[VOIPSEC] SRTP
Mark Baugher
mbaugher at cisco.com
Tue Mar 21 07:13:28 CST 2006
On Mar 20, 2006, at 1:31 PM, Randell Jesup wrote:
> Nathan Allen Stratton <nathan at robotics.net> writes:
>> There is MIKEY, but it is a bit overkill for most CPE vendors to
>> implement. It looks like draft-ietf-mmusic-sdescriptions-12.txt is
>> getting the most traction. I know of at least 4 CPE and 2 SBC that
>> support it. I know there is at least one MIKEY CPE, but I don't know
>> of any major SBC vendor that has implemented it.
>
> The problem with sdescriptions is that it solves only one part of the
> problem - how to put a key in SDP. It doesn't provide the AKE to secure
> the key exchange.
sdesc is not a key management protocol but is designed to be carried in
a secure channel, which is established by a key management protocol.
So if there is an IPsec, TLS, S/MIME or other secure channel, sdesc
allows application-level keying to occur without the need to develop,
for each application, a key management protocol that can signal the
unique key and session parameters for that protocol. The fact that
there is no AKE is intrinsic to its design. I'm skeptical that anyone
is going to develop a general-purpose key management system that
supports different data-security protocols; that was tried with ISAKMP
and I expect it to be tried again - there's a good reason for such a
framework. But we don't have one, and we are likely to continue to see
new types of application-level security protocols.
That being said,
http://www.ietf.org/internet-drafts/draft-baugher-mmusic-sdp-dh-00.txt
does have an authentication method defined for it. The primary goal in
this document is to compensate for uncertainty in how secure a channel
is end to end: sdp-dh allows public keying material.
> So sdescription support is NOT sufficient, and honestly while useful
> it's not the hard part. Then there's early media, forking, grouping of
> secure vs. insecure streams, etc.
Please explain what you mean about "grouping of secure vs. insecure
streams" and "etc".
Mark
>
> --
> Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga
> OS team
> rjesup at wgate.com
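Added example, not part of the thread or of anyone's posted code: a builder and parser for the SDP "a=crypto:" attribute that sdescriptions (published later as RFC 4568) uses to carry an SRTP master key and salt. It makes concrete the point of the reply above: the attribute is keying material in the clear, base64 of key||salt plus optional lifetime and MKI, so its security is entirely that of the channel (TLS, IPsec, S/MIME) carrying the SDP. The crypto-suite table, key lengths and the optional-field grammar follow RFC 4568; the function names and the sample key bytes are my own choices for illustration.

```python
"""Build and parse sdescriptions (RFC 4568) a=crypto attributes.

Added example; not from the VOIPSEC thread. The attribute format is
  a=crypto:<tag> <crypto-suite> inline:<b64(key||salt)>[|lifetime][|MKI:len] [session-params]
The key and salt travel in the clear: protect the SDP, or this is no
better than an unencrypted call.
"""
import base64
import re

# (master key length, master salt length) in bytes for the RFC 4568 suites.
CRYPTO_SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "F8_128_HMAC_SHA1_80": (16, 14),
}

_ATTR_RE = re.compile(r"a=crypto:(\d+) ([A-Za-z0-9_]+) (\S+)((?: \S+)*)$")
_MKI_RE = re.compile(r"(\d+):(\d+)$")
_LIFETIME_RE = re.compile(r"(2\^\d+|\d+)$")


def build_crypto_attr(tag, suite, master_key, master_salt,
                      lifetime=None, mki=None, session_params=()):
    """Return one a=crypto line. mki is (value, length_in_bytes)."""
    if suite not in CRYPTO_SUITES:
        raise ValueError("unknown crypto-suite %r" % suite)
    key_len, salt_len = CRYPTO_SUITES[suite]
    if len(master_key) != key_len or len(master_salt) != salt_len:
        raise ValueError("%s needs a %d-byte key and a %d-byte salt"
                         % (suite, key_len, salt_len))
    # key||salt is base64-encoded as one blob; 30 bytes -> 40 characters.
    key_param = "inline:" + base64.b64encode(master_key + master_salt).decode("ascii")
    if lifetime is not None:
        key_param += "|" + lifetime
    if mki is not None:
        value, length = mki
        if length < 1 or value >= 1 << (8 * length):
            raise ValueError("MKI value must fit in its declared length")
        key_param += "|%d:%d" % (value, length)
    line = "a=crypto:%d %s %s" % (tag, suite, key_param)
    if session_params:
        line += " " + " ".join(session_params)
    return line


def parse_crypto_attr(line):
    """Parse an a=crypto line into its parts; ValueError on anything malformed."""
    m = _ATTR_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto attribute: %r" % line)
    tag, suite, key_params, rest = m.groups()
    if suite not in CRYPTO_SUITES:
        raise ValueError("unsupported crypto-suite %r" % suite)
    key_len, salt_len = CRYPTO_SUITES[suite]
    fields = key_params.split("|")
    if not fields[0].startswith("inline:"):
        raise ValueError("only the inline: key method is defined")
    try:
        raw = base64.b64decode(fields[0][len("inline:"):], validate=True)
    except ValueError as exc:
        raise ValueError("bad base64 in key-params") from exc
    if len(raw) != key_len + salt_len:
        raise ValueError("expected %d bytes of key||salt, got %d"
                         % (key_len + salt_len, len(raw)))
    lifetime = None
    mki = None
    for extra in fields[1:]:
        if _MKI_RE.match(extra):
            if mki is not None:
                raise ValueError("duplicate MKI field")
            value, length = extra.split(":")
            mki = (int(value), int(length))
        elif _LIFETIME_RE.match(extra):
            if lifetime is not None:
                raise ValueError("duplicate lifetime field")
            lifetime = extra
        else:
            raise ValueError("unrecognised key-params field %r" % extra)
    return {
        "tag": int(tag),
        "suite": suite,
        "master_key": raw[:key_len],
        "master_salt": raw[key_len:],
        "lifetime": lifetime,
        "mki": mki,
        "session_params": rest.split(),
    }


if __name__ == "__main__":
    # Constructed sample key material; a real endpoint uses os.urandom().
    key, salt = bytes(range(16)), bytes(range(16, 30))
    attr = build_crypto_attr(1, "AES_CM_128_HMAC_SHA1_80", key, salt,
                             lifetime="2^20", mki=(1, 4))
    print(attr)
    print(parse_crypto_attr(attr))
```

The parser rejects a key||salt blob of the wrong length for the suite and any unknown optional field, which is the check an SBC or CPE should make before installing the key into its SRTP stack; what it cannot check is whether the SDP arrived over a secure channel, which is the reply's point about where sdesc's security actually comes from.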