Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)
RFC 4572
| Field | Value |
|---|---|
| Document type | RFC - Proposed Standard (July 2006; no errata) |
| Status | Obsoleted by RFC 8122; updates RFC 4145 |
| Author | Jonathan Lennox |
| Last updated | 2018-12-20 |
| Stream | Internet Engineering Task Force (IETF) |
| WG state | WG Document |
| Document shepherd | No shepherd assigned |
| IESG state | RFC 4572 (Proposed Standard) |
| Action holders | (None) |
| Consensus boilerplate | Unknown |
| Telechat date | |
| Responsible AD | Allison Mankin |
| Send notices to | jo@acm.org, csp@csperkins.org, jon.peterson@neustar.biz |
Network Working Group J. Lennox
Request for Comments: 4572 Columbia U.
Updates: 4145 July 2006
Category: Standards Track

Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)

Status of This Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2006).

Abstract

This document specifies how to establish secure connection-oriented media transport sessions over the Transport Layer Security (TLS) protocol using the Session Description Protocol (SDP). It defines a new SDP protocol identifier, 'TCP/TLS'. It also defines the syntax and semantics for an SDP 'fingerprint' attribute that identifies the certificate that will be presented for the TLS session. This mechanism allows media transport over TLS connections to be established securely, so long as the integrity of session descriptions is assured. This document extends and updates RFC 4145.

Lennox Standards Track [Page 1]
RFC 4572 Comedia over TLS in SDP July 2006

Table of Contents

1. Introduction
2. Terminology
3. Overview
3.1. SDP Operational Modes
3.2. Threat Model
3.3. The Need for Self-Signed Certificates
3.4. Example SDP Description for TLS Connection
4. Protocol Identifiers
5. Fingerprint Attribute
6. Endpoint Identification
6.1. Certificate Choice
6.2. Certificate Presentation
7. Security Considerations
8. IANA Considerations
9. References
9.1. Normative References
9.2. Informative References

1. Introduction

The Session Description Protocol (SDP) [1] provides a general-purpose format for describing multimedia sessions in announcements or invitations. For many applications, it is desirable to establish, as part of a multimedia session, a media stream that uses a connection-oriented transport. RFC 4145, Connection-Oriented Media Transport in the Session Description Protocol (SDP) [2], specifies a general mechanism for describing and establishing such connection-oriented streams; however, the only transport protocol it directly supports is TCP.

In many cases, session participants wish to provide confidentiality, data integrity, and authentication for their media sessions. This document therefore extends the Connection-Oriented Media specification to allow session descriptions to describe media sessions that use the Transport Layer Security (TLS) protocol [3].

The TLS protocol allows applications to communicate over a channel that provides confidentiality and data integrity. The TLS specification, however, does not specify how specific protocols establish and use this secure channel; particularly, TLS leaves the question of how to interpret and validate authentication certificates as an issue for the protocols that run over TLS. This document specifies such usage for the case of connection-oriented media transport.
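As an added example (not part of RFC 4572's own text), the following Python shows the check the abstract describes: the offerer announces its certificate with an SDP 'fingerprint' attribute (per section 5 of the RFC, the hash function name followed by the uppercase, colon-separated hex digest of the DER-encoded certificate), and the receiving endpoint compares that digest against the certificate actually presented in the TLS handshake. The DER bytes below are a constructed stand-in, not a real certificate, and only hash functions available in the Python standard library are supported.

```python
import hashlib
import hmac
import re

# Hash function names RFC 4572 allows in the attribute, mapped to hashlib names.
# md2 is omitted because hashlib has no implementation of it.
HASH_FUNCS = {"sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
              "sha-384": "sha384", "sha-512": "sha512", "md5": "md5"}

# a=fingerprint:<hash-func> <UHEX>:<UHEX>:... (RFC 4572 section 5 syntax)
FINGERPRINT_RE = re.compile(
    r"^a=fingerprint:(?P<func>[A-Za-z0-9-]+) (?P<hex>[0-9A-F]{2}(?::[0-9A-F]{2})*)$")

def make_fingerprint_attr(cert_der: bytes, hash_func: str = "sha-1") -> str:
    """Build the SDP line announcing a certificate, hashed over its DER encoding."""
    digest = hashlib.new(HASH_FUNCS[hash_func], cert_der).digest()
    return f"a=fingerprint:{hash_func} " + ":".join(f"{b:02X}" for b in digest)

def parse_fingerprint_attr(line: str):
    """Return (hash_func, digest_bytes); raise ValueError on a malformed line."""
    m = FINGERPRINT_RE.match(line.strip())
    if not m:
        raise ValueError("malformed fingerprint attribute")
    func = m.group("func").lower()  # hash-func names are case-insensitive
    if func not in HASH_FUNCS:
        raise ValueError(f"unsupported hash function {func}")
    digest = bytes.fromhex(m.group("hex").replace(":", ""))
    if len(digest) != hashlib.new(HASH_FUNCS[func]).digest_size:
        raise ValueError("fingerprint length does not match hash function")
    return func, digest

def certificate_matches(line: str, presented_der: bytes) -> bool:
    """True iff the certificate shown in the TLS handshake is the one the SDP announced."""
    func, expected = parse_fingerprint_attr(line)
    actual = hashlib.new(HASH_FUNCS[func], presented_der).digest()
    # Constant-time comparison so a mismatch does not leak where the digests differ.
    return hmac.compare_digest(expected, actual)

# Constructed stand-in for a DER-encoded self-signed certificate (not a real cert).
CERT_DER = b"\x30\x82\x01\x0a" + bytes(range(256)) + b"\x00" * 10
OTHER_DER = CERT_DER[:-1] + b"\x01"  # a different certificate, one byte changed

if __name__ == "__main__":
    line = make_fingerprint_attr(CERT_DER, "sha-256")
    print(line)
    print(certificate_matches(line, CERT_DER))   # announced certificate: True
    print(certificate_matches(line, OTHER_DER))  # substituted certificate: False
```

The check is only as strong as the integrity of the session description carrying the attribute, which is the condition the abstract states.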
Complicating this issue, endpoints exchanging media will often be unable to obtain authentication certificates signed by a well-known root certification authority (CA). Most certificate authorities charge for signed certificates, particularly host-based certificates; additionally, there is a substantial administrative overhead to obtaining signed certificates, as certification authorities must be able to confirm that they are issuing the signed certificates to the correct party. Furthermore, in many cases endpoints' IP addresses