<?xmlversion="1.0" encoding="UTF-8"?> <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.2.11 --> <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ ]>version='1.0' encoding='utf-8'?> <rfcipr="trust200902" docName="draft-ietf-mmusic-sdp-uks-07"xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="std"updates="8122"> <?rfc toc="yes"?> <?rfc sortrefs="yes"?> <?rfc symrefs="yes"?>consensus="true" docName="draft-ietf-mmusic-sdp-uks-07" indexInclude="true" ipr="trust200902" number="8844" prepTime="2021-01-16T23:06:51" scripts="Common,Latin" sortRefs="true" submissionType="IETF" symRefs="true" tocDepth="3" tocInclude="true" updates="8122" xml:lang="en"> <link href="https://datatracker.ietf.org/doc/draft-ietf-mmusic-sdp-uks-07" rel="prev"/> <link href="https://dx.doi.org/10.17487/rfc8844" rel="alternate"/> <link href="urn:issn:2070-1721" rel="alternate"/> <front> <title abbrev="SDP UKS">UnknownKey ShareKey-Share Attacks onusesUses of TLS with the Session Description Protocol (SDP)</title> <seriesInfo name="RFC" value="8844" stream="IETF"/> <author initials="M." surname="Thomson" fullname="Martin Thomson"><organization>Mozilla</organization><organization showOnFrontPage="true">Mozilla</organization> <address> <email>mt@lowentropy.net</email> </address> </author> <author initials="E." surname="Rescorla" fullname="Eric Rescorla"><organization>Mozilla</organization><organization showOnFrontPage="true">Mozilla</organization> <address><email>ekr@rftm.com</email><email>ekr@rtfm.com</email> </address> </author> <dateyear="2019" month="August" day="09"/> <abstract> <t>Thismonth="01" year="2021"/> <keyword>Unknown Key-Share Attack</keyword> <keyword>SDP</keyword> <keyword>DTLS-SRTP</keyword> <keyword>WebRTC</keyword> <keyword>SIP identity</keyword> <abstract pn="section-abstract"> <t indent="0" pn="section-abstract-1">This document describes unknown key-share attacks on the use of Datagram Transport Layer Security for the Secure Real-Time Transport Protocol (DTLS-SRTP). Similar attacks are described on the use of DTLS-SRTP with the identity bindings used in Web Real-Time Communications (WebRTC) and SIP identity. These attacks are difficult to mount, but they cause a victim to bemisleadmisled about the identity of a communicating peer.MitigationThis document defines mitigation techniquesare definedthat implementations of RFC 8122 are encouraged to deploy.</t> </abstract> <boilerplate> <section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1"> <name slugifiedName="name-status-of-this-memo">Status of This Memo</name> <t indent="0" pn="section-boilerplate.1-1"> This is an Internet Standards Track document. </t> <t indent="0" pn="section-boilerplate.1-2"> This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. </t> <t indent="0" pn="section-boilerplate.1-3"> Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at <eref target="https://www.rfc-editor.org/info/rfc8844" brackets="none"/>. </t> </section> <section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2"> <name slugifiedName="name-copyright-notice">Copyright Notice</name> <t indent="0" pn="section-boilerplate.2-1"> Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. </t> <t indent="0" pn="section-boilerplate.2-2"> This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. </t> </section> </boilerplate> <toc> <section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" pn="section-toc.1"> <name slugifiedName="name-table-of-contents">Table of Contents</name> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1"> <li pn="section-toc.1-1.1"> <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.1"><xref derivedContent="1" format="counter" sectionFormat="of" target="section-1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-introduction">Introduction</xref></t> </li> <li pn="section-toc.1-1.2"> <t indent="0" pn="section-toc.1-1.2.1"><xref derivedContent="2" format="counter" sectionFormat="of" target="section-2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-unknown-key-share-attack">Unknown Key-Share Attack</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.2.2"> <li pn="section-toc.1-1.2.2.1"> <t indent="0" keepWithNext="true" pn="section-toc.1-1.2.2.1.1"><xref derivedContent="2.1" format="counter" sectionFormat="of" target="section-2.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-limits-on-attack-feasibilit">Limits on Attack Feasibility</xref></t> </li> <li pn="section-toc.1-1.2.2.2"> <t indent="0" keepWithNext="true" pn="section-toc.1-1.2.2.2.1"><xref derivedContent="2.2" format="counter" sectionFormat="of" target="section-2.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-interactions-with-key-conti">Interactions with Key Continuity</xref></t> </li> <li pn="section-toc.1-1.2.2.3"> <t indent="0" pn="section-toc.1-1.2.2.3.1"><xref derivedContent="2.3" format="counter" sectionFormat="of" target="section-2.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-third-party-call-control">Third-Party Call Control</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.3"> <t indent="0" pn="section-toc.1-1.3.1"><xref derivedContent="3" format="counter" sectionFormat="of" target="section-3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-unknown-key-share-attack-wi">Unknown Key-Share Attack with Identity Bindings</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.3.2"> <li pn="section-toc.1-1.3.2.1"> <t indent="0" pn="section-toc.1-1.3.2.1.1"><xref derivedContent="3.1" format="counter" sectionFormat="of" target="section-3.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-example">Example</xref></t> </li> <li pn="section-toc.1-1.3.2.2"> <t indent="0" pn="section-toc.1-1.3.2.2.1"><xref derivedContent="3.2" format="counter" sectionFormat="of" target="section-3.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-the-external_id_hash-tls-ex">The <tt>external_id_hash</tt> TLS Extension</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.3.2.2.2"> <li pn="section-toc.1-1.3.2.2.2.1"> <t indent="0" pn="section-toc.1-1.3.2.2.2.1.1"><xref derivedContent="3.2.1" format="counter" sectionFormat="of" target="section-3.2.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-calculating-external_id_has">Calculating <tt>external_id_hash</tt> for WebRTC Identity</xref></t> </li> <li pn="section-toc.1-1.3.2.2.2.2"> <t indent="0" pn="section-toc.1-1.3.2.2.2.2.1"><xref derivedContent="3.2.2" format="counter" sectionFormat="of" target="section-3.2.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-calculating-external_id_hash">Calculating external_id_hash for PASSporT</xref></t> </li> </ul> </li> </ul> </li> <li pn="section-toc.1-1.4"> <t indent="0" pn="section-toc.1-1.4.1"><xref derivedContent="4" format="counter" sectionFormat="of" target="section-4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-unknown-key-share-attack-wit">Unknown Key-Share Attack with Fingerprints</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.4.2"> <li pn="section-toc.1-1.4.2.1"> <t indent="0" pn="section-toc.1-1.4.2.1.1"><xref derivedContent="4.1" format="counter" sectionFormat="of" target="section-4.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-example-2">Example</xref></t> </li> <li pn="section-toc.1-1.4.2.2"> <t indent="0" pn="section-toc.1-1.4.2.2.1"><xref derivedContent="4.2" format="counter" sectionFormat="of" target="section-4.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-unique-session-identity-sol">Unique Session Identity Solution</xref></t> </li> <li pn="section-toc.1-1.4.2.3"> <t indent="0" pn="section-toc.1-1.4.2.3.1"><xref derivedContent="4.3" format="counter" sectionFormat="of" target="section-4.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-the-external_session_id-tls">The external_session_id TLS Extension</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.5"> <t indent="0" pn="section-toc.1-1.5.1"><xref derivedContent="5" format="counter" sectionFormat="of" target="section-5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-session-concatenation">Session Concatenation</xref></t> </li> <li pn="section-toc.1-1.6"> <t indent="0" pn="section-toc.1-1.6.1"><xref derivedContent="6" format="counter" sectionFormat="of" target="section-6"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-security-considerations">Security Considerations</xref></t> </li> <li pn="section-toc.1-1.7"> <t indent="0" pn="section-toc.1-1.7.1"><xref derivedContent="7" format="counter" sectionFormat="of" target="section-7"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-iana-considerations">IANA Considerations</xref></t> </li> <li pn="section-toc.1-1.8"> <t indent="0" pn="section-toc.1-1.8.1"><xref derivedContent="8" format="counter" sectionFormat="of" target="section-8"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-references">References</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.8.2"> <li pn="section-toc.1-1.8.2.1"> <t indent="0" pn="section-toc.1-1.8.2.1.1"><xref derivedContent="8.1" format="counter" sectionFormat="of" target="section-8.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-normative-references">Normative References</xref></t> </li> <li pn="section-toc.1-1.8.2.2"> <t indent="0" pn="section-toc.1-1.8.2.2.1"><xref derivedContent="8.2" format="counter" sectionFormat="of" target="section-8.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-informative-references">Informative References</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.9"> <t indent="0" pn="section-toc.1-1.9.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.a"/><xref derivedContent="" format="title" sectionFormat="of" target="name-acknowledgements">Acknowledgements</xref></t> </li> <li pn="section-toc.1-1.10"> <t indent="0" pn="section-toc.1-1.10.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.b"/><xref derivedContent="" format="title" sectionFormat="of" target="name-authors-addresses">Authors' Addresses</xref></t> </li> </ul> </section> </toc> </front> <middle> <section anchor="introduction"title="Introduction"> <t>Thenumbered="true" toc="include" removeInRFC="false" pn="section-1"> <name slugifiedName="name-introduction">Introduction</name> <t indent="0" pn="section-1-1">The use of Transport Layer Security (TLS) <xreftarget="TLS13"/>target="RFC8446" format="default" sectionFormat="of" derivedContent="TLS13"/> with the Session Description Protocol (SDP) <xreftarget="SDP"/>target="RFC4566" format="default" sectionFormat="of" derivedContent="SDP"/> is defined in <xreftarget="FINGERPRINT"/>.target="RFC8122" format="default" sectionFormat="of" derivedContent="FINGERPRINT"/>. Further use with Datagram Transport Layer Security (DTLS) <xreftarget="DTLS"/>target="RFC6347" format="default" sectionFormat="of" derivedContent="DTLS"/> and the Secure Real-time Transport Protocol (SRTP) <xreftarget="SRTP"/>target="RFC3711" format="default" sectionFormat="of" derivedContent="SRTP"/> is defined as DTLS-SRTP <xreftarget="DTLS-SRTP"/>.</t> <t>Intarget="RFC5763" format="default" sectionFormat="of" derivedContent="DTLS-SRTP"/>.</t> <t indent="0" pn="section-1-2">In these specifications, key agreement is performed using TLS or DTLS, with authentication being tied back to the session description (or SDP) through the use of certificate fingerprints. Communication peers check that a hash, or fingerprint, provided in the SDP matches the certificate that is used in the TLS or DTLS handshake.</t><t>WebRTC<t indent="0" pn="section-1-3">WebRTC identity (seeSection 7 of<xreftarget="WEBRTC-SEC"/>)target="RFC8827" sectionFormat="of" section="7" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8827#section-7" derivedContent="WEBRTC-SEC"/>) and SIP identity <xreftarget="SIP-ID"/>target="RFC8224" format="default" sectionFormat="of" derivedContent="SIP-ID"/> both provide a mechanism that binds an external identity to the certificate fingerprints from a session description. However, this binding is notintegrity-protectedintegrity protected and is therefore vulnerable to an identity misbindingattack - orattack, also known as an unknown key-share (UKS)attack -attack, where the attacker binds their identity to the fingerprint of another entity. A successful attack leads to the creation of sessions where peers are confused about the identity of the participants.</t><t>This<t indent="0" pn="section-1-4">This document describes a TLS extension that can be used in combination with these identity bindings to prevent this attack.</t><t>A<t indent="0" pn="section-1-5">A similar attack is possible with the use of certificate fingerprints alone. Though attacks in this setting are likely infeasible in existing deployments due to the narrowconditions necessarypreconditions (see <xreftarget="limits"/>),target="limits" format="default" sectionFormat="of" derivedContent="Section 2.1"/>), this document also describes mitigations for this attack.</t><t>The<t indent="0" pn="section-1-6">The mechanisms defined in this document are intended to strengthen the protocol by preventing the use of unknownkey shareskey-share attacks in combination with other protocol or implementation vulnerabilities. RFC 8122 <xreftarget="FINGERPRINT"/>target="RFC8122" format="default" sectionFormat="of" derivedContent="FINGERPRINT"/> is updated by this document to recommend the use of these mechanisms.</t><t>This<t indent="0" pn="section-1-7">This document assumes that signaling is integrity protected. However, asSection 7 of<xreftarget="FINGERPRINT"/>target="RFC8122" sectionFormat="of" section="7" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8122#section-7" derivedContent="FINGERPRINT"/> explains, many deployments that use SDP do not guarantee integrity of session signaling and so are vulnerable to other attacks. <xreftarget="FINGERPRINT"/>target="RFC8122" format="default" sectionFormat="of" derivedContent="FINGERPRINT"/> offers key continuity mechanisms as a potential means of reducing exposure to attack in the absence of integrity protection. <xreftarget="continuity"/>target="continuity" format="default" sectionFormat="of" derivedContent="Section 2.2"/> provides some analysis of the effect of key continuity in relation to the described attacks.</t><t>The<t indent="0" pn="section-1-8"> The key words“MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “NOT RECOMMENDED”, “MAY”,"<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and“OPTIONAL”"<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xreftarget="RFC2119"/> <xref target="RFC8174"/>target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/> <xref target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> when, and only when, they appear in all capitals, as shownhere.</t>here. </t> </section> <section anchor="uks"title="Unknownnumbered="true" toc="include" removeInRFC="false" pn="section-2"> <name slugifiedName="name-unknown-key-share-attack">Unknown Key-ShareAttack"> <t>InAttack</name> <t indent="0" pn="section-2-1">In an unknown key-share attack <xreftarget="UKS"/>,target="UKS" format="default" sectionFormat="of" derivedContent="UKS"/>, a malicious participant in a protocol claims to control a key that is in reality controlled by some other actor. This arises when the identity associated with a key is not properly bound to the key.</t><t>An<t indent="0" pn="section-2-2">An endpoint that can acquire the certificate fingerprint of another entity can advertise that fingerprint as their own in SDP. An attacker can use a copy of that fingerprint to cause a victim to communicate with another unaware victim, even thoughitthe first victim believes that it is communicating with theattacker.</t> <t>Whenattacker. </t> <t indent="0" pn="section-2-3">When the identity of communicating peers is established by higher-layer signaling constructs, such as those in SIP identity <xreftarget="SIP-ID"/>target="RFC8224" format="default" sectionFormat="of" derivedContent="SIP-ID"/> or WebRTC <xreftarget="WEBRTC-SEC"/>,target="RFC8827" format="default" sectionFormat="of" derivedContent="WEBRTC-SEC"/>, this allows an attacker to bind their own identity to a session with any other entity.</t><t>The<t indent="0" pn="section-2-4">The attacker obtains an identity assertion for an identity it controls, but binds that to the fingerprint of one peer. The attacker is then able to cause a TLS connection to be established where two victim endpoints communicate. The victim that has its fingerprint copied by the attack correctly believes that it is communicating with the other victim; however, the other victim incorrectly believes that it is communicating with the attacker.</t><t>An<t indent="0" pn="section-2-5">An unknown key-share attack does not result in the attacker having access to any confidential information exchanged between victims. However, the failure in mutual authentication can enable other attacks. A victim might send information to the wrong entity as a result. Where information is interpreted in context, misrepresenting that context could lead to the information being misinterpreted.</t><t>A<t indent="0" pn="section-2-6">A similar attack can be mounted based solely on the SDP<spanx style="verb">fingerprint</spanx><tt>fingerprint</tt> attribute <xreftarget="FINGERPRINT"/>target="RFC8122" format="default" sectionFormat="of" derivedContent="FINGERPRINT"/> without compromising the integrity of the signaling channel.</t><t>This<t indent="0" pn="section-2-7">This attack is an aspect of SDP-based protocolsthatupon which the technique known as third-party call control (3PCC) <xreftarget="RFC3725"/> relies on.target="RFC3725" format="default" sectionFormat="of" derivedContent="RFC3725"/> relies. 3PCC exploits the potential for the identity of a signaling peer to be different than the media peer, allowing the media peer to be selected by the signaling peer. <xreftarget="byebye-3pcc"/>target="byebye-3pcc" format="default" sectionFormat="of" derivedContent="Section 2.3"/> describes the consequences of the mitigations described here for systems that use 3PCC.</t> <section anchor="limits"title="Limitsnumbered="true" toc="include" removeInRFC="false" pn="section-2.1"> <name slugifiedName="name-limits-on-attack-feasibilit">Limits on AttackFeasibility"> <t>TheFeasibility</name> <t indent="0" pn="section-2.1-1">The use of TLS with SDP depends on the integrity of session signaling. Assuming signaling integrity limits the capabilities of an attacker in several ways. In particular:</t><t><list style="numbers"> <t>An<ol spacing="normal" type="1" indent="adaptive" start="1" pn="section-2.1-2"> <li pn="section-2.1-2.1" derivedCounter="1.">An attacker can only modify the parts of the session signaling that they are responsible for producing, namely their own offers andanswers.</t> <t>Noanswers.</li> <li pn="section-2.1-2.2" derivedCounter="2.">No entity will successfully establish a session with a peer unless they are willing to participate in a session with thatpeer.</t> </list></t> <t>Thepeer.</li> </ol> <t indent="0" pn="section-2.1-3">The combination of these two constraints make the spectrum of possible attacks quite limited. An attacker is only able to switch its own certificate fingerprint for a valid certificate that is acceptable to its peer. Attacks therefore rely on joining two separate sessions into a single session. <xreftarget="fp"/>target="fp" format="default" sectionFormat="of" derivedContent="Section 4"/> describes an attack on SDP signaling under these constraints.</t><t>Systems<t indent="0" pn="section-2.1-4">Systems that rely on strong identity bindings, such as those defined in <xreftarget="WEBRTC"/>target="WEBRTC" format="default" sectionFormat="of" derivedContent="WEBRTC"/> or <xreftarget="SIP-ID"/>,target="RFC8224" format="default" sectionFormat="of" derivedContent="SIP-ID"/>, have a different threat model, which admits the possibility of attack by an entity with access to the signaling channel. Attacks under these conditions are more feasible as an attacker is assumed to be abletoboth to observe and to modify signaling messages. <xreftarget="id"/>target="id" format="default" sectionFormat="of" derivedContent="Section 3"/> describes an attack that assumes this threat model.</t> </section> <section anchor="continuity"title="Interactionsnumbered="true" toc="include" removeInRFC="false" pn="section-2.2"> <name slugifiedName="name-interactions-with-key-conti">Interactions with KeyContinuity"> <t>SystemsContinuity</name> <t indent="0" pn="section-2.2-1">Systems that use key continuity (as defined inSection 15.1 of<xreftarget="ZRTP"/>target="RFC6189" sectionFormat="of" section="15.1" format="default" derivedLink="https://rfc-editor.org/rfc/rfc6189#section-15.1" derivedContent="ZRTP"/> or as recommended inSection 7 of<xreftarget="FINGERPRINT"/>)target="RFC8122" sectionFormat="of" section="7" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8122#section-7" derivedContent="FINGERPRINT"/>) might be able to detect an unknown key-share attack if a session with either the attacker or the genuine peer (i.e., the victim whose fingerprint was copied by an attacker) was established in the past. Whether this is possible depends on how key continuity is implemented.</t><t>Implementations<t indent="0" pn="section-2.2-2">Implementations that maintain a single database of identities with an indexonof peer keys could discover that the identity saved for the peer key does not match the claimed identity. Such an implementation could notice the disparity between the actual keys (those copied from a victim) and the expected keys (those of the attacker).</t><t>In<t indent="0" pn="section-2.2-3">In comparison, implementations that first match based on peer identity could treat an unknown key-share attack as though their peer had used anewly-configurednewly configured device. The apparent addition of a new device could generate user-visible notices (e.g.,“Mallory"Mallory appears to have a newdevice”).device"). However, such an event is not always considered alarming; some implementations might silently save a new key.</t> </section> <section anchor="byebye-3pcc"title="Third-Partynumbered="true" toc="include" removeInRFC="false" pn="section-2.3"> <name slugifiedName="name-third-party-call-control">Third-Party CallControl"> <t>Third-partyControl</name> <t indent="0" pn="section-2.3-1">Third-party call control (3PCC) <xreftarget="RFC3725"/>target="RFC3725" format="default" sectionFormat="of" derivedContent="RFC3725"/> is a technique where a signaling peer establishes a call that is terminated by a different entity. An unknown key-share attack is very similar in effect to some 3PCC practices, so use of 3PCC could appear to be an attack. However, 3PCC that follows RFC 3725 guidance is unaffected, and peers that are aware of changes made by a 3PCC controller can correctly distinguish actions of a 3PCC controller from an attack.</t><t>3PCC<t indent="0" pn="section-2.3-2">3PCC as described in RFC 3725 is incompatible with SIP identity <xreftarget="SIP-ID"/>target="RFC8224" format="default" sectionFormat="of" derivedContent="SIP-ID"/>, as SIP Identity relies on creating a binding between SIP requests and SDP. The controller is the only entity that generates SIP requests in RFC 3725. Therefore, in a 3PCC context, only the use of the<spanx style="verb">fingerprint</spanx><tt>fingerprint</tt> attribute without additional bindings or WebRTC identity <xreftarget="WEBRTC-SEC"/>target="RFC8827" format="default" sectionFormat="of" derivedContent="WEBRTC-SEC"/> is possible.</t><t>The<t indent="0" pn="section-2.3-3">The attack mitigation mechanisms described in this document will prevent the use of 3PCC if peers have different views of the involvedidentities,identities or the value of SDP<spanx style="verb">tls-id</spanx><tt>tls-id</tt> attributes.</t><t>For<t indent="0" pn="section-2.3-4">For 3PCC to work with the proposed mechanisms, TLS peers need to be aware of the signaling so that they can correctly generate and check the TLS extensions. For a connection to be successfully established, a 3PCC controller needstoeither to forward SDP withoutmodification,modification or to avoid modifications to<spanx style="verb">fingerprint</spanx>, <spanx style="verb">tls-id</spanx>,<tt>fingerprint</tt>, <tt>tls-id</tt>, and<spanx style="verb">identity</spanx><tt>identity</tt> attributes. A controller that follows the best practices in RFC 3725 is expected to forward SDP without modification, thus ensuring the integrity of these attributes.</t> </section> </section> <section anchor="id"title="Unknownnumbered="true" toc="include" removeInRFC="false" pn="section-3"> <name slugifiedName="name-unknown-key-share-attack-wi">Unknown Key-Share Attack with IdentityBindings"> <t>TheBindings</name> <t indent="0" pn="section-3-1">The identity assertions used for WebRTC(Section 7 of <xref target="WEBRTC-SEC"/>)(<xref target="RFC8827" sectionFormat="of" section="7" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8827#section-7" derivedContent="WEBRTC-SEC"/>) and theSIP PASSPoRTPersonal Assertion Token (PASSporT) used in SIP identity (<xreftarget="SIP-ID"/>, <xref target="PASSPoRT"/>)target="RFC8224" format="default" sectionFormat="of" derivedContent="SIP-ID"/>, <xref target="RFC8225" format="default" sectionFormat="of" derivedContent="PASSPORT"/>) are bound to the certificate fingerprint of an endpoint. An attacker can cause an identity binding to be created that binds an identity they control to the fingerprint of a first victim.</t><t>An<t indent="0" pn="section-3-2">An attacker can thereby cause a second victim to believe that they are communicating with an attacker-controlled identity, when they are really talking to the first victim. The attacker does this by creating an identity assertion that covers a certificate fingerprint of the first victim.</t><t>A<t indent="0" pn="section-3-3">A variation on the same technique can be used to cause both victims tobothbelieve they are talking to the attacker when they are talking to each other. In this case, the attacker performs the identity misbinding once for each victim.</t><t>The problem might appear to be caused by the fact that the<t indent="0" pn="section-3-4">The authoritythat certifiescertifying the identity binding is not required to verify that the entity requesting the binding actually controls the keys associated with thefingerprints.fingerprints, and this might appear to be the cause of the problem. SIP and WebRTC identity providers are not required to perform thisvalidation. However, validation of keys by the identity provider is not relevant because verifying control of the associated keys is not a necessary condition for a secure protocol, nor would it be sufficient to prevent attack <xref target="SIGMA"/>.</t> <t>Avalidation.</t> <t indent="0" pn="section-3-5">A simple solution to this problem is suggested by <xreftarget="SIGMA"/>.target="SIGMA" format="default" sectionFormat="of" derivedContent="SIGMA"/>. The identity of endpoints is included under a message authentication code (MAC) during the cryptographic handshake. Endpoints then validate that their peer has provided an identity that matches their expectations. In TLS, the Finished message provides a MAC over the entire handshake, so that including the identity in a TLS extension is sufficient to implement this solution.</t><t>Rather<t indent="0" pn="section-3-6">Rather than include a complete identitybinding -binding, which could besizeable -sizable, a collision- andpre-image-resistantpreimage-resistant hash of the binding is included in a TLS extension as described in <xreftarget="external_id_hash"/>.target="external_id_hash" format="default" sectionFormat="of" derivedContent="Section 3.2"/>. Endpoints then need only validate that the extension contains a hash of the identity binding they received in signaling. If the identity binding is successfully validated, the identity of a peer is verified and bound to the session.</t><t>This<t indent="0" pn="section-3-7">This form of unknown key-share attack is possible without compromising signaling integrity, unless the defenses described in <xreftarget="fp"/>target="fp" format="default" sectionFormat="of" derivedContent="Section 4"/> are used. In order to prevent both forms of attack, endpointsMUST<bcp14>MUST</bcp14> use the<spanx style="verb">external_session_id</spanx><tt>external_session_id</tt> extension (see <xreftarget="external_session_id"/>)target="external_session_id" format="default" sectionFormat="of" derivedContent="Section 4.3"/>) in addition to the<spanx style="verb">external_id_hash</spanx><tt>external_id_hash</tt> (<xreftarget="external_id_hash"/>)target="external_id_hash" format="default" sectionFormat="of" derivedContent="Section 3.2"/>) so that two calls between the same partiescan’tcan't be altered by an attacker.</t> <section anchor="id-example"title="Example"> <t>Innumbered="true" toc="include" removeInRFC="false" pn="section-3.1"> <name slugifiedName="name-example">Example</name> <t indent="0" pn="section-3.1-1">In the example shown in <xreftarget="identity-attack"/>,target="identity-attack" format="default" sectionFormat="of" derivedContent="Figure 1"/>, it is assumed that the attacker also controls the signaling channel.</t><t>Mallory<t indent="0" pn="section-3.1-2">Mallory (the attacker) presents two victims, Norma and Patsy, with two separate sessions. In the first session, Norma is presented with the option to communicate with Mallory; a second session with Norma is presented to Patsy.</t> <figuretitle="Exampleanchor="identity-attack" align="left" suppress-title="false" pn="figure-1"> <name slugifiedName="name-example-attack-on-identity-">Example Attack on IdentityBindings" anchor="identity-attack"><artwork><![CDATA[Bindings</name> <artwork align="left" alt="" pn="section-3.1-3.1"> Norma Mallory Patsy (fp=N) ----- (fp=P) | | ||<----|<---- Signaling1------>|------>| | | Norma=N Mallory=P | | ||<----|<---- Signaling2------>|------>| | | Norma=N Patsy=P | | ||<=================DTLS (fp=N,P)=================>||<=================DTLS (fp=N,P)=================>| | | (peer = Mallory!) (peer = Norma)]]></artwork></figure> <t>The</artwork> </figure> <t indent="0" pn="section-3.1-4">The attack requires that Mallory obtain an identity binding for her own identity with the fingerprints presented by Patsy (P), which Mallory might have obtained previously. This false binding is then presented to Norma(Signaling1('Signaling1' inthe figure).</t> <t>Patsy<xref target="identity-attack" format="default" sectionFormat="of" derivedContent="Figure 1"/>).</t> <t indent="0" pn="section-3.1-5">Patsy could be similarly duped, but in this example, a correct binding betweenNorma’sNorma's identity and fingerprint (N) is faithfully presented by Mallory. This session(Signaling2('Signaling2' inthe figure)<xref target="identity-attack" format="default" sectionFormat="of" derivedContent="Figure 1"/>) can be entirely legitimate.</t><t>A<t indent="0" pn="section-3.1-6">A DTLS session is established directly between Norma and Patsy. In order for this tohappenhappen, Mallory can substitute transport-level information in bothsessions to facilitate this,sessions, though this is not necessary if Mallory is on the network path between Norma andPatsy.</t> <t>AsPatsy. </t> <t indent="0" pn="section-3.1-7">As a result, Patsy correctly believes that she is communicating with Norma. However, Norma incorrectly believes that she is talking to Mallory. As stated in <xreftarget="uks"/>,target="uks" format="default" sectionFormat="of" derivedContent="Section 2"/>, Mallory cannot access media, but Norma might send information to Patsy thatisNorma might not intend or that Patsy might misinterpret.</t> </section> <section anchor="external_id_hash"title="The external_id_hashnumbered="true" toc="include" removeInRFC="false" pn="section-3.2"> <name slugifiedName="name-the-external_id_hash-tls-ex">The <tt>external_id_hash</tt> TLSExtension"> <t>The <spanx style="verb">external_id_hash</spanx>Extension</name> <t indent="0" pn="section-3.2-1">The <tt>external_id_hash</tt> TLS extension carries a hash of the identity assertion that the endpoint sending the extension has asserted to its peer. Both peers include a hash of their own identity assertion.</t><t>The <spanx style="verb">extension_data</spanx><t indent="0" pn="section-3.2-2">The <tt>extension_data</tt> for the<spanx style="verb">external_id_hash</spanx><tt>external_id_hash</tt> extension contains a<spanx style="verb">ExternalIdentityHash</spanx><tt>ExternalIdentityHash</tt> struct, described below using the syntax defined inSection 3 of<xreftarget="TLS13"/>:</t> <figure><artwork><![CDATA[target="RFC8446" sectionFormat="of" section="3" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8446#section-3" derivedContent="TLS13"/>:</t> <sourcecode type="tls-presentation" markers="false" pn="section-3.2-3"> struct { opaquebinding_hash<0..32>;binding_hash<0..32>; } ExternalIdentityHash;]]></artwork></figure> <t>Where</sourcecode> <t indent="0" pn="section-3.2-4">Where an identity assertion has been asserted by a peer, this extension includes aSHA-256SHA-256 hash of the assertion. An empty value is used to indicate support for the extension.</t><t><list style="hanging"> <t hangText='Note:'><dl newline="false" spacing="normal" indent="3" pn="section-3.2-5"> <dt pn="section-3.2-5.1">Note:</dt> <dd pn="section-3.2-5.2"> For both types of identity assertion, ifSHA-256SHA-256 should prove to be inadequateat some pointin the future (see <xreftarget="AGILITY"/>),target="RFC7696" format="default" sectionFormat="of" derivedContent="AGILITY"/>), a new TLS extensioncan be definedthat uses a different hashfunction.</t> </list></t> <t>Identityfunction can be defined.</dd> </dl> <t indent="0" pn="section-3.2-6">Identity bindings might be provided by only one peer. An endpoint that does not produce an identity bindingMUST<bcp14>MUST</bcp14> generate an empty<spanx style="verb">external_id_hash</spanx><tt>external_id_hash</tt> extension in its ClientHello or--- if a client provides the extension--- in ServerHello or EncryptedExtensions. An empty extension has a zero-lengthbinding_hash<tt>binding_hash</tt> field.</t><t>A<t indent="0" pn="section-3.2-7">A peer that receives an<spanx style="verb">external_id_hash</spanx><tt>external_id_hash</tt> extension that does not match the value of the identity binding from its peerMUST<bcp14>MUST</bcp14> immediately fail the TLS handshake witha illegal_parameteran <tt>illegal_parameter</tt> alert. The absence of an identity binding does not relax this requirement; if a peer provided no identity binding, a zero-length extensionMUST<bcp14>MUST</bcp14> be present to be considered valid.</t><t>Implementations<t indent="0" pn="section-3.2-8">Implementations written prior to the definition of the extensions in this document will not support this extension for some time. A peer that receives an identity binding but does not receive an<spanx style="verb">external_id_hash</spanx><tt>external_id_hash</tt> extensionMAY<bcp14>MAY</bcp14> accept a TLS connection rather than fail a connection where the extension is absent.</t><t>Any<t indent="0" pn="section-3.2-9"> The endpoint performs the validationperformedof the<spanx style="verb">external_id_hash</spanx><tt>external_id_hash</tt> extensionis donein addition to the validation required by <xreftarget="FINGERPRINT"/>target="RFC8122" format="default" sectionFormat="of" derivedContent="FINGERPRINT"/> and any verification of the identity assertiondefinition.</t> <t>An <spanx style="verb">external_id_hash</spanx><xref target="RFC8827" format="default" sectionFormat="of" derivedContent="WEBRTC-SEC"/> <xref target="RFC8224" format="default" sectionFormat="of" derivedContent="SIP-ID"/>. An endpoint <bcp14>MUST</bcp14> validate any external_session_id value that is present; see <xref target="external_session_id" format="default" sectionFormat="of" derivedContent="Section 4.3"/>. </t> <t indent="0" pn="section-3.2-10">An <tt>external_id_hash</tt> extension with a <tt>binding_hash</tt> field that is any length other than 0 or 32 is invalid andMUST<bcp14>MUST</bcp14> cause the receiving endpoint to generate a fatal<spanx style="verb">decode_error</spanx><tt>decode_error</tt> alert.</t><t>In<t indent="0" pn="section-3.2-11">In TLS 1.3, an<spanx style="verb">external_id_hash</spanx><tt>external_id_hash</tt> extension sent by a serverMUST<bcp14>MUST</bcp14> be sent in the EncryptedExtensions message.</t> <section anchor="calculating-externalidhash-for-webrtc-identity"title="Calculating external_id_hashnumbered="true" toc="include" removeInRFC="false" pn="section-3.2.1"> <name slugifiedName="name-calculating-external_id_has">Calculating <tt>external_id_hash</tt> for WebRTCIdentity"> <t>AIdentity</name> <t indent="0" pn="section-3.2.1-1">A WebRTC identity assertion(Section 7 of <xref target="WEBRTC-SEC"/>)(<xref target="RFC8827" sectionFormat="of" section="7" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8827#section-7" derivedContent="WEBRTC-SEC"/>) is provided as a JSON <xreftarget="JSON"/>target="RFC8259" format="default" sectionFormat="of" derivedContent="JSON"/> object that is encoded into a JSON text. The JSON text is encoded using UTF-8 <xreftarget="UTF8"/>target="RFC3629" format="default" sectionFormat="of" derivedContent="UTF8"/> as described bySection 8.1 of<xreftarget="JSON"/>.target="RFC8259" sectionFormat="of" section="8.1" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8259#section-8.1" derivedContent="JSON"/>. The content of the<spanx style="verb">external_id_hash</spanx><tt>external_id_hash</tt> extension is produced by hashing the resulting octets withSHA-256SHA-256 <xreftarget="SHA"/>.target="RFC6234" format="default" sectionFormat="of" derivedContent="SHA"/>. This produces the 32 octets of the<spanx style="verb">binding_hash</spanx><tt>binding_hash</tt> parameter, which is the sole contents of the extension.</t><t>The<t indent="0" pn="section-3.2.1-2">The SDP<spanx style="verb">identity</spanx><tt>identity</tt> attribute includes the base64 <xreftarget="BASE64"/>target="RFC4648" format="default" sectionFormat="of" derivedContent="BASE64"/> encoding of the UTF-8 encoding of the same JSON text. The<spanx style="verb">external_id_hash</spanx><tt>external_id_hash</tt> extension is validated by performing base64 decoding on the value of the SDP<spanx style="verb">identity</spanx><tt>identity</tt> attribute, hashing the resulting octets usingSHA-256,SHA-256, and comparing the results with the content of the extension. In pseudocode form, using the<spanx style="verb">identity-assertion-value</spanx><tt>identity-assertion-value</tt> field from the<spanx style="verb">identity</spanx>SDP <tt>identity</tt> attribute grammar as defined in <xreftarget="WEBRTC-SEC"/>:</t> <t><spanx style="verb">target="RFC8827" format="default" sectionFormat="of" derivedContent="WEBRTC-SEC"/>:</t> <sourcecode type="pseudocode" markers="false" pn="section-3.2.1-3"> external_id_hash = SHA-256(b64decode(identity-assertion-value))</spanx></t> <t><list style="hanging"> <t hangText='Note:'></sourcecode> <dl newline="false" spacing="normal" indent="3" pn="section-3.2.1-4"> <dt pn="section-3.2.1-4.1">Note:</dt> <dd pn="section-3.2.1-4.2"> The base64 of the SDP<spanx style="verb">identity</spanx><tt>identity</tt> attribute is decoded to avoid capturing variations in padding. The base64-decoded identity assertion could include leading or trailing whitespace octets. WebRTC identity assertions are not canonicalized; all octets arehashed.</t> </list></t>hashed.</dd> </dl> </section> <section anchor="calculating-externalidhash-for-passport"title="Calculatingnumbered="true" toc="include" removeInRFC="false" pn="section-3.2.2"> <name slugifiedName="name-calculating-external_id_hash">Calculating external_id_hash forPASSPoRT"> <t>WherePASSporT</name> <t indent="0" pn="section-3.2.2-1">Where the compact form ofPASSPoRTPASSporT <xreftarget="PASSPoRT"/>target="RFC8225" format="default" sectionFormat="of" derivedContent="PASSPORT"/> is used, itMUST<bcp14>MUST</bcp14> be expanded into the full form. The base64 encoding used in the SIP Identity (or‘y’)'y') header fieldMUST<bcp14>MUST</bcp14> be decoded then used as input toSHA-256.SHA-256. This produces the32 octet <spanx style="verb">binding_hash</spanx>32-octet <tt>binding_hash</tt> value used for creating or validating the extension. In pseudocode, using the<spanx style="verb">signed-identity-digest</spanx> field<tt>signed-identity-digest</tt> parameter from the<spanx style="verb">Identity</spanx><tt>Identity</tt> header field grammar defined <xreftarget="SIP-ID"/>:</t> <t><spanx style="verb">target="RFC8224" format="default" sectionFormat="of" derivedContent="SIP-ID"/>:</t> <sourcecode type="pseudocode" markers="false" pn="section-3.2.2-2"> external_id_hash = SHA-256(b64decode(signed-identity-digest))</spanx></t></sourcecode> </section> </section> </section> <section anchor="fp"title="Unknownnumbered="true" toc="include" removeInRFC="false" pn="section-4"> <name slugifiedName="name-unknown-key-share-attack-wit">Unknown Key-Share Attack withFingerprints"> <t>AnFingerprints</name> <t indent="0" pn="section-4-1">An attack on DTLS-SRTP is possible because the identity of peers involved is not established prior to establishing the call. Endpoints use certificate fingerprints as a proxy for authentication, but as long as fingerprints are used in multiple calls, they are vulnerable to attack.</t><t>Even<t indent="0" pn="section-4-2">Even if the integrity of session signaling can be relied upon, an attacker might still be able to create a session where there is confusion about the communicating endpoints by substituting the fingerprint of a communicating endpoint.</t><t>An<t indent="0" pn="section-4-3">An endpoint that is configured to reuse a certificate can be attacked if it is willing to initiate two calls at the same time, one of which is with an attacker. The attacker can arrange for the victim to incorrectly believe that it is calling the attacker when it is in fact calling a second party. The second party correctly believes that it is talking to the victim.</t><t>As<t indent="0" pn="section-4-4">As with the attack on identity bindings, this can be used to cause two victims to both believe they are talking to the attacker when they are talking to each other.</t> <section anchor="fp-example"title="Example"> <t>Tonumbered="true" toc="include" removeInRFC="false" pn="section-4.1"> <name slugifiedName="name-example-2">Example</name> <t indent="0" pn="section-4.1-1">To mount this attack, two sessions need to be created with the same endpoint at almost precisely the same time. One of those sessions is initiated with the attacker, the second session is created toward another honest endpoint. The attacker convinces the first endpoint that their session with the attacker has been successfully established, but media is exchanged with the other honest endpoint. The attacker permits the session with the other honest endpoint to complete only to the extent necessary to convince the other honest endpoint to participate in the attacked session.</t><t>In<t indent="0" pn="section-4.1-2">In addition to the constraints described in <xreftarget="limits"/>,target="limits" format="default" sectionFormat="of" derivedContent="Section 2.1"/>, the attacker in this example also needs the ability to view and drop packets between victims. That is, the attackeris on-pathneeds to be on path for media.</t><t>The<t indent="0" pn="section-4.1-3">The attack shown in <xreftarget="implausible-attack"/>target="implausible-attack" format="default" sectionFormat="of" derivedContent="Figure 2"/> depends on a somewhat implausible set of conditions. It is intended to demonstrate what sort of attack is possible and what conditions are necessary to exploit this weakness in the protocol.</t> <figuretitle="Exampleanchor="implausible-attack" align="left" suppress-title="false" pn="figure-2"> <name slugifiedName="name-example-attack-scenario-usi">Example Attack Scenariousing Fingerprints" anchor="implausible-attack"><artwork><![CDATA[Using Fingerprints</name> <artwork align="left" alt="" pn="section-4.1-4.1"> Norma Mallory Patsy (fp=N) ----- (fp=P) | | | +---Signaling1(fp=N)--->|(fp=N)--->| | +-----Signaling2(fp=N)------------------------>| |<-------------------------Signaling2(fp=N)------------------------>| |<-------------------------Signaling2 (fp=P)----+|<---Signaling1|<---Signaling1 (fp=P)---+ | | | ||=======DTLS1=======>(Forward)======DTLS1======>| |<======DTLS2========(Forward)<=====DTLS2=======| |=======Media1======>(Forward)======Media1=====>| |<======Media2=======(Forward)<=====Media2======||=======DTLS1=======>(Forward)======DTLS1======>| |<======DTLS2========(Forward)<=====DTLS2=======| |=======Media1======>(Forward)======Media1=====>| |<======Media2=======(Forward)<=====Media2======| | | ||=======DTLS2========>(Drop)|=======DTLS2========>(Drop) | | | |]]></artwork></figure> <t>In</artwork> </figure> <t indent="0" pn="section-4.1-5">In this scenario, there are two sessions initiated at the same time by Norma. Signaling is shown with single lines(‘-‘),('-'), DTLS and media with double lines(‘=’).</t> <t>The('=').</t> <t indent="0" pn="section-4.1-6">The first session is established with Mallory, who falsely usesPatsy’sPatsy's certificate fingerprint (denoted with‘fp=P’).'fp=P'). A second session is initiated between Norma and Patsy. Signaling for both sessions is permitted to complete.</t><t>Once<t indent="0" pn="section-4.1-7">Once signaling is complete on the first session, a DTLS connection is established. Ostensibly, this connection is between Mallory andNormaNorma, but Mallory forwards DTLS and media packets sent to her by Norma to Patsy. These packets are denoted‘DTLS1’'DTLS1' because Norma associates these with the first signaling session(‘signaling1’).</t> <t>Mallory('Signaling1').</t> <t indent="0" pn="section-4.1-8">Mallory also intercepts packets from Patsy and forwards those to Norma at the transport address that Norma associates with Mallory. These packets are denoted‘DTLS2’'DTLS2' to indicate that Patsy associates these with the second signaling session(‘signaling2’), however('Signaling2'); however, Norma will interpret these as being associated with the first signaling session(‘signaling1’).</t> <t>The('Signaling1').</t> <t indent="0" pn="section-4.1-9">The second signaling exchange- ‘signaling2’,('Signaling2'), which is between Norma andPatsy -Patsy, is permitted to continue to the point where Patsy believes that it has succeeded. This ensures that Patsy believes that she is communicating with Norma. In the end, Norma believes that she is communicating with Mallory, when she is really communicating with Patsy. Just like the example in <xreftarget="id-example"/>,target="id-example" format="default" sectionFormat="of" derivedContent="Section 3.1"/>, Mallory cannot access media, but Norma might send information to Patsy thatisNorma might not intend or that Patsy might misinterpret.</t><t>Though<t indent="0" pn="section-4.1-10">Though Patsy needs to believe that the second signaling session has been successfully established, Mallory has no real interest in seeing that session also be established. Mallory only needs to ensure that Patsy maintains the active session and does not abandon the session prematurely. For this reason, it might be necessary to permit the signaling from Patsy to reach Norma in order to allow Patsy to receive a call setup completion signal, such as a SIP ACK. Once the second session is established, Mallory might cause DTLS packets sent by Norma to Patsy to be dropped. However, if Mallory allows DTLS packets to pass, it is likely that Patsy will discard them as Patsy will already have a successful DTLS connection established.</t><t>For<t indent="0" pn="section-4.1-11">For the attacked session to be sustained beyond the point that Norma detects errors in the second session, Mallory also needs to block any signaling that Norma might send to Patsy asking for the call to be abandoned. Otherwise, Patsy might receive a notice that the callishas failed and thereby abort the call.</t><t>This<t indent="0" pn="section-4.1-12">This attack creates an asymmetry in the beliefs about the identity of peers. However, this attack is only possible if the victim (Norma) is willing to conduct two sessions nearlysimultaneously,simultaneously; if the attacker (Mallory) is on the network path between thevictims,victims; and if the same certificate--- and therefore the SDP<spanx style="verb">fingerprint</spanx><tt>fingerprint</tt> attribute value--- is used by Norma for both sessions.</t><t>Where ICE<t indent="0" pn="section-4.1-13">Where Interactive Connectivity Establishment (ICE) <xreftarget="ICE"/>target="RFC8445" format="default" sectionFormat="of" derivedContent="ICE"/> is used, Mallory also needs to ensure that connectivity checks between Patsy and Norma succeed, either by forwarding checks or by answering and generating the necessary messages.</t> </section> <section anchor="sess-id"title="Uniquenumbered="true" toc="include" removeInRFC="false" pn="section-4.2"> <name slugifiedName="name-unique-session-identity-sol">Unique Session IdentitySolution"> <t>TheSolution</name> <t indent="0" pn="section-4.2-1">The solution to this problem is to assign a new identifier to communicating peers. Each endpoint assigns their peer a unique identifier during call signaling. The peer echoes that identifier in the TLS handshake, binding that identity into the session. Including this new identity in the TLS handshake means that it will be covered by the TLS Finished message, which is necessary to authenticate it (see <xreftarget="SIGMA"/>).</t> <t>Successful validationtarget="SIGMA" format="default" sectionFormat="of" derivedContent="SIGMA"/>).</t> <t indent="0" pn="section-4.2-2">Successfully validating that the identifier matches the expected value means that the connection corresponds to the signaled session and is therefore established between the correct two endpoints.</t><t>This<t indent="0" pn="section-4.2-3">This solution relies on the unique identifier given to DTLS sessions using the SDP<spanx style="verb">tls-id</spanx><tt>tls-id</tt> attribute <xreftarget="DTLS-SDP"/>.target="RFC8842" format="default" sectionFormat="of" derivedContent="DTLS-SDP"/>. This field is already required to be unique. Thus, no two offers or answers from the same client will have the same value.</t><t>A<t indent="0" pn="section-4.2-4">A new<spanx style="verb">external_session_id</spanx><tt>external_session_id</tt> extension is added to the TLS or DTLS handshake for connections that are established as part of the same call or real-time session. This carries the value of the<spanx style="verb">tls-id</spanx><tt>tls-id</tt> attribute and provides integrity protection for its exchange as part of the TLS or DTLS handshake.</t> </section> <section anchor="external_session_id"title="Thenumbered="true" toc="include" removeInRFC="false" pn="section-4.3"> <name slugifiedName="name-the-external_session_id-tls">The external_session_id TLSExtension"> <t>The <spanx style="verb">external_session_id</spanx>Extension</name> <t indent="0" pn="section-4.3-1">The <tt>external_session_id</tt> TLS extension carries the unique identifier that an endpoint selects. When used with SDP, the valueMUST<bcp14>MUST</bcp14> include the<spanx style="verb">tls-id</spanx><tt>tls-id</tt> attribute from the SDP that the endpoint generated when negotiating the session. This document only defines use of this extension for SDP; other methods of external session negotiation can use this extension to include a unique session identifier.</t><t>The <spanx style="verb">extension_data</spanx><t indent="0" pn="section-4.3-2">The <tt>extension_data</tt> for the<spanx style="verb">external_session_id</spanx><tt>external_session_id</tt> extension contains an ExternalSessionId struct, described below using the syntax defined in <xreftarget="TLS13"/>:</t> <figure><artwork><![CDATA[target="RFC8446" format="default" sectionFormat="of" derivedContent="TLS13"/>:</t> <sourcecode type="tls-presentation" markers="false" pn="section-4.3-3"> struct { opaquesession_id<20..255>;session_id<20..255>; } ExternalSessionId;]]></artwork></figure> <t>For</sourcecode> <t indent="0" pn="section-4.3-4">For SDP, the<spanx style="verb">session_id</spanx><tt>session_id</tt> field of the extension includes the value of the<spanx style="verb">tls-id</spanx><tt>tls-id</tt> SDP attribute as defined in <xreftarget="DTLS-SDP"/>target="RFC8842" format="default" sectionFormat="of" derivedContent="DTLS-SDP"/> (that is, the<spanx style="verb">tls-id-value</spanx><tt>tls-id-value</tt> ABNF production). The value of the<spanx style="verb">tls-id</spanx><tt>tls-id</tt> attribute is encoded using ASCII <xreftarget="ASCII"/>.</t> <t>Wheretarget="RFC0020" format="default" sectionFormat="of" derivedContent="ASCII"/>.</t> <t indent="0" pn="section-4.3-5">Where RTP and RTCP <xreftarget="RTP"/>target="RFC3550" format="default" sectionFormat="of" derivedContent="RTP"/> are not multiplexed, it is possible that the two separate DTLS connections carrying RTP and RTCP can be switched. This is considered benign since these protocols are designed to be distinguishable as SRTP <xreftarget="SRTP"/>target="RFC3711" format="default" sectionFormat="of" derivedContent="SRTP"/> provides key separation. Using RTP/RTCP multiplexing <xreftarget="RTCP-MUX"/>target="RFC5761" format="default" sectionFormat="of" derivedContent="RTCP-MUX"/> further avoids this problem.</t><t>The <spanx style="verb">external_session_id</spanx><t indent="0" pn="section-4.3-6">The <tt>external_session_id</tt> extension is included in aClientHelloClientHello, and-if the extension is present in theClientHello -ClientHello, either ServerHello (for TLS and DTLS versionslessolder than 1.3) or EncryptedExtensions (for TLS 1.3).</t><t>Endpoints MUST<t indent="0" pn="section-4.3-7">Endpoints <bcp14>MUST</bcp14> check that the<spanx style="verb">session_id</spanx><tt>session_id</tt> parameter in the extension that they receive includes the<spanx style="verb">tls-id</spanx><tt>tls-id</tt> attribute value that they received in theirpeer’speer's session description. Endpoints can perform string comparison by ASCII decoding the TLS extension value and comparing it to the SDP attributevalue,value orcompareby comparing the encoded TLS extension octets with the encoded SDP attribute value. An endpoint that receivesa <spanx style="verb">external_session_id</spanx>an <tt>external_session_id</tt> extension that is not identical to the value that it expectsMUST<bcp14>MUST</bcp14> abort the connection with a fatal<spanx style="verb">illegal_parameter</spanx><tt>illegal_parameter</tt> alert.</t><t>Any<t indent="0" pn="section-4.3-8"> The endpoint performs the validationperformedof the<spanx style="verb">external_session_id</spanx><tt>external_id_hash</tt> extensionis donein addition to the validation required by <xreftarget="FINGERPRINT"/>.</t> <t>Antarget="RFC8122" format="default" sectionFormat="of" derivedContent="FINGERPRINT"/>. </t> <t indent="0" pn="section-4.3-9">If an endpointthat is communicatingcommunicates with a peer that does not support thisextensionextension, it will receive a ClientHello,ServerHelloServerHello, or EncryptedExtensions message that does not include this extension. An endpointMAY<bcp14>MAY</bcp14> choose to continue a session without this extension in order to interoperate with peers that do not implement this specification.</t><t>In<t indent="0" pn="section-4.3-10">In TLS 1.3, an<spanx style="verb">external_session_id</spanx><tt>external_session_id</tt> extension sent by a serverMUST<bcp14>MUST</bcp14> be sent in the EncryptedExtensions message.</t><t>This<t indent="0" pn="section-4.3-11">This defense is not effective if an attacker can rewrite<spanx style="verb">tls-id</spanx><tt>tls-id</tt> values in signaling. Only the mechanism in<spanx style="verb">external_id_hash</spanx><tt>external_id_hash</tt> is able to defend against an attacker that can compromise session integrity.</t> </section> </section> <section anchor="concat"title="Session Concatenation"> <t>Usenumbered="true" toc="include" removeInRFC="false" pn="section-5"> <name slugifiedName="name-session-concatenation">Session Concatenation</name> <t indent="0" pn="section-5-1">Use of session identifiers does not prevent an attacker from establishing two concurrent sessions with different peers and forwarding signaling from those peers to each other. Concatenating two signaling sessions in this way creates two signaling sessions, with two session identifiers, but only the TLS connections from a single session are established as a result. In doing so, the attacker creates a situation where both peers believe that they are talking to the attacker when they are talking to each other.</t><t>In<t indent="0" pn="section-5-2">In the absence of any higher-level concept of peer identity,the use of session identifiers does not prevent session concatenation if the attacker is able to copyan attacker who is able to copy the session identifier from one signaling session toanother.another can cause the peers to establish a direct TLS connection even while they think that they are connecting to the attacker. This differs from the attack described in the previous section in that there is only one TLS connection rather than two. This kind of attack is prevented by systems that enable peerauthenticationauthentication, such as WebRTC identity <xreftarget="WEBRTC-SEC"/>target="RFC8827" format="default" sectionFormat="of" derivedContent="WEBRTC-SEC"/> or SIP identity <xreftarget="SIP-ID"/>. However, session concatenation remains possible at higher layers: an attacker can establishtarget="RFC8224" format="default" sectionFormat="of" derivedContent="SIP-ID"/>; however, these systems do not prevent establishing twoindependent sessions and simply forward any data it receives from one intoback-to-back connections as described in theother.</t> <t>Useprevious paragraph.</t> <t indent="0" pn="section-5-3">Use of the<spanx style="verb">external_session_id</spanx><tt>external_session_id</tt> does not guarantee that the identity of the peer at the TLS layer is the same as the identity of the signaling peer. The advantage that an attacker gains by concatenating sessions is limited unless data is exchanged based on the assumption that signaling and TLS peers are the same. If a secondary protocol uses the signaling channel with the assumption that the signaling and TLS peers are thesamesame, then that protocol is vulnerable to attack.AWhile out of scope for this document, a signaling system that can defend against sessionconcatenation, while out of scope for this document,concatenation requires that the signaling layer is authenticated and bound to any TLS connections.</t><t>It<t indent="0" pn="section-5-4">It is important to note that multiple connections can be created within the same signaling session. An attacker might concatenate only part of a session, choosing to terminate some connections (and optionally forward data) while arranging to have peers interact directly for other connections. It is even possible to have different peers interact for each connection. This means that the actual identity of the peer for one connection might differ from the peer on another connection.</t><t>Critically,<t indent="0" pn="section-5-5">Critically, information about the identity of TLS peers provides no assurances about the identity of signaling peers anddodoes not transfer between TLS connections in the same session. Information extracted from a TLS connection thereforeMUST NOT<bcp14>MUST NOT</bcp14> be used in a secondary protocol outside of that connection if that protocol assumes that the signaling protocol has the same peers. Similarly, security-sensitive information from one TLS connectionMUST NOT<bcp14>MUST NOT</bcp14> be used in other TLS connections even if they are established as a result of the same signaling session.</t> </section> <section anchor="security-considerations"title="Security Considerations"> <t>The mitigations in this document, whennumbered="true" toc="include" removeInRFC="false" pn="section-6"> <name slugifiedName="name-security-considerations">Security Considerations</name> <t indent="0" pn="section-6-1">When combined with identity assertions, the mitigations in this document ensure that there is no opportunity to misrepresent the identity of TLS peers. This assurance is provided even if an attacker can modify signaling messages.</t><t>Without<t indent="0" pn="section-6-2">Without identity assertions, the mitigations in this document prevent the session splicing attack described in <xreftarget="fp"/>.target="fp" format="default" sectionFormat="of" derivedContent="Section 4"/>. Defense against session concatenation (<xreftarget="concat"/>)target="concat" format="default" sectionFormat="of" derivedContent="Section 5"/>) additionally requires that protocol peers are not able to claim the certificate fingerprints of other entities.</t> </section> <section anchor="iana-considerations"title="IANA Considerations"> <t>Thisnumbered="true" toc="include" removeInRFC="false" pn="section-7"> <name slugifiedName="name-iana-considerations">IANA Considerations</name> <t indent="0" pn="section-7-1">This document registers two extensions in theTLS “ExtensionType Values”"TLS ExtensionType Values" registry established in <xreftarget="TLS13"/>:</t> <t><list style="symbols"> <t>The <spanx style="verb">external_id_hash</spanx>target="RFC8446" format="default" sectionFormat="of" derivedContent="TLS13"/>:</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-7-2"> <li pn="section-7-2.1">The <tt>external_id_hash</tt> extension defined in <xreftarget="external_id_hash"/>target="external_id_hash" format="default" sectionFormat="of" derivedContent="Section 3.2"/> has been assigned a code point ofTBD;55; it is recommended and is marked as“CH, EE”"CH, EE" in TLS1.3.</t> <t>The <spanx style="verb">external_session_id</spanx>1.3.</li> <li pn="section-7-2.2">The <tt>external_session_id</tt> extension defined in <xreftarget="external_session_id"/>target="external_session_id" format="default" sectionFormat="of" derivedContent="Section 4.3"/> has been assigned a code point ofTBD;56; it is recommended and is marked as“CH, EE”"CH, EE" in TLS1.3.</t> </list></t>1.3.</li> </ul> </section> </middle> <back> <displayreference target="RFC0020" to="ASCII"/> <displayreference target="RFC3550" to="RTP"/> <displayreference target="RFC3629" to="UTF8"/> <displayreference target="RFC3711" to="SRTP"/> <displayreference target="RFC4566" to="SDP"/> <displayreference target="RFC4648" to="BASE64"/> <displayreference target="RFC5761" to="RTCP-MUX"/> <displayreference target="RFC5763" to="DTLS-SRTP"/> <displayreference target="RFC6189" to="ZRTP"/> <displayreference target="RFC6234" to="SHA"/> <displayreference target="RFC6347" to="DTLS"/> <displayreference target="RFC7696" to="AGILITY"/> <displayreference target="RFC8122" to="FINGERPRINT"/> <displayreference target="RFC8224" to="SIP-ID"/> <displayreference target="RFC8225" to="PASSPORT"/> <displayreference target="RFC8259" to="JSON"/> <displayreference target="RFC8445" to="ICE"/> <displayreference target="RFC8446" to="TLS13"/> <displayreference target="RFC8827" to="WEBRTC-SEC"/> <displayreference target="RFC8842" to="DTLS-SDP"/> <references pn="section-8"> <name slugifiedName="name-references">References</name> <referencestitle='Normative References'>pn="section-8.1"> <name slugifiedName="name-normative-references">Normative References</name> <reference anchor="RFC0020" target="https://www.rfc-editor.org/info/rfc20" quoteTitle="true" derivedAnchor="ASCII"> <front> <title>ASCII format for network interchange</title> <author initials="V.G." surname="Cerf" fullname="V.G. Cerf"> <organization showOnFrontPage="true"/> </author> <date year="1969" month="October"/> </front> <seriesInfo name="STD" value="80"/> <seriesInfo name="RFC" value="20"/> <seriesInfo name="DOI" value="10.17487/RFC0020"/> </reference> <referenceanchor="TLS13" target='https://www.rfc-editor.org/info/rfc8446'>anchor="RFC4648" target="https://www.rfc-editor.org/info/rfc4648" quoteTitle="true" derivedAnchor="BASE64"> <front> <title>The Base16, Base32, and Base64 Data Encodings</title> <author initials="S." surname="Josefsson" fullname="S. Josefsson"> <organization showOnFrontPage="true"/> </author> <date year="2006" month="October"/> <abstract> <t indent="0">This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4648"/> <seriesInfo name="DOI" value="10.17487/RFC4648"/> </reference> <reference anchor="RFC6347" target="https://www.rfc-editor.org/info/rfc6347" quoteTitle="true" derivedAnchor="DTLS"> <front> <title>Datagram Transport Layer Security(TLS) ProtocolVersion1.3</title>1.2</title> <authorinitials='E.' surname='Rescorla' fullname='E. Rescorla'><organization /></author>initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <author initials="N." surname="Modadugu" fullname="N. Modadugu"> <organization showOnFrontPage="true"/> </author> <dateyear='2018' month='August' /> <abstract><t>Thisyear="2012" month="January"/> <abstract> <t indent="0">This document specifies version1.31.2 of the Datagram Transport Layer Security(TLS)(DTLS) protocol.TLSThe DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicateover the Internetin a way that is designed to prevent eavesdropping, tampering,andor messageforgery.</t><t>This document updates RFCs 5705 and 6066, and obsoletes RFCs 5077, 5246, and 6961. This document also specifies new requirements forforgery. The DTLS protocol is based on the Transport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semantics of the underlying transport are preserved by the DTLS protocol. This document updates DTLS 1.0 to work with TLS1.2 implementations.</t></abstract>version 1.2. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfoname='RFC' value='8446'/>name="RFC" value="6347"/> <seriesInfoname='DOI' value='10.17487/RFC8446'/>name="DOI" value="10.17487/RFC6347"/> </reference> <referenceanchor="SDP" target='https://www.rfc-editor.org/info/rfc4566'>anchor="RFC8842" target="https://www.rfc-editor.org/info/rfc8842" quoteTitle="true" derivedAnchor="DTLS-SDP"> <front><title>SDP: Session<title>Session DescriptionProtocol</title>Protocol (SDP) Offer/Answer Considerations for Datagram Transport Layer Security (DTLS) and Transport Layer Security (TLS)</title> <author initials="C." surname="Holmberg" fullname="Christer Holmberg"> <organization showOnFrontPage="true"/> </author> <authorinitials='M.' surname='Handley' fullname='M. Handley'><organization /></author> <author initials='V.' surname='Jacobson' fullname='V. Jacobson'><organization /></author> <author initials='C.' surname='Perkins' fullname='C. Perkins'><organization /></author>initials="R." surname="Shpount" fullname="Roman Shpount"> <organization showOnFrontPage="true"/> </author> <dateyear='2006' month='July' /> <abstract><t>This memo definesmonth="January" year="2021"/> </front> <seriesInfo name="RFC" value="8842"/> <seriesInfo name="DOI" value="10.17487/RFC8842"/> </reference> <reference anchor="RFC5763" target="https://www.rfc-editor.org/info/rfc5763" quoteTitle="true" derivedAnchor="DTLS-SRTP"> <front> <title>Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)</title> <author initials="J." surname="Fischl" fullname="J. Fischl"> <organization showOnFrontPage="true"/> </author> <author initials="H." surname="Tschofenig" fullname="H. Tschofenig"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <date year="2010" month="May"/> <abstract> <t indent="0">This document specifies how to use the SessionDescriptionInitiation Protocol(SDP). SDP is intended for describing multimedia sessions for(SIP) to establish a Secure Real-time Transport Protocol (SRTP) security context using thepurposesDatagram Transport Layer Security (DTLS) protocol. It describes a mechanism ofsession announcement, session invitation, and other formstransporting a fingerprint attribute in the Session Description Protocol (SDP) that identifies the key that will be presented during the DTLS handshake. The key exchange travels along the media path as opposed to the signaling path. The SIP Identity mechanism can be used to protect the integrity ofmultimedia session initiation. [STANDARDS-TRACK]</t></abstract>the fingerprint attribute from modification by intermediate proxies. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfoname='RFC' value='4566'/>name="RFC" value="5763"/> <seriesInfoname='DOI' value='10.17487/RFC4566'/>name="DOI" value="10.17487/RFC5763"/> </reference> <referenceanchor="FINGERPRINT" target='https://www.rfc-editor.org/info/rfc8122'>anchor="RFC8122" target="https://www.rfc-editor.org/info/rfc8122" quoteTitle="true" derivedAnchor="FINGERPRINT"> <front> <title>Connection-Oriented Media Transport over the Transport Layer Security (TLS) Protocol in the Session Description Protocol (SDP)</title> <authorinitials='J.' surname='Lennox' fullname='J. Lennox'><organization /></author> <author initials='C.' surname='Holmberg' fullname='C. Holmberg'><organization /></author>initials="J." surname="Lennox" fullname="J. Lennox"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Holmberg" fullname="C. Holmberg"> <organization showOnFrontPage="true"/> </author> <dateyear='2017' month='March' /> <abstract><t>Thisyear="2017" month="March"/> <abstract> <t indent="0">This document specifies how to establish secure connection-oriented media transport sessions over the Transport Layer Security (TLS) protocol using the Session Description Protocol (SDP). It defines the SDP protocol identifier, 'TCP/TLS'. It also defines the syntax and semantics for an SDP 'fingerprint' attribute that identifies the certificate that will be presented for the TLS session. This mechanism allows media transport over TLS connections to be established securely, so long as the integrity of session descriptions isassured.</t><t>Thisassured.</t> <t indent="0">This document obsoletes RFC 4572 by clarifying the usage of multiplefingerprints.</t></abstract>fingerprints.</t> </abstract> </front> <seriesInfoname='RFC' value='8122'/>name="RFC" value="8122"/> <seriesInfoname='DOI' value='10.17487/RFC8122'/>name="DOI" value="10.17487/RFC8122"/> </reference> <referenceanchor="DTLS" target='https://www.rfc-editor.org/info/rfc6347'>anchor="RFC8259" target="https://www.rfc-editor.org/info/rfc8259" quoteTitle="true" derivedAnchor="JSON"> <front><title>Datagram Transport Layer Security Version 1.2</title><title>The JavaScript Object Notation (JSON) Data Interchange Format</title> <authorinitials='E.' surname='Rescorla' fullname='E. Rescorla'><organization /></author> <author initials='N.' surname='Modadugu' fullname='N. Modadugu'><organization /></author>initials="T." surname="Bray" fullname="T. Bray" role="editor"> <organization showOnFrontPage="true"/> </author> <dateyear='2012' month='January' /> <abstract><t>This document specifies version 1.2 of the Datagram Transport Layer Security (DTLS) protocol. The DTLS protocol provides communications privacy for datagram protocols. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocolyear="2017" month="December"/> <abstract> <t indent="0">JavaScript Object Notation (JSON) isbased ona lightweight, text-based, language-independent data interchange format. It was derived from theTransport Layer Security (TLS) protocol and provides equivalent security guarantees. Datagram semanticsECMAScript Programming Language Standard. JSON defines a small set of formatting rules for theunderlying transport are preserved by the DTLS protocol. Thisportable representation of structured data.</t> <t indent="0">This documentupdates DTLS 1.0 to workremoves inconsistencies withTLS version 1.2. [STANDARDS-TRACK]</t></abstract>other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t> </abstract> </front> <seriesInfoname='RFC' value='6347'/>name="STD" value="90"/> <seriesInfoname='DOI' value='10.17487/RFC6347'/>name="RFC" value="8259"/> <seriesInfo name="DOI" value="10.17487/RFC8259"/> </reference> <referenceanchor="SRTP" target='https://www.rfc-editor.org/info/rfc3711'>anchor="RFC8225" target="https://www.rfc-editor.org/info/rfc8225" quoteTitle="true" derivedAnchor="PASSPORT"> <front><title>The Secure Real-time Transport Protocol (SRTP)</title><title>PASSporT: Personal Assertion Token</title> <author initials="C." surname="Wendt" fullname="C. Wendt"> <organization showOnFrontPage="true"/> </author> <authorinitials='M.' surname='Baugher' fullname='M. Baugher'><organization /></author> <author initials='D.' surname='McGrew' fullname='D. McGrew'><organization /></author> <author initials='M.' surname='Naslund' fullname='M. Naslund'><organization /></author> <author initials='E.' surname='Carrara' fullname='E. Carrara'><organization /></author> <author initials='K.' surname='Norrman' fullname='K. Norrman'><organization /></author>initials="J." surname="Peterson" fullname="J. Peterson"> <organization showOnFrontPage="true"/> </author> <dateyear='2004' month='March' /> <abstract><t>Thisyear="2018" month="February"/> <abstract> <t indent="0">This documentdescribes the Secure Real-time Transport Protocol (SRTP),defines aprofilemethod for creating and validating a token that cryptographically verifies an originating identity or, more generally, a URI or telephone number representing the originator of personal communications. The Personal Assertion Token, PASSporT, is cryptographically signed to protect the integrity of theReal-time Transport Protocol (RTP), which can provide confidentiality, message authentication,identity of the originator andreplay protectionto verify theRTP traffic andassertion of the identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to thecontrol trafficdestination party over an insecure channel. PASSporT is particularly useful forRTP,many personal-communications applications over IP networks and other multi-hop interconnection scenarios where theReal-time Transport Control Protocol (RTCP). [STANDARDS-TRACK]</t></abstract> </front> <seriesInfo name='RFC' value='3711'/> <seriesInfo name='DOI' value='10.17487/RFC3711'/> </reference> <reference anchor="DTLS-SRTP" target='https://www.rfc-editor.org/info/rfc5763'> <front> <title>Framework for Establishing a Secure Real-time Transport Protocol (SRTP) Security Context Using Datagram Transport Layer Security (DTLS)</title> <author initials='J.' surname='Fischl' fullname='J. Fischl'><organization /></author> <author initials='H.' surname='Tschofenig' fullname='H. Tschofenig'><organization /></author> <author initials='E.' surname='Rescorla' fullname='E. Rescorla'><organization /></author> <date year='2010' month='May' /> <abstract><t>This document specifies how to use the Session Initiation Protocol (SIP) to establish a Secure Real-time Transport Protocol (SRTP) security context using the Datagram Transport Layer Security (DTLS) protocol. It describes a mechanism of transporting a fingerprint attribute in the Session Description Protocol (SDP) that identifies the key that will be presented during the DTLS handshake. The key exchange travels along the media path as opposed to the signaling path. The SIP Identity mechanism can be used to protect the integrity of the fingerprint attribute from modification by intermediate proxies. [STANDARDS-TRACK]</t></abstract> </front> <seriesInfo name='RFC' value='5763'/> <seriesInfo name='DOI' value='10.17487/RFC5763'/> </reference> <reference anchor="WEBRTC-SEC"> <front> <title>WebRTC Security Architecture</title> <author initials='E' surname='Rescorla' fullname='Eric Rescorla'> <organization /> </author> <date month='July' day='22' year='2019' /> <abstract><t>This document defines the security architecture for WebRTC, a protocol suite intended for use with real-time applications that can be deployed in browsers - "real time communication on the Web".</t></abstract> </front> <seriesInfo name='Internet-Draft' value='draft-ietf-rtcweb-security-arch-20' /> <format type='TXT' target='http://www.ietf.org/internet-drafts/draft-ietf-rtcweb-security-arch-20.txt' /> </reference> <reference anchor="SIP-ID" target='https://www.rfc-editor.org/info/rfc8224'> <front> <title>Authenticated Identity Management in the Session Initiation Protocol (SIP)</title> <author initials='J.' surname='Peterson' fullname='J. Peterson'><organization /></author> <author initials='C.' surname='Jennings' fullname='C. Jennings'><organization /></author> <author initials='E.' surname='Rescorla' fullname='E. Rescorla'><organization /></author> <author initials='C.' surname='Wendt' fullname='C. Wendt'><organization /></author> <date year='2018' month='February' /> <abstract><t>The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of the end users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating the identityoriginating andfor conveyingdestination parties may not have areference to the credentials of the signer.</t><t>This document obsoletes RFC 4474.</t></abstract>direct trusted relationship.</t> </abstract> </front> <seriesInfoname='RFC' value='8224'/>name="RFC" value="8225"/> <seriesInfoname='DOI' value='10.17487/RFC8224'/>name="DOI" value="10.17487/RFC8225"/> </reference> <reference anchor="RFC2119"target='https://www.rfc-editor.org/info/rfc2119'>target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <authorinitials='S.' surname='Bradner' fullname='S. Bradner'><organization /></author>initials="S." surname="Bradner" fullname="S. Bradner"> <organization showOnFrontPage="true"/> </author> <dateyear='1997' month='March' /> <abstract><t>Inyear="1997" month="March"/> <abstract> <t indent="0">In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions forimprovements.</t></abstract>improvements.</t> </abstract> </front> <seriesInfoname='BCP' value='14'/>name="BCP" value="14"/> <seriesInfoname='RFC' value='2119'/>name="RFC" value="2119"/> <seriesInfoname='DOI' value='10.17487/RFC2119'/>name="DOI" value="10.17487/RFC2119"/> </reference> <reference anchor="RFC8174"target='https://www.rfc-editor.org/info/rfc8174'>target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <authorinitials='B.' surname='Leiba' fullname='B. Leiba'><organization /></author> <date year='2017' month='May' /> <abstract><t>RFCinitials="B." surname="Leiba" fullname="B. Leiba"> <organization showOnFrontPage="true"/> </author> <date year="2017" month="May"/> <abstract> <t indent="0">RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined specialmeanings.</t></abstract>meanings.</t> </abstract> </front> <seriesInfoname='BCP' value='14'/>name="BCP" value="14"/> <seriesInfoname='RFC' value='8174'/>name="RFC" value="8174"/> <seriesInfoname='DOI' value='10.17487/RFC8174'/>name="DOI" value="10.17487/RFC8174"/> </reference> <referenceanchor="PASSPoRT" target='https://www.rfc-editor.org/info/rfc8225'>anchor="RFC4566" target="https://www.rfc-editor.org/info/rfc4566" quoteTitle="true" derivedAnchor="SDP"> <front><title>PASSporT: Personal Assertion Token</title><title>SDP: Session Description Protocol</title> <author initials="M." surname="Handley" fullname="M. Handley"> <organization showOnFrontPage="true"/> </author> <author initials="V." surname="Jacobson" fullname="V. Jacobson"> <organization showOnFrontPage="true"/> </author> <authorinitials='C.' surname='Wendt' fullname='C. Wendt'><organization /></author> <author initials='J.' surname='Peterson' fullname='J. Peterson'><organization /></author>initials="C." surname="Perkins" fullname="C. Perkins"> <organization showOnFrontPage="true"/> </author> <dateyear='2018' month='February' /> <abstract><t>This documentyear="2006" month="July"/> <abstract> <t indent="0">This memo definesa method for creating and validating a token that cryptographically verifies an originating identity or, more generally, a URI or telephone number representingtheoriginator of personal communications. The Personal Assertion Token, PASSporT,Session Description Protocol (SDP). SDP iscryptographically signed to protect the integrity of the identity of the originator and to verifyintended for describing multimedia sessions for theassertionpurposes ofthe identity information at the destination. The cryptographic signature is defined with the intention that it can confidently verify the originating persona even when the signature is sent to the destination party over an insecure channel. PASSporT is particularly useful for many personal-communications applications over IP networkssession announcement, session invitation, and othermulti-hop interconnection scenarios where the originating and destination parties may not have a direct trusted relationship.</t></abstract>forms of multimedia session initiation. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfoname='RFC' value='8225'/>name="RFC" value="4566"/> <seriesInfoname='DOI' value='10.17487/RFC8225'/>name="DOI" value="10.17487/RFC4566"/> </reference> <referenceanchor="JSON" target='https://www.rfc-editor.org/info/rfc8259'>anchor="RFC6234" target="https://www.rfc-editor.org/info/rfc6234" quoteTitle="true" derivedAnchor="SHA"> <front><title>The JavaScript Object Notation (JSON) Data Interchange Format</title><title>US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)</title> <author initials="D." surname="Eastlake 3rd" fullname="D. Eastlake 3rd"> <organization showOnFrontPage="true"/> </author> <authorinitials='T.' surname='Bray' fullname='T. Bray' role='editor'><organization /></author>initials="T." surname="Hansen" fullname="T. Hansen"> <organization showOnFrontPage="true"/> </author> <dateyear='2017' month='December' /> <abstract><t>JavaScript Object Notation (JSON) is a lightweight, text-based, language-independent data interchange format. It was derived from the ECMAScript Programming Language Standard. JSON defines a small set of formatting rules for the portable representation of structured data.</t><t>This document removes inconsistencies with other specifications of JSON, repairs specification errors, and offers experience-based interoperability guidance.</t></abstract>year="2011" month="May"/> <abstract> <t indent="0">Federal Information Processing Standard, FIPS</t> </abstract> </front> <seriesInfoname='STD' value='90'/>name="RFC" value="6234"/> <seriesInfoname='RFC' value='8259'/> <seriesInfo name='DOI' value='10.17487/RFC8259'/>name="DOI" value="10.17487/RFC6234"/> </reference> <referenceanchor="UTF8" target='https://www.rfc-editor.org/info/rfc3629'>anchor="RFC8224" target="https://www.rfc-editor.org/info/rfc8224" quoteTitle="true" derivedAnchor="SIP-ID"> <front><title>UTF-8, a transformation format of ISO 10646</title> <author initials='F.' surname='Yergeau' fullname='F. Yergeau'><organization /></author> <date year='2003' month='November' /> <abstract><t>ISO/IEC 10646-1 defines a large character set called<title>Authenticated Identity Management in theUniversal Character Set (UCS) which encompasses mostSession Initiation Protocol (SIP)</title> <author initials="J." surname="Peterson" fullname="J. Peterson"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Jennings" fullname="C. Jennings"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Wendt" fullname="C. Wendt"> <organization showOnFrontPage="true"/> </author> <date year="2018" month="February"/> <abstract> <t indent="0">The baseline security mechanisms in the Session Initiation Protocol (SIP) are inadequate for cryptographically assuring the identity of theworld's writing systems. The originally proposed encodingsend users that originate SIP requests, especially in an interdomain context. This document defines a mechanism for securely identifying originators of SIP requests. It does so by defining a SIP header field for conveying a signature used for validating theUCS, however, were not compatible with many current applications and protocols,identity andthis has ledfor conveying a reference to thedevelopment of UTF-8, the object of this memo. UTF-8 has the characteristiccredentials ofpreservingthefull US-ASCII range, providing compatibility with file systems, parsers and other software that rely on US-ASCII values but are transparent to other values. This memosigner.</t> <t indent="0">This document obsoletesand replacesRFC2279.</t></abstract>4474.</t> </abstract> </front> <seriesInfoname='STD' value='63'/>name="RFC" value="8224"/> <seriesInfoname='RFC' value='3629'/> <seriesInfo name='DOI' value='10.17487/RFC3629'/>name="DOI" value="10.17487/RFC8224"/> </reference> <referenceanchor="SHA" target='https://www.rfc-editor.org/info/rfc6234'>anchor="RFC3711" target="https://www.rfc-editor.org/info/rfc3711" quoteTitle="true" derivedAnchor="SRTP"> <front><title>US<title>The SecureHash Algorithms (SHA and SHA-based HMAC and HKDF)</title>Real-time Transport Protocol (SRTP)</title> <authorinitials='D.' surname='Eastlake 3rd' fullname='D. Eastlake 3rd'><organization /></author>initials="M." surname="Baugher" fullname="M. Baugher"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="McGrew" fullname="D. McGrew"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Naslund" fullname="M. Naslund"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Carrara" fullname="E. Carrara"> <organization showOnFrontPage="true"/> </author> <authorinitials='T.' surname='Hansen' fullname='T. Hansen'><organization /></author>initials="K." surname="Norrman" fullname="K. Norrman"> <organization showOnFrontPage="true"/> </author> <dateyear='2011' month='May' /> <abstract><t>Federal Information Processing Standard, FIPS</t></abstract>year="2004" month="March"/> <abstract> <t indent="0">This document describes the Secure Real-time Transport Protocol (SRTP), a profile of the Real-time Transport Protocol (RTP), which can provide confidentiality, message authentication, and replay protection to the RTP traffic and to the control traffic for RTP, the Real-time Transport Control Protocol (RTCP). [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfoname='RFC' value='6234'/>name="RFC" value="3711"/> <seriesInfoname='DOI' value='10.17487/RFC6234'/>name="DOI" value="10.17487/RFC3711"/> </reference> <referenceanchor="BASE64" target='https://www.rfc-editor.org/info/rfc4648'>anchor="RFC8446" target="https://www.rfc-editor.org/info/rfc8446" quoteTitle="true" derivedAnchor="TLS13"> <front> <title>TheBase16, Base32, and Base64 Data Encodings</title> <author initials='S.' surname='Josefsson' fullname='S. Josefsson'><organization /></author> <date year='2006' month='October' /> <abstract><t>This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK]</t></abstract> </front> <seriesInfo name='RFC' value='4648'/> <seriesInfo name='DOI' value='10.17487/RFC4648'/> </reference> <reference anchor="DTLS-SDP"> <front> <title>Session Description Protocol (SDP) Offer/Answer Considerations for DatagramTransport Layer Security(DTLS) and Transport Layer Security (TLS)</title> <author initials='C' surname='Holmberg' fullname='Christer Holmberg'> <organization /> </author>(TLS) Protocol Version 1.3</title> <authorinitials='R' surname='Shpount' fullname='Roman Shpount'>initials="E." surname="Rescorla" fullname="E. Rescorla"> <organization/>showOnFrontPage="true"/> </author> <datemonth='October' day='29' year='2017' /> <abstract><t>Thisyear="2018" month="August"/> <abstract> <t indent="0">This documentdefinesspecifies version 1.3 of theSession Description Protocol (SDP) offer/ answer procedures for negotiating and establishing a DatagramTransport Layer Security(DTLS) association. The document also defines(TLS) protocol. TLS allows client/server applications to communicate over thecriteria for whenInternet in anew DTLS association must be established. Theway that is designed to prevent eavesdropping, tampering, and message forgery.</t> <t indent="0">This document updatesRFC 5763RFCs 5705 andRFC 7345, by replacing common SDP offer/answer procedures with a reference to this specification. This document defines a new SDP media-level attribute, 'tls-id'.6066, and obsoletes RFCs 5077, 5246, and 6961. This document alsodefines how the 'tls-id' attribute can be used for negotiating and establishing a Transport Layer Security (TLS) connection, in conjunction with the procedures in RFC 4145 and RFC 8122.</t></abstract> </front> <seriesInfo name='Internet-Draft' value='draft-ietf-mmusic-dtls-sdp-32' /> <format type='TXT' target='http://www.ietf.org/internet-drafts/draft-ietf-mmusic-dtls-sdp-32.txt' /> </reference> <reference anchor="ASCII" target='https://www.rfc-editor.org/info/rfc20'> <front> <title>ASCII formatspecifies new requirements fornetwork interchange</title> <author initials='V.G.' surname='Cerf' fullname='V.G. Cerf'><organization /></author> <date year='1969' month='October' />TLS 1.2 implementations.</t> </abstract> </front> <seriesInfoname='STD' value='80'/> <seriesInfo name='RFC' value='20'/>name="RFC" value="8446"/> <seriesInfoname='DOI' value='10.17487/RFC0020'/>name="DOI" value="10.17487/RFC8446"/> </reference></references> <references title='Informative References'><referenceanchor="UKS" >anchor="RFC3629" target="https://www.rfc-editor.org/info/rfc3629" quoteTitle="true" derivedAnchor="UTF8"> <front><title>Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol</title> <author initials="S." surname="Blake-Wilson"> <organization></organization> </author><title>UTF-8, a transformation format of ISO 10646</title> <authorinitials="A." surname="Menezes"> <organization></organization>initials="F." surname="Yergeau" fullname="F. Yergeau"> <organization showOnFrontPage="true"/> </author> <dateyear="1999"/> </front> <seriesInfo name="Lecture Notes in Computer Science 1560, Springer, pp. 154–170" value=""/> </reference> <reference anchor="SIGMA" > <front> <title>SIGMA: The ‘SIGn-and-MAc’approach to authenticated Diffie-Hellman and its use inyear="2003" month="November"/> <abstract> <t indent="0">ISO/IEC 10646-1 defines a large character set called theIKE protocols</title> <author initials="H." surname="Krawczyk"> <organization></organization> </author> <date year="2003"/> </front> <seriesInfo name="Annual International Cryptology Conference, Springer, pp. 400-425" value=""/> </reference> <reference anchor="WEBRTC" > <front> <title>WebRTC 1.0: Real-time Communication Between Browsers</title> <author initials="A." surname="Bergkvist"> <organization></organization> </author> <author initials="D." surname="Burnett"> <organization></organization> </author> <author initials="A." surname="Narayanan"> <organization></organization> </author> <author initials="C." surname="Jennings"> <organization></organization> </author> <author initials="B." surname="Aboba"> <organization></organization> </author> <author initials="T." surname="Brandstetter"> <organization></organization> </author> <author initials="J." surname="Bruaroey"> <organization></organization> </author> <date year="2018" month="November" day="08"/> </front> <seriesInfo name="W3C Editor's Draft" value=""/> </reference> <reference anchor="RFC3725" target='https://www.rfc-editor.org/info/rfc3725'> <front> <title>Best Current Practices for Third Party Call Control (3pcc) in the Session Initiation Protocol (SIP)</title> <author initials='J.' surname='Rosenberg' fullname='J. Rosenberg'><organization /></author> <author initials='J.' surname='Peterson' fullname='J. Peterson'><organization /></author> <author initials='H.' surname='Schulzrinne' fullname='H. Schulzrinne'><organization /></author> <author initials='G.' surname='Camarillo' fullname='G. Camarillo'><organization /></author> <date year='2004' month='April' /> <abstract><t>Third party call control refers to the ability of one entity to create a call inUniversal Character Set (UCS) whichcommunication is actually between other parties. Third party call control is possible usingencompasses most of themechanisms specified withinworld's writing systems. The originally proposed encodings of theSession Initiation Protocol (SIP). However, there are several possible approaches, eachUCS, however, were not compatible withdifferent benefits and drawbacks. This document discusses bestmany currentpractices for the usage of SIP for third party call control. This document specifies an Internet Best Current Practices for the Internet Community,applications andrequests discussionprotocols, andsuggestions for improvements.</t></abstract> </front> <seriesInfo name='BCP' value='85'/> <seriesInfo name='RFC' value='3725'/> <seriesInfo name='DOI' value='10.17487/RFC3725'/> </reference> <reference anchor="ZRTP" target='https://www.rfc-editor.org/info/rfc6189'> <front> <title>ZRTP: Media Path Key Agreement for Unicast Secure RTP</title> <author initials='P.' surname='Zimmermann' fullname='P. Zimmermann'><organization /></author> <author initials='A.' surname='Johnston' fullname='A. Johnston' role='editor'><organization /></author> <author initials='J.' surname='Callas' fullname='J. Callas'><organization /></author> <date year='2011' month='April' /> <abstract><t>This document defines ZRTP, a protocol for media path Diffie-Hellman exchangethis has led toagree on a session key and parameters for establishing unicast Secure Real-time Transport Protocol (SRTP) sessions for Voice over IP (VoIP) applications. The ZRTP protocol is media path keying because it is multiplexed onthesame port as RTP and does not require support in the signaling protocol. ZRTP does not assume a Public Key Infrastructure (PKI) or require the complexitydevelopment ofcertificates in end devices. ForUTF-8, themedia session, ZRTP provides confidentiality, protection against man-in-the-middle (MiTM) attacks, and, in cases whereobject of this memo. UTF-8 has thesignaling protocol provides end-to-end integrity protection, authentication. ZRTP can utilize a Session Description Protocol (SDP) attribute to provide discovery and authentication throughcharacteristic of preserving thesignaling channel. To provide best effort SRTP, ZRTP utilizes normal RTP/AVP (Audio-Visual Profile) profiles. ZRTP secures media sessions that include a voice media streamfull US-ASCII range, providing compatibility with file systems, parsers andcan also secure media sessionsother software thatdo not include voice by using an optional digital signature.rely on US-ASCII values but are transparent to other values. Thisdocument is not an Internet Standards Track specification; it is published for informational purposes.</t></abstract>memo obsoletes and replaces RFC 2279.</t> </abstract> </front> <seriesInfo name="STD" value="63"/> <seriesInfo name="RFC" value="3629"/> <seriesInfo name="DOI" value="10.17487/RFC3629"/> </reference> <reference anchor="RFC8827" target="https://www.rfc-editor.org/info/rfc8827" quoteTitle="true" derivedAnchor="WEBRTC-SEC"> <front> <title>WebRTC Security Architecture</title> <author initials="E." surname="Rescorla" fullname="Eric Rescorla"> <organization showOnFrontPage="true"/> </author> <date month="January" year="2021"/> </front> <seriesInfoname='RFC' value='6189'/>name="RFC" value="8827"/> <seriesInfoname='DOI' value='10.17487/RFC6189'/>name="DOI" value="10.17487/RFC8827"/> </reference> </references> <references pn="section-8.2"> <name slugifiedName="name-informative-references">Informative References</name> <referenceanchor="AGILITY" target='https://www.rfc-editor.org/info/rfc7696'>anchor="RFC7696" target="https://www.rfc-editor.org/info/rfc7696" quoteTitle="true" derivedAnchor="AGILITY"> <front> <title>Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms</title> <authorinitials='R.' surname='Housley' fullname='R. Housley'><organization /></author>initials="R." surname="Housley" fullname="R. Housley"> <organization showOnFrontPage="true"/> </author> <dateyear='2015' month='November' /> <abstract><t>Manyyear="2015" month="November"/> <abstract> <t indent="0">Many IETF protocols use cryptographic algorithms to provide confidentiality, integrity, authentication, or digital signature. Communicating peers must support a common set of cryptographic algorithms for these mechanisms to work properly. This memo provides guidelines to ensure that protocols have the ability to migrate from one mandatory-to-implement algorithm suite to another overtime.</t></abstract>time.</t> </abstract> </front> <seriesInfoname='BCP' value='201'/>name="BCP" value="201"/> <seriesInfoname='RFC' value='7696'/>name="RFC" value="7696"/> <seriesInfoname='DOI' value='10.17487/RFC7696'/>name="DOI" value="10.17487/RFC7696"/> </reference> <referenceanchor="ICE" target='https://www.rfc-editor.org/info/rfc8445'>anchor="RFC8445" target="https://www.rfc-editor.org/info/rfc8445" quoteTitle="true" derivedAnchor="ICE"> <front> <title>Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal</title> <authorinitials='A.' surname='Keranen' fullname='A. Keranen'><organization /></author> <author initials='C.' surname='Holmberg' fullname='C. Holmberg'><organization /></author> <author initials='J.' surname='Rosenberg' fullname='J. Rosenberg'><organization /></author>initials="A." surname="Keranen" fullname="A. Keranen"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Holmberg" fullname="C. Holmberg"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Rosenberg" fullname="J. Rosenberg"> <organization showOnFrontPage="true"/> </author> <dateyear='2018' month='July' /> <abstract><t>Thisyear="2018" month="July"/> <abstract> <t indent="0">This document describes a protocol for Network Address Translator (NAT) traversal for UDP-based communication. This protocol iscalled Interactive Connectivity Establishment (ICE). ICE makes use ofcalled Interactive Connectivity Establishment (ICE). ICE makes use of the Session Traversal Utilities for NAT (STUN) protocol and its extension, Traversal Using Relay NAT (TURN).</t> <t indent="0">This document obsoletes RFC 5245.</t> </abstract> </front> <seriesInfo name="RFC" value="8445"/> <seriesInfo name="DOI" value="10.17487/RFC8445"/> </reference> <reference anchor="RFC3725" target="https://www.rfc-editor.org/info/rfc3725" quoteTitle="true" derivedAnchor="RFC3725"> <front> <title>Best Current Practices for Third Party Call Control (3pcc) in the Session Initiation Protocol (SIP)</title> <author initials="J." surname="Rosenberg" fullname="J. Rosenberg"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Peterson" fullname="J. Peterson"> <organization showOnFrontPage="true"/> </author> <author initials="H." surname="Schulzrinne" fullname="H. Schulzrinne"> <organization showOnFrontPage="true"/> </author> <author initials="G." surname="Camarillo" fullname="G. Camarillo"> <organization showOnFrontPage="true"/> </author> <date year="2004" month="April"/> <abstract> <t indent="0">Third party call control refers to the ability of one entity to create a call in which communication is actually between other parties. Third party call control is possible using the mechanisms specified within the Session Initiation Protocol (SIP). However, there are several possible approaches, each with different benefits and drawbacks. This document discusses best current practices for the usage of SIP for third party call control. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="85"/> <seriesInfo name="RFC" value="3725"/> <seriesInfo name="DOI" value="10.17487/RFC3725"/> </reference> <reference anchor="RFC5761" target="https://www.rfc-editor.org/info/rfc5761" quoteTitle="true" derivedAnchor="RTCP-MUX"> <front> <title>Multiplexing RTP Data and Control Packets on a Single Port</title> <author initials="C." surname="Perkins" fullname="C. Perkins"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Westerlund" fullname="M. Westerlund"> <organization showOnFrontPage="true"/> </author> <date year="2010" month="April"/> <abstract> <t indent="0">This memo discusses issues that arise when multiplexing RTP data packets and RTP Control Protocol (RTCP) packets on a single UDP port. It updates RFC 3550 and RFC 3551 to describe when such multiplexing is and is not appropriate, and it explains how the SessionTraversal Utilities for NAT (STUN) protocol and its extension, Traversal Using Relay NAT (TURN).</t><t>This document obsoletes RFC 5245.</t></abstract>Description Protocol (SDP) can be used to signal multiplexed sessions. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfoname='RFC' value='8445'/>name="RFC" value="5761"/> <seriesInfoname='DOI' value='10.17487/RFC8445'/>name="DOI" value="10.17487/RFC5761"/> </reference> <referenceanchor="RTP" target='https://www.rfc-editor.org/info/rfc3550'>anchor="RFC3550" target="https://www.rfc-editor.org/info/rfc3550" quoteTitle="true" derivedAnchor="RTP"> <front> <title>RTP: A Transport Protocol for Real-Time Applications</title> <authorinitials='H.' surname='Schulzrinne' fullname='H. Schulzrinne'><organization /></author> <author initials='S.' surname='Casner' fullname='S. Casner'><organization /></author> <author initials='R.' surname='Frederick' fullname='R. Frederick'><organization /></author> <author initials='V.' surname='Jacobson' fullname='V. Jacobson'><organization /></author>initials="H." surname="Schulzrinne" fullname="H. Schulzrinne"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Casner" fullname="S. Casner"> <organization showOnFrontPage="true"/> </author> <author initials="R." surname="Frederick" fullname="R. Frederick"> <organization showOnFrontPage="true"/> </author> <author initials="V." surname="Jacobson" fullname="V. Jacobson"> <organization showOnFrontPage="true"/> </author> <dateyear='2003' month='July' /> <abstract><t>Thisyear="2003" month="July"/> <abstract> <t indent="0">This memorandum describes RTP, the real-time transport protocol. RTP provides end-to-end network transport functions suitable for applications transmitting real-time data, such as audio, video or simulation data, over multicast or unicast network services. RTP does not address resource reservation and does not guarantee quality-of- service for real-time services. The data transport is augmented by a control protocol (RTCP) to allow monitoring of the data delivery in a manner scalable to large multicast networks, and to provide minimal control and identification functionality. RTP and RTCP are designed to be independent of the underlying transport and network layers. The protocol supports the use of RTP-level translators and mixers. Most of the text in this memorandum is identical to RFC 1889 which it obsoletes. There are no changes in the packet formats on thewire, only changes to the ruleswire, only changes to the rules and algorithms governing how the protocol is used. The biggest change is an enhancement to the scalable timer algorithm for calculating when to send RTCP packets in order to minimize transmission in excess of the intended rate when many participants join a session simultaneously. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="STD" value="64"/> <seriesInfo name="RFC" value="3550"/> <seriesInfo name="DOI" value="10.17487/RFC3550"/> </reference> <reference anchor="SIGMA" quoteTitle="true" target="https://doi.org/10.1007/978-3-540-45146-4_24" derivedAnchor="SIGMA"> <front> <title>SIGMA: The 'SIGn-and-MAc' Approach to Authenticated Diffie-Hellman and Its Use in the IKE Protocols</title> <author initials="H." surname="Krawczyk"> <organization showOnFrontPage="true"/> </author> <date year="2003" month="August"/> </front> <seriesInfo name="DOI" value="10.1007/978-3-540-45146-4_24"/> <refcontent>Advances in Cryptology -- CRYPTO 2003</refcontent> <refcontent>Lecture Notes in Computer Science</refcontent> <refcontent>Vol. 2729</refcontent> </reference> <reference anchor="UKS" quoteTitle="true" target="https://doi.org/10.1007/3-540-49162-7_12" derivedAnchor="UKS"> <front> <title>Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol</title> <author initials="S." surname="Blake-Wilson"> <organization showOnFrontPage="true"/> </author> <author initials="A." surname="Menezes"> <organization showOnFrontPage="true"/> </author> <date year="1999" month="March"/> </front> <seriesInfo name="DOI" value="10.1007/3-540-49162-7_12"/> <refcontent>Public Key Cryptography</refcontent> <refcontent>Lecture Notes in Computer Science</refcontent> <refcontent>Vol. 1560</refcontent> </reference> <reference anchor="WEBRTC" target="https://www.w3.org/TR/webrtc/" quoteTitle="true" derivedAnchor="WEBRTC"> <front> <title>WebRTC 1.0: Real-time Communication Between Browsers</title> <author initials="C." surname="Jennings" fullname="Cullen Jennings"> <organization showOnFrontPage="true"/> </author> <author initials="H." surname="Boström" fullname="Henrik Boström"> <organization showOnFrontPage="true"/> </author> <author initials="J-I." surname="Bruaroey" fullname="Jan-Ivar Bruaroey"> <organization showOnFrontPage="true"/> </author> <date/> </front> <refcontent>W3C Proposed Recommendation</refcontent> </reference> <reference anchor="RFC6189" target="https://www.rfc-editor.org/info/rfc6189" quoteTitle="true" derivedAnchor="ZRTP"> <front> <title>ZRTP: Media Path Key Agreement for Unicast Secure RTP</title> <author initials="P." surname="Zimmermann" fullname="P. Zimmermann"> <organization showOnFrontPage="true"/> </author> <author initials="A." surname="Johnston" fullname="A. Johnston" role="editor"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Callas" fullname="J. Callas"> <organization showOnFrontPage="true"/> </author> <date year="2011" month="April"/> <abstract> <t indent="0">This document defines ZRTP, a protocol for media path Diffie-Hellman exchange to agree on a session key and parameters for establishing unicast Secure Real-time Transport Protocol (SRTP) sessions for Voice over IP (VoIP) applications. The ZRTP protocol is media path keying because it is multiplexed on the same port as RTP andalgorithms governing howdoes not require support in theprotocol is used. The biggest change is an enhancement tosignaling protocol. ZRTP does not assume a Public Key Infrastructure (PKI) or require thescalable timer algorithm for calculating when to send RTCP packetscomplexity of certificates inorder to minimize transmissionend devices. For the media session, ZRTP provides confidentiality, protection against man-in-the-middle (MiTM) attacks, and, inexcess ofcases where theintended rate when many participants joinsignaling protocol provides end-to-end integrity protection, authentication. ZRTP can utilize asession simultaneously. [STANDARDS-TRACK]</t></abstract> </front> <seriesInfo name='STD' value='64'/> <seriesInfo name='RFC' value='3550'/> <seriesInfo name='DOI' value='10.17487/RFC3550'/> </reference> <reference anchor="RTCP-MUX" target='https://www.rfc-editor.org/info/rfc5761'> <front> <title>Multiplexing RTP DataSession Description Protocol (SDP) attribute to provide discovery andControl Packets on a Single Port</title> <author initials='C.' surname='Perkins' fullname='C. Perkins'><organization /></author> <author initials='M.' surname='Westerlund' fullname='M. Westerlund'><organization /></author> <date year='2010' month='April' /> <abstract><t>This memo discusses issuesauthentication through the signaling channel. To provide best effort SRTP, ZRTP utilizes normal RTP/AVP (Audio-Visual Profile) profiles. ZRTP secures media sessions thatarise when multiplexing RTP data packets and RTP Control Protocol (RTCP) packets oninclude asingle UDP port. It updates RFC 3550 and RFC 3551 to describe when such multiplexing isvoice media stream and can also secure media sessions that do not include voice by using an optional digital signature. This document is notappropriate, andan Internet Standards Track specification; itexplains how the Session Description Protocol (SDP) can be used to signal multiplexed sessions. [STANDARDS-TRACK]</t></abstract>is published for informational purposes.</t> </abstract> </front> <seriesInfoname='RFC' value='5761'/>name="RFC" value="6189"/> <seriesInfoname='DOI' value='10.17487/RFC5761'/>name="DOI" value="10.17487/RFC6189"/> </reference> </references> </references> <section anchor="acknowledgements"title="Acknowledgements"> <t>Thisnumbered="false" toc="include" removeInRFC="false" pn="section-appendix.a"> <name slugifiedName="name-acknowledgements">Acknowledgements</name> <t indent="0" pn="section-appendix.a-1">This problem would not have been discovered if itweren’tweren't for discussions withSam Scott, Hugo Krawczyk, and Richard Barnes.<contact fullname="Sam Scott"/>, <contact fullname="Hugo Krawczyk"/>, and <contact fullname="Richard Barnes"/>. A solution similar to the one presented here was first proposed byKarthik Bhargavan<contact fullname="Karthik Bhargavan"/>, who provided valuable input on this document.Thyla<contact fullname="Thyla van derMerweMerwe"/> assisted with a formal model of the solution.Adam Roach<contact fullname="Adam Roach"/> andPaul<contact fullname="Paul E.JonesJones"/> provided significant review and input.</t> </section> <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.b"> <name slugifiedName="name-authors-addresses">Authors' Addresses</name> <author initials="M." surname="Thomson" fullname="Martin Thomson"> <organization showOnFrontPage="true">Mozilla</organization> <address> <email>mt@lowentropy.net</email> </address> </author> <author initials="E." surname="Rescorla" fullname="Eric Rescorla"> <organization showOnFrontPage="true">Mozilla</organization> <address> <email>ekr@rtfm.com</email> </address> </author> </section> </back><!-- ##markdown-source: H4sIAL0GTl0AA6192XLcSLbYe34FrvQg0lNVFqml1epR96UoasRuLbRIuT12 OJpgIUniEgXURaJIVfNqYv7BL/bvzZf4rLkAKEruMUMRIquAxMmTZ98wnU5N V3aVfZ7d+1Rf1c1Nnf1i19nxZd7abK/r8vmVy5o6WzkL/59nJ2+Ps5uyu8y6 S5sdW+dK+PKVdfO2XHb4+1HbdM28qbKt41dH2/dMfnbW2mtYHv7MPv1yfM8U zbzOF/DEos3Pu2lpu/PpYrFy5XzqiuV0deWmD78z87yzF027fp65rjDlsn2e de3KdbsPH37/cNeslgVc4J5nz3Z2d41xXV4Xv+VVU8O6a+vMsnye/Q8AZJK5 pu1ae+7gt/UCf/mfxuSr7rJpn5tsajL4KWtY6N0sO7lsFq6p6TMG8V3edmWd fNG0F/B583tZVTl9YBd5WT3PFt2/Vs2Nrbu2Wa5nte2S1Q9m2UfAUtPKTbz8 QVvO0883rW6v2n9tz7vFbN4sjKmbdpF35bV9bkxZn4e/MkTxc7px5Fing2Ol U+xyPLlp10zlVzi7k+Ntf5T3aD2PM/qZ8raOZ9nLKr+y01/LShHkv9ybZe9s bX+H48BP8cCeZzvff/89/elsW1qH0D/P3tp5twLI3jdwpnBztt8slqvOttnx vLT13GY7T54+nGTHy7asL2w7yZbLGXz2+B9//1873z00sODx4V/e7aU754/g 8Gz2j7//b/irngKVTN/tzf/x9/+TL5dtk8+BkBvaGhxciTRXZK/K8/PSTt/Y qlrkdQa3ZGXnkAMQMsTY4S8H2VKQ4+7AzptZ9kub38x/X19FGAAKfjTAwF5d r/IqO6xh0zUdAvy1366XXVM1F2tASH1uW0RFHwuPHz6cPt59gjj49eDlx5P9 FAm/2jP4LNuZPXwOlJZX065cWMTvYlXjhvG4X9ruxlr4v21uAKi7tgRn+tK2 F1fXpevSb17BN6sW6L4b3PE+b/N1Xuc9+tifZT/buoa9uPSLl7Ns76w5y9NP T+ABLZyG6+AZtk2//Bm/XOVtY9cJqneeTXd2pg+fDRD+66P97KAou6Z94LJX KImMMdPpNMvPXNfmc/jz5LJ0GUir1QKIIytIyJ0Bfa6Eo66AoxxxVJ5yFJIK yMpXeZdftPnCnADYbglyKHubr5Go7XzVlt06A84VQTpH8qfzOcHzCXcoE5qt VyB7p8cfT462Z9lxuSirvPUPRiAUwKIPht7nBbcpCyR3AOCsrAvEP15bIHkD uURgJGTisi0mpm3iiePDI7/OLEMuczaFB/lovqo6ZLFFs6q7SXa26hCAdTbP Ebo8uy7nQJB4xZk1i9JVNi/gCBq+LvOAwj7ybB7AqS+ypbUtPPhd2ZUXTMed nV/W5b+vLAFgCnte1rCt7jLvsnKxrCwepOwFFvz4ep/UB0ELrNWs2vwCr28A l8uqWc+EJBZlUVTWmPvIn21TrOa4BhKIR/LGI94C7G9nt7f/Av/vPHoBz3z2 +PHTL18GWtRs1qJ4O/yPNz9+8hRvRsKU3ZW1ga9fH77/y8HHo4+H70/oGbCt L18AO69XLTyjJTDpiUqUGyFmQqNn4i+42tNHj7+Dh+Kp96m1G6dWgBsJFSHD X3CRR9/t7KSQ5y6iTXncVC9/8t3TR7ADYw6JmAF8t7Tz8lyJcYLsl8FWLJ0q rru0LapCWBmMCSAQtFWAwXDZCW3eRIIesXxm8bKuhDvOgGzx4HF/TsyaIjqQ LViIjqK7bJvVBbORnP3cgpFAgNnsnCQzCujOAfpTOYsU67L5pcVnIVHm2WXu LicApYlunKByuQbSL1ThoO0EKh7udPR3/ESm7sDB+D3s2MjO4QkgMi9BRwMu RRl4rtpylo6ToPsO9wLHwFpkenyw/+Jw+mpG9lnbzW/s2dQJjUzzdn755cu2 EUEQVry9/Qn+nh6+Iirc3X0MR37WAN3JlmDLC+DSvC7dgkFHEQT8Whv7mXRf FRaT89iE3+y8bRaw4Mh5zcwbsMWuUUd2KMVFziGe6gbQBWr2gjaCahz2j9TI 1A0WYgPEfb2qatvmZ5UlA6EOIhOElK7G0g5UEOB6qBS2wBTbDtfc4NpENvwR sBxvHT4q28Gmo42S8AOwkY+9vN0zbjWfw87PV5U+BIWn81hrLVMd3C0YcgIE 0yHCOAezAgnHjItc/HuJJvC8XOZI0ZuVYk7shmdY02HQ2c5zZDJPmiC/YcsM FfEjM/ZQG8EWluA14BPo+Hh/8PS9zCWaj9i+gc3hQXmJ+hW+zMhPmMFWiJNV ZxHvwHoOzAs6XcBPVV7Zag1fnducHwJX2c9g/OAVrCUQEYCSlTWC+TpvwZBC 3IJ9QWivLZ5U3grH3d5WsIvOAQcJfXqE5mBGm4DVhVduToyFGBuofzw3xRqh v2hrieTrgrUbGDi2vkBRyCesJsbZWtFOcjFgMiLujIjbjR1nxiTqlwN4U63r uaqsYF8WBaTXwakOY0XBTh4I5zVtyPgNwR5ai9aAFZUkcDI9BZQM6DV3Dn5x TJ2uvABxI2LBi4TMiwQAz0uR3Jm+nEzBtZ+XVV6iXgKnYZ2QBj0MIUQxXjQo gcwF2KrAUdZGDw6MGoGGYsk1dISpTGJkC/HOzACg5vwcuRyPDCgRTnRF0iuQ S45Mu4S9wpcgdRc2J7PItBYMHHw0bKlxqOlRAgq7McWAjUxeGUA8wBtJ39vb 8EyARYQ/8FYD5gJ4AtXalU4ljAVI5yTlesCCadPaSmw75q1g5PqdExvgnTdN C+Lv3rtPxyf3Jvx/9v4D/f7x4L98Ovx48Ap/P36z9/at/0WvOH7z4dNb+N7I b+HO/Q/v3h28f8U3w6dZ76N3e3+F//Cc7n04Ojn88H7v7T3lQZPwIFm5hDGQ RLZjEyjsCO55uX+U7TxG6gLG2N3Z+R6Qx3882/kOdKkBAV7zw5oaBBP/SRY1 OLQW5CIsklcVSN5l2YEwQcoFlkXmRdGPFu39bFNIILu9v7pyX8jmAsm9yc8B iEC1ffkyQWUOVDovm5WL9QQBEeTAHBhjQUIdz7YF6zCn81LLBa4GXVXhicsF FTM9UYvQ+Rw8NXIzAKl5W2I46kYFmFcgwN7NvCSZQQKJnyNKH+ABCxGQBqqu LpSg4ALUKyDV62LZlKRxRHPl839flayzN+mSoWrGO01eXOP1Tqyz+IZcFT5i FnYOMgG1eZ15qwAfzc7RvFmiVDCDRRCVAwcqeEeiChWwVZ3fkPygSycGJTwA QcqvBAPMViV8JHKqpCNJPS2vWBVGNCUHyEeNO3DQHK5mXQdSq3SXfKyX5QWA Na3Q7TBB0sHZg2IC3wpDdav5JaOq4bDLuJGJYq7N2Ko1iemK1MnKsqqaG7Qv A4KRDUtWHHoOkfHl7UkjSFxnienF8sYv1px1KPbxATEZ4vGD1EKdHX8D2BUS d+QMGzUB826D4QeWinq6yXNLoiPYlagDoQeDVhg8ohZlxSInPgCxQ28aJR0l /PjULT/OKHUhfOCqUCAsBhAotFQF7cXDvGlBO3fIaT3SMptJi3HMz/shuwzW e/oV0IJf3vwxyt27Q7IVjWVhASYORi5U3ynWL/NrUspkebNnsDZoRPMJo/Oi 4dgGDUVUthhSOJMIG2/CxZYFnXleVisy0sxi1WEgsOepokywNZ11qvdBdChm FsBWYNSgSRQBoUbpTdugSlcCBTLnLcIKvxJFxICLPaRaimw9+PtzN8EYTWvh c+etxLzTb+H/VVWQG6LUHK/K7jYsEK09ZtOL10AhI3LN0X1wTYWWeBMc4tOI EE/xXtCiq84OLSEkAvRugDRAB9DzLwS4yPQizz8IIzi42lZqQAZvAwUJRiKI OQGMKYPnw8HCy7CYj0ZlTGxgQoJEaospakrUE6imRSFuPTra38eYy08UKdl9 AmC3SN0YU4Qjwq/JxGxKMiitCYabBhHTWFnYCkoPkQMYksMoMik5xuTCFmVu 8JoJy0pFDn0R3+xsxZ6ycHv6BLT5ztYW/k0fLedzgD94MaRAQbpbQAaYjd7w i72bYAYRNcKmjFu7zi4i+xmxQBbM/ewtOVBIDmK6vCYHrSQr4va++FdpiE5T V2SG26VFySv0dLcRjlyGjgP8GumrcA8/jbeZL717w8ZBJLJhSeR5OLObfI28 e1gbNptWQP7PjdmZDSwBMvMWDZzc2rvjHoFDd0Gpb00R0CxDLl8Cfsl3RUpZ UvwSLp1QDqpaR2pQXAa0LsEXuIHfAdu7s+x9o4LjpgSiDYEHuNurligQI7YX 0c6qrkhURiDhIgRrE4zGzrLRmCxBm2HiooOMHU7v7aEmY9MhJyW2yK/YZCMu bVcLvNTHCERuGrDsOssHR45ejHb0TBDrqlodADO/JN2HWIpMwThqx7o+u4Zz KEYDdKg0lp0uiquJXpd8nAnRp1ZE3b+BXiZMwR6dBWThej6YAw8lcwWuqPzH MxAi50vwFKLQjO4Nl0TiD+QChrBtBZEREgHfxzHzKTzwPWqRQcCmb7AlsWk2 ythUw3iwWG4TVKZowcZCCWNWSO22moChUuKaxSKIPOdZHFmL9wTSiJSj0CdS ntfOG2S6JkB7u9doDdoDCzwGH/TJUwMSD5MCCYUkLvRQKdLZgHPc4s6AjYRx AwwLjANdUOjj9rYsEjHpH8EGf4hVkK0XUCMikHKF+Zxhpo1j5n4/uM+39yMn vHeiKBN73vZWnoSQNNyx82S2wxGPn/67xOaf7jwDxxTjO3CLD8Skt0mU5KdE FW+LkXJmPXMVFoMGGGHdaJSV533BYEsyghLTTLTghYXd1JY0WrZVzuyMTSwx km6IPmO2vcldZMZGx7yNX5nYdBZrcJk7MZsEitIlcchIt4Ad20MzmsA+Kkb2 z2EvM0Xns0A+zFkkMn8XOQCSsyoTBkQdI04KwFbYz/BI3jg804k1VpRu3lwT nHkvwuuAAQtvP+iNwQimlIMhtYYuPGIgJPyOiePrfoiPHwp3l3MWw/B8EFwk LdgIpgWBbtHMJTi3WGjIIUhQn89r2yedwPhh6yO+hZWAD6hvc7oI7TwMETT1 ZJD2E1e6dbI7sS4lORNQQ9swHTHdXaEQFnmSEAI1Sqtc5gXHvHNT25tqPSUP 4QIsfDgOCzuz6s0tAVCKDhUsfNh2g5vkOkEnELVF2Y8Zp3Z6XTKdMZIBGXZ2 McNAFNpvrUaCSACKiA0L3tuOfA/j5Aw51C5xkrxC64TUAaADYc7BOkHj5weO yPRxSjwNhlEFH1VMVfJMDq6gsDohy/eILN99tHz3xfK9vR9bjWRuf7uJjII4 srPZtY1sX2aGwMJ4OS2qOhkk6AItCmH+SBeFRIs/fTOUTC4DPK69A4PJAQ5m otmAuCLDfUliGo4Kq5HEHDX0DR+vhO7YzPYSKHYS6WKm3YYDGhg4RyxkF6uy yMGqRsGyqnN6vC04RsgRGNYmCDWFgTBOQ24p2kqF5Y0LNBJ9I9PTBD++4ITH isy8uU+gD29j5tX8BH3bD3F6wMnJJF7tQvpmY5wHA/Dw3aF+570jSXShV+7T fOpu4x0teh2uY7OWo20Y2YiA5lAK23waB0KUKde5dJ1oD5hDEpttwvarRwg6 y7xkmp/Y6Laql6qiAKSjz4f5IFeCmzjaFSugJEQVOVlprig6kjRbRDZ+SL8R 8AaAp62BLmaiIskS2OW6tDfeLSnr66a6DuqiRMoXLQP28YqWIxe+q9y0LCI0 oOn5Gi5lgm8wpn8VojgYwm1QsIadTMivY5hqqxZZIHXUD8H8ck3kIaF7FWhc T5voRHP0Ns1qotkG0Jl8GGIbd4qIEQdcgnCSeGY7xgD9ALhEnT5YQZajhH8Y eWDrXzdlkXxDqyQUNTGKVBYBp0oxCZIxbBQBlEgW3DWYo53xYqvPtl4Xw8O/ Dnt3uQIzqnardlPchQuHAgGMpiiICDz7v1TWuL0PVjQT/DD+KlUR54F/tjZX O6B5KtYGiZqjvePjo+bjiU9fJ7JpK3Fl4A+9XAofntByADdlGzQKd2cawUdi RxICEt4NoWSjso7Jj4Sg1jppSUUU1760PrkyHmgGmmaziA0vjpMmIJB7ehZK t5xFnymp4KJwbC8GMRKQjYzsaZTxUWgnPrNDK1ByCOVoXl2hTvfgR9D2guNk wXLhxzrSD2MheiMBzGuKfNx1QIOHYujyGgxNCUiwc+DyRRz6iysgfJSe3EQJ BavbaAL2ZNuyXz0uv7kUOdFVFstZKTw846opDIeDeTtJ75cyKZf6AlFZS4Op XeQZXND4zZ6wAAYFo7HmxG6hrfng4Hk+74LHwaWkqliNINn2QOgV6aDCLVvG G5wOB8BkQeEB0ckqV3QBTbFogs8NEoM9+gehg8yN3N/Xs5K6lnqZPlyCS8K1 odAPEUNsuoVPJcPtFEeDZ8jOMeltrzGPemaZYHj70daUHqN90cpqwoeKE+MD GxKgcly9pwHrCdwANEV2KCUDQZNh3WYpdRZqCEhk4vaWqqqpMo8C90sMPTXV KiTp0RIRMsFqmtUFWJpiYIe7mWGjkLUJaSg2DKsVRhQ4RJNr3GSQF2nAgN16 tweOQeH1i5lT3fRFmy8vy3lUAJdlB/4hlDyTswkiK3hwzhfhmVSQ5l1cigc3 sDZkdUwx3YwKDvF4Xpc1Rw4EfOMLIfIMgM7EL2d6hkPxoE68pcKY8JrTJxJr yfWFiitCdnx03k/jQ9FTgpP7mEvkggIHhGour4UbuhGOnEowjt2VM7SofrcU wZnSfRXYOthCwE5Ha6flAnY7ba0rsTODcoeXSrMRm+sxG7Kd0+30/YbbWy0Q /K0sfsMFiYx6J4qmlSGze3C20drIRZy1TSAb7BulLHDj3JbXDEScEjjccBOd Q2QMKiAF0YQpkzQNRx0cc3gpZYhJgYLGdSUTReImLcka+KRJRdwg8xW8Y2+H TaIwPcYAAU12gH6MKpMQRDnPhN60FEBtjEoJ0mysXXyEdhJlmKkmZ+U4MnTq D1T2CAd7asIpSa3cyFVoWyHJaNREUHXap5BTszVGNtvBD8DkAVgXzruMXodT asKiBq0fdBTkrTqKhqRRQolvHHzOSRSiOTq1/McXLV7O5AMpxCFsKhlMeSE0 IjmB7SPLXnnKkwzWBqa6bSxfqVGgrfje7UxSti7K/IPv9B6Ts0RzR3nn1hPR jlG6wWi6gU88GEHyua5BUp8eEevYZinnYwbVKQLnD8GSTEK8I6vCKROUsMm/ /e1vJpNrhj+KguEP3Q93bp0vX7zfHrlgij8jn9MdR9vURvIfY9/f/QXf92da /FgPbYefNv3xa/dlstUX73VrL46+5Xkbv+4BsusB+fr+FBDCJIPx1edt/FG8 vOj/UOU6HdLkaHvw7dfgvPN5WyRyXygm/2WMCvhHr6QtbxPN3T7P7vc4lzut XtxTCbDnU20DZ/XelyQyI4akBOiUaLmgKHFWVLOgAYd6Oy5ZMqP2bMQ1IK7o rLKto21Nqumz2IynUA4/FpQninIs6KvWUm4HtnzlErVNmjbhS+bErYi0OVdi OOyNgXkGQi0IDZlicHG1RN2IrUEaixJ5OSHjggI0/dCeoSc+cJFHBxIk9ti2 gL8JeMAPK+IEJ4ICLSlU2bMVMUWp4o62oK4cm2qwXGUvQPsssFgKbWEiWV2m V/RWlL4girVMT+7G2hQrHzjlh+F78LBqf1wIgVudgcPTrdCw0babKbgLNi09 AtjJq/TJYgzV5HNMnrJNVLpJyFyU3nMIlerluX9uqXUSpgb4MSK3BANy42YA G6G+aJLpwY8XhTk0oUbLtmjZqJFDNEI9spIsEvnC4XgBFtflnWajscAVdG2E UnKYOGVMNS9Mivy08Zoqr4mM5hHiq7XBBGt0JbTGKOCv4/onnxxh4zS2Usga PvC20O39gRnDsmRo8/Ts6HneYtfjJlO3FwhhZ0QqYXHf6nmEBdE34ruY96NK hpfU6YOxWBPciuix/XJL//BZtBl6ym+Y7jz1ucmRXY5Z8+b0QK5T2fuGruW6 0klk0QLpNDfSJ0aW1BrW+BwXLmig8JEECql/78uX52p8yKLZrTSiNsscAz4i pwjIPz+czR7t/vgDXvElGwPtB1rMcAXeeAkpovsM2czjnBI2XLEl0tK7gIx0 Z/Ls+M3edPfJ0+TQA7opwGgXy27NAXnfQIbnCRsgM82tltTUxxIpIgE4LezU BlQ8x3A4W/3desklT8M9TFCYKEBgA6MKQE84VMTnBehCtDazDGUCZs6YBFUG r6g/XDyCn/b+cvj28OSvGGr97un3T6mPhjOOCe3DaiK0k1ZQmmUQ5/oIR+er WpoXzGFP8bpQtuA7887WnN2J6nMHReSaSDdcdGVHlTq5RFHyQY7lLopHdxm5 br9CVx8b1RsUNVOulJjTp6HnIuXeKRdptCBS9UZzUFPExBYHcaLDU0iP9bPf bduAysEOooTcQVPaiis6uWyQS4fIe6Zw9J1cnGBMkvOocpg+N3nolHBUCcS4 LBckxjvU0VhYq2kc46MrWqBWVqDDARr0dBYWxw3kFVCsRpNDk8vIuZmoVLgC yUGcKBYdxlx+4MMgsDzR1M1gHSBcEyM0IIQ2QyRHZouGWUNangILIwUkN+DS d2ShlZw3Eq++rH2NQUITvvXNpDlA3JzKgJ6gQblMXIr9v5RNGj3xQaM5qdYI c3TlV0nj3d5fpXrOcJQoyr61USiLTjvJzfmmyzRORkfbUY5jHQdoQwexJmvv AouSprWNIxGanIjW9OFiin/2SpO51HI9po7DgXEu5uvMQ9XJaJcSITUBLw9R Ojza5YgbgUaNu0RgHGBGmPk0qPHLS7EmkkyAXjCwstPCYtT1N9u2TXsqHEOR DjyZndmjyVfPk8iZtBhVyrWe1OkL8RxGhJKGUdlsuo+FJFg523GzWs9+ipJ+ Ks9RMvXj+0HRfiU1WIaIMNfP/3z84T0Wm+P/nPR7gu1azdm/Wc19IM/UiK1C izXx4gyLA0TI+L/hWqPXslny6eT19BnCAb88ow76p7vfUyVEbMesfcXdM63T I4gwQn/CdddYKP6tBC2aivt04GsNqbMxT9mheWc7qTtTnY650Dd7VBq4++ix hPfDaqyDgADlXmppAlhi5XGaeSmsXqrUZWDlv27DDYSXWI5UTTCS6vYmEYee c2efUnvdy73jg6ePaaLC08fPsH8TcU/7Y+AY+9GnITLYP8Ov4NT4ADAiVUQM yUKGhviJ826hQkIfmO7L+H1N4tPJBqfDFCTHw4UAUhWX3OFC9KBHJwG/5Jou nV2BcsBsC0I/CZazOQ3xEGWlKW3hlO0BVtF03mPng7MoFtj74UxUfNrjPrA0 T09PzYDHX+gWt86ePma5tLUJnO1tWiNYrieBIEaRHROR41NiA5nLMOb5sqOU E1iZPgtMqnSJ2oBSBOERU71/RPBwTEQIFVbD/hk6yxZd/JLiu8ARnXXLHO0R OmIsQN0kynyukg3gBv3qqvzdFj9Qb6jQSE4JJ4xPfLM81RoH9ViYcICu5p1P TPiyiagmQtq5HcZ5ys6Le/t5mdec/tGk/qqihpZFgrzAhvGQi6QcDOdzPFg/ 2DaXgDyMohDp6YP84WHgiisz8aSWK1JxQkNjQsuo0OoLK2ZSX13iawzgd9X9 fcdZ+j08J0VMlJ1iJN8WU0+8RYlZ0yELHXrqFMbxXBPVo/y/sMv4g5VZNlfi vI6jjbf3z5dfoooRFGVhtEuckdKMdmLMN1pUFgrH2G+KY2jemvUfKvIwgZNk AvEBG7o0tO29bT7z+KU0ocyxH7ikwj6H3PXmRkjyC/2vBQpcjPdS+kh7sIeT Q7QW8gCbbkutj7uz5V98VqpwBGNg2VDHdyjgkHrbDm30qJKeS4DiUnnl0VZC bDjrg1KrOuyjV5wT8nTYfK2BRkVzv14pjdn5/P1YN7U8XUqgaXqDdDhH5Tay bdlmgciijJiJ+oXIIqYApk/cSdCK627AG5mQSw4AeiNCao58mXi/Woh6vdsW S2J9wClUNY0EHLmKRfpNcwFuUKJTanM71cLodT7bRSXOUowaf3RH+2wvxhng 5JBrr9kVmXCkU0fKgkbKkqLMoNFmlv8/VUlGqpJ6qdLzZZQqPZEhYVk042Qi qUiJYUf1nVrv5vdM5++pDo4nrxaNwzCInZdO+twClQDiP9RiZWEnQWiqcp7I wuqedCaSkk/ylYhPLb9rqBhSO+8vgRRdF9f1ncTzf2AV8LfUPua0aso4HDPt NcUl/cjOUHBwc/kpCjTu5SQPXjuSe43XDKlJIU1qxnyL4wCa0b1KzpcLSrgO ugn6ME408FwIQsTdy/WaBSNEFFGVxOGwLiBuD+wVNeggnl6NnAZENHFPqXcp 26XQEHehYWVaaW/Ivi7aZgkcDLd3oZpA+73BRyEx2H8MJlamlExBwUPHlFZv xxUDAAnwKapRXzQQ9xrlFJG50WF3cimOMzI0mkH729AO6bTFW0cCFXbBSML0 POVlMOoTuuwiHU6xgxtp+4575pIjlWZl5uYbm1/VmGDRDiopPvvDmfw/msf/ J7L4nHP+EywbZTn5+Xfk8MNd0X274b7Rnx/jeoHRn95SR7TUn8JdPRDp+z/d BeEfw8Z/ROn6HU3Ob73mkvDtwXc/pvl+/GZXc/r+rj8Pvkuf9Q6ZRBfsPSv6 rvcs+kYX7D0r/u5ubGz8fIANv68ft16BYBgtMvijz/KFCAOBsKEW4Xhua/BQ G3E4YtP9nhYpYdWaXDYRmzGXOSFRw7Eqxr7RhQaj5GuP46laLL5IU0gbI3yD LWsPpg+2J5wzpz5ZUlB0XdGszvQ6s/XgxYNtkYhJ2VE/wx6XFGH8qOGqBVA7 lO0hefHAmU3l3VtgJzVe4z9AlnmwTXHtoa73WDCbs/kBCeeaH4stDFankj9V LQnb/IA6MBlLFqnQsdqrnFEYRbzLpGV1ln1w5H6eVWs1/eJrvaLyvYOwCd4O TqfRT6XJw/UPTNWd5idQcSslhHItGQ5r9GoeVsv4fkDi4YH3CwWVWtZM6tbZ uGgb9h839GjdxgP/2Q5RjN8Qam5KuGP+wHmQyaXmvDxVjugO2Rz0JS1M6MaX WqBt0XKlZN4NoY3J0A/FHdm3oX3vPkjyrVGpwGYEKD36Is4RDOwib8kIHYGR Ejq+7kAWpcwyOSW+jNykmM6+AdMnI1B5QzObZjFck01FI5iXdKbHF9QzbdWK YzuQnVq+Z+AfYX6SLGFbYFSLwjnUeaTXjN33tQoUrXtE41irUL51hUgioZHO 13E/y1hjjPLLzytAPc6eFIuZpbnUjXqfKZSxmH+ujCVLyljMHyljkVmafIXv b+t3BA3pRKlKqxzMZkdGORovrRvCIlM0+gk0W4XH+dKJyAgv4v50ANYsWJXk loRmvJqHHUY7lSZ8DgViM9x1cH/I5tdMZn4Gf2oHkFwAmAE8r7BWjNsGNUec Y2c6hg98VUFiOTMT8FJBjQRxReETbPXxYpbm9pjoW0mrcq8zOACrpSqSEGkK MztyCqXu7f9CTjF7YWao90YPg7fAspuUQ6ISIl0QwMN4LJhEy3TAZlRuJiPb kuVoVoxzUiRtZC5rdFYk4HDWAfrfsIEF7iz6Kq8AacVaO+Kj4bn4HBNpxZhW uBl1zNP0bZ+O6ybhj3UjswoiB563z0MuQDNjztR7QSmKJ1misgIPVQ3OGajX vSk/ZsDanp1zd6Wmh8ZHtS2W6ZRQ/wGtvJsS+8PYneKlAvX4IQ7CvLQOl1RW 8cBkzOSecZGABGPTqVkcHJHRWevFwnbtWnFAEuLcbRj5TlHh/izn4JES//rQ sgRXJXK3xVW7HP/T+CE1Q2HRVi+sRHWorsSYbl5bKn6d6HreWd+S89n+Wj1k gMJx6q2MkoexBTpNh06bO6aaScJh6gu1PGsNDMyZZmcO9w+wWAr+k7HzT+I8 zDi1RULQ88Q1DcTAjuhgLwbLiaEQrTvR0Sxn3mjk7gS8mQbG0FypUgbbSnGB xk+DGPRjcjhk+ImbKfV9Mz7rc6yNZ7f3cfdT3wp8V0caCkyHvCQlY0xw5yUP OkuD2kyAWXaA8jZEF+l27f+iypc8WzGM0WrSkYYcYeLGIQSQB1PMLxtvvYT7 whD3uCEs9CRh7Dn0gfXahNBaCR1jmEfxW+zWo0sbnvyrNtSNpBWoJTY0dOIt /Xa2KFEfa7B4zL7FJaVsT3r/0GY8DuI3KpXpTaghZMRj733fOTNDgNtIlE9F OIXQce5ZGIfOBxDJb2JMF7gvlvsmZmWtQEeZ4TMkKuI8oYV5FHjPkBguSpq6 2iR14i7Ko4/PQwjvRXh1FMbxy+uSCrzcFctQcMHpQhyRK+oublY9U7jo6pXD 1k/alcx98+zpQsIRZZaRikKiDNKfXprRQVDFH5LZaENXr/KqkICj0tTgNQVU bhrOMhpfEvv7OQ8cTuoySD/Beq1/MYWPCp9w0oMroQdFFiNo50ZGqaD0+ToT ZlyT3MWQuPd0eiCNbm6s4DvganPNd9T61i/7jlE9Xvk9TpCM1tpE1d4439Hx ZCtJk+u8xEmENC6ylPLuGH2hOiXQD1L1sLBci8oK9otqe9FgSMUXYyfH5osS Sd1zutuFiSqDukR45A+SRABT47IpqODIv11C+d8/VMarclY6WY2zf1LGLhhU zyJg8ttr18e5IpSv10ZrxEXTHRZ/qHT926vVA0R/3n04m+0+edKvVveQSKn6 a8YwE8RpvCOWPf36obQAK2Y7P6iEiCRivWQM3bfJP7PVxQkWWVnrkPZevn8t ZR143Nuig0dlgEmqftKKvL3j/cNDhIh+QaPq4cPdh9QLzxYXVjug5Ph4sn9E k6rk1TdPnjyU3lmqbZbSgc9SDhPXRyivmGTkYy/Ix6KM5gEkT5SsLs+rJBv/ hFt7TFQ1fGZrtH2c5ttcSMf490hRTYifGetnP+U8C9HIC3t+6r3ax8tLek0E w84myScnsP5ngtMjAE0sQtP+0fTdp/8m7/3Btc7lvUVUa+USG252lwRMlI2f IkDt5XG1PKJsKna56RVA2qgKNblpqsZtXD6/hWyuUVFyJXGSCB2SdFTDoezM Hm2jMhirafUL4EVYKJI2S0dvCxpwXKhbL+se1/kZLNq+nvLhiMZjbgizW+K2 92DoPgitcvHrduLqG6RCnYsBUoenVuhEPjQnmY207NGosgzAMyhp0WLpB6Sn 0oKupQFJfK3lVhXh23TduHQ1vmpkRep/MGkyPhS2f5X4NKBGQbSCbeEqKg5X TMOu2KiV04786KiInbsVqPzanA6aFkIN9rdXs29kGSloN/0U+jcWtG8s/hnO AIo6BnwYLe42iNiSDM8Ql4h4ctJrZRnlMPIQ/DOC5RLr+l77DnYcgHMmqQAf iU7fDcARi14Dlp+JwLFJfOWEb3mPxvHxa2DCiA5u+UxecXZXUf34+X2trp5Y 4+66era4eAKEEjCPNCQZkg60Rk5vLbabRBKFqBtlb+LzftBJeOHtX+VolwB1 Z+ho2HMMa+UXaB11JnmFg76jw0+2CHFXb63zJDENGuw3NfqjMj6aZuPC32BO f2JL0t/uDTsXCNNPwYlgIBs3LUa8oQjTfNVSW1l46xblNX27mbx+K2Sdkqkc ajs3jofYut5opyzeic6G7sfTw9usbvK1BuDM+KXJ0IcBDjiN4AcZprHS8Aq2 Mp5BPeatRe8bAKouGoKAU81RQZRGCmHBbpVHLTxnvrN0fMxYVHFmkqjdN03L 0jkdSctXeFEJdVfjwdplp2HJaFoZ+VcJEZk7iUixNE8osh9uDIxg6D0wcWoh cuPoAFBoD3Mq9HoKJRpi7Ct87QnOegtFPQwTS/Nk4L68boKjW+nUJU0cyItX opmUSdU+yuNN8zzj0L8iLcUHZk/QK4pGt8uBZPTmGPd8IIvCLHrkRJyIjMVR CSvS67RQ6vr4JJ00emyojL2K92jVAJsvYfwUjfIclcf+vMM7voajl8UFYux2 PmBAO/ONLxjUyN3Yjf2XL0hhYYFTw2hMVoQZEp80CC+RG3E9gszB1ylAjA3U wFotKGEtmk2zDLG69DVlYRBn3oYYEU9KyiWhhBFCdTe4NCPdjcyxiUode4/s knmemx+Lv8gt/nk4Z2m0Onsv5h5igqBhUi00zrwUCMV3s6xolKIDhtVS4iiA MelN/Eh37o8+fRs17ND4eVBIqj1XEIUXV/Mt0HTKuRADiwz4IaFOPXEf634R reakMN43ECW9gZSS9PMYkAJPjX55K2liyIbScmGdtcydozE8W/RCsyWPvY1Y Ewlxm3FruEJb1qIopPYM8Bj8MGQDEc/xnxhPWvWI8s4Ef7vpT7LtrapzEKO1 VJr24s8y0nzw/kzLQz1ImkRWPSORnxviZXQ1Jq7r/g7goPfBqkFHgrJTUR5/ PHkW+MI75jWlPlYtzot2G975mUoWJ3luEmhUBYPgani8bw1ERJQkJOJXItHL tcOc95Sco3dg6Ov74heIavF8IkVgExjbYHxzVaovcJJ3p/lrk/c/9uSoXnOZ R+JXMpDHOq1mkvl34Dq0ntksjjboFUevLivajtHt8BH3Yzs2dIqs77Kk/HRj wvaAZcX4lddQ70sAiLvU5NWh0et3+lOgpWKF37iigeCRTrOJZAz99JBW3AZg Z5RH4PVxnXT83qjNpOrf8KdUmrTdKmb6en/zWzaM+VUctVHYu69gIR6D7eMe bomvPKz9639HxuTBNl6JD9XTGz0jZ4telIl+CE4L9pO/q3VQFZ4ug47jihOx DfHNDBwx2PS6W3yLXOffYFfqiOXDvfd7I3QRb7+1FyVow5anxvUHBjCN3/N+ 5MkatN5/JffvnuFb26SGR+K5ITb9n77eP5uEgoej/ELhUCZpWWQSngvKrjyS 18tXP0igNX5biWQAF3l7xZx1b//NJDs4uAdrld7zng3BHPe+xyGNhxZSu0bm p7n8U8DCOgpuCiy9sR5fZ45nvDfH5r3KFhcUZdAD1mz4jb6sg5UgAabvC/Ed WDeoFx+wJsQvV5FXa47zRXY8bzoQGG9WF032S5vfzH9fX3Hhw8cS7DnQ4y/z tpap4z5hqu9MkABTg+9s8QO6SI7cUP9d67ow9x2s2F/Ayrgsr7KXsPJFDgYv Vft6GYHhB+QNw+2dTY+jScCsK3xPE55Ym72z7Q1ZmaWLXhtK8rzi1+14Oavz U2EbBWz7Y5PT2zOwgnFVZQez7GfsWQmg4AETQxIn+UYRAmxm/i8eEtWQe4cA AA== --></rfc>