7. Security Considerations
SDP session descriptions, and the protocols that carry them, can be secured against message modification or eavesdropping.
SDP session descriptions contain information needed for the establishment of a variety of network services. In many cases, it is desirable to ensure that the information is conveyed to the receiving party with confidentiality and integrity protection.
Session descriptions MAY be conveyed using security protocols appropriate for the transport in use. For example:
- When conveyed over HTTP, TLS [RFC8446] SHOULD be used
- When conveyed over SIP, the mechanisms described in [RFC3261] SHOULD be used
- When conveyed over email, S/MIME [RFC8551] SHOULD be used
The security considerations that apply to SDP depend significantly on how SDP is being used. SDP employs URIs to identify resources. The security considerations of [RFC3986] apply to these URIs.
Session descriptions include transport addresses and other information that could be used to attack systems. Care should be taken to ensure that session descriptions are only distributed to trusted parties.
The SDP specification does not provide any mechanism for authenticating the identity of the originator of a session description, or of the recipient of a session description.
Media streams established using information in a session description can be subject to various security threats. The security considerations of the protocols used to establish the media streams apply.
The bandwidth specification in SDP could be used to mount denial-of-service attacks by causing receivers to allocate excessive resources.
The connection address field could be spoofed to direct media traffic to an unintended recipient.
SDP session descriptions can contain URIs that could be dereferenced automatically. The security considerations of [RFC3986] Section 7 apply to these URIs.
This specification deprecates the "k=" line for conveying encryption keys. Modern applications SHOULD use more secure key management mechanisms such as DTLS-SRTP [RFC5763] or the SDP Security Descriptions for Media Streams [RFC4568].
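As an added illustration of the receiver-side checks this section motivates (not code from the specification), the following validator walks an SDP description and flags the four risky fields discussed above: a deprecated "k=" line, a "b=AS" value above a local policy cap, a "c=" connection address outside the networks the receiver expects media from, and a "u=" URI that must not be dereferenced automatically. The sample description, the bandwidth cap and the allowed-network list are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample description (not from the specification) carrying the
# fields this section flags as risky: u=, c=, b= and the deprecated k=.
SAMPLE_SDP = """v=0
o=jdoe 3724394400 3724394405 IN IP4 198.51.100.1
s=Call
u=http://example.invalid/info.html
c=IN IP4 203.0.113.7
b=AS:900000
k=clear:secret
t=0 0
m=audio 49170 RTP/AVP 0
"""
MAX_BANDWIDTH_KBPS = 4000  # assumed local policy cap; b=AS is in kbit/s

def parse_sdp(text):
    """Split a description into (type, value) pairs; reject malformed lines."""
    pairs = []
    for raw in text.splitlines():
        if not raw:
            continue
        if len(raw) < 2 or raw[1] != "=":
            raise ValueError("malformed SDP line: %r" % raw)
        pairs.append((raw[0], raw[2:]))
    return pairs

def check_sdp(text, allowed_networks):
    """Return findings for a received description; empty list means it passed."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    findings = []
    for typ, value in parse_sdp(text):
        if typ == "k":
            # Deprecated k= line carries keying material inside the description.
            findings.append("k= line present; use DTLS-SRTP or SDES instead")
        elif typ == "b":
            # b=AS:<kbit/s>; an absurd value can drive receiver resource exhaustion.
            m = re.fullmatch(r"AS:(\d+)", value)
            if m and int(m.group(1)) > MAX_BANDWIDTH_KBPS:
                findings.append("b=AS %s kbit/s exceeds policy cap" % m.group(1))
        elif typ == "c":
            # c=<nettype> <addrtype> <address>; an unexpected network suggests spoofing.
            addr = ipaddress.ip_address(value.split()[2].split("/")[0])
            if not any(addr in net for net in nets):
                findings.append("c= address %s outside allowed networks" % addr)
        elif typ == "u":
            # Never dereference automatically; surface for explicit handling.
            findings.append("u= URI %s must not be fetched automatically" % value)
    return findings
```

Calling `check_sdp(SAMPLE_SDP, ["198.51.100.0/24"])` reports all four findings; a description with only an in-policy "b=" and an expected "c=" address returns an empty list.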