Privacy Enhanced RTP Conferencing
IETF 95
Session 2016-04-04 1550-1720: Buen Ayre A
Scribe: Harald Alvestrand, Mo Zanaty

Summary:

* SRTP Transform specification (draft-jennings-perc-double)
  - updated version reflected the outcome of virtual interim
  - agree to remove the NULL HBH transform

* EKT Specification (draft-jennings-perc-srtp-ekt-diet)
  - Trimmed down version of the EKT spec with EKT mechanism defined for DTLS-SRTP alone
  - Authors to submit an updated version fixing omission errors
  - AD to add milestone for this spec for PERC WG

* Tunnel Specification (draft-jones-perc-dtls-tunnel)
  - needs more discussion on MTU considerations
  - more work needed to incorporate alternate tunnel transports (TLS?)

* Solution Framework documents (draft-jones-perc-private-media-framework)
  - Covered as part of overall PERC solution
  - to be adopted as WG document

* Consensus on adopting the documents
  - draft-jennings-perc-double: adopt as WG document
  - draft-jennings-perc-srtp-ekt-diet: Add milestone to PERC WG
  - draft-jones-perc-private-media-framework-02: Adopt as WG document

* Open Issues
  - Naming conventions for EKT Field, EKT key and SPI
  - Timing of EKT key rekeying
  - Integrity protection of the EKT Field and mechanisms for preventing replay attack
  - MTU considerations for DTLS tunnel
  - Alternative transport considerations for Tunnel protocol (TLS?)

------------------------------------------------------------
Raw notes (From Mo Zanaty)
------------------------------------------------------------

PERC WG - IETF 95, Buenos Aires, AR
Monday, April 4, 2016 15:50-17:20
Chairs: Richard Barnes, Suhas Nandakumar
Area Director: Ben Campbell
Jabber scribe: ?
Notetakers: Mo Zanaty

ACTIONS: Double and framework drafts adopted as WG items.

Raw preliminary notes.

1550-1555 Administrivia, Chairs

1555-1605 Recap of layers/framework and SRTP / SRTCP transform requirements, Chairs

1605-1625 A Big Picture of the PERC Solution, Adam Roach

Magnus Westerlund: Should we revisit immutable SSRC discussion?
Chair: Let's discuss on list.
Jonathan Lennox: Why is KMF deciding hop by hop keys? It does not need to be involved.
Adam: So it can look like a single DTLS association followed by HBH key establishment.
Roni Even: How is trust established between endpoint and KMF?
Richard (floor mic): This is just an overall framework. Protocols will be needed.
Cullen Jennings: Identity assertions and trust work the same way whether there is a DTLS tunnel or direct connection. There must be signaling and protocol for establishing the identity and trust of the endpoint-to-KMF connection, just as in direct P2P today (e.g. DTLS cert fingerprints are signaled and verified).
Patrick Linskey: Allowing an endpoint to embed a KMF would not be acceptable for enterprises.
Adam: Two separate models. Enterprise model would not want KMF in endpoints but non-enterprise model would. Service decides this choice.
Russ Housley: Service should be able to designate which endpoint hosts the KMF. Simpler and more understandable trust model.
Roni: Is session setup call flow steps 1-4 once per conference or call?
Adam: Once per conference.
Richard (floor mic): (missed point)
Patrick: Can the EKT key remain the same upon new joiners?
Some discussion and confusion on this point, need to clarify on list.
Magnus: Recording of E2E encrypted is possible.
Adam: Yes, and a recorder endpoint is also possible.

1625-1645 SRTP Double Encryption Procedures, Cullen Jennings
draft-jennings-perc-double

Jonathan: Why header extensions not payload headers or trailers within the transform?
Russ: I understand the encryption. What about integrity?
Cullen: First HBH integrity, then E2E integrity checked separately.
Russ: NULL integrity is bad.
Magnus: Idea was DTLS not SRTP providing HBH encryption and integrity in NULL cases.

1645-1705 EKT on Diet, Cullen Jennings
draft-jennings-perc-srtp-ekt-diet

Patrick: Rather than spec'ing 250ms, need some metrics from real conferences.
Magnus: RTCP RTT may be useful here.
Adam: Let the KMF announce a future time/seq when the new keys become active rather than a fixed key delay time.
John Mattson: Replay issues with ISN-like approach.
Russ: Integrity checks must be over EKT field (or whatever needs integrity).
Harald: On special EKT key for announcements (slide 15), security properties are like everyone joins 2 conferences where the announcements are in 1. Is it worth the complexity?
Cullen: Agreed, but 1 tunnel is simpler than 2.

1705-1720 DTLS Tunnel, Paul Jones
draft-jones-perc-dtls-tunnel

Richard (floor mic): Clarifying questions on message diagram. Paul clarified.
Jonathan: Don't like KMF doing keygen for MDD HBH keys.
Mo: Agree, for

Chair: Call to adopt double draft: Moderate hums in favor in room and jabber, none opposed. Will confirm on the list.
Chair: Does AD feel EKT work can be done here in PERC instead of AVTCORE?
Ben (as AD): Yes, seems reasonable.
Magnus: What about framework draft?
Chair: Call to adopt framework draft: Moderate hums in favor in room and jabber, none opposed. Will confirm on the list.

------------------------------------------------------------
Raw notes (From Harald Alvestrand)
------------------------------------------------------------

Notes from PERC meeting, Monday April 4 1550-1720
Note taker: Harald Alvestrand

1550 - 1555  5 minutes  Chairs  Administrivia

Chairs reviewed milestones and meetings since last IETF.
Magnus: Please revisit consensus on whether SSRC is immutable or not.
Chairs: Will do offline.

1555 - 1605  10 minutes  Chairs  Recap of layers/framework and SRTP / SRTCP transform requirements

1605 - 1625  20 minutes  Adam Roach  A Big Picture of the PERC Solution

See slides.
https://www.ietf.org/proceedings/95/slides/slides-95-perc-4.pdf

MDD: Media Distribution Device
HBH: Hop-by-Hop (key)
KMF: Key Management Function

Roni Even: Questioning protection of the KMF/MDD separation.
Adam Roach: MDD is no more trusted than an IP router for the key setup.
Jonathan Lennox: Is moving the KMF in scope?
Adam Roach: Interesting question, we'll get to it down the road.
Russ Housley: If KMF movable, it's important that backup KMF is designated, not chosen at random or by some algorithm.

1625 - 1645  20 minutes  Cullen Jennings  SRTP Double Encryption Procedures
draft-jennings-perc-double

See slides: https://www.ietf.org/proceedings/95/slides/slides-95-perc-1.pdf

Jonathan Lennox: Why OHB headers instead of part of the encryption format?
Cullen Jennings: Trying to reuse existing code.
Russ Housley: What parts are integrity protected?
Cullen Jennings: Effectively normal protection, with restoration of changed fields before final checking of initial MAC.

1645 - 1705  20 minutes  Cullen Jennings  EKT on Diet
draft-jennings-perc-srtp-ekt-diet

See slides: https://www.ietf.org/proceedings/95/slides/slides-95-perc-0.pdf

Reduced from 40 pages to 15 by ripping out everything irrelevant to this use case. Not intended as a fork.

Suggestion (slide): Using 250 ms timeouts before starting to use a new key.
Pat Lezinski: should use measurements rather than out-of-a-hat
Magnus Westerlund: Could use RTT info to get a proper timeout value
Adam Roach: Could set the timeout as a parameter in the "change-key" msg.
: Need to keep decoding with old key for a while after change.
Russ Housley: Maybe integrity protection needs to cover part of the EKT data?
Cullen: Thought we'd eliminated that by including SSRC in EKT data.
: Discussing security properties of "announcement server" idea.
Harald Alvestrand: we can do this with 2 conferences. is the optimization worth it?
Cullen: Worth thinking about.

No decisions made.

1705 - 1720  15 minutes  Paul Jones  DTLS Tunnel
draft-jones-perc-dtls-tunnel/

Slides: https://www.ietf.org/proceedings/95/slides/slides-95-perc-3.pdf

Magnus Westerlund: What's the transport? Are we getting MTU problems?
Richard Barnes: We could use TLS/TCP and avoid this problem.
Paul Jones: The only reason for doing DTLS is KMF/client colocation - we already depend on getting media through firewalls.
Jonathan Lennox: WebRTC data channels seem to have the properties we want.

Jonathan Lennox questions the wisdom of letting the KMF pick the hop-by-hop keys. Not clear that there is a problem.
Jon Peterson: Would be nice to explain why we trust the KMF in the intro - what models we support.
Mo Zanaty: Yes, we need to explain these roles properly.
Jonathan Lennox: There's no real reason for the KMF to need to know the HBH keys - no identified threat either.
Cullen Jennings: Only one crypto context is an important point.

Chair questions:

- Adopt -double-transform as WG document?
  Hum. Several in favor (incl Randell on jabber), none against.

- Should we adopt EKT from AVTCORE?
  Ben (AD hat): I think it is reasonable.
  Chairs: Another rev (fix errors), will call for adoption on the list.

- Is -tunnel on the right track?
  Not yet ready for the adoption call.

Magnus: What about the framework draft?

Chairs:
- draft-jones-perc-private-media-framework: Adopt?
  Hum. Several in favor, none against. Randell and Varun humming on room.

Ended at 17:22