diff --git a/doc/Streaming.xml b/doc/Streaming.xml index a680744cb..fcee967e1 100644 --- a/doc/Streaming.xml +++ b/doc/Streaming.xml @@ -235,8 +235,7 @@ IETF RFC 2435, RFC2435 - RTP Payload Format for JPEG-compressed Video <> IETF RFC 3016, RTP Payload Format for MPEG-4 Audio/Visual Streams - + <> IETF RFC 3550, RTP: A Transport Protocol for Real-Time Applications <> IETF RFC 3551, RTP Profile for Audio and Video Conferences with Minimal Control @@ -381,6 +380,22 @@ + + MIKEY + + + Multimedia Internet KEYing + + + + + MKI + + + Master Key Identifier + + + MPEG-4 @@ -590,7 +605,195 @@
SRTP data transfer via UDP - This mode allows secure transmission of RTP packets via UDP unicast and multicast. See RFC 3711 for transmission and RFC 4567 for key exchange. + This mode allows secure transmission of RTP packets via UDP unicast and multicast. Related documents are RFC 3711, RFC 7714 for transmission and RFC 3830, RFC 4567 for key exchange. + + The device must list whether or not it supports SRTP streaming through the GetServiceCapabilities action's response. If the device supports SRTP streaming, the device must indicate it through the SecureRTSPStreaming parameter in the StreamingCapabilities. + +
+ Cryptographic algorithm negotiation + + + The device may list which SRTP cryptographic algorithms it supports through the Media1 and Media2 wsdls. + Each encoder can list the algorithms it supports through the SecureStreamingProtocolAlgorithms element present in: + + + AudioEncoderConfigurationOptions + + + MetadataConfigurationOptions + + + VideoEncoderConfigurationOptions + + + AudioEncoder2ConfigurationOptions + + + VideoEncoder2ConfigurationOptions + + + + If the SecureStreamingProtocolAlgorithms parameter is present, the device must support a least one of the following algorithms: + + + NONE + NONE is a special case, where the media is listed as RTP/AVP instead of RTP/SAVP and where MIKEY is unused altogether. + This it to allow the use of RTSPS to authenticate with the camera without using encrypted media streams. + + + AES_CM_128_HMAC_SHA1_80 + + + AEAD_AES_128_GCM + + + AEAD_AES_256_GCM + + + If the device supports SRTP streaming through the SecureRTSPStreaming parameter, but does not list any supported SRTP cryptographic algorithms through the SecureStreamingProtocolAlgorithms parameter, the device shall support the AES_CM_128_SHA1_80 algorithm as defined in RFC 3711. + + + + The client may choose to configure a device to use a specific algorithm. To do so, it must set the SecureStreamingProtocolAlgorithm attribute through the following actions: + + + SetAudioEncoderConfiguration + + + SetMetadataConfiguration + + + SetVideoEncoderConfiguration + + + + + + If a device supports encryption algorithms other than AES_CM_128_SHA1_80 as defined in RFC 3711, it must also support the ConfigurationOptions and the actions listed above. + This mechanism allows the client to choose the encryption algorithm used by the device for SRTP. + + + + MIKEY is used for key management for SRTP. The device shall support MIKEY as defined in RFC 3830 for key management. + One exception is that in RFC 3830, support for MIKEY-PSK and MIKEY-PK are listed mandatory. 
For ONVIF SRTP, only MIKEY-PSK support is defined and mandatory. + MIKEY-PK should not be used for ONVIF SRTP. + + + The MIKEY message must contain the following payloads: + + + Common Header Payload + + + KEMAC Payload + The KEMAC payload should not be encrypted since TLS already encrypts the RTSPS channel. + If the key type is TEK without salt and a salt must be provided, the key and the salt must be concatenated and sent in the Key data section of the payload. + (To verify, some cameras return RTP packets when this is done?)If the key type is TEK+SALT and a salt must be provided, the SALT must be in the Salt data section. + The device and client must support TEK for AES_CM_128_SHA1_80 and TEK+SALT for other encryption algorithms. + To keep track of key validity, The SPI/MKI must be set in the KV data. The SRTP packets must also include the MKI. + + + Security Policy Payload + + Specifies the encryption parameters to be used by the streams. + + + AES_CM_128_HMAC_SHA1_80 + Encryption Algorithm: AES-CM + Session Encryption Key Length: 128 bits + Authentication Algorithm: HMAC-SHA-1 + Session Auth Key Length: 160 bits + Session Salt Key Length: 112 bits + SRTP Encryption: On + SRTCP Encryption: On + Authnetication Tag Length: 80 bits + SRTP PRF: AES-CM + + + AEAD_AES_128_GCM + Encryption Algorithm: AES-GCM + Session Encryption Key Length: 128 bits + Authentication Algorithm: NULL + Session Auth Key Length: N/A + Session Salt Key Length: 96 bits + SRTP Encryption: On + SRTCP Encryption: On + AEAD Authnetication Tag Length: 16 octets + SRTP PRF: AES-CM + + + AEAD_AES_256_GCM + Encryption Algorithm: AES-GCM + Session Encryption Key Length: 256 bits + Authentication Algorithm: NULL + Session Auth Key Length: N/A + Session Salt Key Length: 96 bits + SRTP Encryption: On + SRTCP Encryption: On + AEAD Authnetication Tag Length: 16 octets + SRTP PRF: AES-CM + + + + + + + + The key management extensions for SDP and RTSP (RFC 4567) allow for key management through RTSP. +
+ Key management through RTSP +
+ Stream Initialization + + Key management extensions for SDP and RTSP (RFC 4567) defines stream initialization. + + + When the device is providing the key, the SDP is required to have a media of type RTP/SAVP and a MIKEY message. + It's permitted to have two media fields, one with RTP/AVP and one with RTP/SAVP. The RTP/AVP track is used for unencrypted streaming. + + + + When the client is providing the key, it will add a KeyMgmt header containing the MIKEY with transport type RTP/SAVP in the SETUP. + The client may use a different encryption algorithm than what is configured with SetAudioEncoderConfiguration, SetMetadataConfiguration and SetVideoEncoderConfiguration. + The GetAudioEncoderConfiguration, GetMetadataConfiguration and GetVideoEncoderConfiguration responses shall not be affected by the encryption algorithm configured through RTSP with MIKEY. + SetAudioEncoderConfiguration, SetMetadataConfiguration and SetVideoEncoderConfiguration shall only be used to configure the device for the default encryption algorithm sent in the DESCRIBE. + RTSP/1.0 +CSeq: 2 +User-Agent: OmnicastRTSPClient/1.0 +Transport: RTP/SAVP/UDP;unicast +KeyMgmt: prot=mikey;uri="";data="AQAFAP1td9ABAADCD1UcAAAAAAoAAdOOGc75XD0BAAAAGAABAQEBE +AIBAQMBFAcBAQgBAQoBAQsBCgAAACcAIQAe30C59UrClE0e27UP5h/Wty9UL8+dfzg+2ttmmo3kBAAAAC8A" +]]> + +
+
+ Client Re-Keying with MIKEY + + The client may request the use of new keys for stream encryption. + The SET_PARAMETER method shall be used with a mikey parameter to set the new encryption keys. + The client may use a different encryption algorithm than what is configured with the SetAudioEncoderConfiguration, SetMetadataConfiguration and SetVideoEncoderConfiguration actions. + +
+
+ Multicast considerations +
+
+
+
RTP/RTSP/HTTP/TCP diff --git a/wsdl/ver10/media/wsdl/media.wsdl b/wsdl/ver10/media/wsdl/media.wsdl index dfdb86457..4b6687268 100644 --- a/wsdl/ver10/media/wsdl/media.wsdl +++ b/wsdl/ver10/media/wsdl/media.wsdl @@ -120,6 +120,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO Indicates the device does not support live media streaming via RTSP. + + + Indicates support for live media streaming via RTSPS and SRTP. + + diff --git a/wsdl/ver10/schema/onvif.xsd b/wsdl/ver10/schema/onvif.xsd index c2a285338..b2a2f277b 100755 --- a/wsdl/ver10/schema/onvif.xsd +++ b/wsdl/ver10/schema/onvif.xsd @@ -710,6 +710,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO The rtsp session timeout for the related video stream + + + The cryptographic algorithm used as defined by tr2:SrtpSecurityAlgorithms + + @@ -846,6 +851,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO + + + If secure RTSP streaming is supported, this shall return the list of supported cryptographic algorithms as defined by tr2:SrtpSecurityAlgorithms. + + @@ -1004,6 +1014,15 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO + + + + + + + + + @@ -1059,6 +1078,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO Relative value for the video quantizers and the quality of the video. A high value within supported quality range means higher quality + + + Defines the cryptographic algorithm to use as defined by tr2:SrtpSecurityAlgorithms + + @@ -1156,6 +1180,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO Supported range of encoded bitrate in kbps. + + + If secure RTSP streaming is supported, this shall return the list of supported cryptographic algorithms as defined by tr2:SrtpSecurityAlgorithms. + + 
@@ -1260,6 +1289,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO The rtsp session timeout for the related audio stream + + + The cryptographic algorithm used as defined by tr2:SrtpSecurityAlgorithms + + @@ -1303,6 +1337,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO List of supported Sample Rates in kHz for the specified Encoding + + + If secure RTSP streaming is supported, this shall return the list of supported cryptographic algorithms as defined by tr2:SrtpSecurityAlgorithms. + + @@ -1348,6 +1387,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO The output sample rate in kHz. + + + Defines the cryptographic algorithm to use as defined by tr2:SrtpSecurityAlgorithms + + @@ -1373,6 +1417,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO List of supported Sample Rates in kHz for the specified Encoding + + + If secure RTSP streaming is supported, this shall return the list of supported cryptographic algorithms as defined by tr2:SrtpSecurityAlgorithms. + + @@ -1430,6 +1479,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO The rtsp session timeout for the related audio stream (when using Media2 Service, this value is deprecated and ignored) + + + The cryptographic algorithm used as defined by tr2:SrtpSecurityAlgorithms + + @@ -1507,6 +1561,11 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO + + + If secure RTSP streaming is supported, this shall return the list of supported cryptographic algorithms as defined by tr2:SrtpSecurityAlgorithms. + + diff --git a/wsdl/ver20/media/wsdl/media.wsdl b/wsdl/ver20/media/wsdl/media.wsdl index 06af8571e..794ee24b8 100644 --- a/wsdl/ver20/media/wsdl/media.wsdl +++ b/wsdl/ver20/media/wsdl/media.wsdl @@ -722,8 +722,8 @@ IN NO EVENT WILL THE CORPORATION OR ITS MEMBERS OR THEIR AFFILIATES BE LIABLE FO - - + + 
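Review bot: the new SRTP section in Streaming.xml cites RFC 3830 (MIKEY) and RFC 7714 (AES-GCM for SRTP) as related documents, but no entries for either are visible in the @@ -235 reference-list hunk, which appears to touch only the line after the RFC 3016 entry; add both references, and confirm that the RFC 3016 entry itself was not dropped unintentionally.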
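Review bot: the Streaming.xml @@ -590 hunk names the default/mandatory cipher AES_CM_128_SHA1_80 in three places but AES_CM_128_HMAC_SHA1_80 in the supported-algorithm list and in the Security Policy payload table; use one identifier throughout (the RFC 3711/RFC 4568 name is AES_CM_128_HMAC_SHA1_80) so implementers do not have to guess whether the two are the same suite. The KEMAC paragraph also needs work: "The KEMAC payload should not be encrypted since TLS already encrypts the RTSPS channel" departs from RFC 3830 MIKEY-PSK, where the KEMAC is encrypted with a key derived from the pre-shared key, so state which Encr alg value the KEMAC carries (RFC 3830 defines NULL) and turn the consequence into a requirement: a MIKEY message built this way carries the TEK in the clear inside the channel, so the KeyMgmt header and the SDP MIKEY shall only be sent over RTSPS, never over plain RTSP. Remove the editorial leftover "(To verify, some cameras return RTP packets when this is done?)", fix "a least one", "This it to allow" and "Authnetication" (three times), and settle on one normative vocabulary; the hunk mixes "must", "shall", "should" and "may" for requirements of equal weight (for example "MIKEY-PK should not be used" next to "only MIKEY-PSK support is defined and mandatory"). Finally, the "Multicast considerations" section is added empty, the SETUP example shows uri="" in the KeyMgmt header (RFC 4567 uses uri to name the stream the key applies to) and a vendor-specific User-Agent, and the re-keying section introduces a SET_PARAMETER "mikey" parameter without defining its name, encoding or expected response; either point to where it is specified or define it here.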
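Review bot: the documentation added in the onvif.xsd @@ -710 hunk (and repeated in the later onvif.xsd hunks) describes the new element "as defined by tr2:SrtpSecurityAlgorithms", so the ver10 common schema (tt namespace) now depends on a type from the ver20 media wsdl (tr2), which means a Media1-only implementation has to pull the ver20 media wsdl in just to learn the permitted values; either place the enumeration in onvif.xsd and have tr2 reference it, or document the element here as a plain string with the allowed values listed. Also align the element names with the Streaming.xml text, which calls the configuration attribute SecureStreamingProtocolAlgorithm and the options element SecureStreamingProtocolAlgorithms, and reconcile the two descriptions of the same field ("The cryptographic algorithm used" in the configuration hunks versus "Defines the cryptographic algorithm to use" in @@ -1078 and @@ -1387).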
@@ -1811,12 +1811,14 @@ support streaming video data of such a profile.
This operation requests a URI that can be used to initiate a live media stream using RTSP as the control protocol. The returned URI shall remain valid indefinitely even if the profile is changed.
Defined stream types are -
    -
  • RtspUnicast RTSP streaming RTP as UDP Unicast.
  • -
  • RtspMulticast RTSP streaming RTP as UDP Multicast.
  • -
  • RTSP RTSP streaming RTP over TCP.
  • -
  • RtspOverHttp Tunneling both the RTSP control channel and the RTP stream over HTTP or HTTPS.
  • -
+
    +
  • RtspUnicast RTSP streaming RTP as UDP Unicast.
  • +
  • RtspMulticast RTSP streaming RTP as UDP Multicast.
  • +
  • RtspsUnicast Secure RTSP streaming with SRTP as UDP Unicast.
  • +
  • RtspsMulticast Secure RTSP streaming with SRTP as UDP Multicast.
  • +
  • RTSP RTSP streaming RTP over TCP.
  • +
  • RtspOverHttp Tunneling both the RTSP control channel and the RTP stream over HTTP or HTTPS.
  • +
If a multicast stream is requested at least one of VideoEncoder2Configuration, AudioEncoder2Configuration and MetadataConfiguration shall have a valid multicast setting.
For full compatibility with other ONVIF services a device should not generate Uris longer than 128 octets.
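Review bot: the RtspsUnicast and RtspsMulticast entries added in the @@ -1811 hunk say what happens to the media (SRTP over UDP) but not to the control channel, while the sibling RtspOverHttp entry spells out both; state that the RTSP control connection is TLS-protected (RTSPS) and that the MIKEY key exchange runs over it, reference the Streaming.xml SRTP section, and add the condition that these values are only valid when the device reports the SecureRTSPStreaming capability. There is also no secure counterpart to the TCP-interleaved "RTSP" entry; if that omission is deliberate, say so. For RtspsMulticast, the "Multicast considerations" section this same patch adds to Streaming.xml is still empty, so how a group key is distributed to every receiver of the multicast stream is currently undefined.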
@@ -1856,7 +1858,7 @@ the PTZ position shall be repeated within the metadata stream. A client uses the GetSnapshotUri command to obtain a JPEG snapshot from the device. The returned URI shall remain valid indefinitely even if the profile is changed. The URI can be used for -acquiring a JPEG image through an HTTP GET operation. The image encoding will always be +acquiring a JPEG image through a HTTP GET operation. The image encoding will always be JPEG regardless of the encoding setting in the media profile. The Jpeg settings (like resolution or quality) may be taken from the profile if suitable. The provided image will be updated automatically and independent from calls to GetSnapshotUri.
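Review bot: the @@ -1856 hunk changes "an HTTP GET operation" to "a HTTP GET operation", which is a regression ("HTTP" is pronounced with an initial vowel sound, so "an" is correct) and is unrelated to the SRTP feature; drop this hunk from the patch.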