rfc5764.Datagram Transport Layer Security (DTLS) E

InternetEngineeringTaskForce(IETF)D.McGrewRequestforComments:5764CiscoSystemsCategory:StandardsTrackE.RescorlaISSN:2070-1721RTFM,Inc.May2010DatagramTransportLayerSecurity(DTLS)ExtensiontoEstablishKeysfortheSecureReal-timeTransportProtocol(SRTP)AbstractThisdocumentdescribesaDatagramTransportLayerSecurity(DTLS)extensiontoestablishkeysforSecureRTP(SRTP)andSecureRTPControlProtocol(SRTCP)flows.DTLSkeyinghappensonthemediapath,independentofanyout-of-bandsignallingchannelpresent.StatusofThisMemoThisisanInternetStandardsTrackdocument.ThisdocumentisaproductoftheInternetEngineeringTaskForce(IETF).ItrepresentstheconsensusoftheIETFcommunity.IthasreceivedpublicreviewandhasbeenapprovedforpublicationbytheInternetEngineeringSteeringGroup(IESG).FurtherinformationonInternetStandardsisavailableinSection2ofRFC5741.Informationaboutthecurrentstatusofthisdocument,anyerrata,andhowtoprovidefeedbackonitmaybeobtainedat(c)2010IETFTrustandthepersonsidentifiedasthedocumentauthors.Allrightsreserved.ThisdocumentissubjecttoBCP78andtheIETFTrust’sLegalProvisionsRelatingtoIETFDocuments()ineffectonthedateofpublicationofthisdocument.Pleasereviewthesedocumentscarefully,astheydescribeyourrightsandrestrictionswithrespecttothisdocument.CodeComponentsextractedfromthisdocumentmustincludeSimplifiedBSDLicensetextasdescribedinSection4.eoftheTrustLegalProvisionsandareprovidedwithoutwarrantyasdescribedintheSimplifiedBSDLicense.McGrew&RescorlaStandardsTrack[Page1]RFC5764SRTPExtensionforDTLSMay2010ThisdocumentmaycontainmaterialfromIETFDocumentsorIETFContributionspublishedormadepubliclyavailablebeforeNovember10,2008.Theperson(s)controllingthecopyrightinsomeofthismaterialmaynothavegrantedtheIETFTrusttherighttoallowmodificationsofsuchmaterialoutsidetheIETFStandardsProcess.Withoutobtaininganadequatelicensefromtheperson(s)controllingthecopyrightinsuchmaterials,thisdocumentmaynotbemodifiedoutsidetheIETFStandardsProcess,andderivativeworksofitmaynotbecreatedoutsidetheIETFStandardsProcess,excepttoformatitforpublicationasanRFCortotranslateitintolanguagesotherthanEnglish.TableofContents1.Introduction.........................32.ConventionsUsedInThisDocument..............33.OverviewofDTLS-SRTPOperation...............44.DTLSExtensionsforSRTPKeyEstablishment..........54.1.Theuse_srtpExtension..................54.1.1.use_srtpExtensionDefinition............74.1.2.SRTPProtectionProfiles...............84.1.3.srtp_mkivalue....................94.2.KeyDerivation......................104.3.KeyScope........................124.4.KeyUsageLimitations..................125.UseofRTPandRTCPoveraDTLS-SRTPChannel.........135.1.DataProtection.....................135.1.1.Transmission.....................135.1.2.Reception......................135.2.RehandshakeandRekey..................166.Multi-PartyRTPSessions...................177.SecurityConsiderations...................177.1.SecurityofNegotiation.................177.2.FramingConfusion....................177.3.SequenceNumberInteractions...............187.3.1.Alerts........................187.3.2.Renegotiation....................187.4.DecryptionCost.....................198.SessionDescriptionforRTP/SAVPoverDTLS..........199.IANAConsiderations.....................2010.Acknowledgments.......................2011.References..........................2111.1.NormativeReferences...................2111.2.InformativeReferences..................21AppendixA.OverviewofDTLS..................23AppendixB.PerformanceofMultipleDTLSHandshakes.......24McGrew&RescorlaStandardsTrack[Page2]RFC5764SRTPExtensionforDTLSMay20101.IntroductionTheSecureRTP(SRTP)profile[RFC3711]canprovideconfidentiality,messageauthentication,andreplayprotectiontoRTPdataandRTPControl(RTCP)traffic.SRTPdoesnotprovidekeymanagementfunctionality,butinsteaddependsonexternalkeymanagementtoexchangesecretmasterkeys,andtonegotiatethealgorithmsandparametersforusewiththosekeys.DatagramTransportLayerSecurity(DTLS)[RFC4347]isachannelsecurityprotocolthatoffersintegratedkeymanagement,parameternegotiation,andsecuredatatransfer.BecauseDTLSdatatransferprotocolisgeneric,itislesshighlyoptimizedforusewithRTPthanisSRTP,whichhasbeenspecificallytunedforthatpurpose.ThisdocumentdescribesDTLS-SRTP,aSRTPextensionforDTLSthatcombinestheperformanceandencryptionflexibilitybenefitsofSRTPwiththeflexibilityandconvenienceofDTLS-integratedkeyandassociationmanagement.DTLS-SRTPcanbeviewedintwoequivalentways:asanewkeymanagementmethodforSRTP,andanewRTP-specificdataformatforDTLS.ThekeypointsofDTLS-SRTParethat:oapplicationdataisprotectedusingSRTP,otheDTLShandshakeisusedtoestablishkeyingmaterial,algorithms,andparametersforSRTP,oaDTLSextensionisusedtonegotiateSRTPalgorithms,andootherDTLSrecord-layercontenttypesareprotectedusingtheordinaryDTLSrecordformat.Theremainderofthismemoisstructuredasfollows.Section2describesconventionsusedtoindicatenormativerequirements.Section3providesanoverviewofDTLS-SRTPoperation.Section4specifiestheDTLSextensio