draft-ietf-mmusic-4572-update-09.txt   draft-ietf-mmusic-4572-update-10.txt 
Network Working Group J. Lennox Network Working Group J. Lennox
Internet-Draft Vidyo Internet-Draft Vidyo
Obsoletes: 4572 (if approved) C. Holmberg Obsoletes: 4572 (if approved) C. Holmberg
Intended status: Standards Track Ericsson Intended status: Standards Track Ericsson
Expires: July 6, 2017 January 2, 2017 Expires: July 9, 2017 January 5, 2017
Connection-Oriented Media Transport over TLS in SDP Connection-Oriented Media Transport over TLS in SDP
draft-ietf-mmusic-4572-update-09 draft-ietf-mmusic-4572-update-10
Abstract Abstract
This document specifies how to establish secure connection-oriented This document specifies how to establish secure connection-oriented
media transport sessions over the Transport Layer Security (TLS) media transport sessions over the Transport Layer Security (TLS)
protocol using the Session Description Protocol (SDP). It defines a protocol using the Session Description Protocol (SDP). It defines a
new SDP protocol identifier, 'TCP/TLS'. It also defines the syntax new SDP protocol identifier, 'TCP/TLS'. It also defines the syntax
and semantics for an SDP 'fingerprint' attribute that identifies the and semantics for an SDP 'fingerprint' attribute that identifies the
certificate that will be presented for the TLS session. This certificate that will be presented for the TLS session. This
mechanism allows media transport over TLS connections to be mechanism allows media transport over TLS connections to be
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 6, 2017. This Internet-Draft will expire on July 9, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 7, line 35 skipping to change at page 7, line 35
Internet Explorer display them when viewing the details of a Internet Explorer display them when viewing the details of a
certificate.) certificate.)
A fingerprint is represented in SDP as an attribute (an 'a' line). A fingerprint is represented in SDP as an attribute (an 'a' line).
It consists of the name of the hash function used, followed by the It consists of the name of the hash function used, followed by the
hash value itself. The hash value is represented as a sequence of hash value itself. The hash value is represented as a sequence of
uppercase hexadecimal bytes, separated by colons. The number of uppercase hexadecimal bytes, separated by colons. The number of
bytes is defined by the hash function. (This is the syntax used by bytes is defined by the hash function. (This is the syntax used by
openssl and by the browsers' certificate managers. It is different openssl and by the browsers' certificate managers. It is different
from the syntax used to represent hash values in, e.g., HTTP digest from the syntax used to represent hash values in, e.g., HTTP digest
authentication [24], which uses unseparated lowercase hexadecimal authentication [25], which uses unseparated lowercase hexadecimal
bytes. It was felt that consistency with other applications of bytes. It was felt that consistency with other applications of
fingerprints was more important.) fingerprints was more important.)
The formal syntax of the fingerprint attribute is given in Augmented The formal syntax of the fingerprint attribute is given in Augmented
Backus-Naur Form [9] in Figure 2. This syntax extends the BNF syntax Backus-Naur Form [9] in Figure 2. This syntax extends the BNF syntax
of SDP [8]. of SDP [8].
attribute =/ fingerprint-attribute attribute =/ fingerprint-attribute
fingerprint-attribute = "fingerprint" ":" hash-func SP fingerprint fingerprint-attribute = "fingerprint" ":" hash-func SP fingerprint
hash-func = "sha-1" / "sha-224" / "sha-256" / hash-func = "sha-1" / "sha-224" / "sha-256" /
"sha-384" / "sha-512" / "sha-384" / "sha-512" /
"md5" / token "md5" / "md2" / token
; Additional hash functions can only come ; Additional hash functions can only come
; from updates to RFC 3279 ; from updates to RFC 3279
fingerprint = 2UHEX *(":" 2UHEX) fingerprint = 2UHEX *(":" 2UHEX)
; Each byte in upper-case hex, separated ; Each byte in upper-case hex, separated
; by colons. ; by colons.
UHEX = DIGIT / %x41-46 ; A-F uppercase UHEX = DIGIT / %x41-46 ; A-F uppercase
Figure 2: Augmented Backus-Naur Syntax for the Fingerprint Attribute Figure 2: Augmented Backus-Naur Syntax for the Fingerprint Attribute
Following RFC 3279 [5] as updated by RFC 4055 [6], therefore, the Following RFC 3279 [5] as updated by RFC 4055 [6], therefore, the
defined hash functions are 'SHA-1' [1] [16], 'SHA-224' [1], 'SHA-256' defined hash functions are 'SHA-1' [1] [16], 'SHA-224' [1], 'SHA-256'
[1], 'SHA-384'[1], 'SHA-512' [1], 'MD5' [13], with 'SHA-256' [1], 'SHA-384'[1], 'SHA-512' [1], 'MD5' [13] and 'MD2' [24], with
preferred. A new IANA registry of Hash Function Textual Names, 'SHA-256' preferred. A new IANA registry of Hash Function Textual
specified in Section 8, allows for addition of future tokens, but Names, specified in Section 8, allows for addition of future tokens,
they may only be added if they are included in RFCs that update or but they may only be added if they are included in RFCs that update
obsolete RFC 3279 [5]. or obsolete RFC 3279 [5].
For backward compatibility with implementations compliant with RFC
4572 [21], the MD2 and MD5 cipher suites are still listed in the
syntax. However, implementations compliant to this specification
MUST NOT use them.
The fingerprint attribute may be either a session-level or a media- The fingerprint attribute may be either a session-level or a media-
level SDP attribute. If it is a session-level attribute, it applies level SDP attribute. If it is a session-level attribute, it applies
to all TLS sessions for which no media-level fingerprint attribute is to all TLS sessions for which no media-level fingerprint attribute is
defined. defined.
5.1. Multiple Fingerprints 5.1. Multiple Fingerprints
Multiple SDP fingerprint attributes can be associated with an m- Multiple SDP fingerprint attributes can be associated with an m-
line. This can occur if multiple fingerprints have been calculated line. This can occur if multiple fingerprints have been calculated
skipping to change at page 13, line 14 skipping to change at page 13, line 19
send standard unsecured RTP packets over TLS using the mechanisms send standard unsecured RTP packets over TLS using the mechanisms
described in this document. The group consensus was to wait until a described in this document. The group consensus was to wait until a
use-case requiring secure connection-oriented RTP was presented. use-case requiring secure connection-oriented RTP was presented.
TLS is not always the most appropriate choice for secure connection- TLS is not always the most appropriate choice for secure connection-
oriented media; in some cases, a higher- or lower-level security oriented media; in some cases, a higher- or lower-level security
protocol may be appropriate. protocol may be appropriate.
This document improves security from the RFC 4572 [21]. It updates This document improves security from the RFC 4572 [21]. It updates
the preferred hash function cipher suite from SHA-1 to SHA-256, and the preferred hash function cipher suite from SHA-1 to SHA-256, and
removes the reference to the MD2 cipher suite. deprecates the usage of the MD2 and MD5 cipher suites.
By clarifying the usage and handling of multiple fingerprints, the By clarifying the usage and handling of multiple fingerprints, the
document also enables hash agility, and incremental deployment of document also enables hash agility, and incremental deployment of
newer, and more secure, cipher suites. newer, and more secure, cipher suites.
8. IANA Considerations 8. IANA Considerations
Note to IANA. No IANA considerations are changed from RFC4572 [21] Note to IANA. No IANA considerations are changed from RFC4572 [21]
so the only actions required are to update the registries to point at so the only actions required are to update the registries to point at
this specification. this specification.
skipping to change at page 14, line 22 skipping to change at page 14, line 26
o A reference to the standards-track RFC, updating or obsoleting RFC o A reference to the standards-track RFC, updating or obsoleting RFC
3279 [5], defining the use of the hash function in X.509 3279 [5], defining the use of the hash function in X.509
certificates. certificates.
Table 1 contains the initial values of this registry. Table 1 contains the initial values of this registry.
+--------------------+------------------------+-----------+ +--------------------+------------------------+-----------+
| Hash Function Name | OID | Reference | | Hash Function Name | OID | Reference |
+--------------------+------------------------+-----------+ +--------------------+------------------------+-----------+
| "md2" | 1.2.840.113549.2.2 | RFC 3279 |
| "md5" | 1.2.840.113549.2.5 | RFC 3279 | | "md5" | 1.2.840.113549.2.5 | RFC 3279 |
| "sha-1" | 1.3.14.3.2.26 | RFC 3279 | | "sha-1" | 1.3.14.3.2.26 | RFC 3279 |
| "sha-224" | 2.16.840.1.101.3.4.2.4 | RFC 4055 | | "sha-224" | 2.16.840.1.101.3.4.2.4 | RFC 4055 |
| "sha-256" | 2.16.840.1.101.3.4.2.1 | RFC 4055 | | "sha-256" | 2.16.840.1.101.3.4.2.1 | RFC 4055 |
| "sha-384" | 2.16.840.1.101.3.4.2.2 | RFC 4055 | | "sha-384" | 2.16.840.1.101.3.4.2.2 | RFC 4055 |
| "sha-512" | 2.16.840.1.101.3.4.2.3 | RFC 4055 | | "sha-512" | 2.16.840.1.101.3.4.2.3 | RFC 4055 |
+--------------------+------------------------+-----------+ +--------------------+------------------------+-----------+
Table 1: IANA Hash Function Textual Name Registry Table 1: IANA Hash Function Textual Name Registry
skipping to change at page 17, line 10 skipping to change at page 17, line 14
[22] Taylor, T., "Reclassification of RFC 3525 to Historic", [22] Taylor, T., "Reclassification of RFC 3525 to Historic",
RFC 5125, DOI 10.17487/RFC5125, February 2008, RFC 5125, DOI 10.17487/RFC5125, February 2008,
<http://www.rfc-editor.org/info/rfc5125>. <http://www.rfc-editor.org/info/rfc5125>.
[23] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet [23] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
Mail Extensions (S/MIME) Version 3.2 Message Mail Extensions (S/MIME) Version 3.2 Message
Specification", RFC 5751, DOI 10.17487/RFC5751, January Specification", RFC 5751, DOI 10.17487/RFC5751, January
2010, <http://www.rfc-editor.org/info/rfc5751>. 2010, <http://www.rfc-editor.org/info/rfc5751>.
[24] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP [24] Turner, S. and L. Chen, "MD2 to Historic Status",
RFC 6149, DOI 10.17487/RFC6149, March 2011,
<http://www.rfc-editor.org/info/rfc6149>.
[25] Shekh-Yusef, R., Ed., Ahrens, D., and S. Bremer, "HTTP
Digest Access Authentication", RFC 7616, Digest Access Authentication", RFC 7616,
DOI 10.17487/RFC7616, September 2015, DOI 10.17487/RFC7616, September 2015,
<http://www.rfc-editor.org/info/rfc7616>. <http://www.rfc-editor.org/info/rfc7616>.
Appendix A. Acknowledgments Appendix A. Acknowledgments
This version of the document included significant contributions by This version of the document included significant contributions by
Cullen Jennings, Paul Kyzivat, Roman Shpount, and Martin Thomson. Cullen Jennings, Paul Kyzivat, Roman Shpount, and Martin Thomson.
Authors' Addresses Authors' Addresses
 End of changes. 9 change blocks. 
12 lines changed or deleted 22 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/