Second part of a talk given on the VUC (http://www.voipusersconference.org/2014/vuc506-turn-and-stun-the-ice/) with Emil Ivov about how WebRTC uses ICE to get through firewalls.
3. Make a secure P2P media + data connection?
Use existing protocols:
SRTP x2 - encrypted RTP for voice + video
DTLS - secure set up
SCTP - datagram protocol
RTCP - channel stats and management
4. Multiplex all the things
Demultiplex by the first byte (B) of each incoming packet:

                +----------------+
                | 127 < B < 192 -+--> forward to RTP
                |                |
packet -------> |  19 < B < 64  -+--> forward to DTLS
                |                |
                |  B < 2        -+--> forward to ICE
                +----------------+
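The demultiplexer sketched on this slide, written out as an added example (not code from the talk or from any WebRTC stack). It applies the three first-byte ranges from the slide and, going one step further than the slide, separates RTCP from RTP on the same port by the payload-type field of the second byte (the RFC 5761 rule: PT 64..95 means RTCP). The sample packets are constructed here for the demo; only their leading bytes matter for classification.

```python
"""Demultiplex packets arriving on a single WebRTC UDP port by first byte."""
from enum import Enum


class Proto(Enum):
    ICE = "ice"          # STUN traffic driven by ICE
    DTLS = "dtls"        # handshake / data-channel records
    RTP = "rtp"          # SRTP media
    RTCP = "rtcp"        # stats and management, multiplexed with RTP
    UNKNOWN = "unknown"  # anything outside the known ranges: drop it


def classify(packet: bytes) -> Proto:
    """Return which protocol handler should receive this packet."""
    if not packet:
        return Proto.UNKNOWN
    b = packet[0]
    if b < 2:
        return Proto.ICE
    if 19 < b < 64:
        return Proto.DTLS
    if 127 < b < 192:
        # RFC 5761 (assumed here as the RTP/RTCP split): the low 7 bits of
        # byte 1 are the payload type; 64..95 is reserved for RTCP.
        if len(packet) > 1 and 64 <= (packet[1] & 0x7F) <= 95:
            return Proto.RTCP
        return Proto.RTP
    return Proto.UNKNOWN


def demux(packets) -> dict:
    """Count how many packets would be forwarded to each handler."""
    counts = {p: 0 for p in Proto}
    for pkt in packets:
        counts[classify(pkt)] += 1
    return counts


# Constructed sample packets: only the leading bytes are meaningful.
STUN_BINDING = bytes([0x00, 0x01, 0x00, 0x00, 0x21, 0x12, 0xA4, 0x42]) + bytes(12)
DTLS_HANDSHAKE = bytes([0x16, 0xFE, 0xFD]) + bytes(11)   # content type 22
RTP_PACKET = bytes([0x80, 0x60]) + bytes(10)             # v=2, PT 96
RTCP_SR = bytes([0x80, 0xC8]) + bytes(6)                 # v=2, packet type 200
GARBAGE = bytes([0xFF, 0xFF, 0xFF])

if __name__ == "__main__":
    for name, pkt in [("STUN", STUN_BINDING), ("DTLS", DTLS_HANDSHAKE),
                      ("RTP", RTP_PACKET), ("RTCP", RTCP_SR), ("junk", GARBAGE)]:
        print(f"{name:5s} -> {classify(pkt).value}")
    print(demux([STUN_BINDING, DTLS_HANDSHAKE, RTP_PACKET, RTCP_SR, GARBAGE]))
```

Packets that fall outside the ranges are counted as unknown and not forwarded; a real stack would drop them silently rather than pass them to any parser.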
5. Huh? Why is ICE there?
Continuing consent to send:
We are sending ~1mbit/s of video
Imagine the user closes the receiving tab
Signalling is gone
ICE re-tests connection every 30s
Can re-establish a session over different path
6. We know all about RTP
Maybe not:
SRTP - but uses DTLS to exchange the keys.
Possibly multiple multiplexed streams
RTCP too.
Optional Headers (voice level etc)
7. DTLS - what is that?
TLS (aka SSL)'s UDP cousin:
Uses Public key crypto to exchange session key
Session key extracted and used for SRTP key
Also carries datachannel messages
Does not carry media
8. DTLS - not quite like SSL
DTLS in webRTC has different requirements:
Does not use PKI - no certs to buy
Has heartbeat
DTLS is client server
Peers have to agree who is the client (rant)
9. Was all that worth it?
Probably:
Secure - selectable crypto suites
No passwords
No central authority
Distributed system - but existing SRTP code used
10. You forgot SCTP
Oops:
Originally designed to run alongside TCP
webRTC uses it to provide Datachannel transport
Run over DTLS (over UDP)
Useful semantics - more flexible than TCP
More widely used than you think (telcos)
11. A new layer?
Perhaps:
We have a modern set of secure peer to peer network
protocols supported by > 1bn endpoints and counting.
It runs well over the existing internet infrastructure
Let's use it to build fun stuff.