a well-known
root certification authority (CA). Most certificate authorities
charge for signed certificates, particularly host-based certificates;
additionally, there is a substantial administrative overhead to
obtaining signed certificates, as certification authorities must be
able to confirm that they are issuing the signed certificates to the
correct party. Furthermore, in many cases endpoints' IP addresses
Show full document text