<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" number="8723" updates="" obsoletes="" category="std" consensus="true" submissionType="IETF" ipr="trust200902" sortRefs="true" symRefs="true" xml:lang="en" docName="draft-ietf-perc-double-12" tocInclude="true" version="3">
<front>
<title abbrev="Double SRTP">Double Encryption Procedures for the Secure Real-Time Transport Protocol (SRTP)</title>
<seriesInfo name="RFC" value="8723"/>
<author initials="C." surname="Jennings" fullname="Cullen Jennings">
<organization>Cisco Systems</organization>
<address><email>fluffy@iii.ca</email></address>
</author>
<author initials="P." surname="Jones" fullname="Paul E. Jones">
<organization>Cisco Systems</organization>
<address><email>paulej@packetizer.com</email></address>
</author>
<author initials="R." surname="Barnes" fullname="Richard Barnes">
<organization>Cisco Systems</organization>
<address><email>rlb@ipv.sx</email></address>
</author>
<author initials="A.B."
surname="Roach" fullname="Adam Roach">
<organization>Mozilla</organization>
<address><email>adam@nostrum.com</email></address>
</author>
<date year="2020" month="April"/>
<area>Internet</area>
<workgroup/>
<keyword>PERC</keyword>
<keyword>SRTP</keyword>
<keyword>RTP</keyword>
<keyword>conferencing</keyword>
<keyword>encryption</keyword>
<abstract>
<t>In some conferencing scenarios, it is desirable for an intermediary to be able to manipulate some parameters in Real-time Transport Protocol (RTP) packets, while still providing strong end-to-end security guarantees. This document defines a cryptographic transform for the Secure Real-time Transport Protocol (SRTP) that uses two separate but related cryptographic operations to provide hop-by-hop and end-to-end security guarantees. Both the end-to-end and hop-by-hop cryptographic algorithms can utilize an authenticated encryption with associated data (AEAD) algorithm or take advantage of future SRTP transforms with different properties.</t>
</abstract>
</front>
<middle>
<section anchor="introduction" numbered="true" toc="default">
<name>Introduction</name>
<t>Cloud conferencing systems that are based on switched conferencing have a central Media Distributor (MD) device that receives media from endpoints and distributes it to other endpoints, but does not need to interpret or change the media content. For these systems, it is desirable to have one cryptographic key that enables encryption and authentication of the media end-to-end while still allowing certain information in the header of an RTP packet to be changed by the MD.
At the same time, a separate cryptographic key provides integrity and optional confidentiality for the media flowing between the MD and the endpoints. The framework document <xref target="I-D.ietf-perc-private-media-framework" format="default"/> describes this concept in more detail.</t>
<t>This specification defines a transform for SRTP that uses 1) the AES Galois/Counter Mode (AES-GCM) algorithm <xref target="RFC7714" format="default"/> to provide encryption and integrity for an RTP packet for the end-to-end cryptographic key and 2) a hop-by-hop cryptographic encryption and integrity between the endpoint and the MD. The MD decrypts and checks integrity of the hop-by-hop security. The MD <bcp14>MAY</bcp14> change some of the RTP header information that would impact the end-to-end integrity. In that case, the original value of any RTP header field that is changed is included in an "Original Header Block" that is added to the packet. The new RTP packet is encrypted with the hop-by-hop cryptographic algorithm before it is sent. The receiving endpoint decrypts and checks integrity using the hop-by-hop cryptographic algorithm and then replaces any parameters the MD changed using the information in the Original Header Block before decrypting and checking the end-to-end integrity.</t>
<t>One can think of the double transform as a normal SRTP transform for encrypting the RTP in a way such that things that only know half of the key can decrypt and modify part of the RTP packet but not other parts, including the media payload.
</t>
</section>
<section anchor="terminology" numbered="true" toc="default">
<name>Terminology</name>
<t>The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119" format="default"/> <xref target="RFC8174" format="default"/> when, and only when, they appear in all capitals, as shown here.</t>
<t>Terms used throughout this document include:</t>
<dl spacing="normal">
<dt>Media Distributor (MD):</dt>
<dd>A device that receives media from endpoints and distributes it to other endpoints, but does not need to interpret or change the media content (see also <xref target="I-D.ietf-perc-private-media-framework" format="default"/>).</dd>
<dt>end-to-end:</dt>
<dd>The path from one endpoint through one or more MDs to the endpoint at the other end.</dd>
<dt>hop-by-hop:</dt>
<dd>The path from the endpoint to or from the MD.</dd>
<dt>Original Header Block (OHB):</dt>
<dd>An octet string that contains the original values from the RTP header that might have been changed by an MD.</dd>
</dl>
</section>
<section anchor="cryptographic-context" numbered="true" toc="default">
<name>Cryptographic Context</name>
<t>This specification uses a cryptographic context with two parts:</t>
<ul spacing="normal">
<li>An inner (end-to-end) part that is used by endpoints that originate and consume media to ensure the integrity of media end-to-end, and</li>
<li>An outer (hop-by-hop) part that is used between endpoints and MDs to ensure the integrity of media over a single hop and to enable an MD to modify certain RTP header fields. RTCP is also handled using the hop-by-hop cryptographic part.</li>
</ul>
<t>The <bcp14>RECOMMENDED</bcp14> cipher for the hop-by-hop and end-to-end algorithms is AES-GCM. Other combinations of SRTP ciphers that support the procedures in this document can be added to the IANA registry.</t>
<t>The keys and salt for these algorithms are generated with the following steps:</t>
<ul spacing="normal">
<li>Generate key and salt values of the length required for the combined inner (end-to-end) and outer (hop-by-hop) algorithms.</li>
<li>Assign the key and salt values generated for the inner (end-to-end) algorithm to the first half of the key and the first half of the salt for the double algorithm.</li>
<li>Assign the key and salt values for the outer (hop-by-hop) algorithm to the second half of the key and second half of the salt for the double algorithm. The first half of the key is referred to as the inner key while the second half is referred to as the outer key.
When a key is used by a cryptographic algorithm, the salt that is used is the part of the salt generated with that key.</li>
<li>The synchronization source (SSRC) is the same for both the inner and outer algorithms as it cannot be changed.</li>
<li>The sequence number (SEQ) and rollover counter (ROC) are tracked independently for the inner and outer algorithms.</li>
</ul>
<t>If the MD is to be able to modify header fields but not decrypt the payload, then it must have a cryptographic key for the outer algorithm but not the inner (end-to-end) algorithm. This document does not define how the MD should be provisioned with this information. One possible way to provide keying material for the outer (hop-by-hop) algorithm is to use <xref target="I-D.ietf-perc-dtls-tunnel" format="default"/>.</t>
<section anchor="key-derivation" numbered="true" toc="default">
<name>Key Derivation</name>
<t>Although SRTP uses a single master key to derive keys for an SRTP session, this transform requires separate inner and outer keys. In order to allow the inner and outer keys to be managed independently via the master key, the transforms defined in this document <bcp14>MUST</bcp14> be used with the following pseudorandom function (PRF), which preserves the separation between the two halves of the key.
Given a positive integer <tt>n</tt> representing the desired output length, a master key <tt>k_master</tt>, and an input <tt>x</tt>:</t>
<artwork align="center" name="" type="" alt=""><![CDATA[
PRF_double_n(k_master,x) = PRF_(n/2)(inner(k_master),x) || PRF_(n/2)(outer(k_master),x)
]]></artwork>
<t>Here <tt>PRF_n(k, x)</tt> represents the AES_CM PRF Key Derivation Function (KDF) (see <xref target="RFC3711" section="4.3.3" sectionFormat="of" format="default"/>) for the DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm and the AES_256_CM_PRF KDF <xref target="RFC6188" format="default"/> for the DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM algorithm. The term <tt>inner(k_master)</tt> represents the first half of the key; <tt>outer(k_master)</tt> represents the second half of the key.</t>
</section>
</section>
<section anchor="ohb" numbered="true" toc="default">
<name>Original Header Block</name>
<t>The OHB contains the original values of any modified RTP header fields. In the encryption process, the OHB is included in an SRTP packet as described in <xref target="rtp-operations" format="default"/>. In the decryption process, the receiving endpoint uses it to reconstruct the original RTP header so that it can pass the proper additional authenticated data (AAD) value to the inner transform.</t>
<t>The OHB can reflect modifications to the following fields in an RTP header: the payload type (PT), the SEQ, and the marker bit.
All other fields in the RTP header <bcp14>MUST</bcp14> remain unmodified; since the OHB cannot reflect their original values, the receiver will be unable to verify the end-to-end integrity of the packet.</t>
<t>The OHB has the following syntax (in ABNF <xref target="RFC5234" format="default"/>):</t>
<sourcecode name="" src="" type="abnf" markers="false"><![CDATA[
OCTET  = %x00-FF
PT     = OCTET
SEQ    = 2OCTET
Config = OCTET
OHB    = [ PT ] [ SEQ ] Config
]]></sourcecode>
<t>If present, the PT and SEQ parts of the OHB contain the original payload type and sequence number fields, respectively. The final "Config" octet of the OHB specifies whether these fields are present, and the original value of the marker bit (if necessary):</t>
<artwork align="left" name="" type="" alt=""><![CDATA[
+-+-+-+-+-+-+-+-+
|R R R R B M P Q|
+-+-+-+-+-+-+-+-+
]]></artwork>
<ul spacing="normal">
<li>P: PT is present</li>
<li>Q: SEQ is present</li>
<li>M: Marker bit is present</li>
<li>B: Value of marker bit</li>
<li>R: Reserved, <bcp14>MUST</bcp14> be set to 0</li>
</ul>
<t>In particular, an all-zero OHB Config octet (<tt>0x00</tt>) indicates that there have been no modifications from the original header.</t>
<t>If the marker bit is not present (M=0), then <tt>B</tt> <bcp14>MUST</bcp14> be set to zero. That is, if <tt>C</tt> represents the value of the Config octet, then the masked value <tt>C &amp; 0x0C</tt> <bcp14>MUST NOT</bcp14> have the value <tt>0x08</tt>.
</t>
</section>
<section anchor="rtp-operations" numbered="true" toc="default">
<name>RTP Operations</name>
<t>As implied by the use of the word "double" above, this transform applies AES-GCM to the SRTP packet twice. This allows MDs to modify some header fields while allowing endpoints to verify the end-to-end integrity of a packet.</t>
<t>The first, "inner" application of AES-GCM encrypts the SRTP payload and protects the integrity of a version of the SRTP header with extensions truncated. Omitting extensions from the inner integrity check means that they can be modified by an MD holding only the outer key.</t>
<t>The second, "outer" application of AES-GCM encrypts the ciphertext produced by the inner encryption (i.e., the encrypted payload and authentication tag), plus an OHB that expresses any changes made between the inner and outer transforms.</t>
<t>An MD that has the outer key but not the inner key may modify the header fields that can be included in the OHB by decrypting, modifying, and re-encrypting the packet.</t>
<section anchor="encrypt" numbered="true" toc="default">
<name>Encrypting a Packet</name>
<t>An endpoint encrypts a packet by using the inner (end-to-end) cryptographic key and then the outer (hop-by-hop) cryptographic key. The encryption also supports a mode for repair packets that only does the outer (hop-by-hop) encryption. The process is as follows:</t>
<ol spacing="normal" type="1">
<li>Form an RTP packet.
If there are any header extensions, they <bcp14>MUST</bcp14> use <xref target="RFC8285" format="default"/>.</li>
<li>If the packet is for repair mode data, skip to <xref target="step6" format="none">step 6</xref>.</li>
<li>
<t>Form a synthetic RTP packet with the following contents:</t>
<ul spacing="normal">
<li>
<t>Header: The RTP header of the original packet with the following modifications:</t>
<ul spacing="normal">
<li>The X bit is set to zero.</li>
<li>The header is truncated to remove any extensions (i.e., keep only the first 12 + 4 * CSRC count (CC) bytes of the header).</li>
</ul>
</li>
<li>Payload: The RTP payload of the original packet (including padding when present).</li>
</ul>
</li>
<li anchor="step4a">Apply the inner cryptographic algorithm to the synthetic RTP packet from the previous step.</li>
<li>Replace the header of the protected RTP packet with the header of the original packet (to restore any header extensions and reset the X bit), and append an empty OHB (<tt>0x00</tt>) to the encrypted payload (with the authentication tag) obtained from <xref target="step4a" format="none">step 4</xref>.</li>
<li anchor="step6">Apply the outer cryptographic algorithm to the RTP packet. If encrypting RTP header extensions hop-by-hop, then <xref target="RFC6904" format="default"/> <bcp14>MUST</bcp14> be used when encrypting the RTP packet using the outer cryptographic key.</li>
</ol>
<t>When using Encrypted Key Transport (EKT) <xref target="I-D.ietf-perc-srtp-ekt-diet" format="default"/>, the EKTField comes after the SRTP packet, exactly like using EKT with any other SRTP transform.
</t>
</section>
<section anchor="relay" numbered="true" toc="default">
<name>Relaying a Packet</name>
<t>The MD has the part of the key for the outer (hop-by-hop) cryptographic algorithm, but it does not have the part of the key for the inner (end-to-end) cryptographic algorithm. The cryptographic algorithm and key used to decrypt a packet and any encrypted RTP header extensions would be the same as those used in the endpoint's outer algorithm and key.</t>
<t>In order to modify a packet, the MD decrypts the received packet, modifies the packet, updates the OHB with any modifications not already present in the OHB, and re-encrypts the packet using the outer (hop-by-hop) cryptographic key before transmitting, using the following steps:</t>
<ol spacing="normal" type="1">
<li anchor="step1">Apply the outer (hop-by-hop) cryptographic algorithm to decrypt the packet. If decrypting RTP header extensions hop-by-hop, then <xref target="RFC6904" format="default"/> <bcp14>MUST</bcp14> be used. Note that the RTP payload produced by this decryption operation contains the original encrypted payload with the tag from the inner transform and the OHB appended.</li>
<li>Make any desired changes to the fields that are allowed to be changed, i.e., PT, SEQ, and M. The MD <bcp14>MAY</bcp14> also make modifications to header extensions, without the need to reflect these changes in the OHB.</li>
<li>
<t>Reflect any changes to header fields in the OHB:</t>
<ul spacing="normal">
<li>If the MD changed a field that is not already in the OHB, then it <bcp14>MUST</bcp14> add the original value of the field to the OHB.
Note that this might result in an increase in the size of the OHB.</li>
<li>If the MD took a field that had previously been modified and reset it to its original value, then it <bcp14>SHOULD</bcp14> drop the corresponding information from the OHB. Note that this might result in a decrease in the size of the OHB.</li>
<li>Otherwise, the MD <bcp14>MUST NOT</bcp14> modify the OHB.</li>
</ul>
</li>
<li anchor="step4">Apply the outer (hop-by-hop) cryptographic algorithm to the packet. If the RTP sequence number has been modified, SRTP processing happens as defined in SRTP and will end up using the new sequence number. If encrypting RTP header extensions hop-by-hop, then <xref target="RFC6904" format="default"/> <bcp14>MUST</bcp14> be used.</li>
</ol>
<t>In order to avoid nonce reuse, the cryptographic contexts used in steps <xref target="step1" format="counter">1</xref> and <xref target="step4" format="counter">4</xref> <bcp14>MUST</bcp14> use different, independent master keys. Note that this means that the key used for decryption by the MD <bcp14>MUST</bcp14> be different from the key used for re-encryption to the end recipient.</t>
<t>Note that if multiple MDs modify the same packet, then the first MD to alter a given header field is the one that adds it to the OHB. If a subsequent MD changes the value of a header field that has already been changed, then the original value will already be in the OHB, so no update to the OHB is required.</t>
<t>An MD that decrypts, modifies, and re-encrypts packets in this way <bcp14>MUST</bcp14> use an independent key for each recipient, and <bcp14>MUST NOT</bcp14> re-encrypt the packet using the sender's keys.
If the MD decrypts and re-encrypts with the same key and salt, it will result in the reuse of a (key, nonce) pair, undermining the security of AES-GCM.</t>
</section>
<section anchor="decrypt" numbered="true" toc="default">
<name>Decrypting a Packet</name>
<t>To decrypt a packet, the endpoint first decrypts and verifies using the outer (hop-by-hop) cryptographic key, then uses the OHB to reconstruct the original packet, which it decrypts and verifies with the inner (end-to-end) cryptographic key, using the following steps:</t>
<ol spacing="normal" type="1">
<li>Apply the outer cryptographic algorithm to the packet. If the integrity check does not pass, discard the packet. The result of this is referred to as the outer SRTP packet. If decrypting RTP header extensions hop-by-hop, then <xref target="RFC6904" format="default"/> <bcp14>MUST</bcp14> be used when decrypting the RTP packet using the outer cryptographic key.</li>
<li>If the packet is for repair mode data, skip the rest of the steps.
Note that the packet that results from the repair algorithm will still have encrypted data that needs to be decrypted as specified by the repair algorithm sections.</li>
<li>Remove the inner authentication tag and the OHB from the end of the payload of the outer SRTP packet.</li>
<li>
<t>Form a new synthetic SRTP packet with:</t>
<ul spacing="normal">
<li>
<t>Header = Received header, with the following modifications:</t>
<ul spacing="normal">
<li>Header fields replaced with values from the OHB (if any).</li>
<li>The X bit is set to zero.</li>
<li>The header is truncated to remove any extensions (i.e., keep only the first 12 + 4 * CC bytes of the header).</li>
</ul>
</li>
<li>Payload is the encrypted payload from the outer SRTP packet (after the inner tag and OHB have been stripped).</li>
<li>Authentication tag is the inner authentication tag from the outer SRTP packet.</li>
</ul>
</li>
<li>Apply the inner cryptographic algorithm to this synthetic SRTP packet. Note that if the RTP sequence number was changed by the MD, the synthetic packet has the original sequence number. If the integrity check does not pass, discard the packet.</li>
</ol>
<t>Once the packet has been successfully decrypted, the application needs to be careful about which information it uses to get the correct behavior.
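</t>
<t>The OHB syntax and Config octet rules of <xref target="ohb" format="default"/>, the synthetic-header construction shared by <xref target="encrypt" format="default"/> and this section, and the OHB maintenance rule of <xref target="relay" format="default"/>, worked through as an added Python example (not code from this document or from any PERC implementation). It assumes the RFC 3550 header layout and a 16-octet AES-GCM inner tag, operates on a packet that the outer transform has already decrypted and verified, and uses a constructed sample header; the names OHB, parse_ohb, split_outer_payload, synthetic_header and md_rewrite are the example's own.</t>

```python
"""OHB handling for the SRTP double transform; added example, not code from
RFC 8723 or any PERC implementation (RTP header layout per RFC 3550)."""
from dataclasses import dataclass
from typing import Optional

FLAG_Q, FLAG_P, FLAG_M, FLAG_B = 0x01, 0x02, 0x04, 0x08  # |R R R R B M P Q|
INNER_TAG_LEN = 16  # AES-GCM authentication tag of the inner transform
# Constructed sample: V=2 X=1 CC=1 M=1 PT=96 SEQ=1, TS, SSRC, CSRC, RFC 8285 ext
SAMPLE_HEADER = bytes.fromhex("91E00001" "00000064" "11223344" "AABBCCDD"
                              "BEDE0001" "10050000")


@dataclass(frozen=True)
class OHB:
    pt: Optional[int] = None      # original payload type (7 bits)
    seq: Optional[int] = None     # original sequence number (16 bits)
    marker: Optional[int] = None  # original marker bit (0 or 1)

    def encode(self) -> bytes:
        """Serialize as OHB = [ PT ] [ SEQ ] Config; an empty OHB is 0x00."""
        config, out = 0, bytearray()
        if self.pt is not None:
            config |= FLAG_P
            out.append(self.pt)
        if self.seq is not None:
            config |= FLAG_Q
            out += self.seq.to_bytes(2, "big")
        if self.marker is not None:
            config |= FLAG_M | (FLAG_B if self.marker else 0)
        out.append(config)
        return bytes(out)


def parse_ohb(tail: bytes) -> tuple:
    """Parse the OHB that ends tail into (OHB, length in octets); rejects non-zero
    reserved bits and B set while M is clear (C masked with 0x0C must not be 0x08)."""
    if not tail:
        raise ValueError("missing OHB Config octet")
    config = tail[-1]
    if config // 16 != 0:
        raise ValueError("OHB reserved bits must be zero")
    has_q, has_p = config % 2 == 1, (config // 2) % 2 == 1
    has_m, has_b = (config // 4) % 2 == 1, (config // 8) % 2 == 1
    if has_b and not has_m:
        raise ValueError("OHB B bit set without M bit")
    length = 1 + (1 if has_p else 0) + (2 if has_q else 0)
    if len(tail) in range(length):
        raise ValueError("payload shorter than its OHB")
    body = tail[len(tail) - length:]
    pt, seq_at = (body[0], 1) if has_p else (None, 0)
    seq = int.from_bytes(body[seq_at:seq_at + 2], "big") if has_q else None
    marker = (1 if has_b else 0) if has_m else None
    return OHB(pt, seq, marker), length


def split_outer_payload(payload: bytes) -> tuple:
    """Decrypt step 3: outer payload = inner ciphertext || inner tag || OHB."""
    ohb, ohb_len = parse_ohb(payload)
    rest = payload[:len(payload) - ohb_len]
    if len(rest) in range(INNER_TAG_LEN):
        raise ValueError("payload shorter than the inner authentication tag")
    return rest[:len(rest) - INNER_TAG_LEN], rest[len(rest) - INNER_TAG_LEN:], ohb


def synthetic_header(header: bytes, ohb: OHB = OHB()) -> bytes:
    """Header the inner transform authenticates (encrypt step 3, decrypt step 4):
    X cleared, only 12 + 4 * CC bytes kept, original PT/SEQ/M taken from the OHB."""
    if len(header) in range(12):
        raise ValueError("RTP header shorter than 12 octets")
    cc = header[0] % 16
    fixed_len = 12 + 4 * cc
    if len(header) in range(fixed_len):
        raise ValueError("RTP header shorter than its CSRC list")
    byte0 = (header[0] // 32) * 32 + cc  # keep V and P, clear X, keep CC
    marker, pt = header[1] // 128, header[1] % 128
    pt = ohb.pt if ohb.pt is not None else pt
    marker = ohb.marker if ohb.marker is not None else marker
    seq = header[2:4] if ohb.seq is None else ohb.seq.to_bytes(2, "big")
    return bytes([byte0, marker * 128 + pt]) + seq + header[4:fixed_len]


def md_rewrite(header: bytes, ohb: OHB, pt=None, seq=None, marker=None) -> tuple:
    """Relay steps 2 and 3: apply an MD's changes and keep the OHB consistent:
    record the original of a newly changed field, drop a field restored to it."""
    cur = {"pt": header[1] % 128, "seq": int.from_bytes(header[2:4], "big"),
           "marker": header[1] // 128}
    orig = {"pt": ohb.pt, "seq": ohb.seq, "marker": ohb.marker}
    for name, new in (("pt", pt), ("seq", seq), ("marker", marker)):
        if new is None or new == cur[name]:
            continue
        if orig[name] is None:
            orig[name] = cur[name]  # first change: remember the original
        elif orig[name] == new:
            orig[name] = None       # back to the original: drop the entry
        cur[name] = new             # otherwise the recorded original stands
    out = bytes([header[0], cur["marker"] * 128 + cur["pt"]])
    out += cur["seq"].to_bytes(2, "big") + header[4:]
    return out, OHB(orig["pt"], orig["seq"], orig["marker"])
```

<t>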
The application <bcp14>MUST</bcp14> use only the information found in the synthetic SRTP packet and <bcp14>MUST NOT</bcp14> use the other data that was in the outer SRTP packet, with the following exceptions:</t>
<ul spacing="normal">
<li>The PT from the outer SRTP packet is used for normal matching to Session Description Protocol (SDP) and codec selection.</li>
<li>The sequence number from the outer SRTP packet is used for normal RTP ordering.</li>
</ul>
<t>The PT and sequence number from the inner SRTP packet can be used for collection of various statistics.</t>
<t>If the RTP header of the outer packet contains extensions, they <bcp14>MAY</bcp14> be used. However, because extensions are not protected end-to-end, implementations <bcp14>SHOULD</bcp14> reject an RTP packet containing headers that would require end-to-end protection.</t>
</section>
</section>
<section anchor="rtcp-operations" numbered="true" toc="default">
<name>RTCP Operations</name>
<t>Unlike RTP, which is encrypted both hop-by-hop and end-to-end using two separate cryptographic keys, RTCP is encrypted using only the outer (hop-by-hop) cryptographic key. The procedures for RTCP encryption are specified in <xref target="RFC3711" format="default"/>, and this document introduces no additional steps.</t>
</section>
<section anchor="use-with-other-rtp-mechanisms" numbered="true" toc="default">
<name>Use with Other RTP Mechanisms</name>
<t>MDs sometimes interact with RTP media packets sent by endpoints, e.g., to provide recovery or receive commands via dual-tone multi-frequency (DTMF) signaling. When media packets are encrypted end-to-end, these procedures require modification. (End-to-end interactions, including end-to-end recovery, are not affected by end-to-end encryption.)
</t>
<t>Repair mechanisms, in general, will need to perform recovery on encrypted packets (double-encrypted when using this transform), since the MD does not have access to the plaintext of the packet, only an intermediate, E2E-encrypted form.</t>
<t>When the recovery mechanism calls for the recovery packet itself to be encrypted, it is encrypted with only the outer, hop-by-hop key. This allows an MD to generate recovery packets without having access to the inner, end-to-end keys. However, it also results in recovery packets being triple-encrypted: twice for the base transform, and once for the recovery protection.</t>
<section anchor="rtx" numbered="true" toc="default">
<name>RTP Retransmission (RTX)</name>
<t>When using RTX <xref target="RFC4588" format="default"/> with the double transform, the cached payloads <bcp14>MUST</bcp14> be the double-encrypted packets, i.e., the bits that are sent over the wire to the other side. When encrypting a retransmission packet, it <bcp14>MUST</bcp14> be encrypted like a packet in repair mode (i.e., with only the hop-by-hop key).</t>
<t>If the MD were to cache the inner, E2E-encrypted payload and retransmit it with an RTX original sequence number (OSN) field prepended, then the modifications to the payload would cause the inner integrity check to fail at the receiver.</t>
<t>A typical RTX receiver would decrypt the packet, undo the RTX transformation, then process the resulting packet normally by using the steps in <xref target="decrypt" format="default"/>.</t>
</section>
<section anchor="red" numbered="true" toc="default">
<name>Redundant Audio Data (RED)</name>
<t>When using RED <xref target="RFC2198" format="default"/> with the double transform, the processing at the sender and receiver is the same as when using RED with any other SRTP transform.
</t>
<t>The main difference between the double transform and any other transform is that in an intermediated environment, usage of RED must be end-to-end. An MD cannot synthesize RED packets, because it lacks access to the plaintext media payloads that are combined to form a RED payload.</t>
<t>Note that Flexible Forward Error Correction (Flex FEC) may often provide similar or better repair capabilities compared to RED. For most applications, Flex FEC is a better choice than RED; in particular, Flex FEC has modes in which the MD can synthesize recovery packets.</t>
</section>
<section anchor="fec" numbered="true" toc="default">
<name>Forward Error Correction (FEC)</name>
<t>When using Flex FEC <xref target="RFC8627" format="default"/> with the double transform, repair packets <bcp14>MUST</bcp14> be constructed by first double-encrypting the packet, then performing FEC. Processing of repair packets proceeds in the opposite order, performing FEC recovery and then decrypting. This ensures that the original media is not revealed to the MD but, at the same time, allows the MD to repair media. When encrypting a packet that contains the Flex FEC data, which is already encrypted, it <bcp14>MUST</bcp14> be encrypted with only the outer, hop-by-hop transform.</t>
<t>The algorithm recommended in <xref target="I-D.ietf-rtcweb-fec" format="default"/> for repair of video is Flex FEC <xref target="RFC8627" format="default"/>. Note that for interoperability with WebRTC, <xref target="I-D.ietf-rtcweb-fec" format="default"/> recommends not using additional FEC-only "m=" lines in SDP for the repair packets.
</t>
</section>
<section anchor="dtmf" numbered="true" toc="default">
<name>DTMF</name>
<t>When DTMF is sent using the mechanism in <xref target="RFC4733" format="default"/>, it is end-to-end encrypted; the relay cannot read it, so it cannot be used to control the relay. Other out-of-band methods to control the relay need to be used instead.</t>
</section>
</section>
<section anchor="recommended-inner-and-outer-cryptographic-algorithms" numbered="true" toc="default">
<name>Recommended Inner and Outer Cryptographic Algorithms</name>
<t>This specification recommends and defines AES-GCM as both the inner and outer cryptographic algorithms, identified as DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM. These algorithms provide for authenticated encryption and will consume additional processing time double-encrypting for hop-by-hop and end-to-end. However, the approach is secure and simple; thus, it is viewed as an acceptable trade-off in processing efficiency.</t>
<t>Note that names for the cryptographic transforms are of the form DOUBLE_(inner algorithm)_(outer algorithm).</t>
<t>While this document only defines a profile based on AES-GCM, it is possible for future documents to define further profiles with different inner and outer algorithms in this same framework. For example, if a new SRTP transform were defined that encrypts some or all of the RTP header, it would be reasonable for systems to have the option of using that for the outer algorithm. Similarly, if a new transform were defined that provided only integrity, that would also be reasonable to use for the outer transform as the payload data is already encrypted by the inner transform.</t>
<t>The AES-GCM cryptographic algorithm introduces an additional 16 octets to the length of the packet.
When using AES-GCM for both the inner and outer cryptographic algorithms, the total additional length is 32 octets. The OHB will consume an additional 1-4 octets. Packets in repair mode will carry additional repair data, further increasing their size.</t>
</section>
<section anchor="sec" numbered="true" toc="default">
<name>Security Considerations</name>
<t>This SRTP transform provides protection against two classes of attacker: a network attacker that knows neither the inner nor outer keys, and a malicious MD that knows the outer key. Obviously, it provides no protections against an attacker that holds both the inner and outer keys.</t>
<t>The protections with regard to the network are the same as with the normal SRTP AES-GCM transforms. The major difference is that the double transforms are designed to work better in a group context. In such contexts, it is important to note that because these transforms are symmetric, they do not protect against attacks within the group. Any member of the group can generate valid SRTP packets for any SSRC in use by the group.</t>
<t>With regard to a malicious MD, the recipient can verify the integrity of the base header fields and the confidentiality and integrity of the payload. The recipient has no assurance, however, of the integrity of the header extensions in the packet.</t>
<t>The main innovation of this transform relative to other SRTP transforms is that it allows a partly trusted MD to decrypt, modify, and re-encrypt a packet. When this is done, the cryptographic contexts used for decryption and re-encryption <bcp14>MUST</bcp14> use different, independent master keys. If the same context is used, the nonce formation rules for SRTP will cause the same key and nonce to be used with two different plaintexts, which substantially degrades the security of AES-GCM.
</t>
<t>In other words, from the perspective of the MD, re-encrypting packets using this protocol will involve the same cryptographic operations as if it had established independent AES-GCM crypto contexts with the sender and the receiver. This property allows the use of an MD that supports AES-GCM but does not modify any header fields, without requiring any modification to the MD.</t>
</section>
<section anchor="iana" numbered="true" toc="default">
<name>IANA Considerations</name>
<section anchor="dtlssrtp" numbered="true" toc="default">
<name>DTLS-SRTP</name>
<t>IANA has added the following protection profiles to the "DTLS-SRTP Protection Profiles" registry defined in <xref target="RFC5764" format="default"/>.</t>
<table align="center">
<name>Updates to the DTLS-SRTP Protection Profiles Registry</name>
<thead>
<tr>
<th align="left">Value</th>
<th align="left">Profile</th>
<th align="left">Reference</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">{0x00, 0x09}</td>
<td align="left">DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM</td>
<td align="left">RFC 8723</td>
</tr>
<tr>
<td align="left">{0x00, 0x0A}</td>
<td align="left">DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM</td>
<td align="left">RFC 8723</td>
</tr>
</tbody>
</table>
<t>The SRTP transform parameters for each of these protection profiles are:</t>
<table align="center">
<name>SRTP Transform Parameters for DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM</name>
<tbody>
<tr><th colspan="2">DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM</th></tr>
<tr><td>cipher:</td><td>AES_128_GCM then AES_128_GCM</td></tr>
<tr><td>cipher_key_length:</td><td>256 bits</td></tr>
<tr><td>cipher_salt_length:</td><td>192 bits</td></tr>
<tr><td>aead_auth_tag_length:</td><td>256 bits</td></tr>
<tr><td>auth_function:</td><td>NULL</td></tr>
<tr><td>auth_key_length:</td><td>N/A</td></tr>
<tr><td>auth_tag_length:</td><td>N/A</td></tr>
<tr><td>maximum lifetime:</td><td>at most 2<sup>31</sup> SRTCP packets and at most 2<sup>48</sup> SRTP packets</td></tr>
</tbody>
</table>
<table align="center">
<name>SRTP Transform Parameters for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM</name>
<tbody>
<tr><th colspan="2">DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM</th></tr>
<tr><td>cipher:</td><td>AES_256_GCM then AES_256_GCM</td></tr>
<tr><td>cipher_key_length:</td><td>512 bits</td></tr>
<tr><td>cipher_salt_length:</td><td>192 bits</td></tr>
<tr><td>aead_auth_tag_length:</td><td>256 bits</td></tr>
<tr><td>auth_function:</td><td>NULL</td></tr>
<tr><td>auth_key_length:</td><td>N/A</td></tr>
<tr><td>auth_tag_length:</td><td>N/A</td></tr>
<tr><td>maximum lifetime:</td><td>at most 2<sup>31</sup> SRTCP packets and at most 2<sup>48</sup> SRTP packets</td></tr>
</tbody>
</table>
<t>The first half of the key and salt is used for the inner (end-to-end) algorithm, and the second half is used for the outer (hop-by-hop) algorithm.</t>
</section>
</section>
</middle>
<back>
<displayreference target="I-D.ietf-perc-dtls-tunnel" to="DTLS-TUNNEL"/>
<displayreference target="I-D.ietf-perc-private-media-framework" to="PRIVATE-MEDIA-FRAMEWORK"/>
<displayreference target="I-D.ietf-perc-srtp-ekt-diet" to="EKT-SRTP"/>
<displayreference target="I-D.ietf-rtcweb-fec" to="WEBRTC-FEC"/>
<references>
<name>Normative References</name>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3711.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5764.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6188.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6904.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7714.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8285.xml"/>
</references>
<references>
<name>Informative References</name>
<xi:include
href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8627.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.draft-ietf-perc-dtls-tunnel-06.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.draft-ietf-perc-private-media-framework-12.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.draft-ietf-perc-srtp-ekt-diet-10.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml3/reference.I-D.draft-ietf-rtcweb-fec-10.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2198.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4588.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4733.xml"/>
<xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5234.xml"/>
</references>
<section anchor="encryption-overview" numbered="true" toc="default">
<name>Encryption Overview</name>
<t>The following figures show a double-encrypted SRTP packet. The sides indicate the parts of the packet that are encrypted and authenticated by the hop-by-hop and end-to-end operations. In both figures, the I column marks the inner (end-to-end) operation and the O column the outer (hop-by-hop) operation.</t>
<artwork alt="Double-encrypted SRTP packet showing the E2E and HBH encrypted portions" type="ascii-art"><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V=2|P|X|  CC   |M|     PT      |       sequence number         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           timestamp                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           synchronization source (SSRC) identifier            |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|            contributing source (CSRC) identifiers             |
|                             ....                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                 RTP extension (OPTIONAL) ...                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+
|                         payload  ...                          | I O
|                               +-------------------------------+ I O
|                               | RTP padding   | RTP pad count | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
|                    E2E authentication tag                     | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | O
|                            OHB ...                            | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |<+
|                    HBH authentication tag                     | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
                                                                  | |
  E2E Encrypted Portion ------------------------------------------+ |
  HBH Encrypted Portion --------------------------------------------+
]]></artwork>
<artwork alt="Double-encrypted SRTP packet showing the E2E and HBH authenticated portions" type="ascii-art"><![CDATA[
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+<+
|V=2|P|X|  CC   |M|     PT      |       sequence number         | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
|                           timestamp                           | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
|           synchronization source (SSRC) identifier            | I O
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ I O
|            contributing source (CSRC) identifiers             | I O
|                             ....                              | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
|                 RTP extension (OPTIONAL) ...                  | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
|                         payload  ...                          | I O
|                               +-------------------------------+ I O
|                               | RTP padding   | RTP pad count | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+<+ O
|                    E2E authentication tag                     | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | O
|                            OHB ...                            | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |<+
|                    HBH authentication tag                     | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
                                                                  | |
  E2E Authenticated Portion --------------------------------------+ |
  HBH Authenticated Portion ----------------------------------------+
]]></artwork>
</section>
<section anchor="acknowledgments" numbered="false" toc="default">
<name>Acknowledgments</name>
<t>Thank you to <contact fullname="Alex Gouaillard"/>, <contact fullname="David Benham"/>, <contact fullname="Magnus Westerlund"/>, <contact fullname="Nils Ohlmeier"/>, <contact fullname="Roni Even"/>, and <contact fullname="Suhas Nandakumar"/> for reviews and improvements to this specification. In addition, thank you to <contact fullname="Sergio Garcia Murillo"/>, who proposed the change of transporting the OHB information in the RTP payload instead of the RTP header.</t>
</section>
</back>
</rfc>