[VOIPSEC] Key Negotiation for SRTP
ldondeti at qualcomm.com
Fri Aug 26 14:47:06 PDT 2005

A summary of my thoughts on this at the moment:

There are really two standards-based options, and both involve SDP.

1) sdescriptions: Amounts to just sending the key in the clear (base-64
encoded) via SDP, and so needs a secure channel. There are two options
there again: one is hop-by-hop security using TLS and the other is
S/MIME. The question in my mind is whether sdescriptions is a long-term
solution (more on that later).

2) MIKEY via SDP (sdp-keymgmt I-D): There are several options, but it is
not too difficult to distill them down. I'd use one of the RSA options (I
have further thoughts on how to reconcile the one in the RFC and the one I
am co-authoring, but that is still being discussed. We may have written it
in the I-D; otherwise contact me offline) and use the amortization
technique suggested in 3830 and use the PSK mode where a PSK is already
established (no need to manually set up PSKs if you don't want to).

There is also another dimension to this. Granted, sdescriptions is a decent
near-term solution to get going, but when we think about the upgrade path,
TLS and S/MIME are on the horizon, and IMO MIKEY.

If a deployment starts out with MIKEY-NULL, your upgrade path is much simpler.

Anyway, hope that helps.
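
The point made in item 1 of the message, as an added example that is not part of the original post: a Python check that parses `a=crypto` lines (syntax as later standardized in RFC 4568) out of a SIP message and reports which offers carry a readable SRTP master key on a hop that is not TLS. The SIP message, host names and key bytes are constructed, and `parse_crypto`, `audit` and `sample` are hypothetical names.

```python
import base64
import re

# Suite -> (master key bytes, master salt bytes) for the RFC 4568 SRTP suites.
SUITES = {name: (16, 14) for name in (
    "AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32", "F8_128_HMAC_SHA1_80")}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)")
VIA_RE = re.compile(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", re.I)
# Constructed key material: 16-byte key followed by 14-byte salt.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()

def parse_crypto(line):
    """Split one a=crypto line into tag, suite, master key and master salt."""
    m = CRYPTO_RE.match(line.strip())
    if not m or m.group(2) not in SUITES:
        return None
    key_len, salt_len = SUITES[m.group(2)]
    try:
        raw = base64.b64decode(m.group(3))
    except ValueError:
        return None
    if len(raw) != key_len + salt_len:
        return None
    return {"tag": int(m.group(1)), "suite": m.group(2),
            "key": raw[:key_len], "salt": raw[key_len:]}

def audit(sip_message):
    """Return tags of a=crypto offers whose key is readable on this hop.

    Only the topmost Via (the hop the message arrived on) is checked; TLS
    there says nothing about earlier hops, since the protection is hop-by-hop.
    An unknown transport is treated as unprotected.
    """
    lines = sip_message.splitlines()
    vias = [m for m in map(VIA_RE.match, lines) if m]
    transport = vias[0].group(1).upper() if vias else "UNKNOWN"
    offers = [c for c in map(parse_crypto, lines) if c]
    return [] if transport == "TLS" else [c["tag"] for c in offers]

def sample(transport):
    """Build a constructed INVITE with one sdescriptions offer."""
    return "\r\n".join([
        "INVITE sip:bob@example.invalid SIP/2.0",
        f"Via: SIP/2.0/{transport} host.example.invalid;branch=z9hG4bKconstructed",
        "Content-Type: application/sdp", "",
        "v=0", "m=audio 49170 RTP/SAVP 0",
        f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}|2^20"])
```

A body protected end to end with S/MIME would not show an `a=crypto` line to this check at all, so an empty result on a non-TLS hop does not by itself mean no keys were exchanged.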