rfcdiff: draft-ietf-perc-dtls-tunnel-11.txt vs. draft-ietf-perc-dtls-tunnel-12.txt
(the two side-by-side columns of the original rendering are merged below;
changed text is shown inline as [-draft-11 text-] {+draft-12 text+})

Network Working Group                                          P. Jones
Internet-Draft                                            Cisco Systems
Intended status: Informational                            P. Ellenbogen
Expires: [-28 April 2022-] {+16 May 2022+}           Princeton University
                                                            N. Ohlmeier
                                                              8x8, Inc.
                                  [-25 October 2021-] {+12 November 2021+}

   DTLS Tunnel between a Media Distributor and Key Distributor to
                       Facilitate Key Exchange
      [-draft-ietf-perc-dtls-tunnel-11-] {+draft-ietf-perc-dtls-tunnel-12+}

Abstract

   This document defines a protocol for tunneling DTLS traffic in
   multimedia conferences that enables a Media Distributor to facilitate
   key exchange between an endpoint in a conference and the Key
   Distributor.  The protocol is designed to ensure that the keying
   material used for hop-by-hop encryption and authentication is
   accessible to the Media Distributor, while the keying material used
   for end-to-end encryption and authentication is inaccessible to the
   [...]

[skipping to change at page 1, line 41]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on [-28 April 2022-] {+16 May 2022+}.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   [...]

[skipping to change at page 8, line 44]

   When processing an incoming endpoint association, the Key Distributor
   MUST extract the "external_session_id" value transmitted in the
   "ClientHello" message and match that against the "tls-id" value the
   endpoint transmitted via SDP.  If the values in SDP and the
   "ClientHello" do not match, the DTLS association MUST be rejected.
   The process through which the "tls-id" in SDP is conveyed to the Key
   Distributor is outside the scope of this document.

   The Key Distributor MUST match the [-certificate fingerprint-]
   {+fingerprint of the certificate+} and "external_session_id"
   [RFC8844] received from endpoint via DTLS with the expected
   fingerprint [RFC8122] and "tls-id" [RFC8842] values received via
   SDP.  It is through this process that the Key Distributor can be sure
   to deliver the correct conference key to the endpoint.

   The Key Distributor MUST report its own unique identifier in the
   "external_session_id" extension.  This extension is sent in the
   "EncryptedExtensions" message in DTLS 1.3, and the "ServerHello" in
   previous DTLS versions.  This value MUST also be conveyed back to the
   [...]
End of changes.  5 change blocks.  5 lines changed or deleted, 5 lines changed or added.

This html diff was produced by rfcdiff 1.48.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/
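The section at page 8 above requires the Key Distributor to cross-check two things the endpoint presents over DTLS (its certificate and the "external_session_id" extension, RFC 8844) against the two values it announced in SDP (the "a=fingerprint" attribute, RFC 8122, and "a=tls-id", RFC 8842), and to reject the association on any mismatch. The following Python is an added illustration of that check written for this page; it is not code from the draft or from any PERC implementation. It assumes the certificate is available as DER bytes, that the tls-id has already reached the Key Distributor by some out-of-scope path (here it is simply embedded in a constructed SDP string), and that "external_session_id" is handed over as the opaque string it carries. The certificate blob and tls-id are constructed sample values, not real credentials.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample inputs (not from the draft). The "certificate" is an
# opaque blob: only its fingerprint matters for this check.
SAMPLE_CERT_DER = bytes.fromhex("3082010a0282010100") + b"constructed-sample-cert"
SAMPLE_TLS_ID = "constructed-tls-id-5f3e9c1a7b2d4e8f0a6c"  # a=tls-id value


def sdp_fingerprint(cert_der: bytes, hash_func: str = "sha-256") -> str:
    """Render a certificate hash in RFC 8122 form: 'sha-256 AB:CD:...'.

    hash_func uses the SDP spelling ("sha-1", "sha-256", ...); it is mapped
    to the hashlib name by dropping the hyphen. Unknown names raise ValueError.
    """
    digest = hashlib.new(hash_func.replace("-", ""), cert_der).hexdigest().upper()
    pairs = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"{hash_func} {pairs}"


def parse_sdp_attrs(sdp: str) -> Dict[str, str]:
    """Pull the a=fingerprint and a=tls-id attributes out of an SDP body."""
    attrs: Dict[str, str] = {}
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("a=fingerprint:"):
            attrs["fingerprint"] = line[len("a=fingerprint:"):].strip()
        elif line.startswith("a=tls-id:"):
            attrs["tls-id"] = line[len("a=tls-id:"):].strip()
    return attrs


def verify_endpoint_association(sdp: str, dtls_cert_der: bytes,
                                dtls_external_session_id: str) -> Tuple[bool, str]:
    """Key Distributor side of the check described in the draft.

    Returns (True, "ok") only when the DTLS-presented certificate matches the
    SDP fingerprint AND the external_session_id equals the SDP tls-id.
    Any other outcome means the DTLS association must be rejected.
    """
    attrs = parse_sdp_attrs(sdp)
    if "fingerprint" not in attrs or "tls-id" not in attrs:
        return False, "SDP is missing fingerprint or tls-id"

    # a=fingerprint:<hash-func> <hex bytes separated by ':'>
    hash_func, _, expected_hex = attrs["fingerprint"].partition(" ")
    try:
        actual = sdp_fingerprint(dtls_cert_der, hash_func.lower())
    except ValueError:
        return False, f"unsupported hash function in SDP fingerprint: {hash_func}"
    actual_hex = actual.split(" ", 1)[1]

    # Constant-time comparisons; hex case in SDP is not significant.
    if not hmac.compare_digest(actual_hex.upper(), expected_hex.strip().upper()):
        return False, "certificate fingerprint mismatch"
    if not hmac.compare_digest(dtls_external_session_id.encode(),
                               attrs["tls-id"].encode()):
        return False, "external_session_id does not match tls-id"
    return True, "ok"


def build_sample_sdp(tls_id: str, cert_der: bytes) -> str:
    """Constructed SDP fragment carrying only the two attributes we need."""
    return ("v=0\r\n"
            f"a=tls-id:{tls_id}\r\n"
            f"a=fingerprint:{sdp_fingerprint(cert_der)}\r\n")


if __name__ == "__main__":
    sdp = build_sample_sdp(SAMPLE_TLS_ID, SAMPLE_CERT_DER)
    print(verify_endpoint_association(sdp, SAMPLE_CERT_DER, SAMPLE_TLS_ID))
    print(verify_endpoint_association(sdp, SAMPLE_CERT_DER, "some-other-id"))
    print(verify_endpoint_association(sdp, SAMPLE_CERT_DER + b"\x00", SAMPLE_TLS_ID))
```

Both comparisons are required: the fingerprint alone proves the peer holds the key for the certificate named in SDP, and the tls-id alone proves the DTLS association belongs to the SDP session, but only the pair together lets the Key Distributor tie the conference key to the endpoint that signalled it. Production code would take the certificate from the DTLS stack after the handshake rather than as raw bytes, and would log the rejection reason rather than returning it.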