draft-ietf-perc-dtls-tunnel-01.txt | draft-ietf-perc-dtls-tunnel-02.txt | |||
---|---|---|---|---|
Network Working Group P. Jones | Network Working Group P. Jones | |||
Internet-Draft Cisco Systems | Internet-Draft Cisco Systems | |||
Intended status: Standards Track P. Ellenbogen | Intended status: Standards Track P. Ellenbogen | |||
Expires: October 30, 2017 Princeton University | Expires: May 3, 2018 Princeton University | |||
N. Ohlmeier | N. Ohlmeier | |||
Mozilla | Mozilla | |||
April 28, 2017 | October 30, 2017 | |||
DTLS Tunnel between a Media Distributor and Key Distributor to | DTLS Tunnel between a Media Distributor and Key Distributor to | |||
Facilitate Key Exchange | Facilitate Key Exchange | |||
draft-ietf-perc-dtls-tunnel-01 | draft-ietf-perc-dtls-tunnel-02 | |||
Abstract | Abstract | |||
This document defines a DTLS tunneling protocol for use in multimedia | This document defines a DTLS tunneling protocol for use in multimedia | |||
conferences that enables a Media Distributor to facilitate key | conferences that enables a Media Distributor to facilitate key | |||
exchange between an endpoint in a conference and the Key Distributor. | exchange between an endpoint in a conference and the Key Distributor. | |||
The protocol is designed to ensure that the keying material used for | The protocol is designed to ensure that the keying material used for | |||
hop-by-hop encryption and authentication is accessible to the media | hop-by-hop encryption and authentication is accessible to the media | |||
distributor, while the keying material used for end-to-end encryption | distributor, while the keying material used for end-to-end encryption | |||
and authentication is inaccessible to the media distributor. | and authentication is inaccessible to the media distributor. | |||
skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 40 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on October 30, 2017. | This Internet-Draft will expire on May 3, 2018. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2017 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 22 ¶ | skipping to change at page 2, line 22 ¶ | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
2. Conventions Used In This Document . . . . . . . . . . . . . . 3 | 2. Conventions Used In This Document . . . . . . . . . . . . . . 3 | |||
3. Tunneling Concept . . . . . . . . . . . . . . . . . . . . . . 3 | 3. Tunneling Concept . . . . . . . . . . . . . . . . . . . . . . 3 | |||
4. Example Message Flows . . . . . . . . . . . . . . . . . . . . 4 | 4. Example Message Flows . . . . . . . . . . . . . . . . . . . . 4 | |||
5. Tunneling Procedures . . . . . . . . . . . . . . . . . . . . 6 | 5. Tunneling Procedures . . . . . . . . . . . . . . . . . . . . 6 | |||
5.1. Endpoint Procedures . . . . . . . . . . . . . . . . . . . 6 | 5.1. Endpoint Procedures . . . . . . . . . . . . . . . . . . . 6 | |||
5.2. Tunnel Establishment Procedures . . . . . . . . . . . . . 6 | 5.2. Tunnel Establishment Procedures . . . . . . . . . . . . . 6 | |||
5.3. Media Distributor Tunneling Procedures . . . . . . . . . 7 | 5.3. Media Distributor Tunneling Procedures . . . . . . . . . 7 | |||
5.4. Key Distributor Tunneling Procedures . . . . . . . . . . 8 | 5.4. Key Distributor Tunneling Procedures . . . . . . . . . . 8 | |||
5.5. Versioning Considerations . . . . . . . . . . . . . . . . 10 | 5.5. Versioning Considerations . . . . . . . . . . . . . . . . 9 | |||
6. Tunneling Protocol . . . . . . . . . . . . . . . . . . . . . 10 | 6. Tunneling Protocol . . . . . . . . . . . . . . . . . . . . . 10 | |||
6.1. Tunnel Message Format . . . . . . . . . . . . . . . . . . 10 | 6.1. Tunnel Message Format . . . . . . . . . . . . . . . . . . 10 | |||
7. Example Binary Encoding . . . . . . . . . . . . . . . . . . . 13 | 7. Example Binary Encoding . . . . . . . . . . . . . . . . . . . 13 | |||
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 | |||
9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 | 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
11.1. Normative References . . . . . . . . . . . . . . . . . . 15 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 15 | |||
11.2. Informative References . . . . . . . . . . . . . . . . . 16 | 11.2. Informative References . . . . . . . . . . . . . . . . . 16 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
skipping to change at page 8, line 41 ¶ | skipping to change at page 8, line 41 ¶ | |||
When processing an incoming endpoint association, the key distributor | When processing an incoming endpoint association, the key distributor | |||
MUST extract the "tls_id" value transmitted in the "ClientHello" | MUST extract the "tls_id" value transmitted in the "ClientHello" | |||
message and match that against "tls-id" value the endpoint | message and match that against "tls-id" value the endpoint | |||
transmitted via SDP. If the values in SDP and the "ClientHello" do | transmitted via SDP. If the values in SDP and the "ClientHello" do | |||
not match, the DTLS association MUST be rejected. | not match, the DTLS association MUST be rejected. | |||
The process through which the "tls-id" in SDP is conveyed to the key | The process through which the "tls-id" in SDP is conveyed to the key | |||
distributor is outside the scope of this document. | distributor is outside the scope of this document. | |||
Editor's Note: The above can be removed if we agree that the media | ||||
distributor will always forward SDP to the key distributor. That | ||||
said, should the media server take on this function or should some | ||||
other call control function do this? The former assumes the media | ||||
distributor always has the SDP. | ||||
The key distributor MUST correlate the certificate fingerprint and | The key distributor MUST correlate the certificate fingerprint and | |||
"tls_id" received from endpoint's "ClientHello" message with the | "tls_id" received from endpoint's "ClientHello" message with the | |||
corresponding values received from the SDP transmitted by the | corresponding values received from the SDP transmitted by the | |||
endpoint. It is through this correlation that the key distributor | endpoint. It is through this correlation that the key distributor | |||
can be sure to deliver the correct conference key to the endpoint. | can be sure to deliver the correct conference key to the endpoint. | |||
When sending the "ServerHello" message, the key distributor MUST | When sending the "ServerHello" message, the key distributor MUST | |||
insert its own "tls_id" value in the "sdp_tls_id" extension. This | insert its own "tls_id" value in the "sdp_tls_id" extension. This | |||
value MUST also be conveyed back to the client via SDP as a "tls-id" | value MUST also be conveyed back to the client via SDP as a "tls-id" | |||
attribute. | attribute. | |||
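The correlation the two columns above require of the key distributor, shown as an added Python example that is not code from the draft or any PERC implementation: the SDP text, the stand-in certificate bytes, the tls_id values and the conference key are all constructed here, and the registry that maps an announced tls-id to its SDP and conference key stands in for whatever out-of-scope mechanism conveys SDP to the key distributor.

```python
# Added example, not code from the draft: the tls_id / fingerprint correlation
# a key distributor performs before releasing a conference key (Section 5.4).
# The SDP text, certificate bytes, tls_id values and key are constructed.
import hashlib
import hmac

HASH_FOR = {"sha-256": hashlib.sha256, "sha-1": hashlib.sha1}

def parse_sdp_identity(sdp):
    """Return (tls_id, hash_name, fingerprint_hex) from SDP, or None if absent."""
    tls_id = hash_name = fingerprint = None
    for line in sdp.splitlines():
        if line.startswith("a=tls-id:"):
            tls_id = line[len("a=tls-id:"):].strip()
        elif line.startswith("a=fingerprint:"):
            hash_name, _, value = line[len("a=fingerprint:"):].strip().partition(" ")
            # SDP writes fingerprints as colon-separated uppercase hex; normalise.
            hash_name, fingerprint = hash_name.lower(), value.replace(":", "").lower()
    if tls_id is None or fingerprint is None:
        return None
    return tls_id, hash_name, fingerprint

def select_conference_key(registry, clienthello_tls_id, cert_der):
    """registry maps an announced tls-id to (sdp_text, conference_key).
    Returns the key only when both the tls_id from the ClientHello and the
    fingerprint of the presented certificate match what the SDP announced."""
    entry = registry.get(clienthello_tls_id)
    if entry is None:
        return None                      # unknown tls_id: reject the association
    sdp_text, conference_key = entry
    identity = parse_sdp_identity(sdp_text)
    if identity is None or identity[1] not in HASH_FOR:
        return None                      # no usable SDP identity: reject
    sdp_tls_id, hash_name, sdp_fp = identity
    # Constant-time comparisons; any mismatch means the DTLS association MUST be rejected.
    if not hmac.compare_digest(sdp_tls_id.encode(), clienthello_tls_id.encode()):
        return None
    if not hmac.compare_digest(HASH_FOR[hash_name](cert_der).hexdigest(), sdp_fp):
        return None
    return conference_key

# Constructed data: a stand-in certificate and the SDP the endpoint announced.
ENDPOINT_CERT = b"constructed-der-bytes-for-endpoint-A"
ENDPOINT_TLS_ID = "5e0f4d2c8b7a6e1d3c2b1a0f9e8d7c6b"
SDP_FP = ":".join(f"{b:02X}" for b in hashlib.sha256(ENDPOINT_CERT).digest())
ENDPOINT_SDP = f"a=tls-id:{ENDPOINT_TLS_ID}\r\na=fingerprint:sha-256 {SDP_FP}\r\n"
REGISTRY = {ENDPOINT_TLS_ID: (ENDPOINT_SDP, b"constructed-conference-key")}

if __name__ == "__main__":
    print(select_conference_key(REGISTRY, ENDPOINT_TLS_ID, ENDPOINT_CERT))
    print(select_conference_key(REGISTRY, ENDPOINT_TLS_ID, b"other-cert"))  # None
```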
skipping to change at page 15, line 7 ¶ | skipping to change at page 15, line 7 ¶ | |||
10. Acknowledgments | 10. Acknowledgments | |||
The author would like to thank David Benham and Cullen Jennings for | The author would like to thank David Benham and Cullen Jennings for | |||
reviewing this document and providing constructive comments. | reviewing this document and providing constructive comments. | |||
11. References | 11. References | |||
11.1. Normative References | 11.1. Normative References | |||
[I-D.ietf-mmusic-dtls-sdp] | [I-D.ietf-mmusic-dtls-sdp] | |||
Holmberg, C. and R. Shpount, "Using the SDP Offer/Answer | Holmberg, C. and R. Shpount, "Session Description Protocol | |||
Mechanism for DTLS", draft-ietf-mmusic-dtls-sdp-24 (work | (SDP) Offer/Answer Considerations for Datagram Transport | |||
in progress), April 2017. | Layer Security (DTLS) and Transport Layer Security (TLS)", | |||
draft-ietf-mmusic-dtls-sdp-32 (work in progress), October | ||||
2017. | ||||
[I-D.thomson-mmusic-sdp-uks] | [I-D.thomson-mmusic-sdp-uks] | |||
Thomson, M. and E. Rescorla, "Unknown Key Share Attacks on | Thomson, M. and E. Rescorla, "Unknown Key Share Attacks on | |||
uses of Transport Layer Security with the Session | uses of Transport Layer Security with the Session | |||
Description Protocol (SDP)", draft-thomson-mmusic-sdp- | Description Protocol (SDP)", draft-thomson-mmusic-sdp- | |||
uks-00 (work in progress), April 2017. | uks-00 (work in progress), April 2017. | |||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, <https://www.rfc- | |||
<http://www.rfc-editor.org/info/rfc2119>. | editor.org/info/rfc2119>. | |||
[RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model | [RFC3264] Rosenberg, J. and H. Schulzrinne, "An Offer/Answer Model | |||
with Session Description Protocol (SDP)", RFC 3264, | with Session Description Protocol (SDP)", RFC 3264, | |||
DOI 10.17487/RFC3264, June 2002, | DOI 10.17487/RFC3264, June 2002, <https://www.rfc- | |||
<http://www.rfc-editor.org/info/rfc3264>. | editor.org/info/rfc3264>. | |||
[RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. | [RFC3550] Schulzrinne, H., Casner, S., Frederick, R., and V. | |||
Jacobson, "RTP: A Transport Protocol for Real-Time | Jacobson, "RTP: A Transport Protocol for Real-Time | |||
Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, | Applications", STD 64, RFC 3550, DOI 10.17487/RFC3550, | |||
July 2003, <http://www.rfc-editor.org/info/rfc3550>. | July 2003, <https://www.rfc-editor.org/info/rfc3550>. | |||
[RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. | [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K. | |||
Norrman, "The Secure Real-time Transport Protocol (SRTP)", | Norrman, "The Secure Real-time Transport Protocol (SRTP)", | |||
RFC 3711, DOI 10.17487/RFC3711, March 2004, | RFC 3711, DOI 10.17487/RFC3711, March 2004, | |||
<http://www.rfc-editor.org/info/rfc3711>. | <https://www.rfc-editor.org/info/rfc3711>. | |||
[RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally | [RFC4122] Leach, P., Mealling, M., and R. Salz, "A Universally | |||
Unique IDentifier (UUID) URN Namespace", RFC 4122, | Unique IDentifier (UUID) URN Namespace", RFC 4122, | |||
DOI 10.17487/RFC4122, July 2005, | DOI 10.17487/RFC4122, July 2005, <https://www.rfc- | |||
<http://www.rfc-editor.org/info/rfc4122>. | editor.org/info/rfc4122>. | |||
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
(TLS) Protocol Version 1.2", RFC 5246, | (TLS) Protocol Version 1.2", RFC 5246, | |||
DOI 10.17487/RFC5246, August 2008, | DOI 10.17487/RFC5246, August 2008, <https://www.rfc- | |||
<http://www.rfc-editor.org/info/rfc5246>. | editor.org/info/rfc5246>. | |||
[RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer | [RFC5764] McGrew, D. and E. Rescorla, "Datagram Transport Layer | |||
Security (DTLS) Extension to Establish Keys for the Secure | Security (DTLS) Extension to Establish Keys for the Secure | |||
Real-time Transport Protocol (SRTP)", RFC 5764, | Real-time Transport Protocol (SRTP)", RFC 5764, | |||
DOI 10.17487/RFC5764, May 2010, | DOI 10.17487/RFC5764, May 2010, <https://www.rfc- | |||
<http://www.rfc-editor.org/info/rfc5764>. | editor.org/info/rfc5764>. | |||
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | |||
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, | Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, | |||
January 2012, <http://www.rfc-editor.org/info/rfc6347>. | January 2012, <https://www.rfc-editor.org/info/rfc6347>. | |||
11.2. Informative References | 11.2. Informative References | |||
[I-D.ietf-perc-double] | [I-D.ietf-perc-double] | |||
Jennings, C., Jones, P., and A. Roach, "SRTP Double | Jennings, C., Jones, P., Barnes, R., and A. Roach, "SRTP | |||
Encryption Procedures", draft-ietf-perc-double-03 (work in | Double Encryption Procedures", draft-ietf-perc-double-07 | |||
progress), March 2017. | (work in progress), September 2017. | |||
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session | [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session | |||
Description Protocol", RFC 4566, DOI 10.17487/RFC4566, | Description Protocol", RFC 4566, DOI 10.17487/RFC4566, | |||
July 2006, <http://www.rfc-editor.org/info/rfc4566>. | July 2006, <https://www.rfc-editor.org/info/rfc4566>. | |||
Authors' Addresses | Authors' Addresses | |||
Paul E. Jones | Paul E. Jones | |||
Cisco Systems, Inc. | Cisco Systems, Inc. | |||
7025 Kit Creek Rd. | 7025 Kit Creek Rd. | |||
Research Triangle Park, North Carolina 27709 | Research Triangle Park, North Carolina 27709 | |||
USA | USA | |||
Phone: +1 919 476 2048 | Phone: +1 919 476 2048 | |||
End of changes. 17 change blocks. | ||||
31 lines changed or deleted | 27 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |