File: rfc8723.html

package info (click to toggle)
doc-rfc 20230121-1
links: PTS, VCS
area: non-free
in suites: bookworm, forky, sid, trixie
size: 1,609,944 kB
file content (2280 lines) | stat: -rw-r--r-- 97,571 bytes
parent folder | download | duplicates (2)
<!DOCTYPE html>
<html lang="en" class="RFC">
<head>
<meta charset="utf-8">
<meta content="Common,Latin" name="scripts">
<meta content="initial-scale=1.0" name="viewport">
<title>RFC 8723: Double Encryption Procedures for the Secure Real-Time Transport Protocol (SRTP)</title>
<meta content="Cullen Jennings" name="author">
<meta content="Paul E. Jones" name="author">
<meta content="Richard Barnes" name="author">
<meta content="Adam Roach" name="author">
<meta content="
       In some conferencing scenarios, it is desirable for an intermediary
to be able to manipulate some parameters in Real-time Transport Protocol (RTP)
packets, while still providing strong end-to-end security
guarantees. This document defines a cryptographic transform for the
Secure Real-time Transport Protocol (SRTP) that uses two separate but related
cryptographic operations to provide hop-by-hop and end-to-end
security guarantees.  Both the end-to-end and hop-by-hop
cryptographic algorithms can utilize an authenticated encryption
with associated data (AEAD) algorithm or take advantage of future SRTP
transforms with different properties.
 
    " name="description">
<meta content="xml2rfc 2.44.0" name="generator">
<meta content="PERC" name="keyword">
<meta content="SRTP" name="keyword">
<meta content="RTP" name="keyword">
<meta content="conferencing" name="keyword">
<meta content="encryption" name="keyword">
<meta content="8723" name="rfc.number">
<link href="rfc8723.xml" rel="alternate" type="application/rfc+xml">
<link href="#copyright" rel="license">
<style type="text/css">/*

  NOTE: Changes at the bottom of this file overrides some earlier settings.

  Once the style has stabilized and has been adopted as an official RFC style,
  this can be consolidated so that style settings occur only in one place, but
  for now the contents of this file consists first of the initial CSS work as
  provided to the RFC Formatter (xml2rfc) work, followed by itemized and
  commented changes found necssary during the development of the v3
  formatters.

*/

/* fonts */
@import url('https://fonts.googleapis.com/css?family=Noto+Sans'); /* Sans-serif */
@import url('https://fonts.googleapis.com/css?family=Noto+Serif'); /* Serif (print) */
@import url('https://fonts.googleapis.com/css?family=Roboto+Mono'); /* Monospace */

@viewport {
  zoom: 1.0;
  width: extend-to-zoom;
}
@-ms-viewport {
  width: extend-to-zoom;
  zoom: 1.0;
}
/* general and mobile first */
html {
}
body {
  max-width: 90%;
  margin: 1.5em auto;
  color: #222;
  background-color: #fff;
  font-size: 14px;
  font-family: 'Noto Sans', Arial, Helvetica, sans-serif;
  line-height: 1.6;
  scroll-behavior: smooth;
}
.ears {
  display: none;
}

/* headings */
#title, h1, h2, h3, h4, h5, h6 {
  margin: 1em 0 0.5em;
  font-weight: bold;
  line-height: 1.3;
}
#title {
  clear: both;
  border-bottom: 1px solid #ddd;
  margin: 0 0 0.5em 0;
  padding: 1em 0 0.5em;
}
.author {
  padding-bottom: 4px;
}
h1 {
  font-size: 26px;
  margin: 1em 0;
}
h2 {
  font-size: 22px;
  margin-top: -20px;  /* provide offset for in-page anchors */
  padding-top: 33px;
}
h3 {
  font-size: 18px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h4 {
  font-size: 16px;
  margin-top: -36px;  /* provide offset for in-page anchors */
  padding-top: 42px;
}
h5, h6 {
  font-size: 14px;
}
#n-copyright-notice {
  border-bottom: 1px solid #ddd;
  padding-bottom: 1em;
  margin-bottom: 1em;
}
/* general structure */
p {
  padding: 0;
  margin: 0 0 1em 0;
  text-align: left;
}
div, span {
  position: relative;
}
div {
  margin: 0;
}
.alignRight.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignRight.art-text pre {
  padding: 0;
}
.alignRight {
  margin: 1em 0;
}
.alignRight > *:first-child {
  border: none;
  margin: 0;
  float: right;
  clear: both;
}
.alignRight > *:nth-child(2) {
  clear: both;
  display: block;
  border: none;
}
svg {
  display: block;
}
.alignCenter.art-text {
  background-color: #f9f9f9;
  border: 1px solid #eee;
  border-radius: 3px;
  padding: 1em 1em 0;
  margin-bottom: 1.5em;
}
.alignCenter.art-text pre {
  padding: 0;
}
.alignCenter {
  margin: 1em 0;
}
.alignCenter > *:first-child {
  border: none;
  /* this isn't optimal, but it's an existence proof.  PrinceXML doesn't
     support flexbox yet.
  */
  display: table;
  margin: 0 auto;
}

/* lists */
ol, ul {
  padding: 0;
  margin: 0 0 1em 2em;
}
ol ol, ul ul, ol ul, ul ol {
  margin-left: 1em;
}
li {
  margin: 0 0 0.25em 0;
}
.ulCompact li {
  margin: 0;
}
ul.empty, .ulEmpty {
  list-style-type: none;
}
ul.empty li, .ulEmpty li {
  margin-top: 0.5em;
}
ul.compact, .ulCompact,
ol.compact, .olCompact {
  line-height: 100%;
  margin: 0 0 0 2em;
}

/* definition lists */
dl {
}
dl > dt {
  float: left;
  margin-right: 1em;
}
/* 
dl.nohang > dt {
  float: none;
}
*/
dl > dd {
  margin-bottom: .8em;
  min-height: 1.3em;
}
dl.compact > dd, .dlCompact > dd {
  margin-bottom: 0em;
}
dl > dd > dl {
  margin-top: 0.5em;
  margin-bottom: 0em;
}

/* links */
a {
  text-decoration: none;
}
a[href] {
  color: #22e; /* Arlen: WCAG 2019 */
}
a[href]:hover {
  background-color: #f2f2f2;
}
figcaption a[href],
a[href].selfRef {
  color: #222;
}
/* XXX probably not this:
a.selfRef:hover {
  background-color: transparent;
  cursor: default;
} */

/* Figures */
tt, code, pre, code {
  background-color: #f9f9f9;
  font-family: 'Roboto Mono', monospace;
}
pre {
  border: 1px solid #eee;
  margin: 0;
  padding: 1em;
}
img {
  max-width: 100%;
}
figure {
  margin: 0;
}
figure blockquote {
  margin: 0.8em 0.4em 0.4em;
}
figcaption {
  font-style: italic;
  margin: 0 0 1em 0;
}
@media screen {
  pre {
    overflow-x: auto;
    max-width: 100%;
    max-width: calc(100% - 22px);
  }
}

/* aside, blockquote */
aside, blockquote {
  margin-left: 0;
  padding: 1.2em 2em;
}
blockquote {
  background-color: #f9f9f9;
  color: #111; /* Arlen: WCAG 2019 */
  border: 1px solid #ddd;
  border-radius: 3px;
  margin: 1em 0;
}
cite {
  display: block;
  text-align: right;
  font-style: italic;
}

/* tables */
table {
  width: 100%;
  margin: 0 0 1em;
  border-collapse: collapse;
  border: 1px solid #eee;
}
th, td {
  text-align: left;
  vertical-align: top;
  padding: 0.5em 0.75em;
}
th {
  text-align: left;
  background-color: #e9e9e9;
}
tr:nth-child(2n+1) > td {
  background-color: #f5f5f5;
}
table caption {
  font-style: italic;
  margin: 0;
  padding: 0;
  text-align: left;
}
table p {
  /* XXX to avoid bottom margin on table row signifiers. If paragraphs should
     be allowed within tables more generally, it would be far better to select on a class. */
  margin: 0;
}

/* pilcrow */
a.pilcrow {
  color: #666; /* Arlen: AHDJ 2019 */
  text-decoration: none;
  visibility: hidden;
  user-select: none;
  -ms-user-select: none;
  -o-user-select:none;
  -moz-user-select: none;
  -khtml-user-select: none;
  -webkit-user-select: none;
  -webkit-touch-callout: none;
}
@media screen {
  aside:hover > a.pilcrow,
  p:hover > a.pilcrow,
  blockquote:hover > a.pilcrow,
  div:hover > a.pilcrow,
  li:hover > a.pilcrow,
  pre:hover > a.pilcrow {
    visibility: visible;
  }
  a.pilcrow:hover {
    background-color: transparent;
  }
}

/* misc */
hr {
  border: 0;
  border-top: 1px solid #eee;
}
.bcp14 {
  font-variant: small-caps;
}

.role {
  font-variant: all-small-caps;
}

/* info block */
#identifiers {
  margin: 0;
  font-size: 0.9em;
}
#identifiers dt {
  width: 3em;
  clear: left;
}
#identifiers dd {
  float: left;
  margin-bottom: 0;
}
#identifiers .authors .author {
  display: inline-block;
  margin-right: 1.5em;
}
#identifiers .authors .org {
  font-style: italic;
}

/* The prepared/rendered info at the very bottom of the page */
.docInfo {
  color: #666; /* Arlen: WCAG 2019 */
  font-size: 0.9em;
  font-style: italic;
  margin-top: 2em;
}
.docInfo .prepared {
  float: left;
}
.docInfo .prepared {
  float: right;
}

/* table of contents */
#toc  {
  padding: 0.75em 0 2em 0;
  margin-bottom: 1em;
}
nav.toc ul {
  margin: 0 0.5em 0 0;
  padding: 0;
  list-style: none;
}
nav.toc li {
  line-height: 1.3em;
  margin: 0.75em 0;
  padding-left: 1.2em;
  text-indent: -1.2em;
}
/* references */
.references dt {
  text-align: right;
  font-weight: bold;
  min-width: 7em;
}
.references dd {
  margin-left: 8em;
  overflow: auto;
}

.refInstance {
  margin-bottom: 1.25em;
}

.references .ascii {
  margin-bottom: 0.25em;
}

/* index */
.index ul {
  margin: 0 0 0 1em;
  padding: 0;
  list-style: none;
}
.index ul ul {
  margin: 0;
}
.index li {
  margin: 0;
  text-indent: -2em;
  padding-left: 2em;
  padding-bottom: 5px;
}
.indexIndex {
  margin: 0.5em 0 1em;
}
.index a {
  font-weight: 700;
}
/* make the index two-column on all but the smallest screens */
@media (min-width: 600px) {
  .index ul {
    -moz-column-count: 2;
    -moz-column-gap: 20px;
  }
  .index ul ul {
    -moz-column-count: 1;
    -moz-column-gap: 0;
  }
}

/* authors */
address.vcard {
  font-style: normal;
  margin: 1em 0;
}

address.vcard .nameRole {
  font-weight: 700;
  margin-left: 0;
}
address.vcard .label {
  font-family: "Noto Sans",Arial,Helvetica,sans-serif;
  margin: 0.5em 0;
}
address.vcard .type {
  display: none;
}
.alternative-contact {
  margin: 1.5em 0 1em;
}
hr.addr {
  border-top: 1px dashed;
  margin: 0;
  color: #ddd;
  max-width: calc(100% - 16px);
}

/* temporary notes */
.rfcEditorRemove::before {
  position: absolute;
  top: 0.2em;
  right: 0.2em;
  padding: 0.2em;
  content: "The RFC Editor will remove this note";
  color: #9e2a00; /* Arlen: WCAG 2019 */
  background-color: #ffd; /* Arlen: WCAG 2019 */
}
.rfcEditorRemove {
  position: relative;
  padding-top: 1.8em;
  background-color: #ffd; /* Arlen: WCAG 2019 */
  border-radius: 3px;
}
.cref {
  background-color: #ffd; /* Arlen: WCAG 2019 */
  padding: 2px 4px;
}
.crefSource {
  font-style: italic;
}
/* alternative layout for smaller screens */
@media screen and (max-width: 1023px) {
  body {
    padding-top: 2em;
  }
  #title {
    padding: 1em 0;
  }
  h1 {
    font-size: 24px;
  }
  h2 {
    font-size: 20px;
    margin-top: -18px;  /* provide offset for in-page anchors */
    padding-top: 38px;
  }
  #identifiers dd {
    max-width: 60%;
  }
  #toc {
    position: fixed;
    z-index: 2;
    top: 0;
    right: 0;
    padding: 0;
    margin: 0;
    background-color: inherit;
    border-bottom: 1px solid #ccc;
  }
  #toc h2 {
    margin: -1px 0 0 0;
    padding: 4px 0 4px 6px;
    padding-right: 1em;
    min-width: 190px;
    font-size: 1.1em;
    text-align: right;
    background-color: #444;
    color: white;
    cursor: pointer;
  }
  #toc h2::before { /* css hamburger */
    float: right;
    position: relative;
    width: 1em;
    height: 1px;
    left: -164px;
    margin: 6px 0 0 0;
    background: white none repeat scroll 0 0;
    box-shadow: 0 4px 0 0 white, 0 8px 0 0 white;
    content: "";
  }
  #toc nav {
    display: none;
    padding: 0.5em 1em 1em;
    overflow: auto;
    height: calc(100vh - 48px);
    border-left: 1px solid #ddd;
  }
}

/* alternative layout for wide screens */
@media screen and (min-width: 1024px) {
  body {
    max-width: 724px;
    margin: 42px auto;
    padding-left: 1.5em;
    padding-right: 29em;
  }
  #toc {
    position: fixed;
    top: 42px;
    right: 42px;
    width: 25%;
    margin: 0;
    padding: 0 1em;
    z-index: 1;
  }
  #toc h2 {
    border-top: none;
    border-bottom: 1px solid #ddd;
    font-size: 1em;
    font-weight: normal;
    margin: 0;
    padding: 0.25em 1em 1em 0;
  }
  #toc nav {
    display: block;
    height: calc(90vh - 84px);
    bottom: 0;
    padding: 0.5em 0 0;
    overflow: auto;
  }
  img { /* future proofing */
    max-width: 100%;
    height: auto;
  }
}

/* pagination */
@media print {
  body {

    width: 100%;
  }
  p {
    orphans: 3;
    widows: 3;
  }
  #n-copyright-notice {
    border-bottom: none;
  }
  #toc, #n-introduction {
    page-break-before: always;
  }
  #toc {
    border-top: none;
    padding-top: 0;
  }
  figure, pre {
    page-break-inside: avoid;
  }
  figure {
    overflow: scroll;
  }
  h1, h2, h3, h4, h5, h6 {
    page-break-after: avoid;
  }
  h2+*, h3+*, h4+*, h5+*, h6+* {
    page-break-before: avoid;
  }
  pre {
    white-space: pre-wrap;
    word-wrap: break-word;
    font-size: 10pt;
  }
  table {
    border: 1px solid #ddd;
  }
  td {
    border-top: 1px solid #ddd;
  }
}

/* This is commented out here, as the string-set: doesn't
   pass W3C validation currently */
/*
.ears thead .left {
  string-set: ears-top-left content();
}

.ears thead .center {
  string-set: ears-top-center content();
}

.ears thead .right {
  string-set: ears-top-right content();
}

.ears tfoot .left {
  string-set: ears-bottom-left content();
}

.ears tfoot .center {
  string-set: ears-bottom-center content();
}

.ears tfoot .right {
  string-set: ears-bottom-right content();
}
*/

@page :first {
  padding-top: 0;
  @top-left {
    content: normal;
    border: none;
  }
  @top-center {
    content: normal;
    border: none;
  }
  @top-right {
    content: normal;
    border: none;
  }
}

@page {
  size: A4;
  margin-bottom: 45mm;
  padding-top: 20px;
  /* The follwing is commented out here, but set appropriately by in code, as
     the content depends on the document */
  /*
  @top-left {
    content: 'Internet-Draft';
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-left {
    content: string(ears-top-left);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-center {
    content: string(ears-top-center);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @top-right {
    content: string(ears-top-right);
    vertical-align: bottom;
    border-bottom: solid 1px #ccc;
  }
  @bottom-left {
    content: string(ears-bottom-left);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-center {
    content: string(ears-bottom-center);
    vertical-align: top;
    border-top: solid 1px #ccc;
  }
  @bottom-right {
      content: '[Page ' counter(page) ']';
      vertical-align: top;
      border-top: solid 1px #ccc;
  }
  */

}

/* Changes introduced to fix issues found during implementation */
/* Make sure links are clickable even if overlapped by following H* */
a {
  z-index: 2;
}
/* Separate body from document info even without intervening H1 */
section {
  clear: both;
}


/* Top align author divs, to avoid names without organization dropping level with org names */
.author {
  vertical-align: top;
}

/* Leave room in document info to show Internet-Draft on one line */
#identifiers dt {
  width: 8em;
}

/* Don't waste quite as much whitespace between label and value in doc info */
#identifiers dd {
  margin-left: 1em;
}

/* Give floating toc a background color (needed when it's a div inside section */
#toc {
  background-color: white;
}

/* Make the collapsed ToC header render white on gray also when it's a link */
@media screen and (max-width: 1023px) {
  #toc h2 a,
  #toc h2 a:link,
  #toc h2 a:focus,
  #toc h2 a:hover,
  #toc a.toplink,
  #toc a.toplink:hover {
    color: white;
    background-color: #444;
    text-decoration: none;
  }
}

/* Give the bottom of the ToC some whitespace */
@media screen and (min-width: 1024px) {
  #toc {
    padding: 0 0 1em 1em;
  }
}

/* Style section numbers with more space between number and title */
.section-number {
  padding-right: 0.5em;
}

/* prevent monospace from becoming overly large */
tt, code, pre, code {
  font-size: 95%;
}

/* Fix the height/width aspect for ascii art*/
pre.sourcecode,
.art-text pre {
  line-height: 1.12;
}


/* Add styling for a link in the ToC that points to the top of the document */
a.toplink {
  float: right;
  margin-right: 0.5em;
}

/* Fix the dl styling to match the RFC 7992 attributes */
dl > dt,
dl.dlParallel > dt {
  float: left;
  margin-right: 1em;
}
dl.dlNewline > dt {
  float: none;
}

/* Provide styling for table cell text alignment */
table td.text-left,
table th.text-left {
  text-align: left;
}
table td.text-center,
table th.text-center {
  text-align: center;
}
table td.text-right,
table th.text-right {
  text-align: right;
}

/* Make the alternative author contact informatio look less like just another
   author, and group it closer with the primary author contact information */
.alternative-contact {
  margin: 0.5em 0 0.25em 0;
}
address .non-ascii {
  margin: 0 0 0 2em;
}

/* With it being possible to set tables with alignment
  left, center, and right, { width: 100%; } does not make sense */
table {
  width: auto;
}

/* Avoid reference text that sits in a block with very wide left margin,
   because of a long floating dt label.*/
.references dd {
  overflow: visible;
}

/* Control caption placement */
caption {
  caption-side: bottom;
}

/* Limit the width of the author address vcard, so names in right-to-left
   script don't end up on the other side of the page. */

address.vcard {
  max-width: 30em;
  margin-right: auto;
}

/* For address alignment dependent on LTR or RTL scripts */
address div.left {
  text-align: left;
}
address div.right {
  text-align: right;
}

/* Provide table alignment support.  We can't use the alignX classes above
   since they do unwanted things with caption and other styling. */
table.right {
 margin-left: auto;
 margin-right: 0;
}
table.center {
 margin-left: auto;
 margin-right: auto;
}
table.left {
 margin-left: 0;
 margin-right: auto;
}

/* Give the table caption label the same styling as the figcaption */
caption a[href] {
  color: #222;
}

@media print {
  .toplink {
    display: none;
  }

  /* avoid overwriting the top border line with the ToC header */
  #toc {
    padding-top: 1px;
  }

  /* Avoid page breaks inside dl and author address entries */
  .vcard {
    page-break-inside: avoid;
  }

}
/* Avoid wrapping of URLs in references */
@media screen {
  .references a {
    white-space: nowrap;
  }
}
/* Tweak the bcp14 keyword presentation */
.bcp14 {
  font-variant: small-caps;
  font-weight: bold;
  font-size: 0.9em;
}
/* Tweak the invisible space above H* in order not to overlay links in text above */
 h2 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 31px;
 }
 h3 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
 h4 {
  margin-top: -18px;  /* provide offset for in-page anchors */
  padding-top: 24px;
 }
/* Float artwork pilcrow to the right */
@media screen {
  .artwork a.pilcrow {
    display: block;
    line-height: 0.7;
    margin-top: 0.15em;
  }
}
/* Make pilcrows on dd visible */
@media screen {
  dd:hover > a.pilcrow {
    visibility: visible;
  }
}
/* Make the placement of figcaption match that of a table's caption
   by removing the figure's added bottom margin */
.alignLeft.art-text,
.alignCenter.art-text,
.alignRight.art-text {
   margin-bottom: 0;
}
.alignLeft,
.alignCenter,
.alignRight {
  margin: 1em 0 0 0;
}
/* In print, the pilcrow won't show on hover, so prevent it from taking up space,
   possibly even requiring a new line */
@media print {
  a.pilcrow {
    display: none;
  }
}
/* Styling for the external metadata */
div#external-metadata {
  background-color: #eee;
  padding: 0.5em;
  margin-bottom: 0.5em;
  display: none;
}
div#internal-metadata {
  padding: 0.5em;                       /* to match the external-metadata padding */
}
/* Styling for title RFC Number */
h1#rfcnum {
  clear: both;
  margin: 0 0 -1em;
  padding: 1em 0 0 0;
}
/* Make .olPercent look the same as <ol><li> */
dl.olPercent > dd {
  margin-bottom: 0.25em;
  min-height: initial;
}
/* Give aside some styling to set it apart */
aside {
  border-left: 1px solid #ddd;
  margin: 1em 0 1em 2em;
  padding: 0.2em 2em;
}
aside > dl,
aside > ol,
aside > ul,
aside > table,
aside > p {
  margin-bottom: 0.5em;
}
/* Additional page break settings */
@media print {
  figcaption, table caption {
    page-break-before: avoid;
  }
}
/* Font size adjustments for print */
@media print {
  body  { font-size: 10pt;      line-height: normal; max-width: 96%; }
  h1    { font-size: 1.72em;    padding-top: 1.5em; } /* 1*1.2*1.2*1.2 */
  h2    { font-size: 1.44em;    padding-top: 1.5em; } /* 1*1.2*1.2 */
  h3    { font-size: 1.2em;     padding-top: 1.5em; } /* 1*1.2 */
  h4    { font-size: 1em;       padding-top: 1.5em; }
  h5, h6 { font-size: 1em;      margin: initial; padding: 0.5em 0 0.3em; }
}
/* Sourcecode margin in print, when there's no pilcrow */
@media print {
  .artwork,
  .sourcecode {
    margin-bottom: 1em;
  }
}
/* Avoid narrow tables forcing too narrow table captions, which may render badly */
table {
  min-width: 20em;
}
/* ol type a */
ol.type-a { list-style-type: lower-alpha; }
ol.type-A { list-style-type: upper-alpha; }
ol.type-i { list-style-type: lower-roman; }
ol.type-I { list-style-type: lower-roman; }
/* Apply the print table and row borders in general, on request from the RPC,
and increase the contrast between border and odd row background sligthtly */
table {
  border: 1px solid #ddd;
}
td {
  border-top: 1px solid #ddd;
}
tr:nth-child(2n+1) > td {
  background-color: #f8f8f8;
}
/* Use style rules to govern display of the TOC. */
@media screen and (max-width: 1023px) {
  #toc nav { display: none; }
  #toc.active nav { display: block; }
}
/* Add support for keepWithNext */
.keepWithNext {
  break-after: avoid-page;
  break-after: avoid-page;
}
/* Add support for keepWithPrevious */
.keepWithPrevious {
  break-before: avoid-page;
}
/* Change the approach to avoiding breaks inside artwork etc. */
figure, pre, table, .artwork, .sourcecode  {
  break-before: avoid-page;
  break-after: auto;
}
/* Avoid breaks between <dt> and <dd> */
dl {
  break-inside: auto;
}
dt {
  break-before: auto;
  break-after: avoid-page;
}
dd {
  break-before: avoid-page;
  break-after: auto;
  orphans: 3;
  widows: 3
}
dd.break {
  margin-bottom: 0;
  min-height: 0;
  break-before: auto;
  break-inside: auto;
  break-after: auto;
}
/* Undo break-before ToC */
@media print {
  #toc {
    break-before: auto;
  }
}</style>
<link href="rfc-local.css" rel="stylesheet" type="text/css">
<link href="https://dx.doi.org/10.17487/rfc8723" rel="alternate">
  <link href="urn:issn:2070-1721" rel="alternate">
  <link href="https://datatracker.ietf.org/doc/draft-ietf-perc-double-12" rel="prev">
  </head>
<body>
<script src="https://www.rfc-editor.org/js/metadata.min.js"></script>
<table class="ears">
<thead><tr>
<td class="left">RFC 8723</td>
<td class="center">Double SRTP</td>
<td class="right">April 2020</td>
</tr></thead>
<tfoot><tr>
<td class="left">Jennings, et al.</td>
<td class="center">Standards Track</td>
<td class="right">[Page]</td>
</tr></tfoot>
</table>
<div id="external-metadata" class="document-information"></div>
<div id="internal-metadata" class="document-information">
<dl id="identifiers">
<dt class="label-stream">Stream:</dt>
<dd class="stream">Internet Engineering Task Force (IETF)</dd>
<dt class="label-rfc">RFC:</dt>
<dd class="rfc"><a href="https://www.rfc-editor.org/rfc/rfc8723" class="eref">8723</a></dd>
<dt class="label-category">Category:</dt>
<dd class="category">Standards Track</dd>
<dt class="label-published">Published:</dt>
<dd class="published">
<time datetime="2020-04" class="published">April 2020</time>
    </dd>
<dt class="label-issn">ISSN:</dt>
<dd class="issn">2070-1721</dd>
<dt class="label-authors">Authors:</dt>
<dd class="authors">
<div class="author">
      <div class="author-name">C. Jennings</div>
<div class="org">Cisco Systems</div>
</div>
<div class="author">
      <div class="author-name">P. Jones</div>
<div class="org">Cisco Systems</div>
</div>
<div class="author">
      <div class="author-name">R. Barnes</div>
<div class="org">Cisco Systems</div>
</div>
<div class="author">
      <div class="author-name">A.B. Roach</div>
<div class="org">Mozilla</div>
</div>
</dd>
</dl>
</div>
<h1 id="rfcnum">RFC 8723</h1>
<h1 id="title">Double Encryption Procedures for the Secure Real-Time Transport Protocol (SRTP)</h1>
<section id="section-abstract">
      <h2 id="abstract"><a href="#abstract" class="selfRef">Abstract</a></h2>
<p id="section-abstract-1">In some conferencing scenarios, it is desirable for an intermediary
to be able to manipulate some parameters in Real-time Transport Protocol (RTP)
packets, while still providing strong end-to-end security
guarantees. This document defines a cryptographic transform for the
Secure Real-time Transport Protocol (SRTP) that uses two separate but related
cryptographic operations to provide hop-by-hop and end-to-end
security guarantees.  Both the end-to-end and hop-by-hop
cryptographic algorithms can utilize an authenticated encryption
with associated data (AEAD) algorithm or take advantage of future SRTP
transforms with different properties.<a href="#section-abstract-1" class="pilcrow">¶</a></p>
</section>
<div id="status-of-memo">
<section id="section-boilerplate.1">
        <h2 id="name-status-of-this-memo">
<a href="#name-status-of-this-memo" class="section-name selfRef">Status of This Memo</a>
        </h2>
<p id="section-boilerplate.1-1">
            This is an Internet Standards Track document.<a href="#section-boilerplate.1-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-2">
            This document is a product of the Internet Engineering Task Force
            (IETF).  It represents the consensus of the IETF community.  It has
            received public review and has been approved for publication by
            the Internet Engineering Steering Group (IESG).  Further
            information on Internet Standards is available in Section 2 of 
            RFC 7841.<a href="#section-boilerplate.1-2" class="pilcrow">¶</a></p>
<p id="section-boilerplate.1-3">
            Information about the current status of this document, any
            errata, and how to provide feedback on it may be obtained at
            <span><a href="https://www.rfc-editor.org/info/rfc8723">https://www.rfc-editor.org/info/rfc8723</a></span>.<a href="#section-boilerplate.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="copyright">
<section id="section-boilerplate.2">
        <h2 id="name-copyright-notice">
<a href="#name-copyright-notice" class="section-name selfRef">Copyright Notice</a>
        </h2>
<p id="section-boilerplate.2-1">
            Copyright (c) 2020 IETF Trust and the persons identified as the
            document authors. All rights reserved.<a href="#section-boilerplate.2-1" class="pilcrow">¶</a></p>
<p id="section-boilerplate.2-2">
            This document is subject to BCP 78 and the IETF Trust's Legal
            Provisions Relating to IETF Documents
            (<span><a href="https://trustee.ietf.org/license-info">https://trustee.ietf.org/license-info</a></span>) in effect on the date of
            publication of this document. Please review these documents
            carefully, as they describe your rights and restrictions with
            respect to this document. Code Components extracted from this
            document must include Simplified BSD License text as described in
            Section 4.e of the Trust Legal Provisions and are provided without
            warranty as described in the Simplified BSD License.<a href="#section-boilerplate.2-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="toc">
<section id="section-toc.1">
        <a href="#" onclick="scroll(0,0)" class="toplink">▲</a><h2 id="name-table-of-contents">
<a href="#name-table-of-contents" class="section-name selfRef">Table of Contents</a>
        </h2>
<nav class="toc"><ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.1">
            <p id="section-toc.1-1.1.1" class="keepWithNext"><a href="#section-1" class="xref">1</a>.  <a href="#name-introduction" class="xref">Introduction</a><a href="#section-toc.1-1.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.2">
            <p id="section-toc.1-1.2.1" class="keepWithNext"><a href="#section-2" class="xref">2</a>.  <a href="#name-terminology" class="xref">Terminology</a><a href="#section-toc.1-1.2.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.3">
            <p id="section-toc.1-1.3.1"><a href="#section-3" class="xref">3</a>.  <a href="#name-cryptographic-context" class="xref">Cryptographic Context</a><a href="#section-toc.1-1.3.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.3.2.1">
                <p id="section-toc.1-1.3.2.1.1" class="keepWithNext"><a href="#section-3.1" class="xref">3.1</a>.  <a href="#name-key-derivation" class="xref">Key Derivation</a><a href="#section-toc.1-1.3.2.1.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.4">
            <p id="section-toc.1-1.4.1"><a href="#section-4" class="xref">4</a>.  <a href="#name-original-header-block" class="xref">Original Header Block</a><a href="#section-toc.1-1.4.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.5">
            <p id="section-toc.1-1.5.1"><a href="#section-5" class="xref">5</a>.  <a href="#name-rtp-operations" class="xref">RTP Operations</a><a href="#section-toc.1-1.5.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.5.2.1">
                <p id="section-toc.1-1.5.2.1.1"><a href="#section-5.1" class="xref">5.1</a>.  <a href="#name-encrypting-a-packet" class="xref">Encrypting a Packet</a><a href="#section-toc.1-1.5.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.5.2.2">
                <p id="section-toc.1-1.5.2.2.1"><a href="#section-5.2" class="xref">5.2</a>.  <a href="#name-relaying-a-packet" class="xref">Relaying a Packet</a><a href="#section-toc.1-1.5.2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.5.2.3">
                <p id="section-toc.1-1.5.2.3.1"><a href="#section-5.3" class="xref">5.3</a>.  <a href="#name-decrypting-a-packet" class="xref">Decrypting a Packet</a><a href="#section-toc.1-1.5.2.3.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.6">
            <p id="section-toc.1-1.6.1"><a href="#section-6" class="xref">6</a>.  <a href="#name-rtcp-operations" class="xref">RTCP Operations</a><a href="#section-toc.1-1.6.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.7">
            <p id="section-toc.1-1.7.1"><a href="#section-7" class="xref">7</a>.  <a href="#name-use-with-other-rtp-mechanis" class="xref">Use with Other RTP Mechanisms</a><a href="#section-toc.1-1.7.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.7.2.1">
                <p id="section-toc.1-1.7.2.1.1"><a href="#section-7.1" class="xref">7.1</a>.  <a href="#name-rtp-retransmission-rtx" class="xref">RTP Retransmission (RTX)</a><a href="#section-toc.1-1.7.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.7.2.2">
                <p id="section-toc.1-1.7.2.2.1"><a href="#section-7.2" class="xref">7.2</a>.  <a href="#name-redundant-audio-data-red" class="xref">Redundant Audio Data (RED)</a><a href="#section-toc.1-1.7.2.2.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.7.2.3">
                <p id="section-toc.1-1.7.2.3.1"><a href="#section-7.3" class="xref">7.3</a>.  <a href="#name-forward-error-correction-fe" class="xref">Forward Error Correction (FEC)</a><a href="#section-toc.1-1.7.2.3.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.7.2.4">
                <p id="section-toc.1-1.7.2.4.1"><a href="#section-7.4" class="xref">7.4</a>.  <a href="#name-dtmf" class="xref">DTMF</a><a href="#section-toc.1-1.7.2.4.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.8">
            <p id="section-toc.1-1.8.1"><a href="#section-8" class="xref">8</a>.  <a href="#name-recommended-inner-and-outer" class="xref">Recommended Inner and Outer Cryptographic Algorithms</a><a href="#section-toc.1-1.8.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.9">
            <p id="section-toc.1-1.9.1"><a href="#section-9" class="xref">9</a>.  <a href="#name-security-considerations" class="xref">Security Considerations</a><a href="#section-toc.1-1.9.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.10">
            <p id="section-toc.1-1.10.1"><a href="#section-10" class="xref">10</a>. <a href="#name-iana-considerations" class="xref">IANA Considerations</a><a href="#section-toc.1-1.10.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.10.2.1">
                <p id="section-toc.1-1.10.2.1.1"><a href="#section-10.1" class="xref">10.1</a>.  <a href="#name-dtls-srtp" class="xref">DTLS-SRTP</a><a href="#section-toc.1-1.10.2.1.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.11">
            <p id="section-toc.1-1.11.1"><a href="#section-11" class="xref">11</a>. <a href="#name-references" class="xref">References</a><a href="#section-toc.1-1.11.1" class="pilcrow">¶</a></p>
<ul class="toc ulEmpty">
<li class="toc ulEmpty" id="section-toc.1-1.11.2.1">
                <p id="section-toc.1-1.11.2.1.1"><a href="#section-11.1" class="xref">11.1</a>.  <a href="#name-normative-references" class="xref">Normative References</a><a href="#section-toc.1-1.11.2.1.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.11.2.2">
                <p id="section-toc.1-1.11.2.2.1"><a href="#section-11.2" class="xref">11.2</a>.  <a href="#name-informative-references" class="xref">Informative References</a><a href="#section-toc.1-1.11.2.2.1" class="pilcrow">¶</a></p>
</li>
</ul>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.12">
            <p id="section-toc.1-1.12.1"><a href="#section-appendix.a" class="xref">Appendix A</a>.  <a href="#name-encryption-overview" class="xref">Encryption Overview</a><a href="#section-toc.1-1.12.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.13">
            <p id="section-toc.1-1.13.1"><a href="#section-appendix.b" class="xref"></a><a href="#name-acknowledgments" class="xref">Acknowledgments</a><a href="#section-toc.1-1.13.1" class="pilcrow">¶</a></p>
</li>
<li class="toc ulEmpty" id="section-toc.1-1.14">
            <p id="section-toc.1-1.14.1"><a href="#section-appendix.c" class="xref"></a><a href="#name-authors-addresses" class="xref">Authors' Addresses</a><a href="#section-toc.1-1.14.1" class="pilcrow">¶</a></p>
</li>
</ul>
</nav>
</section>
</div>
<div id="introduction">
<section id="section-1">
      <h2 id="name-introduction">
<a href="#section-1" class="section-number selfRef">1. </a><a href="#name-introduction" class="section-name selfRef">Introduction</a>
      </h2>
<p id="section-1-1">Cloud conferencing systems that are based on switched conferencing
have a central Media Distributor (MD) device that receives media from
endpoints and distributes it to other endpoints, but does not need
to interpret or change the media content.  For these systems, it is
desirable to have one cryptographic key that enables encryption and
authentication of the media
end-to-end while still allowing certain information in the header of
an RTP packet to be changed by the MD.  
At the same time, a separate cryptographic key
provides integrity and optional confidentiality for the media
flowing between the MD and the endpoints.  The
framework document <span>[<a href="#I-D.ietf-perc-private-media-framework" class="xref">PRIVATE-MEDIA-FRAMEWORK</a>]</span>
describes this concept in more detail.<a href="#section-1-1" class="pilcrow">¶</a></p>
<p id="section-1-2">This specification defines a transform for 
SRTP that uses 1) the AES Galois/Counter Mode (AES-GCM) algorithm <span>[<a href="#RFC7714" class="xref">RFC7714</a>]</span> to
provide encryption and integrity for an RTP packet for the
end-to-end cryptographic key and 2) a hop-by-hop cryptographic
encryption and integrity between the endpoint and the MD. 
The MD decrypts and checks integrity of
the hop-by-hop security. The MD <span class="bcp14">MAY</span> change some of
the RTP header information that would impact the end-to-end
integrity. In that case, the original value of any RTP header field
that is changed is included in an "Original Header Block" that is
added to the packet. The new RTP packet is encrypted with the
hop-by-hop cryptographic algorithm before it is sent. The receiving
endpoint decrypts and checks integrity using the hop-by-hop
cryptographic algorithm and then replaces any parameters the MD 
changed using the information in the Original Header
Block before decrypting and checking the end-to-end integrity.<a href="#section-1-2" class="pilcrow">¶</a></p>
<p id="section-1-3">One can think of the double transform as a normal SRTP transform for encrypting
the RTP in a way such that things that only know half of the key, can
decrypt and modify part of the RTP packet but not other parts,
including the media payload.<a href="#section-1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="terminology">
<section id="section-2">
      <h2 id="name-terminology">
<a href="#section-2" class="section-number selfRef">2. </a><a href="#name-terminology" class="section-name selfRef">Terminology</a>
      </h2>
<p id="section-2-1">The key words "<span class="bcp14">MUST</span>", "<span class="bcp14">MUST NOT</span>", "<span class="bcp14">REQUIRED</span>", "<span class="bcp14">SHALL</span>", "<span class="bcp14">SHALL NOT</span>", "<span class="bcp14">SHOULD</span>", "<span class="bcp14">SHOULD NOT</span>", "<span class="bcp14">RECOMMENDED</span>", "<span class="bcp14">NOT RECOMMENDED</span>",
    "<span class="bcp14">MAY</span>", and "<span class="bcp14">OPTIONAL</span>" in this document are to be interpreted as
    described in BCP 14 <span>[<a href="#RFC2119" class="xref">RFC2119</a>]</span> <span>[<a href="#RFC8174" class="xref">RFC8174</a>]</span> 
    when, and only when, they appear in all capitals, as shown here.<a href="#section-2-1" class="pilcrow">¶</a></p>
<p id="section-2-2">Terms used throughout this document include:<a href="#section-2-2" class="pilcrow">¶</a></p>
<dl class="dlParallel" id="section-2-3">
        <dt id="section-2-3.1">Media Distributor (MD):</dt>
<dd id="section-2-3.2">A device that receives media from endpoints and
distributes it to other endpoints, but does not need to interpret
or change the media content (see also
<span>[<a href="#I-D.ietf-perc-private-media-framework" class="xref">PRIVATE-MEDIA-FRAMEWORK</a>]</span>).<a href="#section-2-3.2" class="pilcrow">¶</a>
</dd>
<dd class="break"></dd>
<dt id="section-2-3.3">end-to-end:</dt>
<dd id="section-2-3.4">The path from one endpoint through one or
more MDs to the endpoint at the other end.<a href="#section-2-3.4" class="pilcrow">¶</a>
</dd>
<dd class="break"></dd>
<dt id="section-2-3.5">hop-by-hop:</dt>
<dd id="section-2-3.6">The path from the endpoint to or from the MD.<a href="#section-2-3.6" class="pilcrow">¶</a>
</dd>
<dd class="break"></dd>
<dt id="section-2-3.7">Original Header Block (OHB):</dt>
<dd id="section-2-3.8">An octet string that contains the
original values from the RTP header that might have been changed
by an MD.<a href="#section-2-3.8" class="pilcrow">¶</a>
</dd>
<dd class="break"></dd>
</dl>
</section>
</div>
<div id="cryptographic-context">
<section id="section-3">
      <h2 id="name-cryptographic-context">
<a href="#section-3" class="section-number selfRef">3. </a><a href="#name-cryptographic-context" class="section-name selfRef">Cryptographic Context</a>
      </h2>
<p id="section-3-1">This specification uses a cryptographic context with two parts:<a href="#section-3-1" class="pilcrow">¶</a></p>
<ul>
<li id="section-3-2.1">An inner (end-to-end) part that is used by endpoints that originate and
consume media to ensure the integrity of media end-to-end, and<a href="#section-3-2.1" class="pilcrow">¶</a>
</li>
<li id="section-3-2.2">An outer (hop-by-hop) part that is used between endpoints and MDs 
to ensure the integrity of media over a single hop and to
enable an MD to modify certain RTP header fields. RTCP
is also handled using the hop-by-hop cryptographic part.<a href="#section-3-2.2" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-3-3">The <span class="bcp14">RECOMMENDED</span> cipher for the hop-by-hop and end-to-end algorithms is
AES-GCM.  Other combinations of SRTP ciphers that support the
procedures in this document can be added to the IANA registry.<a href="#section-3-3" class="pilcrow">¶</a></p>
<p id="section-3-4">The keys and salt for these algorithms are generated with the following
steps:<a href="#section-3-4" class="pilcrow">¶</a></p>
<ul>
<li id="section-3-5.1">Generate key and salt values of the length required for the combined
inner (end-to-end) and outer (hop-by-hop) algorithms.<a href="#section-3-5.1" class="pilcrow">¶</a>
</li>
<li id="section-3-5.2">Assign the key and salt values generated for the inner (end-to-end)
algorithm to the first half of the key and the first half of the
salt for the double algorithm.<a href="#section-3-5.2" class="pilcrow">¶</a>
</li>
<li id="section-3-5.3">Assign the key and salt values for the outer (hop-by-hop) algorithm
to the second half of the key and second half of the salt for the
double algorithm. The first half of the key is referred to as the
inner key while the second half is referred to as the outer key.
When a key is used by a cryptographic algorithm, the salt that is used is
the part of the salt generated with that key.<a href="#section-3-5.3" class="pilcrow">¶</a>
</li>
<li id="section-3-5.4">the synchronization source (SSRC) is the same for both the inner and outer algorithms as
it cannot be changed.<a href="#section-3-5.4" class="pilcrow">¶</a>
</li>
<li id="section-3-5.5">The sequence number (SEQ) and rollover counter (ROC) are tracked independently for the inner and outer
algorithms.<a href="#section-3-5.5" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-3-6">If the MD is to be able to modify header fields but
not decrypt the payload, then it must have a cryptographic key for the
outer algorithm but not the inner (end-to-end) algorithm.  This
document does not define how the MD should be
provisioned with this information.  One possible way to provide
keying material for the outer (hop-by-hop) algorithm is to use
<span>[<a href="#I-D.ietf-perc-dtls-tunnel" class="xref">DTLS-TUNNEL</a>]</span>.<a href="#section-3-6" class="pilcrow">¶</a></p>
<div id="key-derivation">
<section id="section-3.1">
        <h3 id="name-key-derivation">
<a href="#section-3.1" class="section-number selfRef">3.1. </a><a href="#name-key-derivation" class="section-name selfRef">Key Derivation</a>
        </h3>
<p id="section-3.1-1">Although SRTP uses a single master key to derive keys for an SRTP
session, this transform requires separate inner and outer keys.
In order to allow the inner and outer keys to be managed
independently via the master key, the transforms defined in this
document <span class="bcp14">MUST</span> be used with the following pseudorandom function
(PRF), which preserves the separation between the two halves of the
key.  Given a positive integer <code>n</code> representing the desired output
length, a master key <code>k_master</code>, and an input <code>x</code>:<a href="#section-3.1-1" class="pilcrow">¶</a></p>
<div class="artwork art-text alignCenter" id="section-3.1-2">
<pre>
PRF_double_n(k_master,x) = PRF_(n/2)(inner(k_master),x) ||
                           PRF_(n/2)(outer(k_master),x)
</pre><a href="#section-3.1-2" class="pilcrow">¶</a>
</div>
<p id="section-3.1-3">Here <code>PRF_double_n(k_master, x)</code> represents the AES_CM PRF Key Derivation Function (KDF) (see 
<span><a href="https://www.rfc-editor.org/rfc/rfc3711#section-4.3.3" class="relref">Section 4.3.3</a> of [<a href="#RFC3711" class="xref">RFC3711</a>]</span>) for
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM algorithm and
AES_256_CM_PRF KDF <span>[<a href="#RFC6188" class="xref">RFC6188</a>]</span> for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM
algorithm. The term <code>inner(k_master)</code> represents the first half of
the key; <code>outer(k_master)</code>
represents the second half of the key.<a href="#section-3.1-3" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="ohb">
<section id="section-4">
      <h2 id="name-original-header-block">
<a href="#section-4" class="section-number selfRef">4. </a><a href="#name-original-header-block" class="section-name selfRef">Original Header Block</a>
      </h2>
<p id="section-4-1">The OHB contains the original values of any
modified RTP header fields. In the encryption process, the OHB is
included in an SRTP packet as described in <a href="#rtp-operations" class="xref">Section 5</a>.  In the
decryption process, the receiving endpoint uses it to reconstruct
the original RTP header so that it can pass the proper additional authenticated data (AAD) value to
the inner transform.<a href="#section-4-1" class="pilcrow">¶</a></p>
<p id="section-4-2">The OHB can reflect modifications to the following fields in an RTP header: the
payload type (PT), the SEQ, and the marker bit.  All other fields in the
RTP header <span class="bcp14">MUST</span> remain unmodified; since the OHB cannot reflect their original
values, the receiver will be unable to verify the end-to-end integrity of the packet.<a href="#section-4-2" class="pilcrow">¶</a></p>
<p id="section-4-3">The OHB has the following syntax (in ABNF <span>[<a href="#RFC5234" class="xref">RFC5234</a>]</span>):<a href="#section-4-3" class="pilcrow">¶</a></p>
<div id="section-4-4">
<pre class="sourcecode lang-abnf">
OCTET = %x00-FF

PT = OCTET
SEQ = 2OCTET
Config = OCTET
OHB = [ PT ] [ SEQ ] Config
</pre><a href="#section-4-4" class="pilcrow">¶</a>
</div>
<p id="section-4-5">If present, the PT and SEQ parts of the OHB contain the original payload type
and sequence number fields, respectively. The final "Config" octet of the OHB
specifies whether these fields are present, and the original value of the
marker bit (if necessary):<a href="#section-4-5" class="pilcrow">¶</a></p>
<div class="artwork art-text alignLeft" id="section-4-6">
<pre>
+-+-+-+-+-+-+-+-+
|R R R R B M P Q|
+-+-+-+-+-+-+-+-+
</pre><a href="#section-4-6" class="pilcrow">¶</a>
</div>
<ul>
<li id="section-4-7.1">P: PT is present<a href="#section-4-7.1" class="pilcrow">¶</a>
</li>
<li id="section-4-7.2">Q: SEQ is present<a href="#section-4-7.2" class="pilcrow">¶</a>
</li>
<li id="section-4-7.3">M: Marker bit is present<a href="#section-4-7.3" class="pilcrow">¶</a>
</li>
<li id="section-4-7.4">B: Value of marker bit<a href="#section-4-7.4" class="pilcrow">¶</a>
</li>
<li id="section-4-7.5">R: Reserved, <span class="bcp14">MUST</span> be set to 0<a href="#section-4-7.5" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-4-8">In particular, an all-zero OHB Config octet (<code>0x00</code>) indicates that
there have been no modifications from the original header.<a href="#section-4-8" class="pilcrow">¶</a></p>
<p id="section-4-9">If the marker bit is not present (M=0), then <code>B</code> <span class="bcp14">MUST</span> be set to zero.
That is, if <code>C</code> represents the value of the Config octet, then the
masked value <code>C &amp; 0x0C</code> <span class="bcp14">MUST NOT</span> have the value <code>0x80</code>.<a href="#section-4-9" class="pilcrow">¶</a></p>
</section>
</div>
<div id="rtp-operations">
<section id="section-5">
      <h2 id="name-rtp-operations">
<a href="#section-5" class="section-number selfRef">5. </a><a href="#name-rtp-operations" class="section-name selfRef">RTP Operations</a>
      </h2>
<p id="section-5-1">As implied by the use of the word "double" above, this transform
applies AES-GCM to the SRTP packet twice.  This allows media
distributors to be able to modify some header fields while allowing
endpoints to verify the end-to-end integrity of a packet.<a href="#section-5-1" class="pilcrow">¶</a></p>
<p id="section-5-2">The first, "inner" application of AES-GCM encrypts the SRTP payload
and protects the integrity of a version of the SRTP header with extensions
truncated.  Omitting extensions from the inner integrity check means
that they can be modified by an MD holding only the outer key.<a href="#section-5-2" class="pilcrow">¶</a></p>
<p id="section-5-3">The second, "outer" application of AES-GCM encrypts the ciphertext
produced by the inner encryption (i.e., the encrypted payload and
authentication tag), plus an OHB that expresses any changes made
between the inner and outer transforms.<a href="#section-5-3" class="pilcrow">¶</a></p>
<p id="section-5-4">An MD that has the outer key but not the inner key may
modify the header fields that can be included in the OHB by
decrypting, modifying, and re-encrypting the packet.<a href="#section-5-4" class="pilcrow">¶</a></p>
<div id="encrypt">
<section id="section-5.1">
        <h3 id="name-encrypting-a-packet">
<a href="#section-5.1" class="section-number selfRef">5.1. </a><a href="#name-encrypting-a-packet" class="section-name selfRef">Encrypting a Packet</a>
        </h3>
<p id="section-5.1-1">An endpoint encrypts a packet by using the inner (end-to-end)
cryptographic key and then the outer (hop-by-hop) cryptographic key.
The encryption also supports a mode
for repair packets that only does the outer (hop-by-hop) encryption.
The processes is as follows:<a href="#section-5.1-1" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal type-1" id="section-5.1-2">
          <li id="section-5.1-2.1">Form an RTP packet.  If there are any header extensions, 
they <span class="bcp14">MUST</span> use <span>[<a href="#RFC8285" class="xref">RFC8285</a>]</span>.<a href="#section-5.1-2.1" class="pilcrow">¶</a>
</li>
<li id="section-5.1-2.2">If the packet is for repair mode data, skip to <a href="#step6" class="xref">step 6</a>.<a href="#section-5.1-2.2" class="pilcrow">¶</a>
</li>
<li id="section-5.1-2.3">
            <p id="section-5.1-2.3.1">Form a synthetic RTP packet with the following contents:<a href="#section-5.1-2.3.1" class="pilcrow">¶</a></p>
<ul>
<li id="section-5.1-2.3.2.1">
                <p id="section-5.1-2.3.2.1.1">Header: The RTP header of the original packet with 
the following modifications:<a href="#section-5.1-2.3.2.1.1" class="pilcrow">¶</a></p>
<ul>
<li id="section-5.1-2.3.2.1.2.1">The X bit is set to zero.<a href="#section-5.1-2.3.2.1.2.1" class="pilcrow">¶</a>
</li>
<li id="section-5.1-2.3.2.1.2.2">The header is truncated to remove any extensions 
(i.e., keep only the first 12 + 4 * CSRC count (CC) bytes of the header).<a href="#section-5.1-2.3.2.1.2.2" class="pilcrow">¶</a>
</li>
</ul>
</li>
<li id="section-5.1-2.3.2.2">Payload: The RTP payload of the original packet (including 
padding when present).<a href="#section-5.1-2.3.2.2" class="pilcrow">¶</a>
</li>
</ul>
</li>
<div id="step4a">
<li id="section-5.1-2.4">Apply the inner cryptographic algorithm to the synthetic RTP packet from the previous step.<a href="#section-5.1-2.4" class="pilcrow">¶</a>
</li>
</div>
<li id="section-5.1-2.5">Replace the header of the protected RTP packet with the header of
the original packet (to restore any header extensions and reset
the X bit), and append an empty OHB (<code>0x00</code>) to the encrypted
payload (with the authentication tag) obtained from <a href="#step4a" class="xref">step 4</a>.<a href="#section-5.1-2.5" class="pilcrow">¶</a>
</li>
<div id="step6">
<li id="section-5.1-2.6">Apply the outer cryptographic algorithm to the RTP packet.  If
encrypting RTP header extensions hop-by-hop, then <span>[<a href="#RFC6904" class="xref">RFC6904</a>]</span> <span class="bcp14">MUST</span>
be used when encrypting the RTP packet using the outer
cryptographic key.<a href="#section-5.1-2.6" class="pilcrow">¶</a>
</li>
</div>
</ol>
<p id="section-5.1-3">When using Encrypted Key Transport (EKT) <span>[<a href="#I-D.ietf-perc-srtp-ekt-diet" class="xref">EKT-SRTP</a>]</span>, the EKTField comes
after the SRTP packet, exactly like using EKT with any other SRTP
transform.<a href="#section-5.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="relay">
<section id="section-5.2">
        <h3 id="name-relaying-a-packet">
<a href="#section-5.2" class="section-number selfRef">5.2. </a><a href="#name-relaying-a-packet" class="section-name selfRef">Relaying a Packet</a>
        </h3>
<p id="section-5.2-1">The MD has the part of the key for the outer
(hop-by-hop) cryptographic algorithm, but it does not have the part
of the key for the inner (end-to-end) cryptographic algorithm.  The
cryptographic algorithm and key used to decrypt a packet and
any encrypted RTP header extensions would be the same as those
used in the endpoint's outer algorithm and key.<a href="#section-5.2-1" class="pilcrow">¶</a></p>
<p id="section-5.2-2">In order to modify a packet, the MD decrypts the
received packet, modifies the packet, updates the OHB with
any modifications not already present in the OHB, and re-encrypts
the packet using the outer (hop-by-hop) cryptographic key
before transmitting using the following steps:<a href="#section-5.2-2" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal type-1" id="section-5.2-3">
          <div id="step1">
<li id="section-5.2-3.1">Apply the outer (hop-by-hop) cryptographic algorithm to decrypt the
packet.  If decrypting RTP header extensions hop-by-hop, then
<span>[<a href="#RFC6904" class="xref">RFC6904</a>]</span> <span class="bcp14">MUST</span> be used.  Note that the RTP payload produced by
this decryption operation contains the original encrypted payload
with the tag from the inner transform and the OHB appended.<a href="#section-5.2-3.1" class="pilcrow">¶</a>
</li>
</div>
<li id="section-5.2-3.2">Make any desired changes to the fields that are allowed to be changed,
i.e., PT, SEQ, and M.  The MD <span class="bcp14">MAY</span> also make
modifications to header extensions, without the need to reflect
these changes in the OHB.<a href="#section-5.2-3.2" class="pilcrow">¶</a>
</li>
<li id="section-5.2-3.3">
            <p id="section-5.2-3.3.1">Reflect any changes to header fields in the OHB:<a href="#section-5.2-3.3.1" class="pilcrow">¶</a></p>
<ul>
<li id="section-5.2-3.3.2.1">If the MD changed a field that is not already in the
OHB, then it <span class="bcp14">MUST</span> add the original value of the field to the
OHB.  Note that this might result in an increase in the size of
the OHB.<a href="#section-5.2-3.3.2.1" class="pilcrow">¶</a>
</li>
<li id="section-5.2-3.3.2.2">If the MD took a field that had previously been
modified and reset to its original value, then it <span class="bcp14">SHOULD</span> drop
the corresponding information from the OHB.  Note that this
might result in a decrease in the size of the OHB.<a href="#section-5.2-3.3.2.2" class="pilcrow">¶</a>
</li>
<li id="section-5.2-3.3.2.3">Otherwise, the MD <span class="bcp14">MUST NOT</span> modify the OHB.<a href="#section-5.2-3.3.2.3" class="pilcrow">¶</a>
</li>
</ul>
</li>
<div id="step4">
<li id="section-5.2-3.4">Apply the outer (hop-by-hop) cryptographic algorithm to the
packet. If the RTP sequence number has been modified, SRTP
processing happens as defined in SRTP and will end up using the new
sequence number. If encrypting RTP header extensions hop-by-hop,
then <span>[<a href="#RFC6904" class="xref">RFC6904</a>]</span> <span class="bcp14">MUST</span> be used.<a href="#section-5.2-3.4" class="pilcrow">¶</a>
</li>
</div>
</ol>
<p id="section-5.2-4">In order to avoid nonce reuse, the cryptographic contexts
 used in steps
<a href="#step1" class="xref">1</a> and <a href="#step4" class="xref">4</a> <span class="bcp14">MUST</span> use different, independent master keys.  Note
that this means that the key used for decryption by the MD <span class="bcp14">MUST</span> be
different from the key used for re-encryption to the end recipient.<a href="#section-5.2-4" class="pilcrow">¶</a></p>
<p id="section-5.2-5">Note that if multiple MDs modify the same packet, then the first MD
to alter a given header field is the one that adds it to the OHB.
If a subsequent MD changes the value of a header field that has
already been changed, then the original value will already be in the
OHB, so no update to the OHB is required.<a href="#section-5.2-5" class="pilcrow">¶</a></p>
<p id="section-5.2-6">An MD that decrypts, modifies, and re-encrypts
packets in this way <span class="bcp14">MUST</span> use an independent key for each recipient,
and <span class="bcp14">MUST NOT</span> re-encrypt the packet using the sender's keys.  If the
MD decrypts and re-encrypts with the same key and
salt, it will result in the reuse of a (key, nonce) pair,
undermining the security of AES-GCM.<a href="#section-5.2-6" class="pilcrow">¶</a></p>
</section>
</div>
<div id="decrypt">
<section id="section-5.3">
        <h3 id="name-decrypting-a-packet">
<a href="#section-5.3" class="section-number selfRef">5.3. </a><a href="#name-decrypting-a-packet" class="section-name selfRef">Decrypting a Packet</a>
        </h3>
<p id="section-5.3-1">To decrypt a packet, the endpoint first decrypts and verifies using
the outer (hop-by-hop) cryptographic key, then uses the OHB to
reconstruct the original packet, which it decrypts and verifies with
the inner (end-to-end) cryptographic key using the following steps:<a href="#section-5.3-1" class="pilcrow">¶</a></p>
<ol start="1" type="1" class="normal type-1" id="section-5.3-2">
          <li id="section-5.3-2.1">Apply the outer cryptographic algorithm to the packet.  If the
integrity check does not pass, discard the packet.  The result of
this is referred to as the outer SRTP packet.  If decrypting RTP
header extensions hop-by-hop, then <span>[<a href="#RFC6904" class="xref">RFC6904</a>]</span> <span class="bcp14">MUST</span> be used when
decrypting the RTP packet using the outer cryptographic key.<a href="#section-5.3-2.1" class="pilcrow">¶</a>
</li>
<li id="section-5.3-2.2">If the packet is for repair mode data, skip the rest of the
steps. Note that the packet that results from the repair algorithm
will still have encrypted data that needs to be decrypted as
specified by the repair algorithm sections.<a href="#section-5.3-2.2" class="pilcrow">¶</a>
</li>
<li id="section-5.3-2.3">Remove the inner authentication tag and the OHB from the end of the
payload of the outer SRTP packet.<a href="#section-5.3-2.3" class="pilcrow">¶</a>
</li>
<li id="section-5.3-2.4">
            <p id="section-5.3-2.4.1">Form a new synthetic SRTP packet with:<a href="#section-5.3-2.4.1" class="pilcrow">¶</a></p>
<ul>
<li id="section-5.3-2.4.2.1">
                <p id="section-5.3-2.4.2.1.1">Header = Received header, with the following modifications:<a href="#section-5.3-2.4.2.1.1" class="pilcrow">¶</a></p>
<ul>
<li id="section-5.3-2.4.2.1.2.1">Header fields replaced with values from OHB (if any).<a href="#section-5.3-2.4.2.1.2.1" class="pilcrow">¶</a>
</li>
<li id="section-5.3-2.4.2.1.2.2">The X bit is set to zero.<a href="#section-5.3-2.4.2.1.2.2" class="pilcrow">¶</a>
</li>
<li id="section-5.3-2.4.2.1.2.3">The header is truncated to remove any extensions (i.e., keep
only the first 12 + 4 * CC bytes of the header).<a href="#section-5.3-2.4.2.1.2.3" class="pilcrow">¶</a>
</li>
</ul>
</li>
<li id="section-5.3-2.4.2.2">Payload is the encrypted payload from the outer SRTP packet (after
the inner tag and OHB have been stripped).<a href="#section-5.3-2.4.2.2" class="pilcrow">¶</a>
</li>
<li id="section-5.3-2.4.2.3">Authentication tag is the inner authentication tag from the outer
SRTP packet.<a href="#section-5.3-2.4.2.3" class="pilcrow">¶</a>
</li>
</ul>
</li>
<li id="section-5.3-2.5">Apply the inner cryptographic algorithm to this synthetic SRTP
packet.  Note if the RTP sequence number was changed by the MD, the synthetic packet has the original sequence
number. If the integrity check does not pass, discard the packet.<a href="#section-5.3-2.5" class="pilcrow">¶</a>
</li>
</ol>
<p id="section-5.3-3">Once the packet has been successfully decrypted, the application needs
to be careful about which information it uses to get the correct
behavior.  The application <span class="bcp14">MUST</span> use only the information found in the
synthetic SRTP packet and <span class="bcp14">MUST NOT</span> use the other data that was in the
outer SRTP packet with the following exceptions:<a href="#section-5.3-3" class="pilcrow">¶</a></p>
<ul>
<li id="section-5.3-4.1">The PT from the outer SRTP packet is used for normal matching to 
Session Description Protocol (SDP) and codec selection.<a href="#section-5.3-4.1" class="pilcrow">¶</a>
</li>
<li id="section-5.3-4.2">The sequence number from the outer SRTP packet is used for normal
RTP ordering.<a href="#section-5.3-4.2" class="pilcrow">¶</a>
</li>
</ul>
<p id="section-5.3-5">The PT and sequence number from the inner SRTP packet can be used for
collection of various statistics.<a href="#section-5.3-5" class="pilcrow">¶</a></p>
<p id="section-5.3-6">If the RTP header of the outer packet contains extensions, they <span class="bcp14">MAY</span>
be used.  However, because extensions are not protected end-to-end,
implementations <span class="bcp14">SHOULD</span> reject an RTP packet containing headers that
would require end-to-end protection.<a href="#section-5.3-6" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="rtcp-operations">
<section id="section-6">
      <h2 id="name-rtcp-operations">
<a href="#section-6" class="section-number selfRef">6. </a><a href="#name-rtcp-operations" class="section-name selfRef">RTCP Operations</a>
      </h2>
<p id="section-6-1">Unlike RTP, which is encrypted both hop-by-hop and end-to-end using
two separate cryptographic keys, RTCP is encrypted using only the outer
(hop-by-hop) cryptographic key. The procedures for RTCP encryption
are specified in <span>[<a href="#RFC3711" class="xref">RFC3711</a>]</span>, and this document introduces no
additional steps.<a href="#section-6-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="use-with-other-rtp-mechanisms">
<section id="section-7">
      <h2 id="name-use-with-other-rtp-mechanis">
<a href="#section-7" class="section-number selfRef">7. </a><a href="#name-use-with-other-rtp-mechanis" class="section-name selfRef">Use with Other RTP Mechanisms</a>
      </h2>
<p id="section-7-1">MDs sometimes interact with RTP media packets sent
by endpoints, e.g., to provide recovery or receive commands via
dual-tone multi-frequency (DTMF) signaling.  When media packets are encrypted end-to-end, these procedures
require modification.  (End-to-end interactions, including
end-to-end recovery, are not affected by end-to-end encryption.)<a href="#section-7-1" class="pilcrow">¶</a></p>
<p id="section-7-2">Repair mechanisms, in general, will need to perform recovery on
encrypted packets (double-encrypted when using this transform),
since the MD does not have access to the plaintext of
the packet, only an intermediate, E2E-encrypted form.<a href="#section-7-2" class="pilcrow">¶</a></p>
<p id="section-7-3">When the recovery mechanism calls for the recovery packet itself to
be encrypted, it is encrypted with only the outer, hop-by-hop key.  This
allows an MD to generate recovery packets without
having access to the inner, end-to-end keys.  However, it also results in
recovery packets being triple-encrypted, twice for the base
transform, and once for the recovery protection.<a href="#section-7-3" class="pilcrow">¶</a></p>
<div id="rtx">
<section id="section-7.1">
        <h3 id="name-rtp-retransmission-rtx">
<a href="#section-7.1" class="section-number selfRef">7.1. </a><a href="#name-rtp-retransmission-rtx" class="section-name selfRef">RTP Retransmission (RTX)</a>
        </h3>
<p id="section-7.1-1">When using RTX <span>[<a href="#RFC4588" class="xref">RFC4588</a>]</span> with the double transform, the cached payloads <span class="bcp14">MUST</span> be the
double-encrypted packets, i.e., the bits that are sent over the wire to the
other side. When encrypting a retransmission packet, it <span class="bcp14">MUST</span> be
encrypted like a packet in repair mode (i.e., with only the hop-by-hop key).<a href="#section-7.1-1" class="pilcrow">¶</a></p>
<p id="section-7.1-2">If the MD were to cache the inner, E2E-encrypted
payload and retransmit it with an RTX original sequence number field prepended, then
the modifications to the payload would cause the inner integrity
check to fail at the receiver.<a href="#section-7.1-2" class="pilcrow">¶</a></p>
<p id="section-7.1-3">A typical RTX receiver would decrypt the packet, undo the RTX
transformation, then process the resulting packet normally by
using the steps in <a href="#decrypt" class="xref">Section 5.3</a>.<a href="#section-7.1-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="red">
<section id="section-7.2">
        <h3 id="name-redundant-audio-data-red">
<a href="#section-7.2" class="section-number selfRef">7.2. </a><a href="#name-redundant-audio-data-red" class="section-name selfRef">Redundant Audio Data (RED)</a>
        </h3>
<p id="section-7.2-1">When using RED <span>[<a href="#RFC2198" class="xref">RFC2198</a>]</span> with the double transform, the processing at the sender
and receiver is the same as when using RED with any other SRTP
transform.<a href="#section-7.2-1" class="pilcrow">¶</a></p>
<p id="section-7.2-2">The main difference between the double transform and any other transform is that
in an intermediated environment, usage of RED must be end-to-end.  
An MD cannot synthesize RED packets, because it lacks
access to the plaintext media payloads that are combined to form a
RED payload.<a href="#section-7.2-2" class="pilcrow">¶</a></p>
<p id="section-7.2-3">Note that Flexible Forward Error Correction (Flex FEC) may often provide similar or better repair
capabilities compared to RED.  For most applications, Flex FEC is a
better choice than RED; in particular, Flex FEC has modes in which
the MD can synthesize recovery packets.<a href="#section-7.2-3" class="pilcrow">¶</a></p>
</section>
</div>
<div id="fec">
<section id="section-7.3">
        <h3 id="name-forward-error-correction-fe">
<a href="#section-7.3" class="section-number selfRef">7.3. </a><a href="#name-forward-error-correction-fe" class="section-name selfRef">Forward Error Correction (FEC)</a>
        </h3>
<p id="section-7.3-1">When using Flex FEC <span>[<a href="#RFC8627" class="xref">RFC8627</a>]</span> with
the double transform, repair packets <span class="bcp14">MUST</span> be constructed by first
double-encrypting the packet, then performing FEC.  Processing of
repair packets proceeds in the opposite order, performing FEC
recovery and then decrypting.  This ensures that the original media
is not revealed to the MD but, at the same time, allows
the MD to repair media.  When encrypting a packet
that contains the Flex FEC data, which is already encrypted, it <span class="bcp14">MUST</span>
be encrypted with only the outer, hop-by-hop transform.<a href="#section-7.3-1" class="pilcrow">¶</a></p>
<p id="section-7.3-2">The algorithm recommended in <span>[<a href="#I-D.ietf-rtcweb-fec" class="xref">WEBRTC-FEC</a>]</span> for repair of video
is Flex FEC <span>[<a href="#RFC8627" class="xref">RFC8627</a>]</span>.  Note that for
interoperability with WebRTC, <span>[<a href="#I-D.ietf-rtcweb-fec" class="xref">WEBRTC-FEC</a>]</span> recommends not
using additional FEC-only "m=" lines in SDP for the repair packets.<a href="#section-7.3-2" class="pilcrow">¶</a></p>
</section>
</div>
<div id="dtmf">
<section id="section-7.4">
        <h3 id="name-dtmf">
<a href="#section-7.4" class="section-number selfRef">7.4. </a><a href="#name-dtmf" class="section-name selfRef">DTMF</a>
        </h3>
<p id="section-7.4-1">When DTMF is sent using the mechanism in <span>[<a href="#RFC4733" class="xref">RFC4733</a>]</span>, it is
end-to-end encrypted; the relay cannot read it, so it cannot be
used to control the relay. Other out-of-band methods to control the
relay need to be used instead.<a href="#section-7.4-1" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<div id="recommended-inner-and-outer-cryptographic-algorithms">
<section id="section-8">
      <h2 id="name-recommended-inner-and-outer">
<a href="#section-8" class="section-number selfRef">8. </a><a href="#name-recommended-inner-and-outer" class="section-name selfRef">Recommended Inner and Outer Cryptographic Algorithms</a>
      </h2>
<p id="section-8-1">This specification recommends and defines AES-GCM as both the inner
and outer cryptographic algorithms, identified as
DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM and
DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM.  These algorithms provide for
authenticated encryption and will consume additional processing time
double-encrypting for hop-by-hop and end-to-end.  However, the
approach is secure and simple; thus, it is  viewed as an acceptable
trade-off in processing efficiency.<a href="#section-8-1" class="pilcrow">¶</a></p>
<p id="section-8-2">Note that names for the cryptographic transforms are of the form
DOUBLE_(inner algorithm)_(outer algorithm).<a href="#section-8-2" class="pilcrow">¶</a></p>
<p id="section-8-3">While this document only defines a profile based on AES-GCM, it is
possible for future documents to define further profiles with
different inner and outer algorithms in this same framework.  For example,
if a new SRTP transform were defined that encrypts some or all of the
RTP header, it would be reasonable for systems to have the option of
using that for the outer algorithm.  Similarly, if a new transform were
defined that provided only integrity, that would also be reasonable to
use for the outer transform as the payload data is already encrypted by the
inner transform.<a href="#section-8-3" class="pilcrow">¶</a></p>
<p id="section-8-4">The AES-GCM cryptographic algorithm introduces an additional 16
octets to the length of the packet.  When using AES-GCM for both the
inner and outer cryptographic algorithms, the total additional
length is 32 octets.  The OHB will consume an additional 1-4 octets.
Packets in repair mode will carry additional repair data, further
increasing their size.<a href="#section-8-4" class="pilcrow">¶</a></p>
</section>
</div>
<div id="sec">
<section id="section-9">
      <h2 id="name-security-considerations">
<a href="#section-9" class="section-number selfRef">9. </a><a href="#name-security-considerations" class="section-name selfRef">Security Considerations</a>
      </h2>
<p id="section-9-1">This SRTP transform provides protection against two classes of
attacker:  a network attacker that knows neither the inner nor outer
keys and a malicious MD that knows the outer key.  Obviously, it
provides no protections against an attacker that holds both the
inner and outer keys.<a href="#section-9-1" class="pilcrow">¶</a></p>
<p id="section-9-2">The protections with regard to the network are the same as with the
normal SRTP AES-GCM transforms.  The major difference is that the
double transforms are designed to work better in a group context.
In such contexts, it is important to note that because these
transforms are symmetric, they do not protect against attacks within
the group.  Any member of the group can generate valid SRTP packets
for any SSRC in use by the group.<a href="#section-9-2" class="pilcrow">¶</a></p>
<p id="section-9-3">With regard to a malicious MD, the recipient can verify the
integrity of the base header fields and confidentiality and
integrity of the payload.  The recipient has no assurance, however,
of the integrity of the header extensions in the packet.<a href="#section-9-3" class="pilcrow">¶</a></p>
<p id="section-9-4">The main innovation of this transform relative to other SRTP
transforms is that it allows a partly trusted MD to decrypt, modify,
and re-encrypt a packet.  When this is done, the cryptographic
contexts used for decryption and re-encryption <span class="bcp14">MUST</span> use different,
independent master keys.  If the same context is
used, the nonce formation rules for SRTP will cause the same key and
nonce to be used with two different plaintexts, which substantially
degrades the security of AES-GCM.<a href="#section-9-4" class="pilcrow">¶</a></p>
<p id="section-9-5">In other words, from the perspective of the MD, re-encrypting
packets using this protocol will involve the same cryptographic
operations as if it had established independent AES-GCM crypto
contexts with the sender and the receiver. This property allows
the use of an MD that supports AES-GCM but does not modify any
header fields, without requiring any modification to the MD.<a href="#section-9-5" class="pilcrow">¶</a></p>
</section>
</div>
<div id="iana">
<section id="section-10">
      <h2 id="name-iana-considerations">
<a href="#section-10" class="section-number selfRef">10. </a><a href="#name-iana-considerations" class="section-name selfRef">IANA Considerations</a>
      </h2>
<div id="dtlssrtp">
<section id="section-10.1">
        <h3 id="name-dtls-srtp">
<a href="#section-10.1" class="section-number selfRef">10.1. </a><a href="#name-dtls-srtp" class="section-name selfRef">DTLS-SRTP</a>
        </h3>
<p id="section-10.1-1">IANA has added the following protection profiles to the
"DTLS-SRTP Protection Profiles" registry defined in <span>[<a href="#RFC5764" class="xref">RFC5764</a>]</span>.<a href="#section-10.1-1" class="pilcrow">¶</a></p>
<span id="name-updates-to-the-dtls-srtp-pr"></span><table class="center" id="table-1">
          <caption>
<a href="#table-1" class="selfRef">Table 1</a>:
<a href="#name-updates-to-the-dtls-srtp-pr" class="selfRef">Updates to the DTLS-SRTP Protection Profiles Registry</a>
          </caption>
<thead>
            <tr>
              <th class="text-left" rowspan="1" colspan="1">Value</th>
              <th class="text-left" rowspan="1" colspan="1">Profile</th>
              <th class="text-left" rowspan="1" colspan="1">Reference</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">{0x00, 0x09}</td>
              <td class="text-left" rowspan="1" colspan="1">DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM</td>
              <td class="text-left" rowspan="1" colspan="1">RFC 8723</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">{0x00, 0x0A}</td>
              <td class="text-left" rowspan="1" colspan="1">DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM</td>
              <td class="text-left" rowspan="1" colspan="1">RFC 8723</td>
            </tr>
          </tbody>
        </table>
<p id="section-10.1-3">The SRTP transform parameters for each of these protection profiles are:<a href="#section-10.1-3" class="pilcrow">¶</a></p>
<span id="name-srtp-transform-parameters-f"></span><table class="center" id="table-2">
          <caption>
<a href="#table-2" class="selfRef">Table 2</a>:
<a href="#name-srtp-transform-parameters-f" class="selfRef">SRTP Transform Parameters for DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM</a>
          </caption>
<tbody>
            <tr>
              <th class="text-left" rowspan="1" colspan="2">DOUBLE_AEAD_AES_128_GCM_AEAD_AES_128_GCM</th>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">cipher:</td>
              <td class="text-left" rowspan="1" colspan="1">AES_128_GCM then AES_128_GCM</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">cipher_key_length:</td>
              <td class="text-left" rowspan="1" colspan="1">256 bits</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">cipher_salt_length:</td>
              <td class="text-left" rowspan="1" colspan="1">192 bits</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">aead_auth_tag_length:</td>
              <td class="text-left" rowspan="1" colspan="1">256 bits</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">auth_function:</td>
              <td class="text-left" rowspan="1" colspan="1">NULL</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">auth_key_length:</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">auth_tag_length:</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">maximum lifetime:</td>
              <td class="text-left" rowspan="1" colspan="1">at most 2<sup>31</sup> SRTCP packets and at most 2<sup>48</sup> SRTP packets</td>
            </tr>
          </tbody>
        </table>
<span id="name-srtp-transform-parameters-fo"></span><table class="center" id="table-3">
          <caption>
<a href="#table-3" class="selfRef">Table 3</a>:
<a href="#name-srtp-transform-parameters-fo" class="selfRef">SRTP Transform Parameters for DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM</a>
          </caption>
<tbody>
            <tr>
              <th class="text-left" rowspan="1" colspan="2">DOUBLE_AEAD_AES_256_GCM_AEAD_AES_256_GCM</th>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">cipher:</td>
              <td class="text-left" rowspan="1" colspan="1">AES_256_GCM then AES_256_GCM</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">cipher_key_length:</td>
              <td class="text-left" rowspan="1" colspan="1">512 bits</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">cipher_salt_length:</td>
              <td class="text-left" rowspan="1" colspan="1">192 bits</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">aead_auth_tag_length:</td>
              <td class="text-left" rowspan="1" colspan="1">256 bits</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">auth_function:</td>
              <td class="text-left" rowspan="1" colspan="1">NULL</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">auth_key_length:</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">auth_tag_length:</td>
              <td class="text-left" rowspan="1" colspan="1">N/A</td>
            </tr>
            <tr>
              <td class="text-left" rowspan="1" colspan="1">maximum lifetime:</td>
              <td class="text-left" rowspan="1" colspan="1">at most 2<sup>31</sup> SRTCP packets and at most 2<sup>48</sup> SRTP packets</td>
            </tr>
          </tbody>
        </table>
<p id="section-10.1-6">The first half of the key and salt is used for the inner (end-to-end)
algorithm and the second half is used for the outer (hop-by-hop)
algorithm.<a href="#section-10.1-6" class="pilcrow">¶</a></p>
</section>
</div>
</section>
</div>
<section id="section-11">
      <h2 id="name-references">
<a href="#section-11" class="section-number selfRef">11. </a><a href="#name-references" class="section-name selfRef">References</a>
      </h2>
<section id="section-11.1">
        <h3 id="name-normative-references">
<a href="#section-11.1" class="section-number selfRef">11.1. </a><a href="#name-normative-references" class="section-name selfRef">Normative References</a>
        </h3>
<dl class="references">
<dt id="RFC2119">[RFC2119]</dt>
<dd>
<span class="refAuthor">Bradner, S.</span>, <span class="refTitle">"Key words for use in RFCs to Indicate Requirement Levels"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 2119</span>, <span class="seriesInfo">DOI 10.17487/RFC2119</span>, <time datetime="1997-03">March 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2119">https://www.rfc-editor.org/info/rfc2119</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC3711">[RFC3711]</dt>
<dd>
<span class="refAuthor">Baugher, M.</span><span class="refAuthor">, McGrew, D.</span><span class="refAuthor">, Naslund, M.</span><span class="refAuthor">, Carrara, E.</span><span class="refAuthor">, and K. Norrman</span>, <span class="refTitle">"The Secure Real-time Transport Protocol (SRTP)"</span>, <span class="seriesInfo">RFC 3711</span>, <span class="seriesInfo">DOI 10.17487/RFC3711</span>, <time datetime="2004-03">March 2004</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc3711">https://www.rfc-editor.org/info/rfc3711</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC5764">[RFC5764]</dt>
<dd>
<span class="refAuthor">McGrew, D.</span><span class="refAuthor"> and E. Rescorla</span>, <span class="refTitle">"Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)"</span>, <span class="seriesInfo">RFC 5764</span>, <span class="seriesInfo">DOI 10.17487/RFC5764</span>, <time datetime="2010-05">May 2010</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc5764">https://www.rfc-editor.org/info/rfc5764</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC6188">[RFC6188]</dt>
<dd>
<span class="refAuthor">McGrew, D.</span>, <span class="refTitle">"The Use of AES-192 and AES-256 in Secure RTP"</span>, <span class="seriesInfo">RFC 6188</span>, <span class="seriesInfo">DOI 10.17487/RFC6188</span>, <time datetime="2011-03">March 2011</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6188">https://www.rfc-editor.org/info/rfc6188</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC6904">[RFC6904]</dt>
<dd>
<span class="refAuthor">Lennox, J.</span>, <span class="refTitle">"Encryption of Header Extensions in the Secure Real-time Transport Protocol (SRTP)"</span>, <span class="seriesInfo">RFC 6904</span>, <span class="seriesInfo">DOI 10.17487/RFC6904</span>, <time datetime="2013-04">April 2013</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc6904">https://www.rfc-editor.org/info/rfc6904</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC7714">[RFC7714]</dt>
<dd>
<span class="refAuthor">McGrew, D.</span><span class="refAuthor"> and K. Igoe</span>, <span class="refTitle">"AES-GCM Authenticated Encryption in the Secure Real-time Transport Protocol (SRTP)"</span>, <span class="seriesInfo">RFC 7714</span>, <span class="seriesInfo">DOI 10.17487/RFC7714</span>, <time datetime="2015-12">December 2015</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc7714">https://www.rfc-editor.org/info/rfc7714</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8174">[RFC8174]</dt>
<dd>
<span class="refAuthor">Leiba, B.</span>, <span class="refTitle">"Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words"</span>, <span class="seriesInfo">BCP 14</span>, <span class="seriesInfo">RFC 8174</span>, <span class="seriesInfo">DOI 10.17487/RFC8174</span>, <time datetime="2017-05">May 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8174">https://www.rfc-editor.org/info/rfc8174</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8285">[RFC8285]</dt>
<dd>
<span class="refAuthor">Singer, D.</span><span class="refAuthor">, Desineni, H.</span><span class="refAuthor">, and R. Even, Ed.</span>, <span class="refTitle">"A General Mechanism for RTP Header Extensions"</span>, <span class="seriesInfo">RFC 8285</span>, <span class="seriesInfo">DOI 10.17487/RFC8285</span>, <time datetime="2017-10">October 2017</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8285">https://www.rfc-editor.org/info/rfc8285</a>&gt;</span>. </dd>
<dd class="break"></dd>
</dl>
</section>
<section id="section-11.2">
        <h3 id="name-informative-references">
<a href="#section-11.2" class="section-number selfRef">11.2. </a><a href="#name-informative-references" class="section-name selfRef">Informative References</a>
        </h3>
<dl class="references">
<dt id="I-D.ietf-perc-dtls-tunnel">[DTLS-TUNNEL]</dt>
<dd>
<span class="refAuthor">Jones, P.</span><span class="refAuthor">, Ellenbogen, P.</span><span class="refAuthor">, and N. Ohlmeier</span>, <span class="refTitle">"DTLS Tunnel between a Media Distributor and Key Distributor to Facilitate Key Exchange"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-perc-dtls-tunnel-06</span>, <time datetime="2019-10-16">16 October 2019</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-ietf-perc-dtls-tunnel-06">https://tools.ietf.org/html/draft-ietf-perc-dtls-tunnel-06</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="I-D.ietf-perc-srtp-ekt-diet">[EKT-SRTP]</dt>
<dd>
<span class="refAuthor">Jennings, C.</span><span class="refAuthor">, Mattsson, J.</span><span class="refAuthor">, McGrew, D.</span><span class="refAuthor">, Wing, D.</span><span class="refAuthor">, and F. Andreasen</span>, <span class="refTitle">"Encrypted Key Transport for DTLS and Secure RTP"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-perc-srtp-ekt-diet-10</span>, <time datetime="2019-07-08">8 July 2019</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-ietf-perc-srtp-ekt-diet-10">https://tools.ietf.org/html/draft-ietf-perc-srtp-ekt-diet-10</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="I-D.ietf-perc-private-media-framework">[PRIVATE-MEDIA-FRAMEWORK]</dt>
<dd>
<span class="refAuthor">Jones, P.</span><span class="refAuthor">, Benham, D.</span><span class="refAuthor">, and C. Groves</span>, <span class="refTitle">"A Solution Framework for Private Media in Privacy Enhanced RTP Conferencing (PERC)"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-perc-private-media-framework-12</span>, <time datetime="2019-06-05">5 June 2019</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-ietf-perc-private-media-framework-12">https://tools.ietf.org/html/draft-ietf-perc-private-media-framework-12</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC2198">[RFC2198]</dt>
<dd>
<span class="refAuthor">Perkins, C.</span><span class="refAuthor">, Kouvelas, I.</span><span class="refAuthor">, Hodson, O.</span><span class="refAuthor">, Hardman, V.</span><span class="refAuthor">, Handley, M.</span><span class="refAuthor">, Bolot, J.C.</span><span class="refAuthor">, Vega-Garcia, A.</span><span class="refAuthor">, and S. Fosse-Parisis</span>, <span class="refTitle">"RTP Payload for Redundant Audio Data"</span>, <span class="seriesInfo">RFC 2198</span>, <span class="seriesInfo">DOI 10.17487/RFC2198</span>, <time datetime="1997-09">September 1997</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc2198">https://www.rfc-editor.org/info/rfc2198</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC4588">[RFC4588]</dt>
<dd>
<span class="refAuthor">Rey, J.</span><span class="refAuthor">, Leon, D.</span><span class="refAuthor">, Miyazaki, A.</span><span class="refAuthor">, Varsa, V.</span><span class="refAuthor">, and R. Hakenberg</span>, <span class="refTitle">"RTP Retransmission Payload Format"</span>, <span class="seriesInfo">RFC 4588</span>, <span class="seriesInfo">DOI 10.17487/RFC4588</span>, <time datetime="2006-07">July 2006</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc4588">https://www.rfc-editor.org/info/rfc4588</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC4733">[RFC4733]</dt>
<dd>
<span class="refAuthor">Schulzrinne, H.</span><span class="refAuthor"> and T. Taylor</span>, <span class="refTitle">"RTP Payload for DTMF Digits, Telephony Tones, and Telephony Signals"</span>, <span class="seriesInfo">RFC 4733</span>, <span class="seriesInfo">DOI 10.17487/RFC4733</span>, <time datetime="2006-12">December 2006</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc4733">https://www.rfc-editor.org/info/rfc4733</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC5234">[RFC5234]</dt>
<dd>
<span class="refAuthor">Crocker, D., Ed.</span><span class="refAuthor"> and P. Overell</span>, <span class="refTitle">"Augmented BNF for Syntax Specifications: ABNF"</span>, <span class="seriesInfo">STD 68</span>, <span class="seriesInfo">RFC 5234</span>, <span class="seriesInfo">DOI 10.17487/RFC5234</span>, <time datetime="2008-01">January 2008</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc5234">https://www.rfc-editor.org/info/rfc5234</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="RFC8627">[RFC8627]</dt>
<dd>
<span class="refAuthor">Zanaty, M.</span><span class="refAuthor">, Singh, V.</span><span class="refAuthor">, Begen, A.</span><span class="refAuthor">, and G. Mandyam</span>, <span class="refTitle">"RTP Payload Format for Flexible Forward Error Correction (FEC)"</span>, <span class="seriesInfo">RFC 8627</span>, <span class="seriesInfo">DOI 10.17487/RFC8627</span>, <time datetime="2019-07">July 2019</time>, <span>&lt;<a href="https://www.rfc-editor.org/info/rfc8627">https://www.rfc-editor.org/info/rfc8627</a>&gt;</span>. </dd>
<dd class="break"></dd>
<dt id="I-D.ietf-rtcweb-fec">[WEBRTC-FEC]</dt>
<dd>
<span class="refAuthor">Uberti, J.</span>, <span class="refTitle">"WebRTC Forward Error Correction Requirements"</span>, <span class="refContent">Work in Progress</span>, <span class="seriesInfo">Internet-Draft, draft-ietf-rtcweb-fec-10</span>, <time datetime="2019-07-16">16 July 2019</time>, <span>&lt;<a href="https://tools.ietf.org/html/draft-ietf-rtcweb-fec-10">https://tools.ietf.org/html/draft-ietf-rtcweb-fec-10</a>&gt;</span>. </dd>
<dd class="break"></dd>
</dl>
</section>
</section>
<div id="encryption-overview">
<section id="section-appendix.a">
      <h2 id="name-encryption-overview">
<a href="#section-appendix.a" class="section-number selfRef">Appendix A. </a><a href="#name-encryption-overview" class="section-name selfRef">Encryption Overview</a>
      </h2>
<p id="section-appendix.a-1">The following figures show a double-encrypted SRTP packet. The sides
indicate the parts of the packet that are encrypted and authenticated
by the hop-by-hop and end-to-end operations.<a href="#section-appendix.a-1" class="pilcrow">¶</a></p>
<div class="artwork art-text alignLeft art-ascii-art" id="section-appendix.a-2">
<pre>
     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |V=2|P|X|  CC   |M|     PT      |       sequence number         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                           timestamp                           |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |           synchronization source (SSRC) identifier            |
    +=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    |            contributing source (CSRC) identifiers             |
    |                               ....                            |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    RTP extension (OPTIONAL) ...               |
+&gt;+&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
O I |                          payload ...                          |
O I |                               +-------------------------------+
O I |                               | RTP padding   | RTP pad count |
O +&gt;+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
O | |                    E2E authentication tag                     |
O | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
O | |                            OHB ...                            |
+&gt;| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | |                    HBH authentication tag                     |
| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| +- E2E Encrypted Portion
|
+--- HBH Encrypted Portion
</pre><a href="#section-appendix.a-2" class="pilcrow">¶</a>
</div>
<div class="artwork art-text alignLeft art-ascii-art" id="section-appendix.a-3">
<pre>
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;+&lt;+
|V=2|P|X|  CC   |M|     PT      |       sequence number         | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
|                           timestamp                           | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I O
|           synchronization source (SSRC) identifier            | I O
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ I O
|            contributing source (CSRC) identifiers             | I O
|                               ....                            | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;+ O
|                    RTP extension (OPTIONAL) ...               | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;+ O
|                           payload ...                         | I O
|                               +-------------------------------+ I O
|                               | RTP padding   | RTP pad count | I O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+&lt;+ O
|                    E2E authentication tag                     | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | O
|                            OHB ...                            | | O
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |&lt;+
|                    HBH authentication tag                     | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
                                                                  | |
                                     E2E Authenticated Portion ---+ |
                                                                    |
                                     HBH Authenticated Portion -----+
</pre><a href="#section-appendix.a-3" class="pilcrow">¶</a>
</div>
</section>
</div>
<div id="acknowledgments">
<section id="section-appendix.b">
      <h2 id="name-acknowledgments">
<a href="#name-acknowledgments" class="section-name selfRef">Acknowledgments</a>
      </h2>
<p id="section-appendix.b-1">Thank you to <span class="contact-name">Alex Gouaillard</span>, 
<span class="contact-name">David Benham</span>, <span class="contact-name">Magnus Westerlund</span>, 
<span class="contact-name">Nils Ohlmeier</span>, <span class="contact-name">Roni Even</span>, and <span class="contact-name">Suhas Nandakumar</span> 
for reviews and improvements to this specification. In addition, thank you to
<span class="contact-name">Sergio Garcia Murillo</span>, who proposed the change of transporting the OHB
information in the RTP payload instead of the RTP header.<a href="#section-appendix.b-1" class="pilcrow">¶</a></p>
</section>
</div>
<div id="authors-addresses">
<section id="section-appendix.c">
      <h2 id="name-authors-addresses">
<a href="#name-authors-addresses" class="section-name selfRef">Authors' Addresses</a>
      </h2>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Cullen Jennings</span></div>
<div dir="auto" class="left"><span class="org">Cisco Systems</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:fluffy@iii.ca" class="email">fluffy@iii.ca</a>
</div>
</address>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Paul E. Jones</span></div>
<div dir="auto" class="left"><span class="org">Cisco Systems</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:paulej@packetizer.com" class="email">paulej@packetizer.com</a>
</div>
</address>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Richard Barnes</span></div>
<div dir="auto" class="left"><span class="org">Cisco Systems</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:rlb@ipv.sx" class="email">rlb@ipv.sx</a>
</div>
</address>
<address class="vcard">
        <div dir="auto" class="left"><span class="fn nameRole">Adam Roach</span></div>
<div dir="auto" class="left"><span class="org">Mozilla</span></div>
<div class="email">
<span>Email:</span>
<a href="mailto:adam@nostrum.com" class="email">adam@nostrum.com</a>
</div>
</address>
</section>
</div>
<script>const toc = document.getElementById("toc");
toc.querySelector("h2").addEventListener("click", e => {
  toc.classList.toggle("active");
});
toc.querySelector("nav").addEventListener("click", e => {
  toc.classList.remove("active");
});
</script>
</body>
</html>