draft-ietf-avtcore-srtp-vbr-audio-00.txt   draft-ietf-avtcore-srtp-vbr-audio-01.txt 
Network Working Group C. Perkins Network Working Group C. Perkins
Internet-Draft University of Glasgow Internet-Draft University of Glasgow
Intended status: BCP JM. Valin Intended status: BCP JM. Valin
Expires: July 31, 2011 Octasic Inc. Expires: October 29, 2011 Octasic Inc.
January 27, 2011 April 27, 2011
Guidelines for the use of Variable Bit Rate Audio with Secure RTP Guidelines for the use of Variable Bit Rate Audio with Secure RTP
draft-ietf-avtcore-srtp-vbr-audio-00.txt draft-ietf-avtcore-srtp-vbr-audio-01.txt
Abstract Abstract
This memo discusses potential security issues that arise when using This memo discusses potential security issues that arise when using
variable bit rate audio with the secure RTP profile. Guidelines to variable bit rate audio with the secure RTP profile. Guidelines to
mitigate these issues are suggested. mitigate these issues are suggested.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 31, 2011. This Internet-Draft will expire on October 29, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2011 IETF Trust and the persons identified as the Copyright (c) 2011 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 12 skipping to change at page 2, line 12
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Scenario-Dependent Risk . . . . . . . . . . . . . . . . . . . . 3 2. Scenario-Dependent Risk . . . . . . . . . . . . . . . . . . . . 3
3. Guidelines for use of VBR Audio with SRTP . . . . . . . . . . . 4 3. Guidelines for use of VBR Audio with SRTP . . . . . . . . . . . 4
4. Guidelines for use of Voice Activity Detection with SRTP . . . 4 4. Guidelines for use of Voice Activity Detection with SRTP . . . 4
5. Padding the output of VBR codecs . . . . . . . . . . . . . . . 5 5. Padding the output of VBR codecs . . . . . . . . . . . . . . . 5
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . . 6
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 6
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6 9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
9.1. Normative References . . . . . . . . . . . . . . . . . . . 6 9.1. Normative References . . . . . . . . . . . . . . . . . . . 6
9.2. Informative References . . . . . . . . . . . . . . . . . . 6 9.2. Informative References . . . . . . . . . . . . . . . . . . 6
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction 1. Introduction
The secure RTP framework (SRTP) [RFC3711] is a widely used framework The secure RTP framework (SRTP) [RFC3711] is a widely used framework
skipping to change at page 5, line 32 skipping to change at page 5, line 32
The application of a random overhang period to each talkspurt will The application of a random overhang period to each talkspurt will
reduce the effectiveness of VAD in SRTP sessions when compared to reduce the effectiveness of VAD in SRTP sessions when compared to
non-SRTP sessions. It is, however, still expected that the use of non-SRTP sessions. It is, however, still expected that the use of
VAD will provide a significant bandwidth saving for many encrypted VAD will provide a significant bandwidth saving for many encrypted
sessions. sessions.
5. Padding the output of VBR codecs 5. Padding the output of VBR codecs
For scenarios where VBR is considered unsafe, the codec SHOULD be For scenarios where VBR is considered unsafe, the codec SHOULD be
operated in CBR mode. However, if the codec does not support CBR, operated in constant bit rate (CBR) mode. However, if the codec does
RTP padding SHOULD be used to reduce the information leak to an not support CBR, RTP padding SHOULD be used to reduce the information
insignificant level. Packets may be padded to a constant size, or leak to an insignificant level. Packets may be padded to a constant
may be padded to a size that varies with time. In the case where the size ([spot-me] achieves good results by padding to the next multiple
size of the padded packets varies in time, the same concerns as for of 16 octets, but the amount of padding needed to hide the variation
VAD apply. That is, the padding SHOULD NOT be reduced without in packet size will depend on the codec), or may be padded to a size
waiting for a certain (random) time. The RECOMMENDED "hold time" is that varies with time. In the case where the size of the padded
the same as the one for VAD. packets varies in time, the same concerns as for VAD apply. That is,
the padding SHOULD NOT be reduced without waiting for a certain
(random) time. The RECOMMENDED "hold time" is the same as the one
for VAD.
Note that SRTP encrypts the count of the number of octets of padding Note that SRTP encrypts the count of the number of octets of padding
added to a packet, but not the bit in the RTP header that indicates added to a packet, but not the bit in the RTP header that indicates
that the packet has been padded. For this reason, it is RECOMMENDED that the packet has been padded. For this reason, it is RECOMMENDED
to add at least one octet of padding to all packets in a media to add at least one octet of padding to all packets in a media
stream, so an attacker cannot tell which packets needed padding. stream, so an attacker cannot tell which packets needed padding.
6. Security Considerations 6. Security Considerations
The security considerations of [RFC3711] apply. The security considerations of [RFC3711] apply.
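Review bot: In the Section 5 parenthetical added in -01, "padding to the next multiple of 16 octets" does not say what happens to a packet whose size is already a multiple of 16. That case matters because the paragraph that follows recommends at least one octet of padding on every packet. Suggest stating it explicitly, for example "padding to the next larger multiple of 16 octets", so that an already aligned packet receives a full 16 octets rather than none. The parenthetical also sits in the middle of "padded to a constant size ..., or may be padded to a size that varies with time", which makes the two alternatives hard to follow. Consider moving the [spot-me] remark, with its caveat that the amount needed depends on the codec, into its own sentence after that one.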
 End of changes. 5 change blocks. 
13 lines changed or deleted 16 lines changed or added
