Network Working Group                                        C. Jennings
Internet-Draft                                                  P. Jones
Intended status: Standards Track                               R. Barnes
Expires: February 9, 2018                                  Cisco Systems
Expires: December 31, 2017
                                                                A. Roach
                                                           June 29,
                                                          August 8, 2017

                   SRTP Double Encryption Procedures


   In some conferencing scenarios, it is desirable for an intermediary
   to be able to manipulate some RTP parameters, while still providing
   strong end-to-end security guarantees.  This document defines SRTP
   procedures that use two separate but related cryptographic operations
   to provide hop-by-hop and end-to-end security guarantees.  Both the
   end-to-end and hop-by-hop cryptographic algorithms can utilize an
   authenticated encryption with associated data scheme or take
   advantage of future SRTP transforms with different properties.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 31, 2017. February 9, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Cryptographic Context . . . . . . . . . . . . . . . . . . . .   3   4
   4.  Original Header Block . . . . . . . . . . . . . . . . . . . .   4
   5.  RTP Operations  . . . . . . . . . . . . . . . . . . . . . . .   6   5
     5.1.  Encrypting a Packet . . . . . . . . . . . . . . . . . . .   6   5
     5.2.  Relaying a Packet . . . . . . . . . . . . . . . . . . . .   6
     5.3.  Decrypting a Packet . . . . . . . . . . . . . . . . . . .   8   7
   6.  RTCP Operations . . . . . . . . . . . . . . . . . . . . . . .   9   8
   7.  Use with Other RTP Mechanisms . . . . . . . . . . . . . . . .   9   8
     7.1.  RTX . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.2.  DTMF  RED . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.3.  FEC . . . . . . . . . . . . . . . . . . . . . . . . . . .   9
     7.4.  DTMF  . . . . . . . . . . . . . . . . . . . . . . . . . .   9
   8.  Recommended Inner and Outer Cryptographic Algorithms  . . . .  10   9
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  10
   10. IANA Considerations . . . . . . . . . . . . . . . . . . . . .  11
     10.1.  RTP Header Extension . . . . . . . . . . . . . . . . . .  11
     10.2.  DTLS-SRTP  . . . . . . . . . . . . . . . . . . . . . . .  12  11
   11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .  13  12
   12. References  . . . . . . . . . . . . . . . . . . . . . . . . .  13
     12.1.  Normative References . . . . . . . . . . . . . . . . . .  13
     12.2.  Informative References . . . . . . . . . . . . . . . . .  13
   Appendix A.  Encryption Overview  . . . . . . . . . . . . . . . .  14
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  15

1.  Introduction

   Cloud conferencing systems that are based on switched conferencing
   have a central Media Distributor device that receives media from
   endpoints and distributes it to other endpoints, but does not need to
   interpret or change the media content.  For these systems, it is
   desirable to have one cryptographic key from the sending endpoint to
   the receiving endpoint that can encrypt and authenticate the media
   end-to-end while still allowing certain RTP header information to be
   changed by the Media Distributor.  At the same time, a separate
   cryptographic key provides integrity and optional confidentiality for
   the media flowing between the Media Distributor and the endpoints.

   See the framework document that describes this concept in more detail
   in more detail in [I-D.ietf-perc-private-media-framework].

   This specification defines an SRTP transform that uses the AES-GCM
   algorithm [RFC7714] to provide encryption and integrity for an RTP
   packet for the end-to-end cryptographic key as well as a hop-by-hop
   cryptographic encryption and integrity between the endpoint and the
   Media Distributor.  The Media Distributor decrypts and checks
   integrity of the hop-by-hop security.  The Media Distributor MAY
   change some of the RTP header information that would impact the end-
   to-end integrity.  The original value of any RTP header field that is
   changed is included in a new RTP header extension called the Original
   Header Block.  The new RTP packet is encrypted with the hop-by-hop
   cryptographic algorithm before it is sent.  The receiving endpoint
   decrypts and checks integrity using the hop-by-hop cryptographic
   algorithm and then replaces any parameters the Media Distributor
   changed using the information in the Original Header Block before
   decrypting and checking the end-to-end integrity.

   One can think of the double as a normal SRTP transform for encrypting
   the RTP in a way where things that only know half of the key, can
   decrypt and modify part of the RTP packet but not other parts of if
   including the media payload.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

   Terms used throughout this document include:

   o  Media Distributor: media distribution device that routes media
      from one endpoint to other endpoints

   o  end-to-end: meaning the link from one endpoint through one or more
      Media Distributors to the endpoint at the other end.

   o  hop-by-hop: meaning the link from the endpoint to or from the
      Media Distributor.

   o  OHB: Original Header Block is an RTP header extension octet string that contains the
      original values from the RTP header that might have been changed
      by a Media Distributor.

3.  Cryptographic Context

   This specification uses a cryptographic context with two parts: an
   inner (end-to-end) part that is used by endpoints that originate and
   consume media to ensure the integrity of media end-to-end, and an
   outer (hop-by-hop) part that is used between endpoints and Media
   Distributors to ensure the integrity of media over a single hop and
   to enable a Media Distributor to modify certain RTP header fields.
   RTCP is also handled using the hop-by-hop cryptographic part.  The
   RECOMMENDED cipher for the hop-by-hop and end-to-end algorithm is
   AES-GCM.  Other combinations of SRTP ciphers that support the
   procedures in this document can be added to the IANA registry.

   The keys and salt for these algorithms are generated with the
   following steps:

   o  Generate key and salt values of the length required for the
      combined inner (end-to-end) and outer (hop-by-hop) algorithms.

   o  Assign the key and salt values generated for the inner (end-to-
      end) algorithm to the first half of the key and salt for the
      double algorithm.

   o  Assign the key and salt values for the outer (hop-by-hop)
      algorithm to the second half of the key and salt for the double
      algorithm.  The first half of the key is revered referred to as the inner
      key while the second out half is referred to as the outer key.  When a
      key is used by a cryptographic algorithm, the salt used is the
      part of the salt generated with that key.

   Obviously, if the Media Distributor is to be able to modify header
   fields but not decrypt the payload, then it must have cryptographic
   key for the outer algorithm, but not the inner (end-to-end)
   algorithm.  This document does not define how the Media Distributor
   should be provisioned with this information.  One possible way to
   provide keying material for the outer (hop-by-hop) algorithm is to
   use [I-D.ietf-perc-dtls-tunnel].

4.  Original Header Block

   Any SRTP packet processed following these procedures MAY contain an

   The Original Header Block (OHB) RTP header extension.

   The OHB contains the original values of any
   modified header fields
   and MUST be placed after any already-existing RTP header extensions.
   Placement of fields.  In the encryption process, the OHB after any original header extensions is
   important so that
   appended to the RTP payload.  In the decryption process, the
   receiving endpoint can properly authenticate uses it to reconstruct the original packet and any originally included RTP header
   extensions.  The receiving endpoint will authenticate header, so
   that it can pass the original
   packet by restoring proper AAD value to the modified inner transform.

   The OHB can reflect modifications to the following fields in an RTP header field values
   header: the payload type, the sequence number, and the marker bit.

   All other fields in the RTP header
   extensions.  It does this by copying MUST remain unmodified; since the
   OHB cannot reflect their original values from values, the receiver will be unable
   to verify the E2E integrity of the packet.

   The OHB
   and then removing has the following syntax (in ABNF):

   BYTE = %x00-FF

   PT = BYTE
   SEQ = 2BYTE
   Config = BYTE

   OHB extension = ?PT ?SEQ Config

   If present, the PT and any other RTP header
   extensions that appear after SEQ parts of the OHB extension.

   The Media Distributor is only permitted to modify contain the extension (X)
   bit, original
   payload type (PT) field, and the RTP sequence number field. fields, respectively.  The OHB extension is either one final
   "config" octet in length, two octets in
   length, or three octets in length.  The length of the OHB indicates
   what data is contained in the extension.

   If the OHB is one octet in length, it contains specifies whether these fields are present,
   and the original PT field
   value.  In this case, value of the OHB has this form:

    0                   1
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5
   |  ID   | len=0 |R| marker bit (if necessary):

   |R R R R B M P Q|

   o  P: PT      |

   Note that "R" indicates a reserved is present

   o  Q: SEQ is present

   o  M: Marker bit that is present

   o  B: Value of marker bit

   o  R: Reserved, MUST be set to zero when
   sending a packet and ignored upon receipt.  ID is the RTP Header
   Extension identifier negotiated in the SDP.

   If the OHB is two octets in length, it contains the original RTP
   packet sequence number.  In this case, the OHB has this form: 0                   1                   2
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3
   |  ID   | len=1 |        Sequence Number        |

   If the OHB is three octets in length, it contains the original PT
   field value and RTP packet sequence number.

   In this case, the OHB
   has this form:

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 6 4 5 6 7 8 9 1
   |  ID   | len=2 |R|     PT      |        Sequence Number        |

   If a Media Distributor modifies particular, an original RTP header value, the
   Media Distributor MUST include the all-zero OHB extension to reflect the
   changed value, setting the X bit in the RTP header to 1 if config octet (0x00) indicates that
   there have been no header
   extensions were originally present.  If another Media Distributor
   along the media path makes additional changes to the RTP header and
   any original value is already present in the OHB, the Media
   Distributor must extend the OHB by adding the changed value to modifications from the
   OHB.  To properly preserve original RTP header values, a Media
   Distributor MUST NOT change a value already present in the OHB
   extension. header.

5.  RTP Operations

5.1.  Encrypting a Packet

   To encrypt a packet, the endpoint encrypts the packet using the inner
   (end-to-end) cryptographic key and then encrypts using the outer
   (hop-by-hop) cryptographic key.  The encryption also supports a mode
   for repair packets that only does the outer (hop-by-hop) encryption.
   The processes is as follows:


   1.  Form an RTP packet.  If there are any header extensions, they
       MUST use [RFC5285].


   2.  If the endpoint wishes packet is for repair mode data, skip to insert header extensions that can be
      modified by an Media Distributor, it MUST insert an OHB header
      extension at the end of any header extensions protected end-to-end
      (if any), then add any Media Distributor-modifiable header
      extensions.  In other cases, step 6.

   3.  Form a synthetic RTP packet with the endpoint SHOULD still insert an
      OHB header extension. following contents:

       *  Header: The OHB MUST replicate the information
      found in the RTP header following the application of the inner
      cryptographic algorithm.  If not already set, the endpoint MUST
      set original packet with the
          following modifications:

       *  The X bit in the RTP is set to zero

       *  The header is truncated to 1 when introducing remove any extensions (12 + 4 * CC

       *  Payload: The RTP payload of the OHB

   o original packet

   4.  Apply the inner cryptographic algorithm to the RTP packet.  If
      encrypting RTP

   5.  Replace the header extensions end-to-end, then [RFC6904] MUST
      be used when encrypting of the protected RTP packet using with the inner
      cryptographic key.

   o header of
       the original packet, and append to the payload of the packet (1)
       the authentication tag from the original transform, and (2) an
       empty OHB (0x00).

   6.  Apply the outer cryptographic algorithm to the RTP packet.  If
       encrypting RTP header extensions hop-by-hop, then [RFC6904] MUST
       be used when encrypting the RTP packet using the outer
       cryptographic key.

   When using EKT [I-D.ietf-perc-srtp-ekt-diet], the EKT Field comes
   after the SRTP packet exactly like using EKT with any other SRTP

5.2.  Relaying a Packet

   The Media Distributor does has the part of the key for the outer
   (hop-by-hop) (hop-by-
   hop), but it does not have the part of the key for the (end-to-
   end) (end-to-end)
   cryptographic algorithm.  The cryptographic algorithm and key used to
   decrypt a packet and any encrypted RTP header extensions would be the
   same as those used in the endpoint's outer algorithm and key.

   In order to modify a packet, the Media Distributor decrypts the
   packet, modifies the packet, updates the OHB with any modifications
   not already present in the OHB, and re-encrypts the packet using the
   cryptographic using the outer (hop-by-hop) key.


   1.  Apply the outer (bop-by-hop) (hop-by-hop) cryptographic algorithm to decrypt
       the packet.  If decrypting RTP header extensions hop-by-hop, then
       [RFC6904] MUST be used.

   o  Note that the RTP payload produced by
       this decryption operation contains the original encrypted payload
       with the tag from the inner transform and the OHB appended.

   2.  Change any parts of the RTP packet that the relay wishes to
       change and are allowed to be changed.


   3.  If a changed RTP header field is not already in the OHB, add it
       with its original value to the OHB.  A Media Distributor can add
       information to the OHB, but MUST NOT change existing information
       in the OHB.


   4.  If the Media Distributor resets a parameter to its original
       value, it MAY drop it from the OHB as long as there are no other header
      extensions following the OHB.  Note that this might result
       in a decrease in the size of the OHB.  It is also possible for the
      Media Distributor to remove the OHB entirely if all parameters in
      the RTP header are reset to their original values and no other
      header extensions follow the OHB.  If the OHB is removed and no
      other extension is present, the X bit in the RTP header MUST be
      set to 0.

   o  The Media Distributor MUST NOT delete any header extensions before
      the OHB, but MAY add, delete, or modify any that follow the OHB.

      *  If the Media Distributor adds any header extensions, it must
         append them and it must maintain the order of the original
         header extensions in the [RFC5285] block.

      *  If the Media Distributor appends header extensions, then it
         MUST add the OHB header extension (if not present), even if the
         OHB merely replicates the original header field values, and
         append the new extensions following the OHB.  The OHB serves as
         a demarcation point between original RTP header extensions
         introduced by the endpoint and those introduced by a Media

   o  The Media Distributor MAY modify any header extension appearing
      after the OHB, but MUST NOT modify header extensions that are
      present before the OHB.


   5.  Apply the outer (hop-by-hop) cryptographic algorithm to the
       packet.  If the RTP Sequence Number has been modified, SRTP
       processing happens as defined in SRTP and will end up using the
       new Sequence Number.  If encrypting RTP header extensions hop-by-
       hop, then [RFC6904] MUST be used.

5.3.  Decrypting a Packet

   To decrypt a packet, the endpoint first decrypts and verifies using
   the outer (hop-by-hop) cryptographic key, then uses the OHB to
   reconstruct the original packet, which it decrypts and verifies with
   the inner (end-to-end) cryptographic key.


   1.  Apply the outer cryptographic algorithm to the packet.  If the
       integrity check does not pass, discard the packet.  The result of
       this is referred to as the outer SRTP packet.  If decrypting RTP
       header extensions hop-by-hop, then [RFC6904] MUST be used when
       decrypting the RTP packet using the outer cryptographic key.

   o  Form a new synthetic SRTP

   2.  If the packet with:

      *  Header = Received header, with header fields replaced with
         values from OHB (if present).

      *  Insert all header extensions up to is for repair mode data, skip the OHB extension, but
         exclude rest of the OHB

   3.  Remove the inner authentication tag and any header extensions that follow the OHB.
         If there are no extensions remaining, then OHB from the end of
       the payload of the outer SRTP packet.

   4.  Form a new synthetic SRTP packet with:

       *  Header = Received header, with the following modifications:

       *  Header fields replaced with values from OHB (if any)

       *  The X bit MUST bet is set to 0.  If there are extensions remaining, then the
         remaining extensions MUST be padded to the first 32-bit
         boundary and the overall length of the zero

       *  The header is truncated to remove any extensions
         adjusted accordingly. (12 + 4 * CC

       *  Payload is the encrypted payload from the outer SRTP packet
          (after the inner tag and OHB have been stripped).

       *  Authentication tag is the inner authentication tag from the
          outer SRTP packet.


   5.  Apply the inner cryptographic algorithm to this synthetic SRTP
       packet.  Note if the RTP Sequence Number was changed by the Media
       Distributor, the synthetic packet has the original Sequence
       Number.  If the integrity check does not pass, discard the
      If decrypting RTP header extensions end-to-end, then [RFC6904]
      MUST be used when decrypting the RTP packet using the inner
      cryptographic key.

   Once the packet has been successfully decrypted, the application
   needs to be careful about which information it uses to get the
   correct behaviour.  The application MUST use only the information
   found in the synthetic SRTP packet and MUST NOT use the other data
   that was in the outer SRTP packet with the following exceptions:

   o  The PT from the outer SRTP packet is used for normal matching to
      SDP and codec selection.

   o  The sequence number from the outer SRTP packet is used for normal
      RTP ordering.

   The PT and sequence number from the inner SRTP packet can be used for
   collection of various statistics.

   If any of the following RTP headers extensions are found in the outer
   SRTP packet, they MAY be used:

   o  Mixer-to-client audio level indicators (See [RFC6465])

6.  RTCP Operations

   Unlike RTP, which is encrypted both hop-by-hop and end-to-end using
   two separate cryptographic key, RTCP is encrypted using only the
   outer (hop-by-hop) cryptographic key.  The procedures for RTCP
   encryption are specified in [RFC3711] and this document introduces no
   additional steps.

7.  Use with Other RTP Mechanisms

   There are some RTP related extensions that need special consideration
   to be used by a relay when using the double transform due to the end-
   to-end protection of the RTP.  The repair mechanism, when used with
   double, typically operate on the double encrypted data then take the
   results of theses operations and encrypted them using only the HBH
   key.  This results in three cryptography operation happening to the
   repair data sent over the wire.

7.1.  RTX

   When using RTX [RFC4588] is not useable by with double, the relay for hop-by-hop repair.
   Some modification or extension would be need to cached payloads MUST be made the
   encrypted packets with the bits that are sent over the wire to RTX before the
   other side.  When encrypting a retransmission packet, it could MUST be used
   encrypted in this way.  The problem repair mode packet.

7.2.  RED

   TODO - Add text to explain how to use RED as described in Option A of
   slides presented at IETF 99.

7.3.  FEC

   When using RTX Flex FEC [I-D.ietf-payload-flexible-fec-scheme] with
   double, the negotiation of double for the crypto is the out of band
   signaling that indicates that the
   relay would need repair packets MUST use the order
   of operations of SRTP followed by FEC when encrypting.  This is to be able
   ensure that the original media is not reveled to read the first two byes of Media
   Distributor but at the payload
   of same time allow the retransmissions Media Distributor to
   repair media.  When encrypting a packet which contain the original sequence
   number.  However, this data that contains the Flex FEC
   data, which is end-to-end already encrypted, it MUST be encrypted so the relay can in repair mode

   The algorithm recommend in [I-D.ietf-rtcweb-fec] for repair of video
   is Flex FEC [I-D.ietf-payload-flexible-fec-scheme].  Note that for
   interoperability with WebRTC, [I-D.ietf-rtcweb-fec] recommends not read it.

   using additional FEC only m-line in SDP for the repair packets.

7.4.  DTMF

   When DTMF is sent with [RFC4733], it is end-to-end encrypted and the
   relay can not read it so it can not be used to controll the relay.
   Other out of band methods to controll the relay can need to be used

7.3.  FEC

   The algorithms recommended in [I-D.ietf-rtcweb-fec] for audio work
   with no additional considerations.

   The algorithm recommend in [I-D.ietf-rtcweb-fec] for video is Flex
   FEC [I-D.ietf-payload-flexible-fec-scheme].

   Open Issue: The WG is currently considering how to handle Flex FEC.
   The main issue of concern is that the FEC Header, which is needed for
   repair, is part of the RTP payload.  Flex FEC and be done before or
   after the SRTP process with the order controlled by signalling.
   [I-D.ietf-rtcweb-fec] recommends not using additional FEC only m-line
   in SDP for the repair packets.

8.  Recommended Inner and Outer Cryptographic Algorithms

   This specification recommends and defines AES-GCM as both the inner
   and outer cryptographic algorithms, identified as
   DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM.  These algorithm provide
   for authenticated encryption and will consume additional processing
   time double-encrypting for hop-by-hop and end-to-end.  However, the
   approach is secure and simple, and is thus viewed as an acceptable
   trade-off in processing efficiency.

   Note that names for the cryptographic transforms are of the form
   DOUBLE_(inner algorithm)_(outer algorithm).

   While this document only defines a profile based on AES-GCM, it is
   possible for future documents to define further profiles with
   different inner and outer crypto in this same framework.  For
   example, if a new SRTP transform was defined that encrypts some or
   all of the RTP header, it would be reasonable for systems to have the
   option of using that for the outer algorithm.  Similarly, if a new
   transform was defined that provided only integrity, that would also
   be reasonable to use for the hop-by-hop as the payload data is
   already encrypted by the end-to-end.

   The AES-GCM cryptographic algorithm introduces an additional 16
   octets to the length of the packet.  When using AES-GCM for both the
   inner and outer cryptographic algorithms, the total additional length
   is 32 octets.  If no other header extensions are present in the
   packet and the OHB is introduced, that will consume an additional 8
   octets.  If other extensions are already present, the OHB will
   consume up to 4 additional octets.

9.  Security Considerations

   To summarize what is encrypted and authenticated, we will refer to
   all the RTP fields and headers created by the sender and before the
   pay load as the initial envelope and the RTP payload information with
   the media as the payload.  Any additional headers added by the Media
   Distributor are referred to as the extra envelope.  The sender uses
   the end-to-end key to encrypts the payload and authenticate the
   payload + initial envelope which using an AEAD cipher results in a
   slight longer new payload.  Then the sender uses the hop-by-hop key
   to encrypt the new payload and authenticate the initial envelope and
   new payload.

   The Media Distributor has the hop-by-hop key so it can check the
   authentication of the received packet across the initial envelope and
   payload data but it can't decrypt the payload as it does not have the
   end-to-end key.  It can add extra envelope information.  It then
   authenticates the initial plus extra envelope information plus
   payload with a hop-by-hop key.  This hop-by-hop for the outgoing
   packet is typically different than the hop-by-hop key for the
   incoming packet.

   The receiver can check the authentication of the initial and extra
   envelope information.  This, along with the OHB, is used to construct
   a synthetic packet that is should be identical to one the sender
   created and the receiver can check that it is identical and then
   decrypt the original payload.

   The end result is that if the authentications succeed, the receiver
   knows exactly what the original sender sent, as well as exactly which
   modifications were made by the Media Distributor.

   It is obviously critical that the intermediary has only the outer
   (hop-by-hop) algorithm key and not the half of the key for the the
   inner (end-to-end) algorithm.  We rely on an external key management
   protocol to assure this property.

   Modifications by the intermediary result in the recipient getting two
   values for changed parameters (original and modified).  The recipient
   will have to choose which to use; there is risk in using either that
   depends on the session setup.

   The security properties for both the inner (end-to-end) and outer
   (hop-by-hop) key holders are the same as the security properties of
   classic SRTP.

10.  IANA Considerations

10.1.  RTP Header Extension

   This document defines a new extension URI in the RTP Compact Header
   Extensions part of the Real-Time Transport Protocol (RTP) Parameters
   registry, according to the following data:

   Extension URI: urn:ietf:params:rtp-hdrext:ohb

   Description: Original Header Block

   Contact: Cullen Jennings <>

   Reference: RFCXXXX

   Note to RFC Editor: Replace RFCXXXX with the RFC number of this

10.2.  DTLS-SRTP

   We request IANA to add the following values to defines a DTLS-SRTP
   "SRTP Protection Profile" defined in [RFC5764].

   | Value      | Profile                                  | Reference |
   | {0x00,     | DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM | RFCXXXX   |
   | 0x09}      |                                          |           |
   | {0x00,     | DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM | RFCXXXX   |
   | 0x0A}      |                                          |           |

   Note to IANA: Please assign value RFCXXXX and update table to point
   at this RFC for these values.

   The SRTP transform parameters for each of these protection are:

       cipher:                 AES_128_GCM then AES_128_GCM
       cipher_key_length:      256 bits
       cipher_salt_length:     192 bits
       aead_auth_tag_length:   32 octets
       auth_function:          NULL
       auth_key_length:        N/A
       auth_tag_length:        N/A
       maximum lifetime:       at most 2^31 SRTCP packets and
                               at most 2^48 SRTP packets

       cipher:                 AES_256_GCM then AES_256_GCM
       cipher_key_length:      512 bits
       cipher_salt_length:     192 bits
       aead_auth_tag_length:   32 octets
       auth_function:          NULL
       auth_key_length:        N/A
       auth_tag_length:        N/A
       maximum lifetime:       at most 2^31 SRTCP packets and
                               at most 2^48 SRTP packets

   The first half of the key and salt is used for the inner (end-to-end)
   algorithm and the second half is used for the outer (hop-by-hop)

11.  Acknowledgments

   Many thanks to Richard Barnes for sending significant text for this
   specification.  Thank you for reviews and improvements from David
   Benham, Paul Jones, Suhas Nandakumar, Nils Ohlmeier, and Magnus

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, 10.17487/
              RFC2119, March 1997,

   [RFC3711]  Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
              Norrman, "The Secure Real-time Transport Protocol (SRTP)",
              RFC 3711, DOI 10.17487/RFC3711, March 2004,

   [RFC5285]  Singer, D. and H. Desineni, "A General Mechanism for RTP
              Header Extensions", RFC 5285, DOI 10.17487/RFC5285, July
              2008, <>.

   [RFC5764]  McGrew, D. and E. Rescorla, "Datagram Transport Layer
              Security (DTLS) Extension to Establish Keys for the Secure
              Real-time Transport Protocol (SRTP)", RFC 5764, DOI
              10.17487/RFC5764, May 2010,

   [RFC6904]  Lennox, J., "Encryption of Header Extensions in the Secure
              Real-time Transport Protocol (SRTP)", RFC 6904, DOI
              10.17487/RFC6904, April 2013,

   [RFC7714]  McGrew, D. and K. Igoe, "AES-GCM Authenticated Encryption
              in the Secure Real-time Transport Protocol (SRTP)", RFC
              7714, DOI 10.17487/RFC7714, December 2015,

12.2.  Informative References

              Singh, V., Begen, A., Zanaty, M., and G. Mandyam, "RTP
              Payload Format for Flexible Forward Error Correction
              (FEC)", draft-ietf-payload-flexible-fec-scheme-04 draft-ietf-payload-flexible-fec-scheme-05 (work in
              progress), March July 2017.

              Jones, P., Ellenbogen, P., and N. Ohlmeier, "DTLS Tunnel
              between a Media Distributor and Key Distributor to
              Facilitate Key Exchange", draft-ietf-perc-dtls-tunnel-01
              (work in progress), April 2017.

              Jones, P., Benham, D., and C. Groves, "A Solution
              Framework for Private Media in Privacy Enhanced RTP
              Conferencing", draft-ietf-perc-private-media-framework-03 draft-ietf-perc-private-media-framework-04
              (work in progress), March July 2017.

              Jennings, C., Mattsson, J., McGrew, D., and D. Wing,
              "Encrypted Key Transport for DTLS and Secure RTP", draft-
              ietf-perc-srtp-ekt-diet-05 (work in progress), April June 2017.

              Uberti, J., "WebRTC Forward Error Correction
              Requirements", draft-ietf-rtcweb-fec-05 draft-ietf-rtcweb-fec-06 (work in
              progress), May July 2017.

   [RFC4588]  Rey, J., Leon, D., Miyazaki, A., Varsa, V., and R.
              Hakenberg, "RTP Retransmission Payload Format", RFC 4588,
              DOI 10.17487/RFC4588, July 2006,

   [RFC4733]  Schulzrinne, H. and T. Taylor, "RTP Payload for DTMF
              Digits, Telephony Tones, and Telephony Signals", RFC 4733,
              DOI 10.17487/RFC4733, December 2006,

   [RFC6465]  Ivov, E., Ed., Marocco, E., Ed., and J. Lennox, "A Real-
              time Transport Protocol (RTP) Header Extension for Mixer-
              to-Client Audio Level Indication", RFC 6465, DOI 10.17487/RFC6465, 10.17487/
              RFC6465, December 2011,

Appendix A.  Encryption Overview

   The following figure shows a double encrypted SRTP packet.  The sides
   indicate the parts of the packet that are encrypted and authenticated
   by the hob-by-hop and end-to-end operations.

       0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    |V=2|P|X|  CC   |M|     PT      |       sequence number         | I O
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
    |                           timestamp                           | I O
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
    |           synchronization source (SSRC) identifier            | I O
    +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ I O
    |            contributing source (CSRC) identifiers             | I O
    |                               ....                            | I O
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
    |                    RTP extension (OPTIONAL) ...               | | O
+>+>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
O I |                          payload  ...                         | I O
O I |                               +-------------------------------+ I O
O I |                               | RTP padding   | RTP pad count | I O
O +>+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
O | |                    E2E authentication tag                     | | O
O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | O
O | |                            OHB ...                            | | O
+>| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |<+
| | |                    HBH authentication tag                     | | |
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
| |                                                                   | |
| +- E2E Encrypted Portion               E2E Authenticated Portion ---+ |
|                                                                       |
+--- HBH Encrypted Portion               HBH Authenticated Portion -----+

Authors' Addresses

   Cullen Jennings
   Cisco Systems


   Paul E. Jones
   Cisco Systems


   Richard Barnes
   Cisco Systems

   Adam Roach